I wasn't aware of the VyOS security device until I was searching for a virtual Vyatta appliance. Then I
learned that Vyatta had actually been acquired by Brocade, and that afterwards a community fork of Vyatta,
which is now VyOS, was brought to life. VyOS uses strongSwan for IPsec, and in this
post I will show how you can configure a simple site-to-site IPsec VPN between an SRX
security device and VyOS. Let's dive right into the config.
{primary:node0}[edit]
root@SRX# show security ike
proposal prop-basic {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 7200;
}
policy pol-basic {
mode main;
proposals prop-basic;
pre-shared-key ascii-text "$9$7BNb24oGji.2gTz6/tp"; ## SECRET-DATA
}
gateway vyos2 {
ike-policy pol-basic;
address 76.1.1.2;
external-interface reth1.953;
}
SRX IPSEC Config
{primary:node0}[edit]
root@SRX# show security ipse
proposal prop-basic {
protocol esp;
{primary:node0}[edit]
root@SRX# show security ipsec
proposal prop-basic {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 3600;
}
policy pol-basic {
proposals prop-basic;
}
vpn vyos2-1 {
bind-interface st0.5;
ike {
gateway vyos2;
proxy-identity {
local 20.1.1.0/24;
remote 10.1.1.0/24;
}
ipsec-policy pol-basic;
}
establish-tunnels immediately;
}
Don't forget the following either, i.e. the st tunnel's family inet, the zone assignment, and allowing the IKE
service on the external interface.
{primary:node0}[edit]
root@SRX# show interfaces st
family inet;
{primary:node0}[edit]
root@SRX# show interfaces st0.5
family inet;
{primary:node0}[edit]
root@SRX# show security zones security-zone VPN
interfaces {
st0.5;
}
root@SRX# show security zones security-zone INTERNET
host-inbound-traffic {
system-services {
ike;
ssh;
ping;
}
}
interfaces {
reth1.953;
}
The SRX side of the IPsec config is complete. Now the VyOS side:
VYOS Phase 2
set vpn ipsec
set vpn ipsec
set vpn ipsec
set vpn ipsec
esp-group esp-co
esp-group esp-co
esp-group esp-co
esp-group esp-co
VYOS Phase 1
set vpn ipsec
set vpn ipsec
set vpn ipsec
set vpn ipsec
ike-group co lifetim
ike-group co prop
ike-group co prop
ike-group co prop
site-to-site peer 1
site-to-site peer 1
site-to-site peer 1
site-to-site peer 1
{primary:node0}
root@SRX> show security ike s
node0:
--------------------------------------
{primary:node0}
root@SRX> show security ike sa
node0:
-------------------------------------------------------------------------
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
2523228  UP     3db0cde4100411fb  0a816f43565434a3  Main  76.1.1.2
{primary:node0}
root@SRX> show security ipsec sa
node0:
-------------------------------------------------------------------------
Total active tunnels: 1
ID       Algorithm      SPI       Life:sec/kb  Mon  lsys  Port  Gateway
<131079  ESP:3des/sha1  8ba57ac1  2470/ unlim  -    root  500   76.1.1.2
>131079  ESP:3des/sha1  ca64d806  2470/ unlim  -    root  500   76.1.1.2
VYOS
vyos@vyos:~$ show vpn ike s
Peer ID / IP
Loc
---------------192.168.9.2
76
It seems everything is right: both Phase 1 and Phase 2 SAs are installed. Note that the 3des-cbc, sha1 and dh-group group2 proposals shown here are legacy choices — prefer AES and SHA-2 with a stronger DH group where both ends support them — and that a Junos $9$ pre-shared-key string is only obfuscated, not encrypted, so it should not be pasted into a public post. Now enjoy your tunnel :)