Lab - 012 VyOS VPN

The document provides instructions for setting up a VPN between two VyOS routers to connect two network sites. Key steps include configuring interfaces, NAT, firewall rules, IPsec VPN settings and ensuring connectivity across the VPN by pinging and using Wireshark to view encrypted traffic.

Uploaded by

sara hashemi

VyOS VPN Lab

For this lab you will need 2 VyOS router images; you can’t reuse a VM in the same project, so refer to
prior labs to create another selectable VyOS router.

Create the network below:

Please note IP addresses & Ports!

Use the ‘ip’ and ‘show ip’ commands to configure the nodes, or better still, once the routers are
configured, use the ‘ip dhcp’ command so the nodes take their addresses from the routers’ DHCP servers.

Observe and execute the following commands.

For Site A

configure

set interfaces ethernet eth1 address 10.0.0.1/24
set interfaces ethernet eth1 description 'INSIDE'
set interfaces ethernet eth0 address 192.168.0.20/24
set interfaces ethernet eth0 description 'OUTSIDE'

# router IP if connected to the internet; do not use in this lab
# set system gateway-address 192.168.0.1

set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '10.0.0.0/24'
set nat source rule 100 translation address masquerade

set service dhcp-server disabled 'false'
set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 default-router '10.0.0.1'
set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 dns-server '10.0.0.1'
set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 domain-name 'internal-network-siteA'
set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 start 10.0.0.20 stop 10.0.0.100

# use this if using the internet; do not use in this lab
# set service dns forwarding cache-size '0'
# set service dns forwarding listen-on 'eth1'
# set service dns forwarding name-server '8.8.8.8'
# set service dns forwarding name-server '8.8.4.4'

# OUTSIDE-IN: traffic forwarded through the router from eth0
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
# rule 20 admits Site B's LAN, which arrives on eth0 after the tunnel decrypts it
set firewall name OUTSIDE-IN rule 20 action accept
set firewall name OUTSIDE-IN rule 20 source address 10.1.0.0/24

# OUTSIDE-LOCAL: traffic addressed to the router itself on eth0
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action accept
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
# rule 30 drops a source that opens more than 4 new SSH connections in 60 seconds;
# rule 31 accepts the remaining SSH connections
set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'

set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'

set vpn ipsec esp-group SiteA-esp compression 'disable'
set vpn ipsec esp-group SiteA-esp lifetime '1800'
set vpn ipsec esp-group SiteA-esp mode 'tunnel'
set vpn ipsec esp-group SiteA-esp pfs 'enable'
set vpn ipsec esp-group SiteA-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group SiteA-esp proposal 1 hash 'sha1'

set vpn ipsec ike-group SiteA-ike ikev2-reauth 'no'
set vpn ipsec ike-group SiteA-ike key-exchange 'ikev1'
set vpn ipsec ike-group SiteA-ike lifetime '3600'
set vpn ipsec ike-group SiteA-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group SiteA-ike proposal 1 hash 'sha1'

set vpn ipsec ipsec-interfaces interface 'eth0'

# 192.168.0.21 is Site B's eth0; replace PASSWORD with a strong secret that is identical on both routers
set vpn ipsec site-to-site peer 192.168.0.21 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.0.21 authentication pre-shared-secret PASSWORD
set vpn ipsec site-to-site peer 192.168.0.21 ike-group SiteA-ike
set vpn ipsec site-to-site peer 192.168.0.21 local-address 192.168.0.20
set vpn ipsec site-to-site peer 192.168.0.21 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 192.168.0.21 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 192.168.0.21 tunnel 0 esp-group 'SiteA-esp'
set vpn ipsec site-to-site peer 192.168.0.21 tunnel 0 local prefix '10.0.0.0/24'
set vpn ipsec site-to-site peer 192.168.0.21 tunnel 0 remote prefix 10.1.0.0/24

# rule 10 is evaluated before rule 100, so LAN-to-LAN traffic is not masqueraded and still matches the tunnel
set nat source rule 10 destination address 10.1.0.0/24
set nat source rule 10 exclude
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 10.0.0.0/24

commit
save

Similarly, copy the above config, alter the key parts (hint: IP addresses and site names) and configure Site B.
Then stop and start your simulation.
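Producing Site B by hand-editing a copy of Site A is where most tunnel failures start: a peer address, prefix or NAT exclusion left at Site A's value is enough to keep the SA from coming up, or to send traffic around the tunnel. The script below is an added example, not part of the lab: it renders the site-specific lines for both routers from a few parameters and then cross-checks the pair the way you would by eye. Site A's addresses and Site B's eth0 address (192.168.0.21) and LAN (10.1.0.0/24) are taken from the lab; Site B's eth1 address 10.1.0.1/24 and the hypothetical host names are assumed. Only the lines that differ between the two sites are rendered; the DHCP, firewall and IKE/ESP group settings that are identical on both are not repeated.

```python
"""Render the site-specific VyOS 1.1 commands for two IPsec sites and
cross-check the pair for the errors that creep in when Site B is made by
hand-editing a copy of Site A (added example, not part of the lab)."""
import ipaddress
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str      # prefix for the ike/esp group names, e.g. "SiteA"
    inside: str    # eth1 address with prefix length, e.g. "10.0.0.1/24"
    outside: str   # eth0 address with prefix length, e.g. "192.168.0.20/24"

    @property
    def lan(self) -> str:
        return str(ipaddress.ip_interface(self.inside).network)

    @property
    def wan_ip(self) -> str:
        return str(ipaddress.ip_interface(self.outside).ip)


def render(local: Site, remote: Site, psk: str) -> list:
    """'set' lines for `local` peering with `remote`; only the parts of the
    lab config that differ between the two sites are rendered."""
    peer, grp = f"vpn ipsec site-to-site peer {remote.wan_ip}", local.name
    return [
        f"set interfaces ethernet eth1 address {local.inside}",
        f"set interfaces ethernet eth0 address {local.outside}",
        # rule 10 sorts before the masquerade rule 100, so tunnel traffic keeps its LAN source
        f"set nat source rule 10 destination address {remote.lan}",
        "set nat source rule 10 exclude",
        "set nat source rule 10 outbound-interface eth0",
        f"set nat source rule 10 source address {local.lan}",
        "set firewall name OUTSIDE-IN rule 20 action accept",
        f"set firewall name OUTSIDE-IN rule 20 source address {remote.lan}",
        f"set vpn ipsec esp-group {grp}-esp proposal 1 encryption aes256",
        f"set vpn ipsec esp-group {grp}-esp proposal 1 hash sha1",
        f"set vpn ipsec ike-group {grp}-ike proposal 1 encryption aes256",
        f"set vpn ipsec ike-group {grp}-ike proposal 1 hash sha1",
        f"set {peer} authentication mode pre-shared-secret",
        f"set {peer} authentication pre-shared-secret {psk}",
        f"set {peer} ike-group {grp}-ike",
        f"set {peer} local-address {local.wan_ip}",
        f"set {peer} tunnel 0 esp-group {grp}-esp",
        f"set {peer} tunnel 0 local prefix {local.lan}",
        f"set {peer} tunnel 0 remote prefix {remote.lan}",
    ]


def parse(lines):
    """Map each 'set' path (every token but the last) to its value token."""
    cfg = {}
    for line in lines:
        tok = shlex.split(line)          # also strips the lab's 'quoted' values
        if tok and tok[0] == "set":
            cfg[tuple(tok[1:-1])] = tok[-1]
    return cfg


P = ("vpn", "ipsec", "site-to-site", "peer")


def _peer(cfg):
    for key in cfg:
        if key[:4] == P and len(key) > 4:
            return key[4]
    raise ValueError("no site-to-site peer configured")


def check_pair(lines_a, lines_b):
    """List the ways two sites' configs fail to mirror each other; an empty
    list means the tunnel parameters are consistent."""
    a, b = parse(lines_a), parse(lines_b)
    pa, pb = _peer(a), _peer(b)
    problems = []

    def want(cfg, key, expected, what):
        if cfg.get(key) != expected:
            problems.append(f"{what}: expected {expected!r}, got {cfg.get(key)!r}")

    lan_a = a.get(P + (pa, "tunnel", "0", "local", "prefix"))
    lan_b = b.get(P + (pb, "tunnel", "0", "local", "prefix"))
    for cfg, peer, other, there, tag in ((a, pa, pb, lan_b, "A"), (b, pb, pa, lan_a, "B")):
        want(cfg, P + (peer, "local-address"), other, f"{tag} local-address must be the other side's peer")
        want(cfg, P + (peer, "tunnel", "0", "remote", "prefix"), there, f"{tag} remote prefix")
        want(cfg, ("nat", "source", "rule", "10", "destination", "address"), there, f"{tag} NAT exclude destination")
        want(cfg, ("firewall", "name", "OUTSIDE-IN", "rule", "20", "source", "address"), there, f"{tag} OUTSIDE-IN rule 20 source")
    want(b, P + (pb, "authentication", "pre-shared-secret"),
         a.get(P + (pa, "authentication", "pre-shared-secret")), "pre-shared-secret")
    # algorithms are compared through the group each peer references, so the
    # group names may differ between sites while the proposals must not
    for kind, ref in (("ike-group", ("ike-group",)), ("esp-group", ("tunnel", "0", "esp-group"))):
        ga, gb = a.get(P + (pa,) + ref), b.get(P + (pb,) + ref)
        for field in ("encryption", "hash"):
            expected = a.get(("vpn", "ipsec", kind, ga, "proposal", "1", field))
            want(b, ("vpn", "ipsec", kind, gb, "proposal", "1", field), expected, f"{kind} {field}")
    return problems


SITE_A = Site("SiteA", "10.0.0.1/24", "192.168.0.20/24")  # as in the lab
SITE_B = Site("SiteB", "10.1.0.1/24", "192.168.0.21/24")  # eth1 address assumed
PSK = "PASSWORD"  # the lab's placeholder; use one long random secret on both routers


def demo():
    cfg_a, cfg_b = render(SITE_A, SITE_B, PSK), render(SITE_B, SITE_A, PSK)
    # a half-edited copy: addresses changed, but Site A's remote prefix left in place
    half_edited = [l.replace("remote prefix 10.0.0.0/24", "remote prefix 10.1.0.0/24") for l in cfg_b]
    return check_pair(cfg_a, cfg_b), check_pair(cfg_a, half_edited)


if __name__ == "__main__":
    print("\n".join(render(SITE_B, SITE_A, PSK)))
    for problem in demo()[1]:
        print("MISMATCH:", problem)
```

Running it prints the Site B lines to paste into `configure`, then the single mismatch found in the half-edited copy (Site B's remote prefix still pointing at its own LAN). Because `parse` reads plain `set` lines, the same `check_pair` can be run over `show configuration commands` output saved from both routers after you commit.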

Confirm configurations with the commands…

‘show interfaces’

‘sh vpn ipsec sa’

Then ping across the network. Initially it won’t work: the first attempts fail until the IPsec security
association has come up, so try from both sides and it will work on the second try.

Use Wireshark to confirm that the packets crossing the link are encrypted (the ESP protocol is used).
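What the Wireshark step should show, and what it must not, can be put into code. The block below is an added example, not part of the lab: it builds a small constructed capture of the kind you would see on eth0 (IKE on UDP 500, then ESP between the two router addresses from the lab), classifies each packet from its IPv4 header, and flags any cleartext packet that touches a LAN address, since such a packet bypassed the tunnel. The host 10.1.0.5 and the SPI values are assumed; no real traffic is parsed.

```python
"""Classify IPv4 packets captured on a router's outside interface the way
the lab's Wireshark step does by eye: traffic between the two LANs must
appear only as ESP between the WAN addresses, never as cleartext addressed
to a LAN (added example, not part of the lab; the capture below is
constructed from the lab's addresses plus an assumed host 10.1.0.5)."""
import ipaddress
import struct

ESP, UDP, ICMP = 50, 17, 1
LANS = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("10.1.0.0/24")]
A_WAN, B_WAN = "192.168.0.20", "192.168.0.21"


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 packet: 20-byte header without options, checksum left 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


def esp(spi, seq, ciphertext):
    return struct.pack("!II", spi, seq) + ciphertext  # SPI and sequence are the only cleartext fields


def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def icmp_echo():
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"


def classify(pkt):
    """Return src, dst and what kind of packet this is on the outside link."""
    _, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    body = pkt[(pkt[0] & 0x0F) * 4:total]
    info = {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst))}
    if proto == ESP:
        spi, seq = struct.unpack("!II", body[:8])
        info.update(kind="ESP", spi=spi, seq=seq)  # the inner 10.x addresses are not visible
    elif proto == UDP:
        ports = struct.unpack("!HH", body[:4])
        info["kind"] = "IKE" if 500 in ports else "NAT-T" if 4500 in ports else f"UDP/{ports[1]}"
    elif proto == ICMP:
        info["kind"] = "ICMP"
    else:
        info["kind"] = f"proto/{proto}"
    return info


def audit(packets):
    """Tally packet kinds and flag any non-ESP packet touching a LAN address:
    that traffic bypassed the tunnel (for example when NAT rule 10 'exclude'
    is missing and the masqueraded ping no longer matches the tunnel's local prefix)."""
    counts, leaks = {}, []
    for pkt in packets:
        info = classify(pkt)
        counts[info["kind"]] = counts.get(info["kind"], 0) + 1
        ends = (ipaddress.ip_address(info["src"]), ipaddress.ip_address(info["dst"]))
        if info["kind"] != "ESP" and any(ip in lan for ip in ends for lan in LANS):
            leaks.append(info)
    return counts, leaks


CAPTURE = [                                                  # constructed sample capture
    ipv4(A_WAN, B_WAN, UDP, udp(500, 500, b"\x00" * 28)),    # IKEv1 negotiation
    ipv4(B_WAN, A_WAN, UDP, udp(500, 500, b"\x00" * 28)),
    ipv4(A_WAN, B_WAN, ESP, esp(0xC0FFEE, 1, b"\x9d" * 64)),  # the ping, encrypted
    ipv4(B_WAN, A_WAN, ESP, esp(0xBEEF01, 1, b"\x42" * 64)),  # the reply, encrypted
    ipv4(A_WAN, "10.1.0.5", ICMP, icmp_echo()),              # a ping that missed the tunnel
]


def demo():
    return audit(CAPTURE)


if __name__ == "__main__":
    counts, leaks = demo()
    print(counts)
    for leak in leaks:
        print("CLEARTEXT TO LAN:", leak)
```

A healthy capture from this lab contains only IKE and ESP between 192.168.0.20 and 192.168.0.21; the last constructed packet is the signature of a missing NAT exclusion, where the ping leaves the router with its source rewritten to the eth0 address and is sent unencrypted.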

Restore to defaults!

configure
load /opt/vyatta/etc/config.boot.default
commit
save
