This tutorial contains configuration information and a sample template for using a VyOS device with an IPsec configuration.

Notes

- vti <NAME_OF_VTI_INTERFACE> - Specifies the virtual tunnel interface of the IPsec tunnel.
- esp-group <NAME_OF_ESP_GROUP> - Defines the ESP group for encrypted traffic defined by the tunnel, or defines a particular ESP policy or profile.
- ike-group <NAME_OF_IKE_GROUP> - Defines the IKE group to use for key exchanges, or defines a particular IKE policy or profile.
- The IP addresses of the IPsec tunnel interfaces on both ends of the tunnel should be a pair of private IP addresses (RFC 1918) on the same /31 or /30 subnet, essentially specifying a point-to-point link.
- The IPsec tunnel endpoint on this VyOS router is the <IP_ADDR_OF_UPLINK_INTF_TO_INTERNET/WAN>.
- The IP address of the IPsec tunnel endpoint on the Cloudflare side is the anycast IP address provided by Cloudflare.
- This router is configured to initiate the IPsec tunnel connection.

Configuration parameters

Phase 1

Encryption: AES-GCM with 128-bit or 256-bit key length
Integrity: SHA512

Phase 2

Encryption: AES-GCM with 128-bit or 256-bit key length
Integrity: SHA512
PFS group: DH group 20 (348-bit random ECP group)


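As an added check that is not part of this tutorial, the following Python script audits a VyOS configuration (in "set vpn ipsec ..." command form) against the Phase 1 and Phase 2 parameters above, so that drift from the required ciphers or PFS group is caught before the tunnel is brought up. It assumes VyOS proposal names in strongSwan style (aes128gcm128, aes256gcm128, sha512, dh-group20); the group names and sample lines are constructed.

```python
"""Audit VyOS 'set vpn ipsec ...' commands against the Phase 1 / Phase 2 parameters."""
import re

# Assumed VyOS/strongSwan names: AES-GCM with 128- or 256-bit key, any ICV length
GCM_RE = re.compile(r"aes(128|256)gcm(64|96|128)")
REQUIRED_HASH = "sha512"       # Integrity SHA512 (Phase 1 and Phase 2)
REQUIRED_PFS = "dh-group20"    # Phase 2 PFS: DH group 20

def parse_groups(config_lines):
    """Collect ike-group / esp-group proposals and the ESP pfs setting."""
    groups = {}
    for line in config_lines:
        parts = line.split()
        if parts[:3] != ["set", "vpn", "ipsec"] or len(parts) < 7:
            continue
        kind, name, rest = parts[3], parts[4], parts[5:]
        if kind not in ("ike-group", "esp-group"):
            continue
        group = groups.setdefault((kind, name), {"proposals": {}, "pfs": None})
        if rest[0] == "proposal" and len(rest) == 4:     # proposal N <key> <value>
            group["proposals"].setdefault(rest[1], {})[rest[2]] = rest[3]
        elif rest[0] == "pfs" and len(rest) == 2:        # pfs <value> (esp-group only)
            group["pfs"] = rest[1]
    return groups

def audit_ipsec_config(config_lines):
    """Return a list of findings; an empty list means every group matches the parameters."""
    findings = []
    for (kind, name), group in sorted(parse_groups(config_lines).items()):
        label = f"{kind} {name}"
        if not group["proposals"]:
            findings.append(f"{label}: no proposal configured")
        for num, prop in sorted(group["proposals"].items()):
            enc = prop.get("encryption", "")
            if not GCM_RE.fullmatch(enc):
                findings.append(f"{label} proposal {num}: encryption '{enc}' is not AES-GCM 128/256")
            if prop.get("hash") != REQUIRED_HASH:
                findings.append(f"{label} proposal {num}: integrity '{prop.get('hash')}' is not {REQUIRED_HASH}")
        if kind == "esp-group" and group["pfs"] != REQUIRED_PFS:
            findings.append(f"{label}: pfs '{group['pfs']}' is not {REQUIRED_PFS}")
    return findings

# Constructed sample: a compliant IKE group and an ESP group that drifted from the parameters
SAMPLE_CONFIG = """
set vpn ipsec ike-group CF_IKE key-exchange ikev2
set vpn ipsec ike-group CF_IKE proposal 1 encryption aes256gcm128
set vpn ipsec ike-group CF_IKE proposal 1 hash sha512
set vpn ipsec esp-group CF_ESP pfs disable
set vpn ipsec esp-group CF_ESP proposal 1 encryption aes128
set vpn ipsec esp-group CF_ESP proposal 1 hash sha1
""".strip().splitlines()

if __name__ == "__main__":
    for finding in audit_ipsec_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of "show configuration commands | grep 'vpn ipsec'" from the router; only the ike-group and esp-group lines are inspected.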

Configuration template