VyOS Static
IPsec peering with VyOS
Extensive testing with different routers and cloud provider IPsec offerings has shown that these IPsec clients will significantly underperform an instance or server running IPsec. Running IPsec on a router should only be done when it is not possible to configure a pritunl-link client with port forwarding. Additionally many failover features will be unsupported when not using pritunl-link clients for IPsec.
Pritunl Link has support for the VyOS using IPsec links with a static host. A static host in Pritunl Link is a IPsec client that is not running the pritunl-link application. This allows connecting on-site routers that have support for IPsec. Using a static host will have some limitations such as not being able to automatically update changes to the link configuration.
Configure VyOS
Static hosts are not able to automatically pull changes to the link configuration from the Pritunl server. Because of this the link configuration must be fully completed and all non-static hosts must be deployed first. The non-static hosts will push the public address of the host to the Pritunl server, this must be done before configuring the static host. If it's necessary to deploy a static host before non-static hosts the public address must be manually configured on the non-static hosts.
To configure a VyOS static host first create a location for the VyOS network then click Add Host in the location. Then click Advanced at the top right and enable Static Host. Set the Public Address to the public IP address of the VyOS. If an IPv6 link is being configured also set the IPv6 Address.
Once done a Get EdgeRouter Conf button will be displayed on the right side of the host. Both EdgeRouter and VyOS are based on the same operating system, except for the first auto firewall command all the EdgeRouter commands will run on VyOS. Click the button to get the configuration. Connect to the VyOS router with SSH then run the command configure
and paste these commands excluding the first one into the configuration mode. Then run commit
and save
. This will configure all the needed options and the router will then connect and route the traffic to the networks.
The commands show vpn ipsec status
, show vpn ipsec state
and sudo ipsec statusall
will show the status of the IPsec connection on VyOS.
Updated over 2 years ago