diff options
Diffstat (limited to 'docs/configexamples/policy-based-ipsec-and-firewall.rst')
-rw-r--r-- | docs/configexamples/policy-based-ipsec-and-firewall.rst | 281 |
1 files changed, 281 insertions, 0 deletions
diff --git a/docs/configexamples/policy-based-ipsec-and-firewall.rst b/docs/configexamples/policy-based-ipsec-and-firewall.rst new file mode 100644 index 00000000..1f969453 --- /dev/null +++ b/docs/configexamples/policy-based-ipsec-and-firewall.rst @@ -0,0 +1,281 @@ +.. _examples-policy-based-ipsec-and-firewall: + + +Policy-Based Site-to-Site VPN and Firewall Configuration +-------------------------------------------------------- + +This guide shows an example policy-based IKEv2 site-to-site VPN between two +VyOS routers, and firewall configiuration. + +For simplicity, configuration and tests are done only using ipv4, and firewall +configuration in done only on one router. + +Network Topology and requirements +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This configuration example and the requirments consists on: + +- Two VyOS routers with public IP address. + +- 2 private subnets on each site. + +- Local subnets should be able to reach internet using source nat. + +- Communication between private subnets should be done through ipsec tunnel + without nat. + +- Configuration of basic firewall in one site, in order to: + + - Protect the router on 'WAN' interface, allowing only ipsec connections + and ssh access from trusted ips. + + - Allow access to the router only from trusted networks. + + - Allow dns requests only only for local networks. + + - Allow icmp on all interfaces. + + - Allow all new connections from local subnets. + + - Allow connections from LANs to LANs throught the tunnel. + + +.. image:: /_static/images/policy-based-ipsec-and-firewall.png + + +Configuration +^^^^^^^^^^^^^ + +Interface and routing configuration: + +.. code-block:: none + + # LEFT router: + set interfaces ethernet eth0 address '198.51.100.14/30' + set interfaces ethernet eth1 vif 111 address '10.1.11.1/24' + set interfaces ethernet eth2 vif 112 address '10.1.12.1/24' + set protocols static route 0.0.0.0/0 next-hop 198.51.100.13 + + # RIGHT router: + set interfaces ethernet eth0 address '192.0.2.130/30' + set interfaces ethernet eth1 vif 221 address '10.2.21.1/24' + set interfaces ethernet eth2 vif 222 address '10.2.22.1/24' + + +IPSec configuration: + +.. code-block:: none + + # LEFT router: + set vpn ipsec authentication psk RIGHT id '198.51.100.14' + set vpn ipsec authentication psk RIGHT id '192.0.2.130' + set vpn ipsec authentication psk RIGHT secret 'p4ssw0rd' + set vpn ipsec esp-group ESP-GROUP mode 'tunnel' + set vpn ipsec esp-group ESP-GROUP proposal 1 encryption 'aes256' + set vpn ipsec esp-group ESP-GROUP proposal 1 hash 'sha256' + set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2' + set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group '14' + set vpn ipsec ike-group IKE-GROUP proposal 1 encryption 'aes256' + set vpn ipsec ike-group IKE-GROUP proposal 1 hash 'sha256' + set vpn ipsec interface 'eth0' + set vpn ipsec site-to-site peer RIGHT authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer RIGHT connection-type 'initiate' + set vpn ipsec site-to-site peer RIGHT default-esp-group 'ESP-GROUP' + set vpn ipsec site-to-site peer RIGHT ike-group 'IKE-GROUP' + set vpn ipsec site-to-site peer RIGHT local-address '198.51.100.14' + set vpn ipsec site-to-site peer RIGHT remote-address '192.0.2.130' + set vpn ipsec site-to-site peer RIGHT tunnel 0 local prefix '10.1.11.0/24' + set vpn ipsec site-to-site peer RIGHT tunnel 0 remote prefix '10.2.21.0/24' + set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix '10.1.11.0/24' + set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix '10.2.22.0/24' + set vpn ipsec site-to-site peer RIGHT tunnel 2 local prefix '10.1.12.0/24' + set vpn ipsec site-to-site peer RIGHT tunnel 2 remote prefix '10.2.21.0/24' + set vpn ipsec site-to-site peer RIGHT tunnel 3 local prefix '10.1.12.0/24' + set vpn ipsec site-to-site peer RIGHT tunnel 3 remote prefix '10.2.22.0/24' + + # RIGHT router: + set vpn ipsec authentication psk LEFT id '192.0.2.130' + set vpn ipsec authentication psk LEFT id '198.51.100.14' + set vpn ipsec authentication psk LEFT secret 'p4ssw0rd' + set vpn ipsec esp-group ESP-GROUP mode 'tunnel' + set vpn ipsec esp-group ESP-GROUP proposal 1 encryption 'aes256' + set vpn ipsec esp-group ESP-GROUP proposal 1 hash 'sha256' + set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2' + set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group '14' + set vpn ipsec ike-group IKE-GROUP proposal 1 encryption 'aes256' + set vpn ipsec ike-group IKE-GROUP proposal 1 hash 'sha256' + set vpn ipsec interface 'eth0' + set vpn ipsec site-to-site peer LEFT authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer LEFT connection-type 'respond' + set vpn ipsec site-to-site peer LEFT default-esp-group 'ESP-GROUP' + set vpn ipsec site-to-site peer LEFT ike-group 'IKE-GROUP' + set vpn ipsec site-to-site peer LEFT local-address '192.0.2.130' + set vpn ipsec site-to-site peer LEFT remote-address '198.51.100.14' + set vpn ipsec site-to-site peer LEFT tunnel 0 local prefix '10.2.21.0/24' + set vpn ipsec site-to-site peer LEFT tunnel 0 remote prefix '10.1.11.0/24' + set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix '10.2.22.0/24' + set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix '10.1.11.0/24' + set vpn ipsec site-to-site peer LEFT tunnel 2 local prefix '10.2.21.0/24' + set vpn ipsec site-to-site peer LEFT tunnel 2 remote prefix '10.1.12.0/24' + set vpn ipsec site-to-site peer LEFT tunnel 3 local prefix '10.2.22.0/24' + set vpn ipsec site-to-site peer LEFT tunnel 3 remote prefix '10.1.12.0/24' + +Firewall Configuration: + +.. code-block:: none + + # Firewall Groups: + set firewall group network-group LOCAL-NETS network '10.1.11.0/24' + set firewall group network-group LOCAL-NETS network '10.1.12.0/24' + set firewall group network-group REMOTE-NETS network '10.2.21.0/24' + set firewall group network-group REMOTE-NETS network '10.2.22.0/24' + set firewall group network-group TRUSTED network '198.51.100.125/32' + set firewall group network-group TRUSTED network '203.0.113.0/24' + set firewall group network-group TRUSTED network '10.1.11.0/24' + set firewall group network-group TRUSTED network '192.168.70.0/24' + + # Forward traffic: default drop and only allow what is needed + set firewall ipv4 forward filter default-action 'drop' + + # Forward traffic: global state policies + set firewall ipv4 forward filter rule 1 action 'accept' + set firewall ipv4 forward filter rule 1 state established 'enable' + set firewall ipv4 forward filter rule 1 state related 'enable' + set firewall ipv4 forward filter rule 2 action 'drop' + set firewall ipv4 forward filter rule 2 state invalid 'enable' + + # Forward traffic: Accept all connections from local networks + set firewall ipv4 forward filter rule 10 action 'accept' + set firewall ipv4 forward filter rule 10 source group network-group 'LOCAL-NETS' + + # Forward traffic: accept connections from remote LANs to local LANs + set firewall ipv4 forward filter rule 20 action 'accept' + set firewall ipv4 forward filter rule 20 destination group network-group 'LOCAL-NETS' + set firewall ipv4 forward filter rule 20 source group network-group 'REMOTE-NETS' + + # Input traffic: default drop and only allow what is needed + set firewall ipv4 input filter default-action 'drop' + + # Input traffic: global state policies + set firewall ipv4 input filter rule 1 action 'accept' + set firewall ipv4 input filter rule 1 state established 'enable' + set firewall ipv4 input filter rule 1 state related 'enable' + set firewall ipv4 input filter rule 2 action 'drop' + set firewall ipv4 input filter rule 2 state invalid 'enable' + + # Input traffic: add rules needed for ipsec connection + set firewall ipv4 input filter rule 10 action 'accept' + set firewall ipv4 input filter rule 10 destination port '500,4500' + set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth0' + set firewall ipv4 input filter rule 10 protocol 'udp' + set firewall ipv4 input filter rule 15 action 'accept' + set firewall ipv4 input filter rule 15 inbound-interface interface-name 'eth0' + set firewall ipv4 input filter rule 15 protocol 'esp' + + # Input traffic: accept ssh connection from trusted ips + set firewall ipv4 input filter rule 20 action 'accept' + set firewall ipv4 input filter rule 20 destination port '22' + set firewall ipv4 input filter rule 20 protocol 'tcp' + set firewall ipv4 input filter rule 20 source group network-group 'TRUSTED' + + # Input traffic: accepd dns requests only from local networks. + set firewall ipv4 input filter rule 25 action 'accept' + set firewall ipv4 input filter rule 25 destination port '53' + set firewall ipv4 input filter rule 25 protocol 'udp' + set firewall ipv4 input filter rule 25 source group network-group 'LOCAL-NETS' + + # Input traffic: allow icmp + set firewall ipv4 input filter rule 30 action 'accept' + set firewall ipv4 input filter rule 30 protocol 'icmp' + +And NAT Configuration: + +.. code-block:: none + + set nat source rule 10 destination group network-group 'REMOTE-NETS' + set nat source rule 10 exclude + set nat source rule 10 outbound-interface 'eth0' + set nat source rule 10 source group network-group 'LOCAL-NETS' + set nat source rule 20 outbound-interface 'eth0' + set nat source rule 20 source group network-group 'LOCAL-NETS' + set nat source rule 20 translation address 'masquerade' + +Checking through op-mode commands +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +After some testing, we can check ipsec status, and counter on every tunnel: + +.. code-block:: none + + vyos@LEFT:~$ show vpn ipsec sa + Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal + -------------- ------- -------- -------------- ---------------- ---------------- ----------- --------------------------------------- + RIGHT-tunnel-0 up 36m24s 840B/840B 10/10 192.0.2.130 192.0.2.130 AES_CBC_256/HMAC_SHA2_256_128/MODP_2048 + RIGHT-tunnel-1 up 36m33s 588B/588B 7/7 192.0.2.130 192.0.2.130 AES_CBC_256/HMAC_SHA2_256_128/MODP_2048 + RIGHT-tunnel-2 up 35m50s 1K/1K 15/15 192.0.2.130 192.0.2.130 AES_CBC_256/HMAC_SHA2_256_128/MODP_2048 + RIGHT-tunnel-3 up 36m54s 2K/2K 32/32 192.0.2.130 192.0.2.130 AES_CBC_256/HMAC_SHA2_256_128/MODP_2048 + vyos@LEFT:~$ + + +Also, we can check firewall counters: + +.. code-block:: none + + vyos@LEFT:~$ show firewall + Rulesets Information + + --------------------------------- + IPv4 Firewall "forward filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ------------------------------------------------------ + 1 accept all 681 96545 ct state { established, related } accept + 2 drop all 0 0 ct state invalid + 10 accept all 360 27205 ip saddr @N_LOCAL-NETS accept + 20 accept all 8 648 ip daddr @N_LOCAL-NETS ip saddr @N_REMOTE-NETS accept + default drop all + + --------------------------------- + IPv4 Firewall "input filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ---------------------------------------------- + 1 accept all 901 123709 ct state { established, related } accept + 2 drop all 0 0 ct state invalid + 10 accept udp 0 0 udp dport { 500, 4500 } iifname "eth0" accept + 15 accept esp 0 0 meta l4proto esp iifname "eth0" accept + 20 accept tcp 1 60 tcp dport 22 ip saddr @N_TRUSTED accept + 25 accept udp 0 0 udp dport 53 ip saddr @N_LOCAL-NETS accept + 30 accept icmp 0 0 meta l4proto icmp accept + default drop all + + vyos@LEFT:~$ + vyos@LEFT:~$ show firewall statistics + Rulesets Statistics + + --------------------------------- + IPv4 Firewall "forward filter" + + Rule Packets Bytes Action Source Destination Inbound-Interface Outbound-interface + ------- --------- ------- -------- ----------- ------------- ------------------- -------------------- + 1 681 96545 accept any any any any + 2 0 0 drop any any any any + 10 360 27205 accept LOCAL-NETS any any any + 20 8 648 accept REMOTE-NETS LOCAL-NETS any any + default N/A N/A drop any any any any + + --------------------------------- + IPv4 Firewall "input filter" + + Rule Packets Bytes Action Source Destination Inbound-Interface Outbound-interface + ------- --------- ------- -------- ---------- ------------- ------------------- -------------------- + 1 905 124213 accept any any any any + 2 0 0 drop any any any any + 10 0 0 accept any any eth0 any + 15 0 0 accept any any eth0 any + 20 1 60 accept TRUSTED any any any + 25 0 0 accept LOCAL-NETS any any any + 30 0 0 accept any any any any + default N/A N/A drop any any any any + + vyos@LEFT:~$ |