# VyOS "set"-command configuration for host 'azure-gw-01', restored to one command per line.
# It defines: kernel-level firewall options, one VRRP group on eth1, six VTI interfaces,
# BGP towards six 'AZURE' peer-group neighbours plus one same-AS neighbour, and six
# IKEv2/IPsec site-to-site peers bound to those VTIs.
# NOTE(review): several secrets below are stored in clear text. Addresses in 192.0.2.0/24
# are the documentation range, so the values are presumably samples - confirm before reuse,
# generate unique secrets per deployment and protect any backup or repository copy of this file.

# --- Firewall global options -------------------------------------------------
# Only global options are set here; no firewall rule sets appear in this listing.
set firewall global-options all-ping 'enable'
set firewall global-options broadcast-ping 'disable'
set firewall global-options ip-src-route 'disable'
set firewall global-options ipv6-receive-redirects 'disable'
set firewall global-options ipv6-src-route 'disable'
# Martian packets are not logged, which removes one signal for spoofing or misrouting.
set firewall global-options log-martians 'disable'
set firewall global-options receive-redirects 'disable'
# NOTE(review): ICMP redirects are sent; confirm this is wanted on a gateway.
set firewall global-options send-redirects 'enable'
# Reverse-path source validation is off, so spoofed source addresses are not dropped here.
# NOTE(review): presumably needed for asymmetric paths over the paired VTIs - confirm,
# and consider 'loose' if strict filtering is not possible.
set firewall global-options source-validation 'disable'
set firewall global-options syn-cookies 'enable'
set firewall global-options twa-hazards-protection 'disable'

# --- High availability -------------------------------------------------------
# VRRP virtual address on eth1; no VRRP authentication is configured in this listing.
set high-availability vrrp group DMZ-VLAN-3962 address 192.168.34.36/27
set high-availability vrrp group DMZ-VLAN-3962 interface 'eth1'
set high-availability vrrp group DMZ-VLAN-3962 preempt-delay '180'
set high-availability vrrp group DMZ-VLAN-3962 priority '200'
set high-availability vrrp group DMZ-VLAN-3962 vrid '62'

# --- Interfaces --------------------------------------------------------------
# eth0 carries the address used as the IPsec local-address; eth1 is the VRRP/BGP side.
set interfaces ethernet eth0 address '192.0.2.189/27'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 offload gro
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address '192.168.34.37/27'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 offload gro
set interfaces ethernet eth1 speed 'auto'
set interfaces loopback lo
# TCP MSS is clamped to 1350 on every tunnel interface.
set interfaces vti vti31 ip adjust-mss '1350'
set interfaces vti vti32 ip adjust-mss '1350'
set interfaces vti vti41 ip adjust-mss '1350'
set interfaces vti vti42 ip adjust-mss '1350'
set interfaces vti vti51 ip adjust-mss '1350'
set interfaces vti vti52 ip adjust-mss '1350'

# --- Routing policy ----------------------------------------------------------
# Inbound filter: accepts anything inside 100.64.0.0/10 up to /32.
set policy prefix-list AZURE-BGP-IPv4-in description 'Prefixes received from Azure'
set policy prefix-list AZURE-BGP-IPv4-in rule 100 action 'permit'
set policy prefix-list AZURE-BGP-IPv4-in rule 100 le '32'
set policy prefix-list AZURE-BGP-IPv4-in rule 100 prefix '100.64.0.0/10'
# Outbound filter: the three RFC 1918 aggregates, with no ge/le qualifier on the rules.
set policy prefix-list ONPREM-BGP-IPv4-out description 'Prefixes allowed to be announced into Azure'
set policy prefix-list ONPREM-BGP-IPv4-out rule 100 action 'permit'
set policy prefix-list ONPREM-BGP-IPv4-out rule 100 prefix '10.0.0.0/8'
set policy prefix-list ONPREM-BGP-IPv4-out rule 200 action 'permit'
set policy prefix-list ONPREM-BGP-IPv4-out rule 200 prefix '172.16.0.0/12'
set policy prefix-list ONPREM-BGP-IPv4-out rule 300 action 'permit'
set policy prefix-list ONPREM-BGP-IPv4-out rule 300 prefix '192.168.0.0/16'

# --- BGP ---------------------------------------------------------------------
set protocols bgp address-family ipv4-unicast network 10.0.0.0/8
set protocols bgp address-family ipv4-unicast network 172.16.0.0/12
set protocols bgp address-family ipv4-unicast network 192.168.0.0/16
# Six neighbours in peer-group AZURE (remote AS 64517, 64513, 64515); no BGP password is
# set for them in this listing, so session protection rests on the IPsec tunnels.
set protocols bgp neighbor 100.66.8.36 peer-group 'AZURE'
set protocols bgp neighbor 100.66.8.36 remote-as '64517'
set protocols bgp neighbor 100.66.8.37 peer-group 'AZURE'
set protocols bgp neighbor 100.66.8.37 remote-as '64517'
set protocols bgp neighbor 100.66.24.36 peer-group 'AZURE'
set protocols bgp neighbor 100.66.24.36 remote-as '64513'
set protocols bgp neighbor 100.66.24.37 peer-group 'AZURE'
set protocols bgp neighbor 100.66.24.37 remote-as '64513'
set protocols bgp neighbor 100.66.40.36 peer-group 'AZURE'
set protocols bgp neighbor 100.66.40.36 remote-as '64515'
set protocols bgp neighbor 100.66.40.37 peer-group 'AZURE'
set protocols bgp neighbor 100.66.40.37 remote-as '64515'
# Neighbour 192.168.34.38 uses the same AS as system-as (65522). It has no prefix-list or
# maximum-prefix of its own in this listing.
set protocols bgp neighbor 192.168.34.38 address-family ipv4-unicast nexthop-self
set protocols bgp neighbor 192.168.34.38 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 192.168.34.38 capability dynamic
# BGP session password stored in clear text in the configuration.
# NOTE(review): looks like a sample value - replace with a unique secret per deployment.
set protocols bgp neighbor 192.168.34.38 password 'VyOSR0xx123'
set protocols bgp neighbor 192.168.34.38 remote-as '65522'
set protocols bgp neighbor 192.168.34.38 update-source 'eth1'
# The AZURE peer-group is limited to 50 received prefixes and filtered in both directions.
set protocols bgp peer-group AZURE address-family ipv4-unicast maximum-prefix '50'
set protocols bgp peer-group AZURE address-family ipv4-unicast prefix-list export 'ONPREM-BGP-IPv4-out'
set protocols bgp peer-group AZURE address-family ipv4-unicast prefix-list import 'AZURE-BGP-IPv4-in'
set protocols bgp peer-group AZURE ebgp-multihop '2'
set protocols bgp peer-group AZURE update-source 'eth1'
set protocols bgp system-as '65522'
set protocols bgp timers holdtime '30'
set protocols bgp timers keepalive '5'

# --- Static routes -----------------------------------------------------------
# Default route points at 192.168.34.33; selected public ranges go via 192.0.2.161.
set protocols static route 0.0.0.0/0 next-hop 192.168.34.33
set protocols static route 51.105.0.0/16 next-hop 192.0.2.161
set protocols static route 52.143.0.0/16 next-hop 192.0.2.161
# Each BGP neighbour /32 is reachable over a pair of VTIs.
set protocols static route 100.66.8.36/32 interface vti31
set protocols static route 100.66.8.36/32 interface vti32
set protocols static route 100.66.8.37/32 interface vti31
set protocols static route 100.66.8.37/32 interface vti32
set protocols static route 100.66.24.36/32 interface vti41
set protocols static route 100.66.24.36/32 interface vti42
set protocols static route 100.66.24.37/32 interface vti41
set protocols static route 100.66.24.37/32 interface vti42
set protocols static route 100.66.40.36/32 interface vti51
set protocols static route 100.66.40.36/32 interface vti52
set protocols static route 100.66.40.37/32 interface vti51
set protocols static route 100.66.40.37/32 interface vti52
set protocols static route 195.137.175.0/24 next-hop 192.0.2.161
set protocols static route 212.23.159.0/26 next-hop 192.0.2.161

# --- NTP ---------------------------------------------------------------------
# Any IPv4 or IPv6 client is allowed to query this NTP service.
# NOTE(review): restrict allow-client to the internal ranges that need it, since no
# firewall rule set in this listing limits access on the eth0 side.
set service ntp allow-client address '0.0.0.0/0'
set service ntp allow-client address '::/0'
set service ntp server 192.0.2.254

# --- SNMPv3 ------------------------------------------------------------------
# Read-only group at seclevel 'priv' (authentication and encryption required).
set service snmp v3 engineid 'ff42'
set service snmp v3 group default mode 'ro'
set service snmp v3 group default seclevel 'priv'
set service snmp v3 group default view 'default'
# The privacy value below is the first 32 hex characters of the auth value.
# NOTE(review): this suggests one passphrase serves both purposes - use distinct ones.
set service snmp v3 user VyOS auth encrypted-password '1ad73f4620b8c0dd2de066622f875b161a14adad'
set service snmp v3 user VyOS auth type 'sha'
set service snmp v3 user VyOS group 'default'
set service snmp v3 user VyOS privacy encrypted-password '1ad73f4620b8c0dd2de066622f875b16'
set service snmp v3 user VyOS privacy type 'aes'
# The view covers OID 1, i.e. the whole tree; narrow it if monitoring needs less.
set service snmp v3 view default oid 1

# --- SSH ---------------------------------------------------------------------
# disable-host-validation turns off the reverse-DNS lookup of connecting clients.
# No listen-address or authentication restriction is set in this listing.
# NOTE(review): confirm SSH is not reachable from untrusted networks via eth0.
set service ssh disable-host-validation
set service ssh port '22'

# --- System ------------------------------------------------------------------
set system config-management commit-revisions '100'
# Seven connection-tracking helper modules are loaded.
# NOTE(review): each helper parses application payloads; keep only those actually in use.
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system domain-name 'vyos.net'
# Flow records for eth1 and all six VTIs are exported to 10.0.1.1:2055.
set system flow-accounting interface 'eth1'
set system flow-accounting interface 'vti31'
set system flow-accounting interface 'vti32'
set system flow-accounting interface 'vti41'
set system flow-accounting interface 'vti42'
set system flow-accounting interface 'vti51'
set system flow-accounting interface 'vti52'
set system flow-accounting netflow server 10.0.1.1 port '2055'
set system flow-accounting netflow source-address '192.168.34.37'
set system flow-accounting netflow version '10'
set system flow-accounting syslog-facility 'daemon'
set system host-name 'azure-gw-01'
# Both RADIUS servers share the same short key, stored in clear text.
# NOTE(review): RADIUS protects the user password with this key, so use a long random
# value, ideally a different one per server.
set system login radius server 192.0.2.253 key 'secret1234'
set system login radius server 192.0.2.253 port '1812'
set system login radius server 192.0.2.253 timeout '2'
set system login radius server 192.0.2.254 key 'secret1234'
set system login radius server 192.0.2.254 port '1812'
set system login radius server 192.0.2.254 timeout '2'
set system login radius source-address '192.168.34.37'
# Local fallback account 'vyos' with a SHA-512 crypt ($6$) hash; plaintext-password is empty.
set system login user vyos authentication encrypted-password '$6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0'
set system login user vyos authentication plaintext-password ''
set system logs logrotate messages max-size '20'
set system logs logrotate messages rotate '10'
set system name-server '192.0.2.254'
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'
# Remote logging uses UDP: unauthenticated, unencrypted, and messages can be lost or forged.
set system syslog host 10.0.9.188 facility all level 'info'
set system syslog host 10.0.9.188 protocol 'udp'
set system time-zone 'Europe/Berlin'

# --- IPsec pre-shared keys ---------------------------------------------------
# Each PSK entry lists the remote peer address and the local address 192.0.2.189 as ids.
# All six peers use the identical secret, stored in clear text.
# NOTE(review): one leaked key exposes every tunnel; use a distinct high-entropy PSK per peer.
set vpn ipsec authentication psk peer_51-105-0-1 id '51.105.0.1'
set vpn ipsec authentication psk peer_51-105-0-1 id '192.0.2.189'
set vpn ipsec authentication psk peer_51-105-0-1 secret 'averysecretpsktowardsazure'
set vpn ipsec authentication psk peer_51-105-0-2 id '51.105.0.2'
set vpn ipsec authentication psk peer_51-105-0-2 id '192.0.2.189'
set vpn ipsec authentication psk peer_51-105-0-2 secret 'averysecretpsktowardsazure'
set vpn ipsec authentication psk peer_51-105-0-3 id '51.105.0.3'
set vpn ipsec authentication psk peer_51-105-0-3 id '192.0.2.189'
set vpn ipsec authentication psk peer_51-105-0-3 secret 'averysecretpsktowardsazure'
set vpn ipsec authentication psk peer_51-105-0-4 id '51.105.0.4'
set vpn ipsec authentication psk peer_51-105-0-4 id '192.0.2.189'
set vpn ipsec authentication psk peer_51-105-0-4 secret 'averysecretpsktowardsazure'
set vpn ipsec authentication psk peer_51-105-0-5 id '51.105.0.5'
set vpn ipsec authentication psk peer_51-105-0-5 id '192.0.2.189'
set vpn ipsec authentication psk peer_51-105-0-5 secret 'averysecretpsktowardsazure'
set vpn ipsec authentication psk peer_51-105-0-6 id '51.105.0.6'
set vpn ipsec authentication psk peer_51-105-0-6 id '192.0.2.189'
set vpn ipsec authentication psk peer_51-105-0-6 secret 'averysecretpsktowardsazure'

# --- IPsec proposals ---------------------------------------------------------
# ESP: AES-256 with SHA-1 integrity and PFS disabled, so child-SA rekeys do not perform
# a fresh Diffie-Hellman exchange.
# NOTE(review): prefer 'sha256' and PFS enabled if the remote policy can match - confirm.
set vpn ipsec esp-group ESP-AZURE lifetime '27000'
set vpn ipsec esp-group ESP-AZURE mode 'tunnel'
set vpn ipsec esp-group ESP-AZURE pfs 'disable'
set vpn ipsec esp-group ESP-AZURE proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-AZURE proposal 1 hash 'sha1'
# IKEv2 with dead-peer detection every 2 s (timeout 15 s, action restart).
set vpn ipsec ike-group IKE-AZURE close-action 'none'
set vpn ipsec ike-group IKE-AZURE dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-AZURE dead-peer-detection interval '2'
set vpn ipsec ike-group IKE-AZURE dead-peer-detection timeout '15'
set vpn ipsec ike-group IKE-AZURE key-exchange 'ikev2'
set vpn ipsec ike-group IKE-AZURE lifetime '27000'
# dh-group '2' is the 1024-bit MODP group, the weakest element of this proposal, and it is
# combined with SHA-1 below.
# NOTE(review): move to dh-group '14' or higher and 'sha256' once the remote side's
# IPsec/IKE policy is confirmed to offer them.
set vpn ipsec ike-group IKE-AZURE proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-AZURE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-AZURE proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec log level '2'
set vpn ipsec log subsystem 'ike'

# --- IPsec site-to-site peers ------------------------------------------------
# All peers authenticate with the pre-shared secret, use connection-type 'respond'
# (this side waits for the remote end to initiate) and terminate on 192.0.2.189.
# Peers 1 and 2 select ESP-AZURE via default-esp-group; peers 3 to 6 via 'vti esp-group'.
# VTI bindings: peer 1 -> vti51, 2 -> vti52, 3 -> vti32, 4 -> vti31, 5 -> vti42, 6 -> vti41.
set vpn ipsec site-to-site peer peer_51-105-0-1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_51-105-0-1 authentication remote-id '51.105.0.1'
set vpn ipsec site-to-site peer peer_51-105-0-1 connection-type 'respond'
set vpn ipsec site-to-site peer peer_51-105-0-1 default-esp-group 'ESP-AZURE'
set vpn ipsec site-to-site peer peer_51-105-0-1 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer peer_51-105-0-1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_51-105-0-1 local-address '192.0.2.189'
set vpn ipsec site-to-site peer peer_51-105-0-1 remote-address '51.105.0.1'
set vpn ipsec site-to-site peer peer_51-105-0-1 vti bind 'vti51'
set vpn ipsec site-to-site peer peer_51-105-0-2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_51-105-0-2 authentication remote-id '51.105.0.2'
set vpn ipsec site-to-site peer peer_51-105-0-2 connection-type 'respond'
set vpn ipsec site-to-site peer peer_51-105-0-2 default-esp-group 'ESP-AZURE'
set vpn ipsec site-to-site peer peer_51-105-0-2 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer peer_51-105-0-2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_51-105-0-2 local-address '192.0.2.189'
set vpn ipsec site-to-site peer peer_51-105-0-2 remote-address '51.105.0.2'
set vpn ipsec site-to-site peer peer_51-105-0-2 vti bind 'vti52'
set vpn ipsec site-to-site peer peer_51-105-0-3 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_51-105-0-3 authentication remote-id '51.105.0.3'
set vpn ipsec site-to-site peer peer_51-105-0-3 connection-type 'respond'
set vpn ipsec site-to-site peer peer_51-105-0-3 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer peer_51-105-0-3 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_51-105-0-3 local-address '192.0.2.189'
set vpn ipsec site-to-site peer peer_51-105-0-3 remote-address '51.105.0.3'
set vpn ipsec site-to-site peer peer_51-105-0-3 vti bind 'vti32'
set vpn ipsec site-to-site peer peer_51-105-0-3 vti esp-group 'ESP-AZURE'
set vpn ipsec site-to-site peer peer_51-105-0-4 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_51-105-0-4 authentication remote-id '51.105.0.4'
set vpn ipsec site-to-site peer peer_51-105-0-4 connection-type 'respond'
set vpn ipsec site-to-site peer peer_51-105-0-4 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer peer_51-105-0-4 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_51-105-0-4 local-address '192.0.2.189'
set vpn ipsec site-to-site peer peer_51-105-0-4 remote-address '51.105.0.4'
set vpn ipsec site-to-site peer peer_51-105-0-4 vti bind 'vti31'
set vpn ipsec site-to-site peer peer_51-105-0-4 vti esp-group 'ESP-AZURE'
set vpn ipsec site-to-site peer peer_51-105-0-5 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_51-105-0-5 authentication remote-id '51.105.0.5'
set vpn ipsec site-to-site peer peer_51-105-0-5 connection-type 'respond'
set vpn ipsec site-to-site peer peer_51-105-0-5 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer peer_51-105-0-5 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_51-105-0-5 local-address '192.0.2.189'
set vpn ipsec site-to-site peer peer_51-105-0-5 remote-address '51.105.0.5'
set vpn ipsec site-to-site peer peer_51-105-0-5 vti bind 'vti42'
set vpn ipsec site-to-site peer peer_51-105-0-5 vti esp-group 'ESP-AZURE'
set vpn ipsec site-to-site peer peer_51-105-0-6 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_51-105-0-6 authentication remote-id '51.105.0.6'
set vpn ipsec site-to-site peer peer_51-105-0-6 connection-type 'respond'
set vpn ipsec site-to-site peer peer_51-105-0-6 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer peer_51-105-0-6 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_51-105-0-6 local-address '192.0.2.189'
set vpn ipsec site-to-site peer peer_51-105-0-6 remote-address '51.105.0.6'
set vpn ipsec site-to-site peer peer_51-105-0-6 vti bind 'vti41'
set vpn ipsec site-to-site peer peer_51-105-0-6 vti esp-group 'ESP-AZURE'