У меня есть USG Pro 4, и я хочу поднять IPsec-туннель между AWS и моей локальной сетью. Я скачал из AWS готовую конфигурацию IPsec для Vyatta и добавил её в USG через ssh — команды ниже. Теперь мне нужно перенести её в config.gateway.json, но я не знаю, какие разделы текущей конфигурации туда нужно включить: достаточно только секции «vpn ipsec», или нужно добавить ещё и «interfaces» (vti0) и «protocols» (bgp), которые тоже задаются этими командами?
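# EdgeOS/VyOS "set" commands for AWS Site-to-Site VPN tunnel 1 (route-based: VTI + BGP),
# as pasted into "configure" on a USG Pro 4 over ssh.
# Placeholders from the AWS download: AWS_IP = the tunnel's AWS outside address,
# MY_WAN_IP = the customer gateway's public address, 'key' = the pre-shared secret.
#
# NOTE(review): for config.gateway.json every node touched below has to be carried over,
# i.e. the "vpn", "interfaces" (vti0) and "protocols" (bgp) subtrees, not just "vpn ipsec" —
# anything the controller does not know about is dropped on the next provision.
# The JSON then holds the PSK in plaintext: keep it out of version control and
# world-readable paths.

# --- IKE (phase 1) -------------------------------------------------------------
set vpn ipsec ike-group AWS lifetime '28800'
# The AWS template ships dh-group 2 (1024-bit MODP) and sha1. AWS Site-to-Site VPN
# negotiates DH 14 and SHA-256 by default, so prefer those; if the tunnel options were
# restricted in the AWS console, match whatever is allowed there.
set vpn ipsec ike-group AWS proposal 1 dh-group '14'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha256'
# Dead-peer detection: restart the SA when AWS stops answering.
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'

# --- ESP (phase 2) -------------------------------------------------------------
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
# pfs 'enable' reuses the ike-group's dh-group for phase-2 rekeys.
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha256'

# --- peer ----------------------------------------------------------------------
# 'eth0' is the AWS template's placeholder; it must be the interface that owns MY_WAN_IP.
# On a USG Pro 4 the WAN port is normally eth2 — verify before committing.
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer AWS_IP authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer AWS_IP authentication pre-shared-secret 'key'
set vpn ipsec site-to-site peer AWS_IP description 'VPC tunnel 1'
set vpn ipsec site-to-site peer AWS_IP ike-group 'AWS'
set vpn ipsec site-to-site peer AWS_IP local-address 'MY_WAN_IP'
set vpn ipsec site-to-site peer AWS_IP vti bind 'vti0'
set vpn ipsec site-to-site peer AWS_IP vti esp-group 'AWS'

# --- VTI -----------------------------------------------------------------------
# Inside address is the /30 AWS assigned. No firewall ruleset is bound to vti0, so
# traffic arriving from the VPC reaches the LAN unfiltered — attach a ruleset
# ("set interfaces vti vti0 firewall in name ...") if that is not intended.
set interfaces vti vti0 address '169.254.106.114/30'
set interfaces vti vti0 description 'VPC tunnel 1'
set interfaces vti vti0 mtu '1436'

# --- BGP -----------------------------------------------------------------------
# 65000 = this gateway's ASN, 64512 = the AWS side; the neighbour is the AWS end of the /30.
# Only 192.168.77.0/24 is advertised, but everything AWS advertises is accepted as-is —
# consider an inbound prefix-list / route-map so the VPC cannot inject arbitrary prefixes.
set protocols bgp 65000 neighbor 169.254.106.113 remote-as '64512'
set protocols bgp 65000 neighbor 169.254.106.113 soft-reconfiguration 'inbound'
set protocols bgp 65000 neighbor 169.254.106.113 timers holdtime '30'
set protocols bgp 65000 neighbor 169.254.106.113 timers keepalive '10'
set protocols bgp 65000 network 192.168.77.0/24
# This is tunnel 1 only. The AWS download also contains tunnel 2 (second peer, vti1,
# second BGP neighbour); without it there is no failover when AWS maintains tunnel 1.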
P.S. Также пробовал создать туннель через GUI контроллер — не получилось, работает только если конфиг загружать через ssh в USG.
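# EdgeOS/VyOS "set" commands for AWS Site-to-Site VPN tunnel 1 (route-based: VTI + BGP),
# as pasted into "configure" on a USG Pro 4 over ssh.
# Placeholders from the AWS download: AWS_IP = the tunnel's AWS outside address,
# MY_WAN_IP = the customer gateway's public address, 'key' = the pre-shared secret.
#
# NOTE(review): for config.gateway.json every node touched below has to be carried over,
# i.e. the "vpn", "interfaces" (vti0) and "protocols" (bgp) subtrees, not just "vpn ipsec" —
# anything the controller does not know about is dropped on the next provision.
# The JSON then holds the PSK in plaintext: keep it out of version control and
# world-readable paths.

# --- IKE (phase 1) -------------------------------------------------------------
set vpn ipsec ike-group AWS lifetime '28800'
# The AWS template ships dh-group 2 (1024-bit MODP) and sha1. AWS Site-to-Site VPN
# negotiates DH 14 and SHA-256 by default, so prefer those; if the tunnel options were
# restricted in the AWS console, match whatever is allowed there.
set vpn ipsec ike-group AWS proposal 1 dh-group '14'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha256'
# Dead-peer detection: restart the SA when AWS stops answering.
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'

# --- ESP (phase 2) -------------------------------------------------------------
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
# pfs 'enable' reuses the ike-group's dh-group for phase-2 rekeys.
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha256'

# --- peer ----------------------------------------------------------------------
# 'eth0' is the AWS template's placeholder; it must be the interface that owns MY_WAN_IP.
# On a USG Pro 4 the WAN port is normally eth2 — verify before committing.
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer AWS_IP authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer AWS_IP authentication pre-shared-secret 'key'
set vpn ipsec site-to-site peer AWS_IP description 'VPC tunnel 1'
set vpn ipsec site-to-site peer AWS_IP ike-group 'AWS'
set vpn ipsec site-to-site peer AWS_IP local-address 'MY_WAN_IP'
set vpn ipsec site-to-site peer AWS_IP vti bind 'vti0'
set vpn ipsec site-to-site peer AWS_IP vti esp-group 'AWS'

# --- VTI -----------------------------------------------------------------------
# Inside address is the /30 AWS assigned. No firewall ruleset is bound to vti0, so
# traffic arriving from the VPC reaches the LAN unfiltered — attach a ruleset
# ("set interfaces vti vti0 firewall in name ...") if that is not intended.
set interfaces vti vti0 address '169.254.106.114/30'
set interfaces vti vti0 description 'VPC tunnel 1'
set interfaces vti vti0 mtu '1436'

# --- BGP -----------------------------------------------------------------------
# 65000 = this gateway's ASN, 64512 = the AWS side; the neighbour is the AWS end of the /30.
# Only 192.168.77.0/24 is advertised, but everything AWS advertises is accepted as-is —
# consider an inbound prefix-list / route-map so the VPC cannot inject arbitrary prefixes.
set protocols bgp 65000 neighbor 169.254.106.113 remote-as '64512'
set protocols bgp 65000 neighbor 169.254.106.113 soft-reconfiguration 'inbound'
set protocols bgp 65000 neighbor 169.254.106.113 timers holdtime '30'
set protocols bgp 65000 neighbor 169.254.106.113 timers keepalive '10'
set protocols bgp 65000 network 192.168.77.0/24
# This is tunnel 1 only. The AWS download also contains tunnel 2 (second peer, vti1,
# second BGP neighbour); without it there is no failover when AWS maintains tunnel 1.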
P.S. Также пробовал создать туннель через GUI контроллер — не получилось, работает только если конфиг загружать через ssh в USG.
