Sample Traditional IPSEC Router Configuration
Below is an example configuration for an open-source router that can optionally be used with Virtual Data Centers where desired.
This configuration was tested with VyOS (https://vyos.io/) version 1.1.7.
Prisma SD-WAN - Public Application Note 14

/*
The following IPs must be changed to match your environment.
Public IP (Service Center DataCenter) = 52.10.10.10
Prisma SD-WAN ION 7000s               = 10.1.1.100, 10.1.1.101
Symantec Public Endpoint IP A         = 13.10.10.10
Symantec Public Endpoint IP B         = 14.10.10.10
Default Gateway                       = 10.1.0.1
Local system IP eth0                  = 10.1.0.10/24
Local system IP eth1                  = 10.1.1.10/24
*/
#vyos-config
interfaces {
    ethernet eth0 {
        address dhcp
        duplex auto
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 10.1.1.10/24
    }
    loopback lo {
    }
    vti vti0 {
        address 192.168.1.254/32
        ip {
            source-validation disable
        }
        mtu 1436
    }
    vti vti1 {
        address 192.168.1.253/32
        ip {
            source-validation disable
        }
        mtu 1436
    }
}
protocols {
    bgp 7501 {
        neighbor 10.1.1.100 {
            peer-group CLOUDGENIX
        }
        neighbor 10.1.1.101 {
            peer-group CLOUDGENIX
        }
        peer-group CLOUDGENIX {
            nexthop-self
            remote-as 7502
        }
    }
    static {
        /*
        Static routes - for active/active, set the same AD.
        For active/backup, make the backup distance higher.
        */
        interface-route 0.0.0.0/0 {
            next-hop-interface vti0 {
                distance 206
            }
            next-hop-interface vti1 {
                distance 208
            }
        }
        route 13.10.10.10/32 {
            next-hop 10.1.0.1 {
            }
        }
        route 14.10.10.10/32 {
            next-hop 10.1.0.1 {
            }
        }
        route 12.101.3.4/32 {
            next-hop 10.1.0.1 {
            }
        }
    }
}
service {
    cloudinit {
        environment ec2
    }
    ssh {
        disable-host-validation
        disable-password-authentication
        port 22
    }
}
system {
    host-name SC-CUSTOMER-SymantecWSS-us-east-1-CORE-ROUTER
    time-zone UTC
}
vpn {
    ipsec {
        esp-group ESP-1W {
            compression disable
            lifetime 3600
            mode tunnel
            pfs dh-group2
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        ike-group IKE-1W {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption 3des
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        site-to-site {
            /*
            Each peer must reference the ike-group and esp-group defined
            above (IKE-1W / ESP-1W); a reference to an undefined group
            fails at commit time.
            */
            peer 14.10.10.10 {
                authentication {
                    id 52.10.10.10
                    mode pre-shared-secret
                    pre-shared-secret <REMOVED-ENTER-YOUR-OWN>
                }
                connection-type initiate
                ike-group IKE-1W
                ikev2-reauth inherit
                local-address 10.1.0.10
                vti {
                    bind vti1
                    esp-group ESP-1W
                }
            }
            peer 13.10.10.10 {
                authentication {
                    id 52.10.10.10
                    mode pre-shared-secret
                    pre-shared-secret <REMOVED-ENTER-YOUR-OWN>
                }
                connection-type initiate
                ike-group IKE-1W
                ikev2-reauth inherit
                local-address 10.1.0.10
                vti {
                    bind vti0
                    esp-group ESP-1W
                }
            }
        }
    }
}
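Two things a practitioner should verify before committing a configuration of this shape are that every site-to-site peer references an ike-group and esp-group that actually exist (VyOS rejects the commit otherwise), and which proposals still rely on 3DES, SHA-1, DH group 2 or IKEv1, all of which are weak by current standards and worth reviewing against what the remote endpoint supports. The following is an added example, not code from the application note or from VyOS: a small parser for the brace-style VyOS configuration format that performs both checks. `SAMPLE_CONFIG` is constructed for this example and only mirrors the structure of the configuration above, with one peer deliberately pointing at undefined groups.

```python
# Added example (not from the Prisma SD-WAN application note or VyOS):
# parse a VyOS 1.1-style brace configuration and check the vpn/ipsec tree
# for (1) peers referencing an ike-group/esp-group that is never defined
# and (2) proposals that still use algorithms considered weak.
import re

# Constructed sample input; mirrors the note's layout, trimmed to vpn/ipsec.
SAMPLE_CONFIG = """\
vpn {
    ipsec {
        esp-group ESP-1W {
            pfs dh-group2
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        ike-group IKE-1W {
            key-exchange ikev1
            proposal 1 {
                dh-group 2
                encryption 3des
                hash sha1
            }
        }
        site-to-site {
            /* first peer points at groups that are never defined */
            peer 14.10.10.10 {
                ike-group IKE-GR1
                vti {
                    bind vti1
                    esp-group ESP-GR1
                }
            }
            peer 13.10.10.10 {
                ike-group IKE-1W
                vti {
                    bind vti0
                    esp-group ESP-1W
                }
            }
        }
    }
}
"""

# (leaf name, value) pairs flagged for review, with the reason.
WEAK = {
    ("encryption", "3des"): "3DES: 64-bit block cipher, deprecated",
    ("hash", "sha1"): "SHA-1 integrity: deprecated",
    ("dh-group", "2"): "DH group 2: 1024-bit MODP, too small",
    ("pfs", "dh-group2"): "PFS DH group 2: 1024-bit MODP, too small",
    ("key-exchange", "ikev1"): "IKEv1: prefer IKEv2",
}


def parse_vyos(text):
    """Parse brace-style config into nested dicts.

    'name arg {' opens a child dict stored under the key 'name arg';
    'key value' becomes a leaf key -> value; a bare 'key' maps to True.
    /* ... */ comments and '#' lines are ignored.
    """
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}' in configuration")
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip() or True
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def _leaves(node, path=()):
    """Yield (path, key, value) for every leaf below node."""
    for key, value in node.items():
        if isinstance(value, dict):
            yield from _leaves(value, path + (key,))
        else:
            yield path, key, value


def check_ipsec(root):
    """Return (dangling, weak): unresolved group references per peer, and
    weak-algorithm leaves found inside the defined ike/esp groups."""
    ipsec = root.get("vpn", {}).get("ipsec", {})
    defined = {k for k in ipsec if k.startswith(("ike-group ", "esp-group "))}
    dangling = []
    for name, peer in ipsec.get("site-to-site", {}).items():
        if not name.startswith("peer ") or not isinstance(peer, dict):
            continue
        vti = peer.get("vti") if isinstance(peer.get("vti"), dict) else {}
        refs = (f"ike-group {peer.get('ike-group')}",
                f"esp-group {vti.get('esp-group')}")
        dangling += [(name, ref) for ref in refs if ref not in defined]
    weak = []
    for group in sorted(defined):
        for path, key, value in _leaves(ipsec[group], (group,)):
            reason = WEAK.get((key, str(value)))
            if reason:
                weak.append(("/".join(path), f"{key} {value}", reason))
    return dangling, weak


if __name__ == "__main__":
    dangling, weak = check_ipsec(parse_vyos(SAMPLE_CONFIG))
    for name, ref in dangling:
        print(f"ERROR  {name}: references undefined {ref}")
    for where, setting, reason in weak:
        print(f"REVIEW {where}: {setting} ({reason})")
```

Run against a saved `config.boot`, the same two functions report the dangling `IKE-GR1`/`ESP-GR1` references for the first peer and flag the seven weak-algorithm leaves in the two groups; the parser is deliberately generic so the same tree can be queried for other checks, such as confirming that `ipsec-interfaces` binds only the public-facing interface.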