{"id":1328,"date":"2020-12-25T23:32:42","date_gmt":"2020-12-25T16:32:42","guid":{"rendered":"https:\/\/lagonet.vn\/?p=1328"},"modified":"2020-12-25T23:32:42","modified_gmt":"2020-12-25T16:32:42","slug":"vyos-ipsec-vti-to-pfsense","status":"publish","type":"post","link":"https:\/\/kb.lagonet.vn\/?p=1328","title":{"rendered":"VyOS: IPSEC VTI to pfSense"},"content":{"rendered":"
\n

VyOS: IPSEC VTI to Pfsense<\/h1>\n<\/header>\n
\n
\"\"<\/figure>\n

1. Config on Pfsense first<\/strong><\/p>\n

VPN > IPSEC > Add P1<\/p>\n

\"\"<\/figure>\n

Input basic information<\/p>\n

\"\"<\/figure>\n

Input Phase 1 authenticate and proposal.
\nPSK: test123
\nProposal: AES128 > SHA1 > DH Group 2
\nTime 86400<\/p>\n

\"\"<\/figure>\n

Disable DPD > Save > Apply config<\/p>\n

\"\"<\/figure>\n

Add P2<\/p>\n

\"\"<\/figure>\n

Mode: Routed VTI. Input Local network and remote network<\/p>\n

\"\"<\/figure>\n

Proposal: AES 128 > SHA 1 > DH Group 16 > Time: 3600<\/p>\n

\"\"<\/figure>\n

Interface > Assignment > Add Save<\/p>\n

\"\"<\/figure>\n

Interface > OPT1 > Enable > Save > Apply Config<\/p>\n

\"\"<\/figure>\n

Remember create Firewall rule to allow all interfaces like WAN and IPSEC
\nAnd about Firewall rule for LAN, i use Policy base route, all traffic to 8.8.4.4 will go to IPSEC VTI and other will go direct internet.<\/p>\n

\"\"<\/figure>\n

2. VyOS<\/strong><\/p>\n

Basic Config<\/p>\n

configure\nset interfaces ethernet eth0 address '222.255.1.1\/24'\nset interfaces ethernet eth0 description 'OUTSIDE'\nset service ssh port '22'\nset firewall name IN default-action 'accept'\nset firewall name OUT default-action 'accept'\nset firewall name LOCAL default-action 'accept'\nset interfaces ethernet eth0 firewall in name 'IN'\nset interfaces ethernet eth0 firewall local name 'LOCAL'\nset interfaces ethernet eth0 firewall out name 'OUT'\nset protocols static route 0.0.0.0\/0 next-hop 222.255.1.254 distance '1'\ncommit<\/code><\/pre>\n
Set interface VTI<\/p>\n
set interfaces vti vti0 address 10.0.1.1\/30\nset interfaces vti vti0 description 'VPN_VTI0'<\/code><\/pre>\n
Apply firewall rule to VTI<\/p>\n
set interfaces vti vti0 firewall in name 'IN'\nset interfaces vti vti0 firewall local name 'LOCAL'\nset interfaces vti vti0 firewall out name 'OUT'<\/code><\/pre>\n
Create template P2<\/p>\n
set vpn ipsec esp-group ESP-Default compression 'disable'\nset vpn ipsec esp-group ESP-Default lifetime '3600'\nset vpn ipsec esp-group ESP-Default mode 'tunnel'\nset vpn ipsec esp-group ESP-Default pfs 'dh-group16'\nset vpn ipsec esp-group ESP-Default proposal 1 encryption 'aes128'\nset vpn ipsec esp-group ESP-Default proposal 1 hash 'sha1' <\/code><\/pre>\n
Create template P1<\/p>\n
set vpn ipsec ike-group IKE-Default ikev2-reauth 'no'\nset vpn ipsec ike-group IKE-Default key-exchange 'ikev1'\nset vpn ipsec ike-group IKE-Default lifetime '86400'\nset vpn ipsec ike-group IKE-Default proposal 1 dh-group '2'\nset vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes128'\nset vpn ipsec ike-group IKE-Default proposal 1 hash 'sha1'<\/code><\/pre>\n
Choose interface will using for IPSEC<\/p>\n
set vpn ipsec ipsec-interfaces interface 'eth0' <\/code><\/pre>\n
Create IPSEC<\/p>\n
set vpn ipsec site-to-site peer 222.255.2.1 authentication id '222.255.1.1'\nset vpn ipsec site-to-site peer 222.255.2.1 authentication mode 'pre-shared-secret'\nset vpn ipsec site-to-site peer 222.255.2.1 authentication pre-shared-secret 'test123'\nset vpn ipsec site-to-site peer 222.255.2.1 connection-type 'initiate'\nset vpn ipsec site-to-site peer 222.255.2.1 default-esp-group 'ESP-Default'\nset vpn ipsec site-to-site peer 222.255.2.1 ike-group 'IKE-Default'\nset vpn ipsec site-to-site peer 222.255.2.1 ikev2-reauth 'inherit'\nset vpn ipsec site-to-site peer 222.255.2.1 local-address '222.255.1.1'\n<\/code><\/pre>\n
Bind VTI to IPSEC<\/p>\n
set vpn ipsec site-to-site peer 222.255.2.1 vti bind vti0\nset vpn ipsec site-to-site peer 222.255.2.1 vti esp-group ESP-Default<\/code><\/pre>\n
Route back to LAN of Pfsense and NAT thus traffic can go out internet.<\/p>\n
set protocols static route 172.17.3.0\/24 next-hop 10.0.1.2 distance '1'\nset nat source rule 103 outbound-interface 'eth0'\nset nat source rule 103 source address '172.17.3.0\/24'\nset nat source rule 103 translation address 'masquerade'<\/code><\/pre>\n
Commit and Save<\/p>\n
commit\nsave<\/code><\/pre>\n
Result from Client at Pfsense LAN. tracert to 8.8.4.4 will go by IPSEC VTI<\/p>\n
\"\"<\/figure>\n
<\/div>\n
<\/i>\u00a0145 total views<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
VyOS: IPSEC VTI to Pfsense 1. Config on Pfsense first VPN > IPSEC > Add P1 Input basic information Input […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[25,16,6],"tags":[],"class_list":["post-1328","post","type-post","status-publish","format-standard","hentry","category-cisco","category-courses","category-networking"],"_links":{"self":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts\/1328","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1328"}],"version-history":[{"count":0,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=\/wp\/v2\/posts\/1328\/revisions"}],"wp:attachment":[{"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1328"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1328"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kb.lagonet.vn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1328"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}