
IPSEC between SRX and VYOS

I wasn't aware of the VyOS security device until I was searching for a virtual Vyatta appliance. Then I
learned that Vyatta had been acquired by Brocade, and after that a community fork of Vyatta,
now called VyOS, was brought to life. VyOS uses strongSwan for IPsec, and in this
post I will show how you can configure a simple site-to-site IPsec VPN between an SRX
security device and VyOS. Let's dive right into the config.

First, configure IKE and IPsec on the SRX side.


SRX IKE Config

{primary:node0}[edit]
root@SRX# show security ike
proposal prop-basic {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 7200;
}
policy pol-basic {
mode main;
proposals prop-basic;
pre-shared-key ascii-text "$9$7BNb24oGji.2gTz6/tp"; ## SECRET-DATA
}

gateway vyos2 {
ike-policy pol-basic;
address 76.1.1.2;
external-interface reth1.953;
}
SRX IPSEC Config

{primary:node0}[edit]
root@SRX# show security ipsec
proposal prop-basic {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 3600;
}
policy pol-basic {
proposals prop-basic;
}
vpn vyos2-1 {
bind-interface st0.5;
ike {
gateway vyos2;
proxy-identity {
local 20.1.1.0/24;
remote 10.1.1.0/24;
}
ipsec-policy pol-basic;
}
establish-tunnels immediately;
}
Don't forget the following either, i.e. the st0 tunnel interface's family inet, the zone assignment, and allowing the IKE
service on the external interface.


{primary:node0}[edit]
root@SRX# show interfaces st0.5
family inet;
{primary:node0}[edit]
root@SRX# show security zones security-zone VPN
interfaces {
st0.5;
}
root@SRX# show security zones security-zone INTERNET
host-inbound-traffic {
system-services {
ike;
ssh;
ping;
}
}
interfaces {
reth1.953;
}
The SRX side of the IPsec config is completed. Now the VyOS side:
VYOS Phase 2

set vpn ipsec esp-group esp-co compression 'disable'


set vpn ipsec esp-group esp-co lifetime '3600'
set vpn ipsec esp-group esp-co mode 'tunnel'
set vpn ipsec esp-group esp-co pfs 'disable'
set vpn ipsec esp-group esp-co proposal 1 encryption '3des'
set vpn ipsec esp-group esp-co proposal 1 hash 'sha1'

VYOS Phase 1

set vpn ipsec ike-group co lifetime '7200'


set vpn ipsec ike-group co proposal 1 dh-group '2'
set vpn ipsec ike-group co proposal 1 encryption '3des'
set vpn ipsec ike-group co proposal 1 hash 'sha1'
Enable IPsec on the interface

set vpn ipsec ipsec-interfaces interface 'eth1.1400'


Remote Peer Config

set vpn ipsec site-to-site peer 192.168.9.2 authentication id '76.1.1.2'


set vpn ipsec site-to-site peer 192.168.9.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.9.2 authentication pre-shared-secret 'lab123'
set vpn ipsec site-to-site peer 192.168.9.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.168.9.2 default-esp-group 'esp-co'
set vpn ipsec site-to-site peer 192.168.9.2 ike-group 'co'
set vpn ipsec site-to-site peer 192.168.9.2 local-address '76.1.1.2'
set vpn ipsec site-to-site peer 192.168.9.2 tunnel 1 local prefix '10.1.1.0/24'
set vpn ipsec site-to-site peer 192.168.9.2 tunnel 1 protocol 'all'
set vpn ipsec site-to-site peer 192.168.9.2 tunnel 1 remote prefix '20.1.1.0/24'
Now it is verification time.
SRX


{primary:node0}
root@SRX> show security ike sa
node0:
-------------------------------------------------------------------------
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
2523228  UP     3db0cde4100411fb  0a816f43565434a3  Main  76.1.1.2
{primary:node0}
root@SRX> show security ipsec sa
node0:
-------------------------------------------------------------------------
Total active tunnels: 1
ID       Algorithm      SPI       Life:sec/kb  Mon  lsys  Port  Gateway
<131079  ESP:3des/sha1  8ba57ac1  2470/ unlim  -    root  500   76.1.1.2
>131079  ESP:3des/sha1  ca64d806  2470/ unlim  -    root  500   76.1.1.2
VYOS

vyos@vyos:~$ show vpn ike sa


Peer ID / IP                            Local ID / IP
------------                            -------------
192.168.9.2                             76.1.1.2

    State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----  -------  -----  ------  ------
    up     3des     sha1  2        no     2180    7200
vyos@vyos:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
192.168.9.2                             76.1.1.2

    Tunnel  State  Bytes Out/In  Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  ------------  -------  ----  -----  ------  ------  -----
    1       up     0.0/0.0       3des     sha1  no     1943    3600    all

It seems everything is right: both Phase 1 and Phase 2 SAs are installed, which is expected because the proposals match on both sides (3DES/SHA-1, DH group 2, IKE lifetime 7200 s and IPsec lifetime 3600 s). Now enjoy your tunnel :)
