Here is the configuration of three routers (one is the gateway, the other two are the endpoints of the IPsec connection).
Gateway
set system host-name Gateway
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'OUTSIDE'
set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth1 description 'LAN1'
set interfaces ethernet eth2 address '192.168.1.1/24'
set interfaces ethernet eth2 description 'LAN2'
set service dhcp-server shared-network-name LAN1 subnet 192.168.0.0/24 default-router '192.168.0.1'
set service dhcp-server shared-network-name LAN1 subnet 192.168.0.0/24 dns-server '192.168.0.1'
set service dhcp-server shared-network-name LAN1 subnet 192.168.0.0/24 domain-name 'vyos.net'
set service dhcp-server shared-network-name LAN1 subnet 192.168.0.0/24 lease '86400'
set service dhcp-server shared-network-name LAN1 subnet 192.168.0.0/24 range 0 start 192.168.0.9
set service dhcp-server shared-network-name LAN1 subnet 192.168.0.0/24 range 0 stop '192.168.0.254'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.0.0/23'
set nat source rule 100 translation address masquerade
R1
set system host-name R1
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'gateway'
set interfaces ethernet eth1 address '172.16.0.1/24'
set interfaces ethernet eth1 description 'LAN'
set vpn ipsec esp-group london-berlin-esp compression 'disable'
set vpn ipsec esp-group london-berlin-esp lifetime '1800'
set vpn ipsec esp-group london-berlin-esp mode 'tunnel'
set vpn ipsec esp-group london-berlin-esp pfs 'enable'
set vpn ipsec esp-group london-berlin-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group london-berlin-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group london-berlin-ike ikev2-reauth 'no'
set vpn ipsec ike-group london-berlin-ike key-exchange 'ikev1'
set vpn ipsec ike-group london-berlin-ike lifetime '3600'
set vpn ipsec ike-group london-berlin-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group london-berlin-ike proposal 1 hash 'sha1'
set vpn ipsec ike-group london-berlin-ike proposal 1 dh-group 2
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 192.168.1.2 authentication id @R1
set vpn ipsec site-to-site peer 192.168.1.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.1.2 authentication pre-shared-secret 'SomePreSharedKey'
set vpn ipsec site-to-site peer 192.168.1.2 ike-group 'london-berlin-ike'
set vpn ipsec site-to-site peer 192.168.1.2 connection-type initiate
set vpn ipsec site-to-site peer 192.168.1.2 dhcp-interface 'eth0'
set vpn ipsec site-to-site peer 192.168.1.2 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 192.168.1.2 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 192.168.1.2 tunnel 0 esp-group 'london-berlin-esp'
set vpn ipsec site-to-site peer 192.168.1.2 tunnel 0 local prefix '172.16.0.0/24'
set vpn ipsec site-to-site peer 192.168.1.2 tunnel 0 remote prefix '10.10.10.0/24'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '172.16.0.0/24'
set nat source rule 100 translation address masquerade
set protocols static route 0.0.0.0/0 next-hop 192.168.0.1
R2
set system host-name R2
set interfaces ethernet eth0 address '192.168.1.2/24'
set interfaces ethernet eth0 description 'gateway'
set interfaces ethernet eth1 address '10.10.10.1/24'
set interfaces ethernet eth1 description 'LAN'
set vpn ipsec esp-group london-berlin-esp compression 'disable'
set vpn ipsec esp-group london-berlin-esp lifetime '1800'
set vpn ipsec esp-group london-berlin-esp mode 'tunnel'
set vpn ipsec esp-group london-berlin-esp pfs 'enable'
set vpn ipsec esp-group london-berlin-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group london-berlin-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group london-berlin-ike ikev2-reauth 'no'
set vpn ipsec ike-group london-berlin-ike key-exchange 'ikev1'
set vpn ipsec ike-group london-berlin-ike lifetime '3600'
set vpn ipsec ike-group london-berlin-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group london-berlin-ike proposal 1 hash 'sha1'
set vpn ipsec ike-group london-berlin-ike proposal 1 dh-group 2
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer @R1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer @R1 authentication pre-shared-secret 'SomePreSharedKey'
set vpn ipsec site-to-site peer @R1 ike-group 'london-berlin-ike'
set vpn ipsec site-to-site peer @R1 connection-type respond
set vpn ipsec site-to-site peer @R1 authentication remote-id @R1
set vpn ipsec site-to-site peer @R1 local-address '192.168.1.2'
set vpn ipsec site-to-site peer @R1 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer @R1 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer @R1 tunnel 0 esp-group 'london-berlin-esp'
set vpn ipsec site-to-site peer @R1 tunnel 0 local prefix '10.10.10.0/24'
set vpn ipsec site-to-site peer @R1 tunnel 0 remote prefix '172.16.0.0/24'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '10.10.10.0/24'
set nat source rule 100 translation address masquerade
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
The tunnel comes up:
vyos@R1:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
192.168.1.2 192.168.1.2 192.168.0.9 R1

    State  IKEVer  Encrypt      Hash          D-H Group  NAT-T  A-Time  L-Te
    -----  ------  -------      ----          ---------  -----  ------  ----
    up     IKEv1   AES_CBC_256  HMAC_SHA1_96  MODP_1024  no     30      0

vyos@R1:~$ show vpn ipsec sa
Connection                 State    Uptime    Bytes In/Out    Packets In/Out    l
-------------------------  -------  --------  --------------  ----------------  -
peer-192.168.1.2-tunnel-0  up       37s       0B/0B           0/0               4
Here is the output of `sudo swanctl -L`. Note the `local:` entries: the bracketed list written into ipsec.conf has been split at its commas into three separate local addresses, `['192.168.0.9/24'`, `fe80::5210:ff:fe02:0/64` and `]`, instead of the single DHCP address of eth0.
peer-192.168.1.2-tunnel-0: , no reauthentication, no rekeying
  local:  ['192.168.0.9/24'
  local:  fe80::5210:ff:fe02:0/64
  local:  ]
  remote: 192.168.1.2
  local pre-shared key authentication:
    id: R1
  remote pre-shared key authentication:
    id: 192.168.1.2
  peer-192.168.1.2-tunnel-0: TUNNEL, rekeying every 1260s
    local:  172.16.0.0/24
    remote: 10.10.10.0/24
And the output of `sudo ip -6 a`:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 fe80::200:ff:fe00:0/64 scope link
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::5210:ff:fe02:0/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::5210:ff:fe02:1/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::5210:ff:fe02:2/64 scope link
       valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::5210:ff:fe02:3/64 scope link
       valid_lft forever preferred_lft forever
And the generated files:
/etc/ipsec.conf
# Created by VyOS - manual changes will be overwritten

config setup
  charondebug = ""
  uniqueids = yes

conn peer-192.168.1.2
  authby = secret
  left = ['192.168.0.9/24', 'fe80::5210:ff:fe02:0/64'] # dhcp:eth0
  leftid = "@R1"
  right = 192.168.1.2
  keylife = 3600s
  rekeymargin = 540s
  keyexchange = ikev1
  ike = aes256-sha1-modp1024!
  ikelifetime = 3600s
  reauth = no
  closeaction = none

conn peer-192.168.1.2-tunnel-0
  also = peer-192.168.1.2
  leftsubnet = 172.16.0.0/24[%any/%any]
  rightsubnet = 10.10.10.0/24[%any/%any]
  esp = aes256-sha1-modp1024!
  keylife = 1800s
  compress = no
  type = tunnel
  auto = start
  keyingtries = %forever

conn peer-192.168.1.2-tunnel-0-passthough
  left = ['192.168.0.9/24', 'fe80::5210:ff:fe02:0/64']
  right = 192.168.1.2
  leftsubnet = 172.16.0.0/24
  rightsubnet = 172.16.0.0/24
  type = passthrough
  authby = never
  auto = route
and /etc/ipsec.secret:
# Created by VyOS - manual changes will be overwritten

['192.168.0.9/24', 'fe80::5210:ff:fe02:0/64'] 192.168.1.2 @R1 : PSK "SomePreSharedKey" # dhcp:eth0