diff options
author | Christian Poessinger <christian@poessinger.com> | 2020-11-15 20:10:57 +0100 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-11-15 20:10:57 +0100 |
commit | 8a3147fca5aa6e1623a09d3ce120886463006418 (patch) | |
tree | e090e1502d753069dd871b5d05eb44edea187797 /docs/vpn/gre-ipsec.rst | |
parent | 2b7e8e29f58539bd89b79f7842c201002e871b33 (diff) | |
download | vyos-documentation-8a3147fca5aa6e1623a09d3ce120886463006418.tar.gz vyos-documentation-8a3147fca5aa6e1623a09d3ce120886463006418.zip |
vpn: dmvpn: move example from blueprints to the dmvpn chapter
Diffstat (limited to 'docs/vpn/gre-ipsec.rst')
-rw-r--r-- | docs/vpn/gre-ipsec.rst | 190 |
1 files changed, 0 insertions, 190 deletions
diff --git a/docs/vpn/gre-ipsec.rst b/docs/vpn/gre-ipsec.rst deleted file mode 100644 index 6d4bf1d0..00000000 --- a/docs/vpn/gre-ipsec.rst +++ /dev/null @@ -1,190 +0,0 @@ -.. _gre-ipsec: - -GRE/IPsec ---------- - -Generic Routing Encapsulation (GRE), GRE/IPsec (or IPIP/IPsec, SIT/IPsec, or any -other stateless tunnel protocol over IPsec) is the usual way to protect the -traffic inside a tunnel. - -An advantage of this scheme is that you get a real interface with its own -address, which makes it easier to setup static routes or use dynamic routing -protocols without having to modify IPsec policies. The other advantage is that -it greatly simplifies router to router communication, which can be tricky with -plain IPsec because the external outgoing address of the router usually doesn't -match the IPsec policy of typical site-to-site setup and you need to add special -configuration for it, or adjust the source address for outgoing traffic of your -applications. GRE/IPsec has no such problem and is completely transparent for -the applications. - -GRE/IPIP/SIT and IPsec are widely accepted standards, which make this scheme -easy to implement between VyOS and virtually any other router. - -For simplicity we'll assume that the protocol is GRE, it's not hard to guess -what needs to be changed to make it work with a different protocol. We assume -that IPsec will use pre-shared secret authentication and will use AES128/SHA1 -for the cipher and hash. Adjust this as necessary. - -.. NOTE:: VMware users should ensure that VMXNET3 adapters used, e1000 adapters - have known issue with GRE processing - -IPsec policy matching GRE -^^^^^^^^^^^^^^^^^^^^^^^^^ - -The first and arguably cleaner option is to make your IPsec policy match GRE -packets between external addresses of your routers. This is the best option if -both routers have static external addresses. - -Suppose the LEFT router has external address 192.0.2.10 on its eth0 interface, -and the RIGHT router is 203.0.113.45 - -On the LEFT: - -.. code-block:: none - - # GRE tunnel - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 local-ip 192.0.2.10 - set interfaces tunnel tun0 remote-ip 203.0.113.45 - set interfaces tunnel tun0 address 10.10.10.1/30 - - ## IPsec - set vpn ipsec ipsec-interfaces interface eth0 - - # IKE group - set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2' - set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128' - set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1' - - # ESP group - set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128' - set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1' - - # IPsec tunnel - set vpn ipsec site-to-site peer 203.0.113.45 authentication mode pre-shared-secret - set vpn ipsec site-to-site peer 203.0.113.45 authentication pre-shared-secret MYSECRETKEY - - set vpn ipsec site-to-site peer 203.0.113.45 ike-group MyIKEGroup - set vpn ipsec site-to-site peer 203.0.113.45 default-esp-group MyESPGroup - - set vpn ipsec site-to-site peer 203.0.113.45 local-address 192.0.2.10 - - # This will match all GRE traffic to the peer - set vpn ipsec site-to-site peer 203.0.113.45 tunnel 1 protocol gre - -On the RIGHT, setup by analogy and swap local and remote addresses. - - -Source tunnel from loopbacks -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -The scheme above doesn't work when one of the routers has a dynamic external -address though. The classic workaround for this is to setup an address on a -loopback interface and use it as a source address for the GRE tunnel, then setup -an IPsec policy to match those loopback addresses. - -We assume that the LEFT router has static 192.0.2.10 address on eth0, and the -RIGHT router has a dynamic address on eth0. - -**Setting up the GRE tunnel** - -On the LEFT: - -.. code-block:: none - - set interfaces loopback lo address 192.168.99.1/32 - - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 address 10.10.10.1/30 - set interfaces tunnel tun0 local-ip 192.168.99.1 - set interfaces tunnel tun0 remote-ip 192.168.99.2 - -On the RIGHT: - -.. code-block:: none - - set interfaces loopback lo address 192.168.99.2/32 - - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 address 10.10.10.2/30 - set interfaces tunnel tun0 local-ip 192.168.99.2 - set interfaces tunnel tun0 remote-ip 192.168.99.1 - -**Setting up IPSec** - -However, now you need to make IPsec work with dynamic address on one side. The -tricky part is that pre-shared secret authentication doesn't work with dynamic -address, so we'll have to use RSA keys. - -First, on both routers run the operational command "generate vpn rsa-key bits -2048". You may choose different length than 2048 of course. - -.. code-block:: none - - vyos@left# run generate vpn rsa-key bits 2048 - Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key - - Your new local RSA key has been generated - The public portion of the key is: - - 0sAQO2335[long string here] - -Then on the opposite router, add the RSA key to your config. - -.. code-block:: none - - set vpn rsa-keys rsa-key-name LEFT rsa-key KEYGOESHERE - -Now you are ready to setup IPsec. You'll need to use an ID instead of address -for the peer on the dynamic side. - -On the LEFT (static address): - -.. code-block:: none - - set vpn rsa-keys rsa-key-name RIGHT rsa-key <PUBLIC KEY FROM THE RIGHT> - - set vpn ipsec ipsec-interfaces interface eth0 - - set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 - set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 - - set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 - set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 - set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - - set vpn ipsec site-to-site peer @RIGHT authentication mode rsa - set vpn ipsec site-to-site peer @RIGHT authentication rsa-key-name RIGHT - set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup - set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup - set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10 - set vpn ipsec site-to-site peer @RIGHT connection-type respond - set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local - set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote - - -On the RIGHT (dynamic address): - -.. code-block:: none - - set vpn rsa-keys rsa-key-name LEFT rsa-key <PUBLIC KEY FROM THE LEFT> - - set vpn ipsec ipsec-interfaces interface eth0 - - set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 - set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 - - set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 - set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 - set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - - set vpn ipsec site-to-site peer 192.0.2.10 authentication id @RIGHT - set vpn ipsec site-to-site peer 192.0.2.10 authentication mode rsa - set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa-key-name LEFT - set vpn ipsec site-to-site peer 192.0.2.10 remote-id @LEFT - set vpn ipsec site-to-site peer 192.0.2.10 connection-type initiate - set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group MyESPGroup - set vpn ipsec site-to-site peer 192.0.2.10 ike-group MyIKEGroup - set vpn ipsec site-to-site peer 192.0.2.10 local-address any - set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local - set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote |