VyOS: IPSEC VTI to pfSense

1. Configure pfSense first

VPN > IPsec > Add P1

Enter the basic information.

Enter the Phase 1 authentication and proposal:
PSK: test123
Proposal: AES128 > SHA1 > DH Group 2
Lifetime: 86400

Disable DPD > Save > Apply config

Add P2

Mode: Routed (VTI). Enter the local network and the remote network.

Proposal: AES128 > SHA1 > DH Group 16 > Lifetime: 3600

Interfaces > Assignments > Add > Save

Interfaces > OPT1 > Enable > Save > Apply Config

Remember to create firewall rules that allow the traffic on the WAN and IPsec interfaces.
For the LAN firewall rule, I use policy-based routing: all traffic to 8.8.4.4 goes over the IPsec VTI and everything else goes directly to the internet.

2. VyOS

Basic Config

configure
set interfaces ethernet eth0 address '222.255.1.1/24'
set interfaces ethernet eth0 description 'OUTSIDE'
set service ssh port '22'
set firewall name IN default-action 'accept'
set firewall name OUT default-action 'accept'
set firewall name LOCAL default-action 'accept'
set interfaces ethernet eth0 firewall in name 'IN'
set interfaces ethernet eth0 firewall local name 'LOCAL'
set interfaces ethernet eth0 firewall out name 'OUT'
set protocols static route 0.0.0.0/0 next-hop 222.255.1.254 distance '1'
commit

Set up the VTI interface

set interfaces vti vti0 address 10.0.1.1/30
set interfaces vti vti0 description 'VPN_VTI0'

Apply firewall rule to VTI

set interfaces vti vti0 firewall in name 'IN'
set interfaces vti vti0 firewall local name 'LOCAL'
set interfaces vti vti0 firewall out name 'OUT'

Create the P2 template (ESP group)

set vpn ipsec esp-group ESP-Default compression 'disable'
set vpn ipsec esp-group ESP-Default lifetime '3600'
set vpn ipsec esp-group ESP-Default mode 'tunnel'
set vpn ipsec esp-group ESP-Default pfs 'dh-group16'
set vpn ipsec esp-group ESP-Default proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-Default proposal 1 hash 'sha1'

Create the P1 template (IKE group)

set vpn ipsec ike-group IKE-Default ikev2-reauth 'no'
set vpn ipsec ike-group IKE-Default key-exchange 'ikev1'
set vpn ipsec ike-group IKE-Default lifetime '86400'
set vpn ipsec ike-group IKE-Default proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE-Default proposal 1 hash 'sha1'

Choose the interface to use for IPsec

set vpn ipsec ipsec-interfaces interface 'eth0'

Create the IPsec peer

set vpn ipsec site-to-site peer 222.255.2.1 authentication id '222.255.1.1'
set vpn ipsec site-to-site peer 222.255.2.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 222.255.2.1 authentication pre-shared-secret 'test123'
set vpn ipsec site-to-site peer 222.255.2.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 222.255.2.1 default-esp-group 'ESP-Default'
set vpn ipsec site-to-site peer 222.255.2.1 ike-group 'IKE-Default'
set vpn ipsec site-to-site peer 222.255.2.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 222.255.2.1 local-address '222.255.1.1'
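As an added check that is not part of this walkthrough or of VyOS, the following Python script parses the ike-group, esp-group and peer lines above and reports the settings a reviewer would flag (IKEv1, DH group 2, SHA1 and a short pre-shared secret) together with a stronger value for each; the minimum PSK length is an assumed local policy threshold.

```python
"""Audit helper: flag weak IKE/ESP settings in VyOS 'set vpn ipsec' lines (example code)."""
import shlex

# Constructed input: the ike-group, esp-group and peer lines from the walkthrough.
WALKTHROUGH_CONFIG = """
set vpn ipsec esp-group ESP-Default pfs 'dh-group16'
set vpn ipsec esp-group ESP-Default proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-Default proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-Default key-exchange 'ikev1'
set vpn ipsec ike-group IKE-Default proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE-Default proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 222.255.2.1 authentication pre-shared-secret 'test123'
"""

WEAK_HASHES = {"md5", "sha1"}      # integrity algorithms no longer recommended
WEAK_DH_GROUPS = {"1", "2", "5"}   # MODP groups of 1536 bits or less
MIN_PSK_LENGTH = 20                # assumed local policy threshold

def parse_set_lines(text):
    """Yield (path, value) for each 'set ... value' line; shlex removes the quotes."""
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if len(tokens) >= 3 and tokens[0] == "set":
            yield tokens[1:-1], tokens[-1]

def dh_group_number(value):
    """'dh-group16' -> '16', '2' -> '2' (pfs and dh-group spell the group differently)."""
    return value[len("dh-group"):] if value.startswith("dh-group") else value

def audit(text):
    """Return one finding per weak setting, naming the config node and a stronger value."""
    findings = []
    for path, value in parse_set_lines(text):
        node, where = path[-1], " ".join(path)
        if node == "key-exchange" and value == "ikev1":
            findings.append(f"{where}: IKEv1; use key-exchange 'ikev2'")
        elif node in ("dh-group", "pfs") and dh_group_number(value) in WEAK_DH_GROUPS:
            findings.append(f"{where}: {value}; use group 14 or higher")
        elif node == "hash" and value in WEAK_HASHES:
            findings.append(f"{where}: {value}; use 'sha256' or stronger")
        elif node == "pre-shared-secret" and len(value) < MIN_PSK_LENGTH:
            findings.append(f"{where}: PSK is {len(value)} chars; use a random one of {MIN_PSK_LENGTH}+")
    return findings

if __name__ == "__main__":
    for finding in audit(WALKTHROUGH_CONFIG):
        print(finding)
```

The same stronger values apply on the pfSense side, since both peers must offer matching proposals for the tunnel to come up.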

Bind VTI to IPSEC

set vpn ipsec site-to-site peer 222.255.2.1 vti bind vti0
set vpn ipsec site-to-site peer 222.255.2.1 vti esp-group ESP-Default

Add a route back to the pfSense LAN and a source NAT rule so that its traffic can reach the internet.

set protocols static route 172.17.3.0/24 next-hop 10.0.1.2 distance '1'
set nat source rule 103 outbound-interface 'eth0'
set nat source rule 103 source address '172.17.3.0/24'
set nat source rule 103 translation address 'masquerade'

Commit and Save

commit
save

Result from a client on the pfSense LAN: a tracert to 8.8.4.4 goes through the IPsec VTI.
