diff options
author | Robert Göhler <github@ghlr.de> | 2023-10-26 13:36:13 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-10-26 13:36:13 +0200 |
commit | 7aa0c1ab320a527900c5c54c81264a2f31b7db06 (patch) | |
tree | 8b040d7add61ba45b15dc7eb92019d4cb620f517 | |
parent | 90c343fa9289ec150b3908bb625156198c2d6145 (diff) | |
parent | 4d7e44d3e7a80d028a12785ccaed4d78ab7636bd (diff) | |
download | vyos-documentation-7aa0c1ab320a527900c5c54c81264a2f31b7db06.tar.gz vyos-documentation-7aa0c1ab320a527900c5c54c81264a2f31b7db06.zip |
Merge pull request #1126 from srividya0208/ipsec_vips
Added config example of vpn ipsec site-to-site
-rw-r--r-- | docs/configexamples/index.rst | 1 | ||||
-rw-r--r-- | docs/configexamples/site-2-site-cisco.rst | 177 | ||||
-rw-r--r-- | docs/configuration/vpn/ipsec.rst | 4 | ||||
-rw-r--r-- | docs/configuration/vpn/site2site_ipsec.rst | 4 |
4 files changed, 184 insertions, 2 deletions
diff --git a/docs/configexamples/index.rst b/docs/configexamples/index.rst index a0413bfd..5528d280 100644 --- a/docs/configexamples/index.rst +++ b/docs/configexamples/index.rst @@ -22,6 +22,7 @@ This chapter contains various configuration examples: segment-routing-isis nmp policy-based-ipsec-and-firewall + site-2-site-cisco Configuration Blueprints (autotest) diff --git a/docs/configexamples/site-2-site-cisco.rst b/docs/configexamples/site-2-site-cisco.rst new file mode 100644 index 00000000..96e48d07 --- /dev/null +++ b/docs/configexamples/site-2-site-cisco.rst @@ -0,0 +1,177 @@ +.. _examples-site-2-site-cisco: + +Site-to-Site IPSec VPN to Cisco using FlexVPN +--------------------------------------------- + +This guide shows a sample configuration for FlexVPN site-to-site Internet +Protocol Security (IPsec)/Generic Routing Encapsulation (GRE) tunnel. + +FlexVPN is a newer "solution" for deployment of VPNs and it utilizes IKEv2 as +the key exchange protocol. The result is a flexible and scalable VPN solution +that can be easily adapted to fit various network needs. It can also support a +variety of encryption methods, including AES and 3DES. + +The lab was built using EVE-NG. + + +Configuration +^^^^^^^^^^^^^^ + +VyOS +===== + +- GRE: + +.. code-block:: none + + set interfaces tunnel tun1 encapsulation 'gre' + set interfaces tunnel tun1 ip adjust-mss '1336' + set interfaces tunnel tun1 mtu '1376' + set interfaces tunnel tun1 remote '10.1.1.6' + set interfaces tunnel tun1 source-address '88.2.2.1' + + +- IPsec: + +.. code-block:: none + + set vpn ipsec authentication psk vyos_cisco_l id 'vyos.net’ + set vpn ipsec authentication psk vyos_cisco_l id 'cisco.hub.net' + set vpn ipsec authentication psk vyos_cisco_l secret 'secret' + set vpn ipsec esp-group e1 lifetime '3600' + set vpn ipsec esp-group e1 mode 'tunnel' + set vpn ipsec esp-group e1 pfs 'disable' + set vpn ipsec esp-group e1 proposal 1 encryption 'aes128' + set vpn ipsec esp-group e1 proposal 1 hash 'sha256' + set vpn ipsec ike-group i1 key-exchange 'ikev2' + set vpn ipsec ike-group i1 lifetime '28800' + set vpn ipsec ike-group i1 proposal 1 dh-group '5' + set vpn ipsec ike-group i1 proposal 1 encryption 'aes256' + set vpn ipsec ike-group i1 proposal 1 hash 'sha256' + set vpn ipsec interface 'eth2' + set vpn ipsec options disable-route-autoinstall + set vpn ipsec options flexvpn + set vpn ipsec options interface 'tun1' + set vpn ipsec options virtual-ip + set vpn ipsec site-to-site peer cisco_hub authentication local-id 'vyos.net' + set vpn ipsec site-to-site peer cisco_hub authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer cisco_hub authentication remote-id 'cisco.hub.net' + set vpn ipsec site-to-site peer cisco_hub connection-type 'initiate' + set vpn ipsec site-to-site peer cisco_hub default-esp-group 'e1' + set vpn ipsec site-to-site peer cisco_hub ike-group 'i1' + set vpn ipsec site-to-site peer cisco_hub local-address '88.2.2.1' + set vpn ipsec site-to-site peer cisco_hub remote-address '10.1.1.6' + set vpn ipsec site-to-site peer cisco_hub tunnel 1 local prefix '88.2.2.1/32' + set vpn ipsec site-to-site peer cisco_hub tunnel 1 protocol 'gre' + set vpn ipsec site-to-site peer cisco_hub tunnel 1 remote prefix '10.1.1.6/32' + set vpn ipsec site-to-site peer cisco_hub virtual-address '0.0.0.0' + + +Cisco +===== +.. code-block:: none + + aaa new-model + ! + ! + aaa authorization network default local + ! + crypto ikev2 name-mangler GET_DOMAIN + fqdn all + email all + ! + ! + crypto ikev2 authorization policy vyos + pool mypool + aaa attribute list mylist + route set interface + route accept any tag 100 distance 5 + ! + crypto ikev2 keyring mykeys + peer peer1 + identity fqdn vyos.net + pre-shared-key local secret + pre-shared-key remote secret + crypto ikev2 profile my_profile + match identity remote fqdn vyos.net + identity local fqdn cisco.hub.net + authentication remote pre-share + authentication local pre-share + keyring local mykeys + dpd 10 3 periodic + aaa authorization group psk list local name-mangler GET_DOMAIN + aaa authorization user psk cached + virtual-template 1 + ! + ! + ! + crypto ipsec transform-set TSET esp-aes esp-sha256-hmac + mode tunnel + ! + ! + crypto ipsec profile my-ipsec-profile + set transform-set TSET + set ikev2-profile my_profile + ! + interface Virtual-Template1 type tunnel + no ip address + ip mtu 1376 + ip nhrp network-id 1 + ip nhrp shortcut virtual-template 1 + ip tcp adjust-mss 1336 + tunnel path-mtu-discovery + tunnel protection ipsec profile my-ipsec-profile + ! + ip local pool my_pool 172.16.122.1 172.16.122.254 + + +Since the tunnel is a point-to-point GRE tunnel, it behaves like any other +point-to-point interface (for example: serial, dialer), and it is possible to +run any Interior Gateway Protocol (IGP)/Exterior Gateway Protocol (EGP) over +the link in order to exchange routing information + +Verification +^^^^^^^^^^^^ + +.. code-block:: none + + vyos@vyos$ show interfaces + Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down + Interface IP Address S/L Description + --------- ---------- --- ----------- + eth0 - u/u + eth1 - u/u + eth2 88.2.2.1/24 u/u + eth3 172.16.1.2/24 u/u + lo 127.0.0.1/8 u/u + ::1/128 + tun1 172.16.122.2/32 u/u + + vyos@vyos:~$ show vpn ipsec sa + Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal + ------------------ ------- -------- -------------- ---------------- ---------------- --------------------- ----------------------------- + cisco_hub-tunnel-1 up 44m17s 35K/31K 382/367 10.1.1.6 cisco.hub.net AES_CBC_128/HMAC_SHA2_256_128 + + + Hub#sh crypto ikev2 sa detailed + IPv4 Crypto IKEv2 SA + + Tunnel-id Local Remote fvrf/ivrf Status + 5 10.1.1.6/4500 88.2.2.1/4500 none/none READY + Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK + Life/Active Time: 86400/2694 sec + CE id: 0, Session-id: 2 + Status Description: Negotiation done + Local spi: C94EE2DC92A60C47 Remote spi: 9AF0EF151BECF14C + Local id: cisco.hub.net + Remote id: vyos.net + Local req msg id: 269 Remote req msg id: 0 + Local next msg id: 269 Remote next msg id: 0 + Local req queued: 269 Remote req queued: 0 + Local window: 5 Remote window: 1 + DPD configured for 10 seconds, retry 3 + Fragmentation not configured. + Extended Authentication not configured. + NAT-T is not detected + Cisco Trust Security SGT is disabled + Assigned host addr: 172.16.122.2 diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index c91feea0..ece06fa2 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -161,11 +161,11 @@ Options (Global IPsec settings) Attributes * ``disable-route-autoinstall`` Do not automatically install routes to remote networks; - * ``flexvpn`` Allow FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work for GRE encapsulation; + * ``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work for GRE encapsulation; * ``interface`` Interface Name to use. The name of the interface on which virtual IP addresses should be installed. If not specified the addresses will be installed on the outbound interface; - * ``virtual-ip`` Allow install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all. + * ``virtual-ip`` Allows to install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all. Define the ``virtual-address`` option to configure the IP address in site-to-site hierarchy. ************************* IPsec policy matching GRE diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index 57b45181..2b3403f5 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -149,6 +149,10 @@ Each site-to-site peer has the next options: * ``esp-group`` - define ESP group for encrypt traffic, passed this VTI interface. +* ``virtual-address`` - Defines a virtual IP address which is requested by the + initiator and one or several IPv4 and/or IPv6 addresses are assigned from + multiple pools by the responder. + Examples: ------------------ |