Site2Site VPN Configuration

This document describes the configuration of a Site2Site VPN connection between an external router and an instance on EXOSCALE.

Steps:

  • Align on security parameters with the provider of the external router
  • Create a Private Network on the EXOSCALE portal
  • Start a new instance using the “VyOS” template
  • Configure VyOS and test the connection
  • Set up and test the connection on the target instance

Configuration on EXOSCALE:

Prerequisites:

  • Pre-Shared-Secret: shared password for authentication
  • VyOS 1.3 template
  • Instance: Tiny with 10 GB
  • SSH-Key
  • Private Network - unmanaged

During the setup you will need the following IP addresses; they appear as placeholders in the commands below:

  • WAN-IP router
  • Local IP router
  • WAN-IP Exoscale
  • Local IP Exoscale

Ports needed on Firewall settings:

  • Either use the “Default” Security group or create a new group
  • Add the following FW rules:

    o 22 TCP – SSH
    o 3389 TCP – RDP (if a Windows server is used)
    o 500 UDP – IPSec (IKE)
    o 4500 UDP – IPSec NAT-T (ESP encapsulated in UDP); if there is no NAT between the peers, ESP (IP protocol 50) must be allowed as well

Create a Private Network

  • Click on “Add Private Network” and select “manual”

Connecting to VyOS

  • Use “Puttygen” to create an SSH keypair (public + private)
  • Import Public Key to EXOSCALE
  • Create instance in target zone (e.g. VIE) including SSH key and Security Group
  • Connect to VyOS with Putty using the private SSH key

Configuration VyOS

  • Log in as user “vyos”
  • Enter “configure” to go to “Edit” mode
  • Enter the commands below; after replacing the placeholders you can copy and paste each block

set system host-name 'vpn-endpoint'
set interfaces ethernet eth1 address 'Local IP Exoscale/Subnet'

IPSEC base config

set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-level '1'
set vpn ipsec logging log-modes 'any'

IPSEC Phase 1

set vpn ipsec ike-group ike-local-remote close-action 'none'
set vpn ipsec ike-group ike-local-remote dead-peer-detection action 'clear'
set vpn ipsec ike-group ike-local-remote dead-peer-detection interval '30'
set vpn ipsec ike-group ike-local-remote dead-peer-detection timeout '90'
set vpn ipsec ike-group ike-local-remote ikev2-reauth 'no'
set vpn ipsec ike-group ike-local-remote key-exchange 'xxx' (e.g. ikev2)
set vpn ipsec ike-group ike-local-remote lifetime 'xxx' (e.g. 86400)
set vpn ipsec ike-group ike-local-remote proposal 1 dh-group 'XX' (e.g. 21)
set vpn ipsec ike-group ike-local-remote proposal 1 encryption 'xxx' (e.g. aes256gcm128)
set vpn ipsec ike-group ike-local-remote proposal 1 hash 'xxx' (e.g. sha-512)

IPSEC Phase 2

set vpn ipsec esp-group esp-local-remote compression 'disable'
set vpn ipsec esp-group esp-local-remote lifetime 'xxx' (e.g. 3600)
set vpn ipsec esp-group esp-local-remote mode 'tunnel'
set vpn ipsec esp-group esp-local-remote pfs 'xxx' (e.g. dh-group21)
set vpn ipsec esp-group esp-local-remote proposal 1 encryption 'xxx' (e.g. aes256gcm128)
set vpn ipsec esp-group esp-local-remote proposal 1 hash 'xxx' (e.g. sha1)

IPSEC site-to-site config

set vpn ipsec site-to-site peer WAN-IP router authentication id 'WAN-IP Exoscale'
set vpn ipsec site-to-site peer WAN-IP router authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer WAN-IP router authentication pre-shared-secret 'xxx'
set vpn ipsec site-to-site peer WAN-IP router connection-type 'initiate'
set vpn ipsec site-to-site peer WAN-IP router default-esp-group 'esp-local-remote'
set vpn ipsec site-to-site peer WAN-IP router ike-group 'ike-local-remote'
set vpn ipsec site-to-site peer WAN-IP router ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer WAN-IP router local-address 'WAN-IP Exoscale'
set vpn ipsec site-to-site peer WAN-IP router tunnel 0 local prefix 'Local IP Exoscale/Subnet'
set vpn ipsec site-to-site peer WAN-IP router tunnel 0 remote prefix 'Local IP router/Subnet'

Check status of VPN Tunnel

In order to check the status of the new VPN tunnel, type in:

show vpn ipsec sa

IPSEC static routes

To enable connections between devices in your local and remote network, you need to set a static route:

set protocols static route Local IP router/Subnet next-hop Local IP Exoscale
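As an added helper that is not part of this guide, the following Python renders the parameterised commands above and the static route from the placeholder values, validating the addresses and prefixes with the standard ipaddress module before anything is pasted into configure mode. The function name, the minimum secret length and the sample addresses (RFC 5737 documentation ranges) are assumptions.

```python
import ipaddress

MIN_PSK_LEN = 20  # assumed local policy for the pre-shared secret, not a VyOS limit


def render_site2site(wan_router, wan_exoscale, lan_exoscale, lan_router, psk,
                     key_exchange="ikev2", ike_lifetime=86400, esp_lifetime=3600,
                     dh_group=21, encryption="aes256gcm128", hash_alg="sha-512"):
    """Return the parameterised 'set' commands of the guide as a list of strings.

    lan_exoscale / lan_router are host/prefix strings such as '10.0.0.1/24':
    the host part becomes the eth1 address, the network part the tunnel selector.
    """
    peer = ipaddress.ip_address(wan_router)        # raises ValueError if malformed
    local = ipaddress.ip_address(wan_exoscale)
    exo = ipaddress.ip_interface(lan_exoscale)
    rtr = ipaddress.ip_interface(lan_router)
    if exo.network.overlaps(rtr.network):
        raise ValueError("local and remote prefixes overlap; the route would be ambiguous")
    if len(psk) < MIN_PSK_LEN or "'" in psk:
        raise ValueError("pre-shared secret too short or contains a quote")
    ike, esp = "ike-local-remote", "esp-local-remote"
    p = f"site-to-site peer {peer}"
    return [
        "set system host-name 'vpn-endpoint'",
        f"set interfaces ethernet eth1 address '{exo}'",
        "set vpn ipsec ipsec-interfaces interface 'eth0'",
        f"set vpn ipsec ike-group {ike} key-exchange '{key_exchange}'",
        f"set vpn ipsec ike-group {ike} lifetime '{ike_lifetime}'",
        f"set vpn ipsec ike-group {ike} proposal 1 dh-group '{dh_group}'",
        f"set vpn ipsec ike-group {ike} proposal 1 encryption '{encryption}'",
        f"set vpn ipsec ike-group {ike} proposal 1 hash '{hash_alg}'",
        f"set vpn ipsec esp-group {esp} lifetime '{esp_lifetime}'",
        f"set vpn ipsec esp-group {esp} mode 'tunnel'",
        f"set vpn ipsec esp-group {esp} pfs 'dh-group{dh_group}'",
        f"set vpn ipsec esp-group {esp} proposal 1 encryption '{encryption}'",
        f"set vpn ipsec {p} authentication id '{local}'",
        f"set vpn ipsec {p} authentication mode 'pre-shared-secret'",
        f"set vpn ipsec {p} authentication pre-shared-secret '{psk}'",
        f"set vpn ipsec {p} connection-type 'initiate'",
        f"set vpn ipsec {p} default-esp-group '{esp}'",
        f"set vpn ipsec {p} ike-group '{ike}'",
        f"set vpn ipsec {p} local-address '{local}'",
        f"set vpn ipsec {p} tunnel 0 local prefix '{exo.network}'",
        f"set vpn ipsec {p} tunnel 0 remote prefix '{rtr.network}'",
        # static route from the guide, so the remote LAN is reachable via the tunnel
        f"set protocols static route {rtr.network} next-hop {exo.ip}",
    ]
```

Write the returned lines to a file and paste them block by block into configure mode, then commit and save as described under "Useful commands".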

Settings on Windows instance:

You need to set the route in your Windows instances as well:

route add Local IP router MASK Local Subnet Local IP Exoscale -p

Settings on Linux

Please refer to the documentation of your respective OS

Ping remote network to check Tunnel

ping XX.XX.XX.XX

Documentation

• https://vyos.readthedocs.io/en/latest

Useful commands:

• configure to enter configuration mode
    o commit to commit changes
    o save to save changes
    o exit discard to exit without saving changes
• show configuration commands to show the configuration commands of the running config

Cloud-init

Beginning with version 1.2.4, cloud-init can be used to configure the instance.

Example:

set system host-name test01
set interfaces ethernet eth1 address '10.0.0.1/24'

Alternatively, the commands can be fetched from a URL, e.g. http://192.0.2.1/vyos-commands.txt

More information:

• https://github.com/zdc/vyos-cloud-init-userdata