VyOS 1.5 - Cloudflare Magic WAN
IPsec On Ramps
vyos@vyos# show
/* Underlay/WAN side: IPsec local-address (192.168.224.135) and the masquerade rule both use eth0 */
interfaces {
ethernet eth0 {
address 192.168.224.135/24
hw-id 00:0c:29:51:16:af
}
/* LAN side: the policy route is applied here and SSH listens on this address only */
ethernet eth1 {
address 192.168.40.10/24
hw-id 00:0c:29:51:16:b9
}
loopback lo {
}
/* /31 overlay link; the far end 10.252.3.44 is one of the table-100 next-hops. MTU 1450 presumably leaves room for ESP overhead - confirm against the underlay MTU */
vti vti1 {
address 10.252.3.45/31
description "CF Magic WAN IPsec VTI 01 of 02"
mtu 1450
}
/* /31 overlay link; the far end 10.252.3.46 is the other table-100 next-hop */
vti vti2 {
address 10.252.3.47/31
description "CF Magic WAN IPsec VTI 02 of 02"
mtu 1450
}
}
/* Masquerade applies only to LAN traffic that leaves via eth0. Traffic steered into table 100 exits the VTIs and is not matched by this rule */
nat {
source {
rule 100 {
description src_nat_trust_to_untrust
outbound-interface {
name eth0
}
protocol all
source {
address 192.168.40.0/24
}
translation {
address masquerade
}
}
}
}
/* Everything from 192.168.40.0/24 entering eth1, to any destination, is looked up in table 100 (the ECMP default over both VTIs). default-log logs traffic hitting the default action - check the resulting log volume */
policy {
route cf_mwan_pbr_all_traffic {
default-log
interface eth1
rule 100 {
action accept
destination {
address 0.0.0.0/0
}
set {
table 100
}
source {
address 192.168.40.0/24
}
}
}
}
protocols {
static {
/* Main-table default via 192.168.224.1 carries the IKE/ESP underlay to the Cloudflare endpoints */
route 0.0.0.0/0 {
next-hop 192.168.224.1 {
}
}
/* Table 100, referenced by the policy route: two equal-cost defaults via the VTI far ends. Routes are installed here by hand because route auto-install is disabled under vpn ipsec options */
table 100 {
route 0.0.0.0/0 {
next-hop 10.252.3.44 {
}
next-hop 10.252.3.46 {
}
}
}
}
}
service {
/* allow-client admits any IPv4/IPv6 source; no listen-address is set, so presumably the NTP service also answers on eth0 - confirm whether WAN-side clients should be served, or add a listen-address/allow-client restricted to the LAN */
ntp {
allow-client {
address 0.0.0.0/0
address ::/0
}
server time1.vyos.net {
}
server time2.vyos.net {
}
server time3.vyos.net {
}
}
/* SSH bound to the LAN address only, so it is not reachable via eth0 */
ssh {
listen-address 192.168.40.10
port 22
}
}
system {
config-management {
commit-revisions 100
}
/* Each entry loads a conntrack helper (ALG) that parses that protocol's payload. These look like the distribution defaults; keep only the ones the LAN actually needs - TODO confirm */
conntrack {
modules {
ftp
h323
nfs
pptp
sip
sqlnet
tftp
}
}
console {
device ttyS0 {
speed 115200
}
}
host-name vyos
login {
user vyos {
authentication {
encrypted-password [REDACTED]
/* empty plaintext-password is presumably the normal post-commit state (only the hash is stored) - verify */
plaintext-password ""
}
}
}
/* local7 at debug level in addition to all/info - verify the volume is intended */
syslog {
global {
facility all {
level info
}
facility local7 {
level debug
}
}
}
}
vpn {
ipsec {
/* One PSK per tunnel, selected by the Cloudflare-assigned identity; secrets redacted in this dump */
authentication {
psk cf_mwan_ipsec_tun_01 {
id [REDACTED].ipsec.cloudflare.com
secret [REDACTED]
}
psk cf_mwan_ipsec_tun_02 {
id [REDACTED].ipsec.cloudflare.com
secret [REDACTED]
}
}
/* CHILD_SA parameters shared by both peers: AES-256-GCM (AEAD, so the hash entry acts as PRF/integrity fallback), tunnel mode, 24h lifetime. pfs enable presumably reuses the IKE group's DH group (14) on rekey - confirm */
esp-group cf_mwan_esp_group {
lifetime 86400
mode tunnel
pfs enable
proposal 1 {
encryption aes256gcm128
hash sha512
}
}
/* IKEv2 with DH group 14, AES-256-GCM, SHA-512 PRF, 24h lifetime. DPD restarts the tunnel after 120s without a reply (30s probes); MOBIKE off */
ike-group cf_mwan_ike_group {
close-action none
dead-peer-detection {
action restart
interval 30
timeout 120
}
disable-mobike
key-exchange ikev2
lifetime 86400
proposal 1 {
dh-group 14
encryption aes256gcm128
hash sha512
}
}
/* IKE/ESP bound to the WAN interface */
interface eth0
/* Routes are not installed from the SA; the static table-100 config above provides them */
options {
disable-route-autoinstall
}
site-to-site {
/* Tunnel 1: this router initiates; remote-id equals the peer address. replay-window 0 disables ESP anti-replay detection on this SA - appears to be a peer requirement, confirm against the vendor guide before keeping it (the two-tunnel ECMP alone does not need it, each SA has its own sequence space). ikev2-reauth no = rekey without re-authentication */
peer cf_mwan_ipsec_tun_01 {
authentication {
local-id [REDACTED].ipsec.cloudflare.com
mode pre-shared-secret
remote-id 162.159.68.68
}
connection-type initiate
ike-group cf_mwan_ike_group
ikev2-reauth no
local-address 192.168.224.135
remote-address 162.159.68.68
replay-window 0
vti {
bind vti1
esp-group cf_mwan_esp_group
}
}
/* Tunnel 2: same settings as tunnel 1 (including replay-window 0 - see the note there), bound to vti2 */
peer cf_mwan_ipsec_tun_02 {
authentication {
local-id [REDACTED].ipsec.cloudflare.com
mode pre-shared-secret
remote-id 172.64.244.68
}
connection-type initiate
ike-group cf_mwan_ike_group
ikev2-reauth no
local-address 192.168.224.135
remote-address 172.64.244.68
replay-window 0
vti {
bind vti2
esp-group cf_mwan_esp_group
}
}
}
}
}
[edit]