IPsec_x509_certs_1.4

# IPsec between R1 & R2 with R1 as a CA for x509 certs
# Tested in VyOS 1.4-rolling-202110310317

#### R1 chosen as CA
# ON R1 (CA) IN NON CONFIG MODE #
### generate keys and copy commands: 
vyos@R1:~$ generate pki ca install CA
vyos@vyos:~$ generate pki ca install CA
Enter private key type: [rsa, dsa, ec] (Default: rsa)
Enter private key bits: (Default: 2048)
Enter country code: (Default: GB)
Enter state: (Default: Some-State)
Enter locality: (Default: Some-City)
Enter organization name: (Default: VyOS)
Enter common name: (Default: vyos.io) CA
Enter how many days certificate will be valid: (Default: 1825)
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] N
Configure mode commands to install:
set pki ca CA certificate 'MIIDnTCCAo........='
set pki ca CA private key 'MIIEvwIBAD........='

# paste this commands to config mode on R1 (CA):
set pki ca CA certificate 'MIIDnTCCAo........='
set pki ca CA private key 'MIIEvwIBAD........='
commit
save

# ON R1 (CA) IN NON CONFIG MODE #
### Fill in all the fields. ESPECIALLY WITH СТ (Enter common name:)
vyos@R1:~$ generate pki certificate sign CA install R1

Do you already have a certificate request? [y/N] N
Enter private key type: [rsa, dsa, ec] (Default: rsa)
Enter private key bits: (Default: 2048)
Enter country code: (Default: GB)
Enter state: (Default: Some-State)
Enter locality: (Default: Some-City)
Enter organization name: (Default: VyOS)
Enter common name: (Default: vyos.io) R1
Do you want to configure Subject Alternative Names? [y/N] N
Enter how many days certificate will be valid: (Default: 365)
Enter certificate type: (client, server) (Default: server)
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] N
Configure mode commands to install:
set pki certificate R1 certificate 'MIIDrDCCA ..............='
set pki certificate R1 private key 'MIIEvgIBA...............O'


vyos@R1:~$ generate pki certificate sign CA install R2
Do you already have a certificate request? [y/N] N
Enter private key type: [rsa, dsa, ec] (Default: rsa)
Enter private key bits: (Default: 2048)
Enter country code: (Default: GB)
Enter state: (Default: Some-State)
Enter locality: (Default: Some-City)
Enter organization name: (Default: VyOS)
Enter common name: (Default: vyos.io) R2
Do you want to configure Subject Alternative Names? [y/N] N
Enter how many days certificate will be valid: (Default: 365)
Enter certificate type: (client, server) (Default: server)
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] N
Configure mode commands to install:
set pki certificate R2 certificate 'MIIDrDCCAp...........='
set pki certificate R2 private key 'MIIEvgIBAD...........L'


# on R1 (CA cert already there. Needs: R1 cert, R1 private key):
set pki certificate R1 certificate 'MIIDrDCCA ..............='
set pki certificate R1 private key 'MIIEvgIBA...............O'

# on R2 (Needs: CA cert, R2 cert, R2 private key):
set pki ca CA certificate 'MIIDnTCCAo........='
set pki certificate R1 certificate 'MIIDrDCCAp...........='
set pki certificate R1 private key 'MIIEvgIBA...............O'

# on R1:

set interfaces ethernet eth0 address '1.1.1.1/24'
set system host R1
set interfaces vti vti10 address 10.10.10.1/30
set vpn ipsec esp-group ESP_DEFAULT compression 'disable'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec interface eth0
set vpn ipsec site-to-site peer 1.1.1.2 authentication id 'C=GB, ST=Some-State, L=Some-City, O=VyOS, CN=R1'
set vpn ipsec site-to-site peer 1.1.1.2 authentication mode 'x509'
set vpn ipsec site-to-site peer 1.1.1.2 authentication remote-id 'C=GB, ST=Some-State, L=Some-City, O=VyOS, CN=R2'
set vpn ipsec site-to-site peer 1.1.1.2 authentication x509 ca-certificate CA
set vpn ipsec site-to-site peer 1.1.1.2 authentication x509 certificate R1
set vpn ipsec site-to-site peer 1.1.1.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 1.1.1.2 ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer 1.1.1.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 1.1.1.2 local-address 1.1.1.1
set vpn ipsec site-to-site peer 1.1.1.2 vti bind 'vti10'
set vpn ipsec site-to-site peer 1.1.1.2 vti esp-group 'ESP_DEFAULT'
set vpn ipsec options disable-route-autoinstall


# onR2:

set interfaces ethernet eth0 address '1.1.1.2/24'
set system host R2
set interfaces vti vti10 address 10.10.10.2/30
set vpn ipsec esp-group ESP_DEFAULT compression 'disable'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec interface eth0
set vpn ipsec site-to-site peer 1.1.1.1 authentication id 'C=GB, ST=Some-State, L=Some-City, O=VyOS, CN=R2'
set vpn ipsec site-to-site peer 1.1.1.1 authentication mode 'x509'
set vpn ipsec site-to-site peer 1.1.1.1 authentication remote-id 'C=GB, ST=Some-State, L=Some-City, O=VyOS, CN=R1'
set vpn ipsec site-to-site peer 1.1.1.1 authentication x509 ca-certificate CA
set vpn ipsec site-to-site peer 1.1.1.1 authentication x509 certificate R2
set vpn ipsec site-to-site peer 1.1.1.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 1.1.1.1 ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer 1.1.1.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 1.1.1.1 local-address 1.1.1.2
set vpn ipsec site-to-site peer 1.1.1.1 vti bind 'vti10'
set vpn ipsec site-to-site peer 1.1.1.1 vti esp-group 'ESP_DEFAULT'
set vpn ipsec options disable-route-autoinstall