.. _examples-policy-based-ipsec-and-firewall:

Policy-Based Site-to-Site VPN and Firewall Configuration
--------------------------------------------------------

This guide shows an example policy-based IKEv2 site-to-site VPN between two
VyOS routers, and firewall configuration.

For simplicity, configuration and tests are done only using IPv4, and firewall
configuration is done only on one router.
Network Topology and requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This configuration example and its requirements consist of:

- Two VyOS routers with public IP addresses.
- 2 private subnets on each site.
- Local subnets should be able to reach the internet using source NAT.
- Communication between private subnets should be done through the IPSec
  tunnel without NAT.
- Configuration of a basic firewall in one site, in order to:

  - Protect the router on the 'WAN' interface, allowing only IPSec connections
    and SSH access from trusted IPs.
  - Allow access to the router only from trusted networks.
  - Allow DNS requests only from local networks.
  - Allow ICMP on all interfaces.
  - Allow all new connections from local subnets.
  - Allow connections from LANs to LANs through the tunnel.

.. image:: /_static/images/policy-based-ipsec-and-firewall.png
Configuration
^^^^^^^^^^^^^

Interface and routing configuration:

.. code-block:: none

   # LEFT router:
   set interfaces ethernet eth0 address '198.51.100.14/30'
   set interfaces ethernet eth1 vif 111 address '10.1.11.1/24'
   set interfaces ethernet eth2 vif 112 address '10.1.12.1/24'
   set protocols static route 0.0.0.0/0 next-hop 198.51.100.13

   # RIGHT router:
   set interfaces ethernet eth0 address '192.0.2.130/30'
   set interfaces ethernet eth1 vif 221 address '10.2.21.1/24'
   set interfaces ethernet eth2 vif 222 address '10.2.22.1/24'
IPSec configuration:

.. code-block:: none

   # LEFT router:
   set vpn ipsec authentication psk RIGHT id '198.51.100.14'
   set vpn ipsec authentication psk RIGHT id '192.0.2.130'
   set vpn ipsec authentication psk RIGHT secret 'p4ssw0rd'
   set vpn ipsec esp-group ESP-GROUP mode 'tunnel'
   set vpn ipsec esp-group ESP-GROUP proposal 1 encryption 'aes256'
   set vpn ipsec esp-group ESP-GROUP proposal 1 hash 'sha256'
   set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
   set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group '14'
   set vpn ipsec ike-group IKE-GROUP proposal 1 encryption 'aes256'
   set vpn ipsec ike-group IKE-GROUP proposal 1 hash 'sha256'
   set vpn ipsec interface 'eth0'
   set vpn ipsec site-to-site peer RIGHT authentication mode 'pre-shared-secret'
   set vpn ipsec site-to-site peer RIGHT connection-type 'initiate'
   set vpn ipsec site-to-site peer RIGHT default-esp-group 'ESP-GROUP'
   set vpn ipsec site-to-site peer RIGHT ike-group 'IKE-GROUP'
   set vpn ipsec site-to-site peer RIGHT local-address '198.51.100.14'
   set vpn ipsec site-to-site peer RIGHT remote-address '192.0.2.130'
   set vpn ipsec site-to-site peer RIGHT tunnel 0 local prefix '10.1.11.0/24'
   set vpn ipsec site-to-site peer RIGHT tunnel 0 remote prefix '10.2.21.0/24'
   set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix '10.1.11.0/24'
   set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix '10.2.22.0/24'
   set vpn ipsec site-to-site peer RIGHT tunnel 2 local prefix '10.1.12.0/24'
   set vpn ipsec site-to-site peer RIGHT tunnel 2 remote prefix '10.2.21.0/24'
   set vpn ipsec site-to-site peer RIGHT tunnel 3 local prefix '10.1.12.0/24'
   set vpn ipsec site-to-site peer RIGHT tunnel 3 remote prefix '10.2.22.0/24'

   # RIGHT router:
   set vpn ipsec authentication psk LEFT id '192.0.2.130'
   set vpn ipsec authentication psk LEFT id '198.51.100.14'
   set vpn ipsec authentication psk LEFT secret 'p4ssw0rd'
   set vpn ipsec esp-group ESP-GROUP mode 'tunnel'
   set vpn ipsec esp-group ESP-GROUP proposal 1 encryption 'aes256'
   set vpn ipsec esp-group ESP-GROUP proposal 1 hash 'sha256'
   set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
   set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group '14'
   set vpn ipsec ike-group IKE-GROUP proposal 1 encryption 'aes256'
   set vpn ipsec ike-group IKE-GROUP proposal 1 hash 'sha256'
   set vpn ipsec interface 'eth0'
   set vpn ipsec site-to-site peer LEFT authentication mode 'pre-shared-secret'
   set vpn ipsec site-to-site peer LEFT connection-type 'respond'
   set vpn ipsec site-to-site peer LEFT default-esp-group 'ESP-GROUP'
   set vpn ipsec site-to-site peer LEFT ike-group 'IKE-GROUP'
   set vpn ipsec site-to-site peer LEFT local-address '192.0.2.130'
   set vpn ipsec site-to-site peer LEFT remote-address '198.51.100.14'
   set vpn ipsec site-to-site peer LEFT tunnel 0 local prefix '10.2.21.0/24'
   set vpn ipsec site-to-site peer LEFT tunnel 0 remote prefix '10.1.11.0/24'
   set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix '10.2.22.0/24'
   set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix '10.1.11.0/24'
   set vpn ipsec site-to-site peer LEFT tunnel 2 local prefix '10.2.21.0/24'
   set vpn ipsec site-to-site peer LEFT tunnel 2 remote prefix '10.1.12.0/24'
   set vpn ipsec site-to-site peer LEFT tunnel 3 local prefix '10.2.22.0/24'
   set vpn ipsec site-to-site peer LEFT tunnel 3 remote prefix '10.1.12.0/24'
Firewall configuration:

.. code-block:: none

   # Firewall groups:
   set firewall group network-group LOCAL-NETS network '10.1.11.0/24'
   set firewall group network-group LOCAL-NETS network '10.1.12.0/24'
   set firewall group network-group REMOTE-NETS network '10.2.21.0/24'
   set firewall group network-group REMOTE-NETS network '10.2.22.0/24'
   set firewall group network-group TRUSTED network '198.51.100.125/32'
   set firewall group network-group TRUSTED network '203.0.113.0/24'
   set firewall group network-group TRUSTED network '10.1.11.0/24'
   set firewall group network-group TRUSTED network '192.168.70.0/24'

   # Forward traffic: default drop and only allow what is needed
   set firewall ipv4 forward filter default-action 'drop'

   # Forward traffic: global state policies
   set firewall ipv4 forward filter rule 1 action 'accept'
   set firewall ipv4 forward filter rule 1 state established 'enable'
   set firewall ipv4 forward filter rule 1 state related 'enable'
   set firewall ipv4 forward filter rule 2 action 'drop'
   set firewall ipv4 forward filter rule 2 state invalid 'enable'

   # Forward traffic: accept all connections from local networks
   set firewall ipv4 forward filter rule 10 action 'accept'
   set firewall ipv4 forward filter rule 10 source group network-group 'LOCAL-NETS'

   # Forward traffic: accept connections from remote LANs to local LANs
   set firewall ipv4 forward filter rule 20 action 'accept'
   set firewall ipv4 forward filter rule 20 destination group network-group 'LOCAL-NETS'
   set firewall ipv4 forward filter rule 20 source group network-group 'REMOTE-NETS'

   # Input traffic: default drop and only allow what is needed
   set firewall ipv4 input filter default-action 'drop'

   # Input traffic: global state policies
   set firewall ipv4 input filter rule 1 action 'accept'
   set firewall ipv4 input filter rule 1 state established 'enable'
   set firewall ipv4 input filter rule 1 state related 'enable'
   set firewall ipv4 input filter rule 2 action 'drop'
   set firewall ipv4 input filter rule 2 state invalid 'enable'

   # Input traffic: add rules needed for the IPSec connection (IKE, NAT-T and ESP)
   set firewall ipv4 input filter rule 10 action 'accept'
   set firewall ipv4 input filter rule 10 destination port '500,4500'
   set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth0'
   set firewall ipv4 input filter rule 10 protocol 'udp'
   set firewall ipv4 input filter rule 15 action 'accept'
   set firewall ipv4 input filter rule 15 inbound-interface interface-name 'eth0'
   set firewall ipv4 input filter rule 15 protocol 'esp'

   # Input traffic: accept SSH connections from trusted IPs
   set firewall ipv4 input filter rule 20 action 'accept'
   set firewall ipv4 input filter rule 20 destination port '22'
   set firewall ipv4 input filter rule 20 protocol 'tcp'
   set firewall ipv4 input filter rule 20 source group network-group 'TRUSTED'

   # Input traffic: accept DNS requests only from local networks
   set firewall ipv4 input filter rule 25 action 'accept'
   set firewall ipv4 input filter rule 25 destination port '53'
   set firewall ipv4 input filter rule 25 protocol 'udp'
   set firewall ipv4 input filter rule 25 source group network-group 'LOCAL-NETS'

   # Input traffic: allow ICMP
   set firewall ipv4 input filter rule 30 action 'accept'
   set firewall ipv4 input filter rule 30 protocol 'icmp'
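
A way to check that a ruleset like the one above enforces the requirements
before committing it, as an added Python model that is not VyOS code: it parses
a constructed excerpt of the rules in the page's own ``set`` syntax and applies
first-match, default-action evaluation to sample new-connection flows. The
state-tracking rules 1 and 2 are left out, and an unset default-action is
assumed to mean accept.

```python
import ipaddress, shlex

# Constructed excerpt of the page's LEFT-router ruleset, in VyOS `set` syntax.
CONFIG = """\
set firewall group network-group LOCAL-NETS network '10.1.11.0/24'
set firewall group network-group REMOTE-NETS network '10.2.21.0/24'
set firewall group network-group TRUSTED network '203.0.113.0/24'
set firewall ipv4 input filter default-action 'drop'
set firewall ipv4 input filter rule 20 action 'accept'
set firewall ipv4 input filter rule 20 destination port '22'
set firewall ipv4 input filter rule 20 protocol 'tcp'
set firewall ipv4 input filter rule 20 source group network-group 'TRUSTED'
set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 10 action 'accept'
set firewall ipv4 forward filter rule 10 source group network-group 'LOCAL-NETS'
set firewall ipv4 forward filter rule 20 action 'accept'
set firewall ipv4 forward filter rule 20 destination group network-group 'LOCAL-NETS'
set firewall ipv4 forward filter rule 20 source group network-group 'REMOTE-NETS'
"""

def parse(config):
    """Return ({group: [networks]}, {chain: {"default": act, "rules": {n: {match: val}}}})."""
    groups, chains = {}, {}
    for t in map(shlex.split, config.splitlines()):  # shlex drops VyOS's quotes
        if t[2] == "group":  # set firewall group network-group NAME network CIDR
            groups.setdefault(t[4], []).append(ipaddress.ip_network(t[6]))
        elif t[5] == "default-action":  # set firewall ipv4 CHAIN filter default-action ACT
            chains.setdefault(t[3], {"rules": {}})["default"] = t[6]
        else:  # set firewall ipv4 CHAIN filter rule N <match words...> VALUE
            rules = chains.setdefault(t[3], {"rules": {}})["rules"]
            rules.setdefault(int(t[6]), {})[" ".join(t[7:-1])] = t[-1]
    return groups, chains

def matches(rule, groups, pkt):
    """Every criterion configured on a rule must hold (the firewall ANDs them)."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    checks = {
        "protocol": lambda v: pkt.get("proto") == v,
        "destination port": lambda v: str(pkt.get("dport")) in v.split(","),
        "source group network-group": lambda v: any(src in n for n in groups[v]),
        "destination group network-group": lambda v: any(dst in n for n in groups[v]),
    }
    return all(checks[k](v) for k, v in rule.items() if k != "action")

def verdict(chains, groups, chain, pkt):
    """First matching rule in ascending number order wins; otherwise default-action."""
    for _, rule in sorted(chains[chain]["rules"].items()):
        if matches(rule, groups, pkt):
            return rule["action"]
    return chains[chain].get("default", "accept")  # assumed implicit default
```

Calling ``verdict(chains, groups, "input", pkt)`` for a TCP/22 packet from 198.51.100.200 returns ``drop``, while the same packet from 203.0.113.7 returns ``accept``; a flow from 10.2.21.5 to 8.8.8.8 in ``forward`` is dropped because rule 20 requires a local destination.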

And NAT configuration:

.. code-block:: none

   set nat source rule 10 destination group network-group 'REMOTE-NETS'
   set nat source rule 10 exclude
   set nat source rule 10 outbound-interface name 'eth0'
   set nat source rule 10 source group network-group 'LOCAL-NETS'
   set nat source rule 20 outbound-interface name 'eth0'
   set nat source rule 20 source group network-group 'LOCAL-NETS'
   set nat source rule 20 translation address 'masquerade'
Checking through op-mode commands
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

After some testing, we can check the IPSec status and the counters of every
tunnel:

.. code-block:: none

   vyos@LEFT:~$ show vpn ipsec sa
   Connection      State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
   --------------  -------  --------  --------------  ----------------  ----------------  -----------  ---------------------------------------
   RIGHT-tunnel-0  up       36m24s    840B/840B       10/10             192.0.2.130       192.0.2.130  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
   RIGHT-tunnel-1  up       36m33s    588B/588B       7/7               192.0.2.130       192.0.2.130  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
   RIGHT-tunnel-2  up       35m50s    1K/1K           15/15             192.0.2.130       192.0.2.130  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
   RIGHT-tunnel-3  up       36m54s    2K/2K           32/32             192.0.2.130       192.0.2.130  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
   vyos@LEFT:~$
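
As an added example that is not part of the VyOS documentation, a small Python
audit of the ``show vpn ipsec sa`` table above, fed with the page's own sample
output: it flags tunnels that are missing from the table, not up, peering with
an unexpected address, or negotiated with a proposal other than the configured
aes256/sha256/dh-group 14 (AES_CBC_256/HMAC_SHA2_256_128/MODP_2048). The tunnel
names and peer address are taken from the page's configuration.

```python
EXPECTED_TUNNELS = {f"RIGHT-tunnel-{i}" for i in range(4)}  # from the LEFT router config
EXPECTED_PROPOSAL = "AES_CBC_256/HMAC_SHA2_256_128/MODP_2048"  # aes256 / sha256 / dh-group 14
PEER = "192.0.2.130"  # remote-address of peer RIGHT

# Sample copied from the page's `show vpn ipsec sa` output (columns collapsed to one space).
SA_OUTPUT = """\
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
-------------- ------- -------- -------------- ---------------- ---------------- ----------- -----
RIGHT-tunnel-0 up 36m24s 840B/840B 10/10 192.0.2.130 192.0.2.130 AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
RIGHT-tunnel-1 up 36m33s 588B/588B 7/7 192.0.2.130 192.0.2.130 AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
RIGHT-tunnel-2 up 35m50s 1K/1K 15/15 192.0.2.130 192.0.2.130 AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
RIGHT-tunnel-3 up 36m54s 2K/2K 32/32 192.0.2.130 192.0.2.130 AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
"""

def parse_sa(output):
    """Map connection name -> (state, remote address, proposal); skip header and rule lines."""
    sas = {}
    for line in output.splitlines():
        cols = line.split()
        if not cols or cols[0] == "Connection" or cols[0].startswith("-"):
            continue
        name, state, _uptime, _bytes, _pkts, remote, _rid, proposal = cols
        sas[name] = (state, remote, proposal)
    return sas

def audit(output, expected_tunnels, expected_proposal, peer):
    """Return human-readable findings; an empty list means every tunnel looks as configured."""
    sas = parse_sa(output)
    findings = [f"{t}: missing" for t in sorted(expected_tunnels - set(sas))]
    for name, (state, remote, proposal) in sorted(sas.items()):
        if state != "up":
            findings.append(f"{name}: state {state}")
        if remote != peer:
            findings.append(f"{name}: unexpected peer {remote}")
        if proposal != expected_proposal:  # weaker or different algorithms were negotiated
            findings.append(f"{name}: proposal {proposal}")
    return findings

if __name__ == "__main__":
    print(audit(SA_OUTPUT, EXPECTED_TUNNELS, EXPECTED_PROPOSAL, PEER) or "all tunnels OK")
```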

Also, we can check firewall counters:

.. code-block:: none

   vyos@LEFT:~$ show firewall

   Rulesets Information

   ---------------------------------
   IPv4 Firewall "forward filter"

   Rule     Action    Protocol    Packets    Bytes    Conditions
   -------  --------  ----------  ---------  -------  ------------------------------------------------------
   1        accept    all         681        96545    ct state { established, related } accept
   2        drop      all         0          0        ct state invalid
   10       accept    all         360        27205    ip saddr @N_LOCAL-NETS accept
   20       accept    all         8          648      ip daddr @N_LOCAL-NETS ip saddr @N_REMOTE-NETS accept
   default  drop      all

   ---------------------------------
   IPv4 Firewall "input filter"

   Rule     Action    Protocol    Packets    Bytes    Conditions
   -------  --------  ----------  ---------  -------  ----------------------------------------------
   1        accept    all         901        123709   ct state { established, related } accept
   2        drop      all         0          0        ct state invalid
   10       accept    udp         0          0        udp dport { 500, 4500 } iifname "eth0" accept
   15       accept    esp         0          0        meta l4proto esp iifname "eth0" accept
   20       accept    tcp         1          60       tcp dport 22 ip saddr @N_TRUSTED accept
   25       accept    udp         0          0        udp dport 53 ip saddr @N_LOCAL-NETS accept
   30       accept    icmp        0          0        meta l4proto icmp accept
   default  drop      all

   vyos@LEFT:~$
   vyos@LEFT:~$ show firewall statistics

   Rulesets Statistics

   ---------------------------------
   IPv4 Firewall "forward filter"

   Rule     Packets    Bytes    Action    Source       Destination    Inbound-Interface    Outbound-interface
   -------  ---------  -------  --------  -----------  -------------  -------------------  --------------------
   1        681        96545    accept    any          any            any                  any
   2        0          0        drop      any          any            any                  any
   10       360        27205    accept    LOCAL-NETS   any            any                  any
   20       8          648      accept    REMOTE-NETS  LOCAL-NETS     any                  any
   default  N/A        N/A      drop      any          any            any                  any

   ---------------------------------
   IPv4 Firewall "input filter"

   Rule     Packets    Bytes    Action    Source       Destination    Inbound-Interface    Outbound-interface
   -------  ---------  -------  --------  ----------   -------------  -------------------  --------------------
   1        905        124213   accept    any          any            any                  any
   2        0          0        drop      any          any            any                  any
   10       0          0        accept    any          any            eth0                 any
   15       0          0        accept    any          any            eth0                 any
   20       1          60       accept    TRUSTED      any            any                  any
   25       0          0        accept    LOCAL-NETS   any            any                  any
   30       0          0        accept    any          any            any                  any
   default  N/A        N/A      drop      any          any            any                  any

   vyos@LEFT:~$