#!/bin/bash
ENI_ADDR=100.64.64.10
LOCAL_PREFIX=100.64.64.0/21
REMOTE_PREFIX=172.16.0.0/16
VPN_ID=vpn-ebe135dc
LOCAL_BGP_AS=65100
REMOTE_BGP_AS=65110
TUN1_INTERFACE=vti0
TUN1_INTERFACE_LOCAL_ADDR=169.254.59.150
TUN1_INTERFACE_REMOTE_ADDR=169.254.59.149
TUN1_PEER_ADDR=18.216.212.249
TUN1_INTERFACE_CIDR=30
TUN1_SHARED_SECRET=lBx1h3CVgKXJ1Cm47Q4WQhrVUDj54oHN
TUN2_INTERFACE=vti1
TUN2_INTERFACE_LOCAL_ADDR=169.254.59.106
TUN2_INTERFACE_REMOTE_ADDR=169.254.59.105
TUN2_PEER_ADDR=52.14.142.186
TUN2_INTERFACE_CIDR=30
TUN2_SHARED_SECRET=l7ghyGq6HnOpL2JUrdiHG0jtRCxQmoba
cat <<EOF
conf
# Globals
set protocols bgp $LOCAL_BGP_AS network $LOCAL_PREFIX
set protocols bgp $LOCAL_BGP_AS parameters router-id $ENI_ADDR
set protocols static interface-route $LOCAL_PREFIX next-hop-interface eth0
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
# Tunnel 1
set interfaces vti $TUN1_INTERFACE description ${VPN_ID}-1
set interfaces vti $TUN1_INTERFACE address ${TUN1_INTERFACE_LOCAL_ADDR}/${TUN1_INTERFACE_CIDR}
set interfaces vti $TUN1_INTERFACE mtu 1436
set interfaces vti $TUN1_INTERFACE ip source-validation disable
set vpn ipsec ike-group ${VPN_ID}-1 proposal 1
set vpn ipsec ike-group ${VPN_ID}-1 proposal 1 encryption aes128
set vpn ipsec ike-group ${VPN_ID}-1 proposal 1 hash sha1
set vpn ipsec ike-group ${VPN_ID}-1 ikev2-reauth no
set vpn ipsec ike-group ${VPN_ID}-1 key-exchange ikev1
set vpn ipsec ike-group ${VPN_ID}-1 proposal 1 dh-group 2
set vpn ipsec ike-group ${VPN_ID}-1 lifetime 28800
set vpn ipsec ike-group ${VPN_ID}-1 dead-peer-detection action restart
set vpn ipsec ike-group ${VPN_ID}-1 dead-peer-detection interval 15
set vpn ipsec ike-group ${VPN_ID}-1 dead-peer-detection timeout 120
set vpn ipsec esp-group ${VPN_ID}-1 proposal 1 encryption aes128
set vpn ipsec esp-group ${VPN_ID}-1 proposal 1 hash sha1
set vpn ipsec esp-group ${VPN_ID}-1 lifetime 3600
set vpn ipsec esp-group ${VPN_ID}-1 pfs dh-group2
set vpn ipsec esp-group ${VPN_ID}-1 compression disable
set vpn ipsec site-to-site peer $TUN1_PEER_ADDR authentication mode pre-shared-secret
set vpn ipsec site-to-site peer $TUN1_PEER_ADDR ikev2-reauth inherit
edit vpn ipsec site-to-site peer $TUN1_PEER_ADDR
set authentication pre-shared-secret $TUN1_SHARED_SECRET
set authentication id $ENI_ADDR
set authentication remote-id $TUN1_PEER_ADDR
set ike-group ${VPN_ID}-1
set local-address $ENI_ADDR
set vti bind $TUN1_INTERFACE
set vti esp-group ${VPN_ID}-1
top
set protocols bgp $LOCAL_BGP_AS neighbor $TUN1_INTERFACE_REMOTE_ADDR ebgp-multihop 2
set protocols bgp $LOCAL_BGP_AS neighbor $TUN1_INTERFACE_REMOTE_ADDR remote-as $REMOTE_BGP_AS
set protocols bgp $LOCAL_BGP_AS neighbor $TUN1_INTERFACE_REMOTE_ADDR update-source $TUN1_INTERFACE_LOCAL_ADDR
# Tunnel 2
set interfaces vti $TUN2_INTERFACE description ${VPN_ID}-2
set interfaces vti $TUN2_INTERFACE address ${TUN2_INTERFACE_LOCAL_ADDR}/${TUN2_INTERFACE_CIDR}
set interfaces vti $TUN2_INTERFACE mtu 1436
set interfaces vti $TUN2_INTERFACE ip source-validation disable
set vpn ipsec ike-group ${VPN_ID}-2 proposal 1
set vpn ipsec ike-group ${VPN_ID}-2 proposal 1 encryption aes128
set vpn ipsec ike-group ${VPN_ID}-2 proposal 1 hash sha1
set vpn ipsec ike-group ${VPN_ID}-2 ikev2-reauth no
set vpn ipsec ike-group ${VPN_ID}-2 key-exchange ikev1
set vpn ipsec ike-group ${VPN_ID}-2 proposal 1 dh-group 2
set vpn ipsec ike-group ${VPN_ID}-2 lifetime 28800
set vpn ipsec ike-group ${VPN_ID}-1 dead-peer-detection action restart
set vpn ipsec ike-group ${VPN_ID}-2 dead-peer-detection interval 15
set vpn ipsec ike-group ${VPN_ID}-2 dead-peer-detection timeout 120
set vpn ipsec esp-group ${VPN_ID}-2 proposal 1 encryption aes128
set vpn ipsec esp-group ${VPN_ID}-2 proposal 1 hash sha1
set vpn ipsec esp-group ${VPN_ID}-2 lifetime 3600
set vpn ipsec esp-group ${VPN_ID}-2 pfs dh-group2
set vpn ipsec esp-group ${VPN_ID}-2 compression disable
set vpn ipsec site-to-site peer $TUN2_PEER_ADDR authentication mode pre-shared-secret
edit vpn ipsec site-to-site peer $TUN2_PEER_ADDR
set authentication pre-shared-secret $TUN2_SHARED_SECRET
set ike-group ${VPN_ID}-2
set local-address $ENI_ADDR
set vti bind $TUN2_INTERFACE
set vti esp-group ${VPN_ID}-2
top
set protocols bgp $LOCAL_BGP_AS neighbor $TUN2_INTERFACE_REMOTE_ADDR ebgp-multihop 2
set protocols bgp $LOCAL_BGP_AS neighbor $TUN2_INTERFACE_REMOTE_ADDR remote-as $REMOTE_BGP_AS
set protocols bgp $LOCAL_BGP_AS neighbor $TUN2_INTERFACE_REMOTE_ADDR update-source $TUN2_INTERFACE_LOCAL_ADDR
commit
save
EOF