vyos参考配置

基本配置

set interfaces ethernet eth0 address '192.168.114.248/24'

调整主备策略

set policy route-map ADD-ASPATH rule 1 action 'permit'
set policy route-map ADD-ASPATH rule 1 set as-path-prepend '65000'
set policy route-map SET-LP rule 1 action 'permit'
set policy route-map SET-LP rule 1 set local-preference '200'
set protocols bgp 65000 address-family ipv4-unicast network 192.168.114.0/24
set protocols bgp 65000 neighbor 169.254.62.1 address-family ipv4-unicast route-map export 'ADD-ASPATH'
set protocols bgp 65000 neighbor 169.254.62.1 remote-as '64512'
set protocols bgp 65000 neighbor 169.254.62.1 update-source '169.254.62.2'
set protocols bgp 65000 neighbor 169.254.83.1 address-family ipv4-unicast route-map import 'SET-LP'
set protocols bgp 65000 neighbor 169.254.83.1 remote-as '64512'
set protocols bgp 65000 neighbor 169.254.83.1 timers holdtime '30'
set protocols bgp 65000 neighbor 169.254.83.1 timers keepalive '10'
set protocols bgp 65000 neighbor 169.254.83.1 update-source '169.254.83.2'
set protocols bgp 65000 parameters router-id '169.254.83.2'
set protocols static route 0.0.0.0/0 next-hop 192.168.114.1

vti方式建立ipsec配置：

set interfaces vti vti1 address '169.254.83.2/30'
set interfaces vti vti2 address '169.254.62.2/30'
set vpn ipsec esp-group ESP-1E compression 'disable'
set vpn ipsec esp-group ESP-1E lifetime '3600'
set vpn ipsec esp-group ESP-1E mode 'tunnel'
set vpn ipsec esp-group ESP-1E pfs 'dh-group2'
set vpn ipsec esp-group ESP-1E proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-1E proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-1E dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-1E dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-1E dead-peer-detection timeout '120'
set vpn ipsec ike-group IKE-1E ikev2-reauth 'no'
set vpn ipsec ike-group IKE-1E key-exchange 'ikev1'
set vpn ipsec ike-group IKE-1E lifetime '28800'
set vpn ipsec ike-group IKE-1E proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-1E proposal 1 encryption '3des'
set vpn ipsec ike-group IKE-1E proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 124.71.60.54 authentication id '58.255.36.219'
set vpn ipsec site-to-site peer 124.71.60.54 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 124.71.60.54 authentication pre-shared-secret 'www.myj123.com'
set vpn ipsec site-to-site peer 124.71.60.54 authentication remote-id '10.243.129.4'
set vpn ipsec site-to-site peer 124.71.60.54 connection-type 'initiate'
set vpn ipsec site-to-site peer 124.71.60.54 default-esp-group 'ESP-1E'
set vpn ipsec site-to-site peer 124.71.60.54 ike-group 'IKE-1E'
set vpn ipsec site-to-site peer 124.71.60.54 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 124.71.60.54 local-address '192.168.114.248'
set vpn ipsec site-to-site peer 124.71.60.54 vti bind 'vti2'
set vpn ipsec site-to-site peer 124.71.60.54 vti esp-group 'ESP-1E'
set vpn ipsec site-to-site peer 124.71.63.186 authentication id '58.255.36.219'
set vpn ipsec site-to-site peer 124.71.63.186 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 124.71.63.186 authentication pre-shared-secret 'www.myj123.com'
set vpn ipsec site-to-site peer 124.71.63.186 authentication remote-id '10.243.129.2'
set vpn ipsec site-to-site peer 124.71.63.186 connection-type 'initiate'
set vpn ipsec site-to-site peer 124.71.63.186 default-esp-group 'ESP-1E'
set vpn ipsec site-to-site peer 124.71.63.186 ike-group 'IKE-1E'
set vpn ipsec site-to-site peer 124.71.63.186 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 124.71.63.186 local-address '192.168.114.248'
set vpn ipsec site-to-site peer 124.71.63.186 vti bind 'vti1'
set vpn ipsec site-to-site peer 124.71.63.186 vti esp-group 'ESP-1E'