VyOS
This tutorial contains configuration information and a sample template for using a VyOS device with an IPsec configuration.
- vti <NAME_OF_VTI_INTERFACE> - Specifies the virtual tunnel interface of the IPsec tunnel.
- esp-group <NAME_OF_ESP_GROUP> - Defines the ESP group for encrypted traffic carried by the tunnel, or selects a particular ESP policy or profile.
- ike-group <NAME_OF_IKE_GROUP> - Defines the IKE group to use for key exchanges, or selects a particular IKE policy or profile.
- The IP addresses of the IPsec tunnel interfaces on both ends of the tunnel should be a pair of private IP addresses (RFC 1918) on the same /31 or /30 subnet, essentially specifying a point-to-point link.
- The IPsec tunnel endpoint on this VyOS router is <IP_ADDR_OF_UPLINK_INTF_TO_INTERNET/WAN>.
- The IP address of the IPsec tunnel endpoint on the Cloudflare side is the anycast IP address provided by Cloudflare.
- This router is configured to initiate the IPsec tunnel connection.
- IKE group (ike-group) parameters
  - Encryption: AES-GCM with 128-bit or 256-bit key length
  - Integrity: SHA512
- ESP group (esp-group) parameters
  - Encryption: AES-GCM with 128-bit or 256-bit key length
  - Integrity: SHA512
  - PFS group: DH group 20 (384-bit random ECP group)
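Added example (not part of the Cloudflare tutorial or VyOS itself): a small Python helper that checks a candidate VTI address pair against the constraints above (RFC 1918, same /30 or /31, usable host addresses) and renders the IKE/ESP group `set` commands for the listed cipher suite. The address values and group names are constructed, and the `set` command syntax assumes the VyOS 1.3-style CLI.

```python
import ipaddress

# Constructed sample values for the point-to-point tunnel link (not from the tutorial).
LOCAL_VTI = "10.255.0.0/31"
REMOTE_VTI = "10.255.0.1/31"

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vti_pair(local: str, remote: str) -> list:
    """Return the list of problems with a VTI address pair; empty means it
    satisfies the tutorial's constraints (private, same /30 or /31, distinct)."""
    problems = []
    l, r = ipaddress.ip_interface(local), ipaddress.ip_interface(remote)
    if l.ip == r.ip:
        problems.append("local and remote VTI addresses must differ")
    for name, i in (("local", l), ("remote", r)):
        if not any(i.ip in net for net in RFC1918):
            problems.append(f"{name} address {i.ip} is not an RFC 1918 private address")
    if l.network.prefixlen not in (30, 31) or l.network.prefixlen != r.network.prefixlen:
        problems.append("both addresses must carry the same /30 or /31 prefix length")
    elif l.network != r.network:
        problems.append("addresses are not on the same subnet")
    elif l.network.prefixlen == 30:
        # A /30 has two usable hosts; the network and broadcast addresses are not assignable.
        usable = set(l.network.hosts())
        if l.ip not in usable or r.ip not in usable:
            problems.append("on a /30 neither end may use the network or broadcast address")
    return problems


def render_crypto_groups(ike_group: str, esp_group: str, key_bits: int = 256) -> list:
    """Emit VyOS 'set' commands (1.3-style syntax, assumed) for the IKE and ESP
    groups using the tutorial's parameters: AES-GCM, SHA512, PFS with DH group 20."""
    if key_bits not in (128, 256):
        raise ValueError("AES-GCM key length must be 128 or 256 bits")
    enc = f"aes{key_bits}gcm128"  # AES-GCM with a 128-bit ICV, as named in the VyOS CLI
    return [
        f"set vpn ipsec ike-group {ike_group} proposal 1 encryption {enc}",
        f"set vpn ipsec ike-group {ike_group} proposal 1 hash sha512",
        f"set vpn ipsec esp-group {esp_group} proposal 1 encryption {enc}",
        f"set vpn ipsec esp-group {esp_group} proposal 1 hash sha512",
        f"set vpn ipsec esp-group {esp_group} pfs dh-group20",
    ]


if __name__ == "__main__":
    print(check_vti_pair(LOCAL_VTI, REMOTE_VTI) or "VTI pair OK")
    print("\n".join(render_crypto_groups("IKE-CF", "ESP-CF")))
```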
