set system host-name 'VyOS-for-DEMO-On-Prem'
set system login banner pre-login 'Welcome to the VyOS for DEMO on On-Prem'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth1 dhcp-options no-default-route
set system name-server '<DNS>'
set service dns forwarding name-server '<DNS>'
set service dns forwarding listen-address '<VYOS_PRIV_IP>'
set service dns forwarding allow-from '<VYOS_CIDR>'
set service dns forwarding no-serve-rfc1918
set nat source rule 10 outbound-interface name 'eth0'
set nat source rule 10 source address '<VYOS_CIDR>'
set nat source rule 10 translation address 'masquerade'
set vpn ipsec interface 'eth0'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'dh-group2'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes256'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
set vpn ipsec ike-group AWS ikev2-reauth
set vpn ipsec ike-group AWS key-exchange 'ikev2'
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes256'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec ike-group AWS close-action start
set vpn ipsec option disable-route-autoinstall
set interfaces vti vti1 address '10.2.100.11/32'
set interfaces vti vti1 description 'Tunnel for VyOS in AWS'
set interfaces vti vti1 ip adjust-mss '1350'
set protocols static route 10.1.100.11/32 interface vti1
set vpn ipsec authentication psk VyOS id '<VYOS_AWS_PUB_IP>'
set vpn ipsec authentication psk VyOS id '<VYOS_PUB_IP>'
set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'
set vpn ipsec site-to-site peer AWS authentication local-id '<VYOS_PUB_IP>'
set vpn ipsec site-to-site peer AWS authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer AWS authentication remote-id '<VYOS_AWS_PUB_IP>'
set vpn ipsec site-to-site peer AWS connection-type 'initiate'
set vpn ipsec site-to-site peer AWS description 'AWS TUNNEL to VyOS on NET 02'
set vpn ipsec site-to-site peer AWS ike-group 'AWS'
set vpn ipsec site-to-site peer AWS ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer AWS local-address '<VYOS_PUB_IP>'
set vpn ipsec site-to-site peer AWS remote-address '<VYOS_AWS_PUB_IP>'
set vpn ipsec site-to-site peer AWS vti bind 'vti1'
set vpn ipsec site-to-site peer AWS vti esp-group 'AWS'
set protocols bgp system-as '<VYOS_BGP_AS_NUMBER>'
set protocols bgp address-family ipv4-unicast network <VYOS_CIDR>
set protocols bgp neighbor 10.1.100.11 remote-as '<VYOS_AWS_BGP_AS_NUMBER>'
set protocols bgp neighbor 10.1.100.11 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 10.1.100.11 timers holdtime '30'
set protocols bgp neighbor 10.1.100.11 timers keepalive '10'
set protocols bgp neighbor 10.1.100.11 disable-connected-check