/* Kernel network options only: no filtering rulesets (firewall name / ipv6-name) are defined in this section. */
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    /* Packets with impossible source addresses are not logged; enabling this is a cheap detection aid for spoofed traffic. */
    log-martians disable
    options {
        /* TCP MSS clamping for traffic entering the IPsec tunnels; vti31..vti52 are each bound to one site-to-site peer under vpn ipsec. */
        interface vti31 {
            adjust-mss 1350
        }
        interface vti32 {
            adjust-mss 1350
        }
        interface vti41 {
            adjust-mss 1350
        }
        interface vti42 {
            adjust-mss 1350
        }
        interface vti51 {
            adjust-mss 1350
        }
        interface vti52 {
            adjust-mss 1350
        }
    }
    receive-redirects disable
    /* Incoming ICMP redirects are ignored, but this router still emits them. */
    send-redirects enable
    /* Reverse-path filtering is off; "strict" or "loose" would drop packets whose source is not routable via the ingress interface. */
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
/* VRRP on the inside segment: eth1 carries 192.168.34.37/27 (see interfaces) and advertises the VIP .36 as VRID 62. */
/* No authentication node is configured for this group, so the advertisements on eth1 are unauthenticated. */
high-availability {
    vrrp {
        group DMZ-VLAN-3962 {
            interface eth1
            /* Hold-off (presumably seconds) before a higher-priority router takes the VIP back after coming up. */
            preempt-delay 180
            priority 200
            virtual-address 192.168.34.36/27
            vrid 62
        }
    }
}
interfaces {
    /* Outside/transport interface: the IPsec peers bind to 192.0.2.189 (vpn ipsec site-to-site ... local-address) and ipsec-interfaces lists eth0. */
    ethernet eth0 {
        address 192.0.2.189/27
        duplex auto
        smp-affinity auto
        speed auto
    }
    /* Inside interface: source address for the iBGP session, RADIUS and NetFlow export; the VRRP VIP .36 sits on this subnet. */
    ethernet eth1 {
        address 192.168.34.37/27
        duplex auto
        smp-affinity auto
        speed auto
    }
    loopback lo {
    }
    /* Unnumbered VTI tunnel interfaces; each is bound to one site-to-site peer and carries the static routes to the Azure BGP neighbors. */
    vti vti31 {
    }
    vti vti32 {
    }
    vti vti41 {
    }
    vti vti42 {
    }
    vti vti51 {
    }
    vti vti52 {
    }
}
policy {
    /* Import filter applied to the AZURE peer-group: any prefix up to /32 inside the 100.64.0.0/10 shared address range is accepted. */
    prefix-list AZURE-BGP-IPv4-in {
        description "Prefixes received from Azure"
        rule 100 {
            action permit
            le 32
            prefix 100.64.0.0/10
        }
    }
    /* Export filter applied to the AZURE peer-group: no le/ge, so only these three exact aggregates may be announced (matches the bgp network statements). */
    prefix-list ONPREM-BGP-IPv4-out {
        description "Prefixes allowed to be announced into Azure"
        rule 100 {
            action permit
            prefix 10.0.0.0/8
        }
        rule 200 {
            action permit
            prefix 172.16.0.0/12
        }
        rule 300 {
            action permit
            prefix 192.168.0.0/16
        }
    }
}
protocols {
    bgp 65522 {
        address-family {
            ipv4-unicast {
                /* Locally originated aggregates; they correspond one-for-one to the ONPREM-BGP-IPv4-out export rules. */
                network 10.0.0.0/8 {
                }
                network 172.16.0.0/12 {
                }
                network 192.168.0.0/16 {
                }
            }
        }
        /* Azure eBGP neighbors (three redundant pairs); each /32 is reached over a VTI pair via the static interface-routes below. */
        neighbor 100.66.8.36 {
            peer-group AZURE
            remote-as 64517
        }
        neighbor 100.66.8.37 {
            peer-group AZURE
            remote-as 64517
        }
        neighbor 100.66.24.36 {
            peer-group AZURE
            remote-as 64513
        }
        neighbor 100.66.24.37 {
            peer-group AZURE
            remote-as 64513
        }
        neighbor 100.66.40.36 {
            peer-group AZURE
            remote-as 64515
        }
        neighbor 100.66.40.37 {
            peer-group AZURE
            remote-as 64515
        }
        /* iBGP neighbor on the inside segment (same AS 65522); next-hop-self rewrites the tunnel next hops for it. */
        neighbor 192.168.34.38 {
            address-family {
                ipv4-unicast {
                    nexthop-self
                    soft-reconfiguration {
                        inbound
                    }
                }
            }
            capability {
                dynamic
            }
            /* TCP MD5 session password, stored in clear text in this file and in every retained commit revision. */
            password VyOSR0xx123
            remote-as 65522
            update-source eth1
        }
        /* Shared settings for the Azure sessions: prefix cap plus import/export filters. No session password is configured for these eBGP peers. */
        peer-group AZURE {
            address-family {
                ipv4-unicast {
                    /* Session is torn down if a peer sends more than 50 prefixes. */
                    maximum-prefix 50
                    prefix-list {
                        export ONPREM-BGP-IPv4-out
                        import AZURE-BGP-IPv4-in
                    }
                }
            }
            /* Needed because the neighbors are not on a directly connected subnet; they are reached through the VTIs. */
            ebgp-multihop 2
            update-source eth1
        }
        timers {
            holdtime 30
            keepalive 5
        }
    }
    static {
        /* Host routes to the Azure BGP neighbors, each via both VTIs of its tunnel pair (multipath assumed; confirm with show ip route). */
        interface-route 100.66.8.36/32 {
            next-hop-interface vti31 {
            }
            next-hop-interface vti32 {
            }
        }
        interface-route 100.66.8.37/32 {
            next-hop-interface vti31 {
            }
            next-hop-interface vti32 {
            }
        }
        interface-route 100.66.24.36/32 {
            next-hop-interface vti41 {
            }
            next-hop-interface vti42 {
            }
        }
        interface-route 100.66.24.37/32 {
            next-hop-interface vti41 {
            }
            next-hop-interface vti42 {
            }
        }
        interface-route 100.66.40.36/32 {
            next-hop-interface vti51 {
            }
            next-hop-interface vti52 {
            }
        }
        interface-route 100.66.40.37/32 {
            next-hop-interface vti51 {
            }
            next-hop-interface vti52 {
            }
        }
        /* Default route points to the inside (eth1) subnet gateway. */
        route 0.0.0.0/0 {
            next-hop 192.168.34.33 {
            }
        }
        /* Azure public ranges, including the IPsec peer addresses 51.105.0.x, leave via the outside (eth0) subnet gateway. */
        route 51.105.0.0/16 {
            next-hop 192.0.2.161 {
            }
        }
        route 52.143.0.0/16 {
            next-hop 192.0.2.161 {
            }
        }
        route 195.137.175.0/24 {
            next-hop 192.0.2.161 {
            }
        }
        route 212.23.159.0/26 {
            next-hop 192.0.2.161 {
            }
        }
    }
}
service {
    /* No listen-address is set, so sshd presumably binds on every interface including the outside eth0 — confirm, or restrict it to eth1. */
    ssh {
        /* Skips the reverse-DNS lookup of connecting clients (sshd UseDNS no); this is unrelated to host-key or client-key validation. */
        disable-host-validation
        port 22
    }
}
system {
    config-management {
        /* The last 100 committed revisions are kept on the box; each copy contains the clear-text secrets below. */
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    domain-name vyos.net
    /* IPFIX (NetFlow v10) export for the inside interface and all six tunnels to the collector at 10.0.1.1:2055, sourced from eth1. */
    flow-accounting {
        interface eth1
        interface vti31
        interface vti32
        interface vti41
        interface vti42
        interface vti51
        interface vti52
        netflow {
            server 10.0.1.1 {
                port 2055
            }
            source-ip 192.168.34.37
            version 10
        }
        syslog-facility daemon
    }
    host-name azure-gw-01
    login {
        /* Two RADIUS servers sharing one secret, stored in clear text; requests are sourced from the eth1 address. */
        radius-server 192.0.2.253 {
            port 1812
            secret secret1234
            timeout 2
        }
        radius-server 192.0.2.254 {
            port 1812
            secret secret1234
            timeout 2
        }
        radius-source-address 192.168.34.37
        /* Local fallback account; the $6$ prefix marks a SHA-512 crypt hash and the plaintext field is left empty so only the hash is kept. */
        user vyos {
            authentication {
                encrypted-password $6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0
                plaintext-password ""
            }
        }
    }
    name-server 192.0.2.254
    ntp {
        server 192.0.2.254 {
        }
    }
    syslog {
        global {
            archive {
                file 10
                size 20480
            }
            facility all {
                level info
            }
            /* Routing-daemon messages at debug level: verbose, and included in the remote stream below via "facility all". */
            facility protocols {
                level debug
            }
        }
        /* Remote syslog over plain UDP: no transport-layer authentication or encryption, so it relies on the management path being trusted. */
        host 10.0.9.188 {
            facility all {
                level info
                protocol udp
            }
        }
    }
    time-zone Europe/Berlin
}
vpn {
    ipsec {
        /* CHILD_SA (ESP) parameters shared by all six peers below. */
        esp-group ESP-AZURE {
            compression disable
            lifetime 27000
            mode tunnel
            /* No fresh DH exchange on CHILD_SA rekey; child keys derive from the IKE SA alone. */
            pfs disable
            proposal 1 {
                encryption aes256
                /* HMAC-SHA1 integrity; sha256 is the current recommendation where the remote side supports it. */
                hash sha1
            }
        }
        /* IKE_SA parameters shared by all six peers below. */
        ike-group IKE-AZURE {
            close-action none
            /* Liveness probes every 2 s; after 15 s without a reply the SA is restarted. */
            dead-peer-detection {
                action restart
                interval 2
                timeout 15
            }
            ikev2-reauth no
            key-exchange ikev2
            lifetime 27000
            proposal 1 {
                /* dh-group 2 is 1024-bit MODP, below today's minimum recommendation (group 14 or stronger); check what the remote gateways accept before raising it. */
                dh-group 2
                encryption aes256
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        logging {
            log-level 2
            log-modes ike
        }
        /* Six Azure gateway endpoints forming three redundant pairs (vti31/32, vti41/42, vti51/52). All share one PSK, stored in clear text, and the same local endpoint 192.0.2.189 on eth0. */
        /* connection-type respond: this side never initiates; each peer is bound to exactly one VTI. */
        site-to-site {
            peer 51.105.0.2 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret averysecretpsktowardsazure
                }
                connection-type respond
                ike-group IKE-AZURE
                ikev2-reauth inherit
                local-address 192.0.2.189
                vti {
                    bind vti51
                    esp-group ESP-AZURE
                }
            }
            peer 51.105.0.3 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret averysecretpsktowardsazure
                }
                connection-type respond
                ike-group IKE-AZURE
                ikev2-reauth inherit
                local-address 192.0.2.189
                vti {
                    bind vti52
                    esp-group ESP-AZURE
                }
            }
            peer 51.105.0.246 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret averysecretpsktowardsazure
                }
                connection-type respond
                ike-group IKE-AZURE
                ikev2-reauth inherit
                local-address 192.0.2.189
                vti {
                    bind vti32
                    esp-group ESP-AZURE
                }
            }
            peer 51.105.0.247 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret averysecretpsktowardsazure
                }
                connection-type respond
                ike-group IKE-AZURE
                ikev2-reauth inherit
                local-address 192.0.2.189
                vti {
                    bind vti31
                    esp-group ESP-AZURE
                }
            }
            peer 51.105.0.18 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret averysecretpsktowardsazure
                }
                connection-type respond
                ike-group IKE-AZURE
                ikev2-reauth inherit
                local-address 192.0.2.189
                vti {
                    bind vti42
                    esp-group ESP-AZURE
                }
            }
            peer 51.105.0.19 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret averysecretpsktowardsazure
                }
                connection-type respond
                ike-group IKE-AZURE
                ikev2-reauth inherit
                local-address 192.0.2.189
                vti {
                    bind vti41
                    esp-group ESP-AZURE
                }
            }
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack-sync@1:conntrack@1:dhcp-relay@2:dhcp-server@5:dns-forwarding@1:firewall@5:ipsec@5:l2tp@1:mdns@1:nat@4:ntp@1:pptp@1:qos@1:quagga@6:snmp@1:ssh@1:system@9:vrrp@2:wanloadbalance@3:webgui@1:webproxy@1:webproxy@2:zone-policy@1" === */
/* Release version: 1.2.5 */