summaryrefslogtreecommitdiff
path: root/docs/vpn/gre-ipsec.rst
blob: 1d40eace94134a181a0fa36a1c2a56174f36ec4a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
.. _gre-ipsec:

GRE/IPsec
---------

Generic Routing Encapsulation (GRE), GRE/IPsec (or IPIP/IPsec, SIT/IPsec, or any other stateless tunnel protocol over IPsec) is the usual way to protect the traffic inside a tunnel.

An advantage of this scheme is that you get a real interface with its own address, which makes it easier to setup static routes or use dynamic routing protocols without having to modify IPsec policies. The other advantage is that it greatly simplifies router to router communication, which can be tricky with plain IPsec because the external outgoing address of the router usually doesn't match the IPsec policy of typical site-to-site setup and you need to add special configuration for it, or adjust the source address for outgoing traffic of your applications. GRE/IPsec has no such problem and is completely transparent for the applications.

GRE/IPIP/SIT and IPsec are widely accepted standards, which make this scheme easy to implement between VyOS and virtually any other router.

For simplicity we'll assume that the protocol is GRE, it's not hard to guess what needs to be changed to make it work with a different protocol. We assume that IPsec will use pre-shared secret authentication and will use AES128/SHA1 for the cipher and hash. Adjust this as necessary.

.. NOTE:: 
  Note for vmware users! 
  Ensure that VMXNET3 adapters used, e1000 adapters have known issue with GRE processing

#1 IPsec policy to match GRE
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The first and arguably cleaner option is to make your IPsec policy match GRE packets between external addresses of your routers. This is the best option if both routers have static external addresses.

Suppose the LEFT router has external address 192.0.2.10 on its eth0 interface, and the RIGHT router is 203.0.113.45

On the LEFT:

.. code-block:: sh

  # GRE tunnel
  set interfaces tunnel tun0 encapsulation gre
  set interfaces tunnel tun0 local-ip 192.0.2.10
  set interfaces tunnel tun0 remote-ip 203.0.113.45
  set interfaces tunnel tun0 address 10.10.10.1/30
  
  ## IPsec
  set vpn ipsec ipsec-interfaces interface eth0
  
  # IKE group
  set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
  set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128'
  set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
  
  # ESP group
  set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128'
  set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
  
  # IPsec tunnel
  set vpn ipsec site-to-site peer 203.0.113.45 authentication mode pre-shared-secret
  set vpn ipsec site-to-site peer 203.0.113.45 authentication pre-shared-secret MYSECRETKEY
  
  set vpn ipsec site-to-site peer 203.0.113.45 ike-group MyIKEGroup
  set vpn ipsec site-to-site peer 203.0.113.45 default-esp-group MyESPGroup
  
  set vpn ipsec site-to-site peer 203.0.113.45 local-address 192.0.2.10
  
  # This will match all GRE traffic to the peer
  set vpn ipsec site-to-site peer 203.0.113.45 tunnel 1 protocol gre

On the RIGHT, setup by analogy and swap local and remote addresses.


#2 Source tunnel from loopbacks
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The scheme above doesn't work when one of the routers has a dynamic external address though. The classic workaround for this is to setup an address on a loopback interface and use it as a source address for the GRE tunnel, then setup an IPsec policy to match those loopback addresses.

We assume that the LEFT router has static 192.0.2.10 address on eth0, and the RIGHT router has a dynamic address on eth0.

**Setting up the GRE tunnel**

On the LEFT:

.. code-block:: sh

  set interfaces loopback lo address 192.168.99.1/32

  set interfaces tunnel tun0 encapsulation gre
  set interfaces tunnel tun0 address 10.10.10.1/30
  set interfaces tunnel tun0 local-ip 192.168.99.1
  set interfaces tunnel tun0 remote-ip 192.168.99.2  

On the RIGHT:

.. code-block:: sh

  set interfaces loopback lo address 192.168.99.2/32

  set interfaces tunnel tun0 encapsulation gre
  set interfaces tunnel tun0 address 10.10.10.2/30
  set interfaces tunnel tun0 local-ip 192.168.99.2
  set interfaces tunnel tun0 remote-ip 192.168.99.1

**Setting up IPSec**
However, now you need to make IPsec work with dynamic address on one side. The tricky part is that pre-shared secret authentication doesn't work with dynamic address, so we'll have to use RSA keys.

First, on both routers run the operational command "generate vpn rsa-key bits 2048". You may choose different length than 2048 of course. If your machine is a VM, generating it from /dev/random may take ages, so you may opt for "generate vpn rsa-key 2048 random /dev/urandom" instead.

.. code-block:: sh

  vyos@left# run generate vpn rsa-key bits 2048 random /dev/urandom 
  Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
  
  Your new local RSA key has been generated
  The public portion of the key is:
  
  0sAQO2335[long string here]

Then on the opposite router, add the RSA key to your config.

.. code-block:: sh

  set vpn rsa-keys rsa-key-name LEFT rsa-key KEYGOESHERE

Now you are ready to setup IPsec. You'll need to use an ID instead of address for the peer on the dynamic side.

On the LEFT (static address):

.. code-block:: sh

  set vpn rsa-keys rsa-key-name RIGHT rsa-key <PUBLIC KEY FROM THE RIGHT>
  
  set vpn ipsec ipsec-interfaces interface eth0
  
  set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
  set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1
  
  set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2
  set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
  set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1
  
  set vpn ipsec site-to-site peer @RIGHT authentication mode rsa
  set vpn ipsec site-to-site peer @RIGHT authentication rsa-key-name RIGHT
  set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup
  set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup
  set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10
  set vpn ipsec site-to-site peer @RIGHT connection-type respond
  set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32  # Additional loopback address on the local
  set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote


On the RIGHT (dynamic address):

.. code-block:: sh

  set vpn rsa-keys rsa-key-name LEFT rsa-key <PUBLIC KEY FROM THE LEFT>
  
  set vpn ipsec ipsec-interfaces interface eth0
  
  set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
  set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1
  
  set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2
  set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
  set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1
  
  set vpn ipsec site-to-site peer 192.0.2.10 authentication id @RIGHT
  set vpn ipsec site-to-site peer 192.0.2.10 authentication mode rsa
  set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa-key-name LEFT
  set vpn ipsec site-to-site peer 192.0.2.10 remote-id @LEFT
  set vpn ipsec site-to-site peer 192.0.2.10 connection-type initiate
  set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group MyESPGroup
  set vpn ipsec site-to-site peer 192.0.2.10 ike-group MyIKEGroup
  set vpn ipsec site-to-site peer 192.0.2.10 local-address any
  set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 local prefix 192.168.99.2/32  # Additional loopback address on the local
  set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote