path: root/Terraform/AWS/ha-instances-with-configs/files/on-prem-vyos-config.txt
    # VyOS `set` commands for the on-premises side of the demo topology
    # (a YAML list as consumed by the surrounding template/cloud-init).
    # Angle-bracket tokens ('<DNS>', '<VYOS_CIDR>', ...) are placeholders
    # substituted before the file is applied.
    # NOTE(review): two placeholder spellings appear — upper-case
    # ('<VYOS_PUBLIC_IP>') and lower-case ('<vyos_pub_nic_ip>') — confirm
    # that the substitution step really replaces both forms.
    - set system host-name 'VyOS-for-On-Prem'
    - set system login banner pre-login 'Welcome to the VyOS for DEMO'
    # eth0 faces the Internet (WAN); eth1 faces the LAN and must not pick
    # up a default route from DHCP, so the WAN stays the only egress.
    - set interfaces ethernet eth0 description 'WAN'
    - set interfaces ethernet eth1 description 'LAN'
    - set interfaces ethernet eth1 dhcp-options no-default-route
    # DNS: system resolver plus a forwarder bound to the private NIC that
    # only accepts queries from the VyOS prefix ('allow-from').
    - set system name-server '<DNS>'
    - set service dns forwarding name-server '<DNS>'
    - set service dns forwarding listen-address '<VYOS_PRIV_NIC_IP>'
    - set service dns forwarding allow-from '<VYOS_CIDR>'
    - set service dns forwarding no-serve-rfc1918
    # Source NAT: masquerade traffic from the VyOS prefix as it leaves eth0.
    - set nat source rule 10 outbound-interface name 'eth0'
    - set nat source rule 10 source address '<VYOS_CIDR>'
    - set nat source rule 10 translation address 'masquerade'
    # IPsec policy shared by both tunnels (esp-group/ike-group 'AWS').
    # NOTE(review): IKE and ESP both use SHA-1 integrity and DH group 2
    # (1024-bit MODP); these are widely regarded as weak. Prefer sha256 and
    # dh-group 14 or higher if the AWS-side VyOS instances are configured to
    # match — both ends must agree on the proposal.
    - set vpn ipsec interface 'eth0'
    - set vpn ipsec esp-group AWS lifetime '3600'
    - set vpn ipsec esp-group AWS mode 'tunnel'
    - set vpn ipsec esp-group AWS pfs 'dh-group2'
    - set vpn ipsec esp-group AWS proposal 1 encryption 'aes256'
    - set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
    # DPD probes every 15s and restarts the SA when the peer stops answering.
    - set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
    - set vpn ipsec ike-group AWS dead-peer-detection interval '15'
    - set vpn ipsec ike-group AWS ikev2-reauth
    - set vpn ipsec ike-group AWS key-exchange 'ikev2'
    - set vpn ipsec ike-group AWS lifetime '28800'
    - set vpn ipsec ike-group AWS proposal 1 dh-group '2'
    - set vpn ipsec ike-group AWS proposal 1 encryption 'aes256'
    - set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
    - set vpn ipsec ike-group AWS close-action start
    # Route-based VPN: no routes are installed from the IPsec policy;
    # reachability comes from the VTIs, static routes and BGP below.
    - set vpn ipsec option disable-route-autoinstall
    # One VTI per AWS peer, each with a /32 local tunnel address.
    # MSS is clamped to 1350 — presumably to leave headroom for tunnel
    # overhead; verify against the path MTU actually observed.
    - set interfaces vti vti1 address '10.2.100.11/32'
    - set interfaces vti vti1 description 'Tunnel for VyOS-01 in AWS'
    - set interfaces vti vti1 ip adjust-mss '1350'
    - set interfaces vti vti2 address '10.2.100.12/32'
    - set interfaces vti vti2 description 'Tunnel for VyOS-02 in AWS'
    - set interfaces vti vti2 ip adjust-mss '1350'
    # BFD towards both remote tunnel addresses: 300 tx/rx interval with
    # multiplier 3, i.e. roughly 900 (ms, per VyOS units) to declare a peer
    # down; the BGP sessions below are tied to these BFD sessions.
    - set protocols bfd peer 10.1.100.11 interval multiplier '3'
    - set protocols bfd peer 10.1.100.11 interval receive '300'
    - set protocols bfd peer 10.1.100.11 interval transmit '300'
    - set protocols bfd peer 10.1.100.12 interval multiplier '3'
    - set protocols bfd peer 10.1.100.12 interval receive '300'
    - set protocols bfd peer 10.1.100.12 interval transmit '300'
    # Host routes pinning each remote tunnel address to its own VTI, so
    # BFD and BGP traffic for a peer always takes the matching tunnel.
    - set protocols static route 10.1.100.11/32 interface vti1
    - set protocols static route 10.1.100.12/32 interface vti2
    # Pre-shared-key authentication. All three ids (local and both AWS
    # peers) share one secret.
    # NOTE(review): the secret below is a literal in a committed file; treat
    # it as a placeholder and supply the real PSK through the template /
    # a secrets store rather than leaving it in version control.
    - set vpn ipsec authentication psk VyOS id '<VYOS_PUBLIC_IP>'
    - set vpn ipsec authentication psk VyOS id '<AWS_VYOS_PUBLIC_IP_01>'
    - set vpn ipsec authentication psk VyOS id '<AWS_VYOS_PUBLIC_IP_02>'
    - set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'
    # Tunnel to the first AWS VyOS instance, bound to vti1.
    # local-id is the public IP while local-address is the NIC IP —
    # presumably because this side sits behind NAT; confirm.
    # NOTE(review): connection-type 'none' appears to leave tunnel bring-up
    # to the AWS side — check the VyOS release docs for the exact semantics.
    - set vpn ipsec site-to-site peer AWS-VyOS-01 authentication local-id '<VYOS_PUBLIC_IP>'
    - set vpn ipsec site-to-site peer AWS-VyOS-01 authentication mode 'pre-shared-secret'
    - set vpn ipsec site-to-site peer AWS-VyOS-01 authentication remote-id '<AWS_VYOS_PUBLIC_IP_01>'
    - set vpn ipsec site-to-site peer AWS-VyOS-01 connection-type 'none'
    - set vpn ipsec site-to-site peer AWS-VyOS-01 description 'TUNNEL to VyOS on AWS'
    - set vpn ipsec site-to-site peer AWS-VyOS-01 ike-group 'AWS'
    - set vpn ipsec site-to-site peer AWS-VyOS-01 ikev2-reauth 'inherit'
    - set vpn ipsec site-to-site peer AWS-VyOS-01 local-address '<vyos_pub_nic_ip>'
    - set vpn ipsec site-to-site peer AWS-VyOS-01 remote-address '<AWS_VYOS_PUBLIC_IP_01>'
    - set vpn ipsec site-to-site peer AWS-VyOS-01 vti bind 'vti1'
    - set vpn ipsec site-to-site peer AWS-VyOS-01 vti esp-group 'AWS'
    # Tunnel to the second AWS VyOS instance, bound to vti2 (same policy).
    - set vpn ipsec site-to-site peer AWS-VyOS-02 authentication local-id '<VYOS_PUBLIC_IP>'
    - set vpn ipsec site-to-site peer AWS-VyOS-02 authentication mode 'pre-shared-secret'
    - set vpn ipsec site-to-site peer AWS-VyOS-02 authentication remote-id '<AWS_VYOS_PUBLIC_IP_02>'
    - set vpn ipsec site-to-site peer AWS-VyOS-02 connection-type 'none'
    - set vpn ipsec site-to-site peer AWS-VyOS-02 description 'TUNNEL to VyOS on AWS'
    - set vpn ipsec site-to-site peer AWS-VyOS-02 ike-group 'AWS'
    - set vpn ipsec site-to-site peer AWS-VyOS-02 ikev2-reauth 'inherit'
    - set vpn ipsec site-to-site peer AWS-VyOS-02 local-address '<vyos_pub_nic_ip>'
    - set vpn ipsec site-to-site peer AWS-VyOS-02 remote-address '<AWS_VYOS_PUBLIC_IP_02>'
    - set vpn ipsec site-to-site peer AWS-VyOS-02 vti bind 'vti2'
    - set vpn ipsec site-to-site peer AWS-VyOS-02 vti esp-group 'AWS'
    # BGP over the two tunnels: advertise the VyOS prefix, peer with each
    # AWS tunnel address sourced from the local VTI address.
    # disable-connected-check is needed because the /32 peer is not on a
    # shared subnet; 'bfd' ties session teardown to the BFD peers above;
    # holdtime 30s; soft-reconfiguration keeps received routes for
    # inspection without a session reset.
    # NOTE(review): the local AS is '<vyos_bgp_as_number>' and the remote AS
    # is '<on_prem_bgp_as_number>', which reads inverted for the on-prem
    # side — confirm which placeholder maps to which AS before deploying.
    - set protocols bgp system-as '<vyos_bgp_as_number>'
    - set protocols bgp address-family ipv4-unicast network <VYOS_CIDR>
    - set protocols bgp neighbor 10.1.100.11 remote-as '<on_prem_bgp_as_number>'
    - set protocols bgp neighbor 10.1.100.11 address-family ipv4-unicast soft-reconfiguration inbound
    - set protocols bgp neighbor 10.1.100.11 timers holdtime '30'
    - set protocols bgp neighbor 10.1.100.11 bfd
    - set protocols bgp neighbor 10.1.100.11 disable-connected-check
    - set protocols bgp neighbor 10.1.100.11 update-source '10.2.100.11'
    - set protocols bgp neighbor 10.1.100.12 remote-as '<on_prem_bgp_as_number>'
    - set protocols bgp neighbor 10.1.100.12 address-family ipv4-unicast soft-reconfiguration inbound
    - set protocols bgp neighbor 10.1.100.12 timers holdtime '30'
    - set protocols bgp neighbor 10.1.100.12 bfd
    - set protocols bgp neighbor 10.1.100.12 disable-connected-check
    - set protocols bgp neighbor 10.1.100.12 update-source '10.2.100.12'