IPsec with vShield

From VyOS Wiki

vShield is a VMware network virtualization product.

In this example we set up an IPsec tunnel between vShield and VyOS.

Settings

vShield side address: 192.0.2.1

VyOS address: 203.0.113.1

vShield local network: 10.46.128.0/26

VyOS local network: 10.46.94.0/24

Pre-shared key: testpsk123

Encryption: AES-128

Perfect Forward Secrecy: enabled

DH Group: 2

vShield side

You can read about vShield configuration in the VMware knowledge base.

[Screenshot: Vshield ipsec.png, the vShield-side IPsec VPN configuration]

VyOS side

In the vShield settings, "AES" means AES-128, so the VyOS proposals below use aes128.

The local and remote ID settings on the vShield side have no effect on this configuration.

 vpn {
     ipsec {
         esp-group vShield {
             compression disable
             lifetime 3600
             mode tunnel
             pfs enable
             proposal 1 {
                 encryption aes128
                 hash sha1
             }
         }
         ike-group vShield {
             key-exchange ikev1
             lifetime 28800
             proposal 1 {
                 encryption aes128
                 hash sha1
             }
         }
         ipsec-interfaces {
             interface eth0
         }
         site-to-site {
             peer 192.0.2.1 {
                 authentication {
                     mode pre-shared-secret
                     pre-shared-secret testpsk123
                 }
                 connection-type initiate
                 ike-group vShield
                 local-address 203.0.113.1
                 tunnel 1 {
                     allow-nat-networks disable
                     allow-public-networks disable
                     esp-group vShield
                     local {
                         prefix 10.46.94.0/24
                     }
                     protocol all
                     remote {
                         prefix 10.46.128.0/26
                     }
                 }
             }
         }
     }
 }

 nat {
     source {
         rule 5 {
             destination {
                 address 10.46.128.0/26
             }
             exclude
             outbound-interface eth0
         }
     }
 }
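As an added check that is not part of the wiki page or of VyOS itself, the following Python parses the brace-style configuration shown above and compares the esp and ike groups with the vShield-side settings listed at the top of the page: encryption aes128, PFS enabled, and DH group 2 stated explicitly. The configuration above leaves the DH group at VyOS's default, so the constructed sample below reproduces that and the check reports it.

```python
def parse_vyos(text):
    """Parse VyOS brace-style config into nested dicts; leaves are strings, or True when valueless."""
    root = cur = {}
    stack = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            cur = stack.pop()
        elif line.endswith("{"):
            stack.append(cur)
            for part in line[:-1].split():  # 'esp-group vShield {' -> ['esp-group']['vShield']
                cur = cur.setdefault(part, {})
        else:
            key, _, val = line.partition(" ")
            cur[key] = val or True          # valueless leaf such as 'exclude'
    return root

def check_ipsec(cfg, esp_name, ike_name, expected):
    """Return mismatches between the named VyOS groups and the vShield-side settings."""
    ipsec = cfg["vpn"]["ipsec"]
    esp, ike = ipsec["esp-group"][esp_name], ipsec["ike-group"][ike_name]
    issues = []
    for label, grp in (("esp", esp), ("ike", ike)):
        enc = grp["proposal"]["1"].get("encryption")
        if enc != expected["encryption"]:
            issues.append(f"{label}-group encryption {enc} != {expected['encryption']}")
    if esp.get("pfs") != "enable":
        issues.append("esp-group pfs not enabled")
    dh = ike["proposal"]["1"].get("dh-group")
    if dh != expected["dh_group"]:
        issues.append(f"ike dh-group is {dh}, expected {expected['dh_group']}: set it explicitly")
    return issues

# Constructed sample: the esp/ike groups from this page, with the DH group left at the default.
SAMPLE = """vpn {
  ipsec {
    esp-group vShield {
      pfs enable
      proposal 1 {
        encryption aes128
        hash sha1
      }
    }
    ike-group vShield {
      proposal 1 {
        encryption aes128
      }
    }
  }
}"""
VSHIELD = {"encryption": "aes128", "dh_group": "2"}  # vShield "AES" is AES-128; DH group 2
```

Running `check_ipsec(parse_vyos(SAMPLE), "vShield", "vShield", VSHIELD)` returns a single warning about the unset ike dh-group; adding `dh-group 2` to the ike proposal clears it.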