
VyOS Transit Gateway Spoke Isolation

Description

This is based on the following Palo Alto guide for Transit Gateway deployments:

Diagram


https://wiki.nerdydrunk.info/_media/images:svg:transit_gateway_spoke_isolation_via_vpn.svg

VyOS Configuration

The firewall ruleset named “isolate_spokes” prevents VPC 33 from initiating connections to VPC 34; because the ruleset is stateful, VPC 34 can still initiate connections to VPC 33 and receive the replies.

The following line was changed from the AWS Vyatta VPN configuration file because of differences in BGP configuration syntax between Vyatta and VyOS:

## VyOS form: the network statement sits under the address-family node.
set protocols bgp 65253 address-family ipv4-unicast network 0.0.0.0/0

##
## AWS Original Line (Vyatta syntax, kept here for reference only)
##
# set protocols bgp 65253 network 0.0.0.0/0

The following lines were changed from the AWS Vyatta VPN configuration because the VyOS instance obtains its address via DHCP, as it does in an AWS VPC. Remove the AWS local-address lines and add the dhcp-interface lines in their place.

## VyOS form: each peer references the DHCP-addressed interface instead of a fixed
## local-address, so the tunnels survive the instance's address being assigned by DHCP.
set vpn ipsec site-to-site peer 34.205.250.171 dhcp-interface 'eth0'
set vpn ipsec site-to-site peer 34.238.79.213 dhcp-interface 'eth0'

##
## AWS Original Lines (static local-address form; remove these before adding the lines above)
##
# set vpn ipsec site-to-site peer 34.205.250.171 local-address '107.20.10.85'
# set vpn ipsec site-to-site peer 34.238.79.213 local-address '107.20.10.85'

The VyOS configuration, excluding unrelated settings such as logins, SSH, etc.:

##
## Firewall ruleset "isolate_spokes". It is attached below as the *in* ruleset on
## vti0 and vti1, i.e. it filters packets arriving from the two AWS tunnels.
## Rules are evaluated in numeric order; the default action applies when none match.
##
set firewall name isolate_spokes default-action 'accept'
## Rule 100 is evaluated before rule 200, so reply traffic of an existing session is
## accepted even when its addresses match rule 200. This is what makes the isolation
## one-way: VPC 34 (10.34.0.0/16) may open connections to VPC 33 and get the replies.
set firewall name isolate_spokes rule 100 action 'accept'
set firewall name isolate_spokes rule 100 state established 'enable'
set firewall name isolate_spokes rule 100 state related 'enable'
## Rule 200 drops new connections from VPC 33 to VPC 34 only. Because default-action is
## 'accept', every other flow (including 34 -> 33) passes; a second rule with the
## source/destination swapped would be needed to block both directions.
set firewall name isolate_spokes rule 200 action 'drop'
set firewall name isolate_spokes rule 200 destination address '10.34.0.0/16'
set firewall name isolate_spokes rule 200 source address '10.33.0.0/16'
## eth0 is addressed by DHCP; the IPsec peers reference it via dhcp-interface.
set interfaces ethernet eth0 address 'dhcp'
## One VTI per AWS tunnel, each with the tunnel's /30 inside address, an explicit MTU,
## and the isolate_spokes ruleset applied on ingress.
set interfaces vti vti0 address '169.254.227.86/30'
set interfaces vti vti0 description 'VPC tunnel 1'
set interfaces vti vti0 firewall in name 'isolate_spokes'
set interfaces vti vti0 mtu '1436'
set interfaces vti vti1 address '169.254.93.86/30'
set interfaces vti vti1 description 'VPC tunnel 2'
set interfaces vti vti1 firewall in name 'isolate_spokes'
set interfaces vti vti1 mtu '1436'
## Source NAT: masquerades *all* traffic leaving eth0 -- there is no source-address
## match, so nothing limits which flows are translated.
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 translation address 'masquerade'
## BGP (local AS 65253): advertises a default route to both AWS tunnel endpoints
## (remote AS 64512) with the short hold/keepalive timers AWS expects.
set protocols bgp 65253 address-family ipv4-unicast network 0.0.0.0/0
set protocols bgp 65253 neighbor 169.254.93.85 remote-as '64512'
set protocols bgp 65253 neighbor 169.254.93.85 timers holdtime '30'
set protocols bgp 65253 neighbor 169.254.93.85 timers keepalive '10'
set protocols bgp 65253 neighbor 169.254.227.85 remote-as '64512'
set protocols bgp 65253 neighbor 169.254.227.85 timers holdtime '30'
set protocols bgp 65253 neighbor 169.254.227.85 timers keepalive '10'
## ESP/IKE parameters as supplied by the AWS configuration file. aes128/sha1 and
## DH group 2 are below current best-practice strength; a stronger proposal can only be
## used if the AWS side of each tunnel is configured to match -- confirm before changing.
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
## DPD restarts the tunnel if the peer stops answering (15 s probes, 30 s timeout).
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
##
## Site-to-site peers (one per AWS tunnel endpoint).
## NOTE(review): the pre-shared secrets below appear verbatim in this listing. Treat
## them as sample values only; a key that has been published must be rotated on both
## the AWS and VyOS side if it ever belonged to a live tunnel. The peer and /30 tunnel
## addresses are likewise specific to one AWS VPN connection and must be replaced.
##
set vpn ipsec site-to-site peer 34.205.250.171 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 34.205.250.171 authentication pre-shared-secret 'In6YeFxQfTfPhgyTVVvBAlecVbSSeuG4'
set vpn ipsec site-to-site peer 34.205.250.171 description 'VPC tunnel 1'
set vpn ipsec site-to-site peer 34.205.250.171 dhcp-interface 'eth0'
set vpn ipsec site-to-site peer 34.205.250.171 ike-group 'AWS'
set vpn ipsec site-to-site peer 34.205.250.171 vti bind 'vti0'
set vpn ipsec site-to-site peer 34.205.250.171 vti esp-group 'AWS'
set vpn ipsec site-to-site peer 34.238.79.213 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 34.238.79.213 authentication pre-shared-secret 'AelIhmGktbdAN2k.sxbmB0GAUkIkjcTV'
set vpn ipsec site-to-site peer 34.238.79.213 description 'VPC tunnel 2'
set vpn ipsec site-to-site peer 34.238.79.213 dhcp-interface 'eth0'
set vpn ipsec site-to-site peer 34.238.79.213 ike-group 'AWS'
set vpn ipsec site-to-site peer 34.238.79.213 vti bind 'vti1'
set vpn ipsec site-to-site peer 34.238.79.213 vti esp-group 'AWS'