diff options
| author | Yuriy Andamasov <yuriy@vyos.io> | 2026-05-02 17:25:47 +0300 |
|---|---|---|
| committer | Yuriy Andamasov <yuriy@vyos.io> | 2026-05-06 16:18:03 +0300 |
| commit | fa54a080fac977157454beb0853daf0ac0e6af66 (patch) | |
| tree | 82b112cde06437b80515450d63eb793bee198ec6 /docs/configuration/vpn | |
| parent | 746195618941d8be8ed132f4b0be539763ec352d (diff) | |
| download | vyos-documentation-fa54a080fac977157454beb0853daf0ac0e6af66.tar.gz vyos-documentation-fa54a080fac977157454beb0853daf0ac0e6af66.zip | |
feat(swap): import .md files and webp transition from myst/current
Selective import from origin/myst/current (cf9c9b34):
- Add/update 255 .md files (full MyST conversion plus webp ref updates)
- Delete 175 PNG/JPG from docs/_static/images (webp twins already present)
- Delete 5 autotest topology.png (webp twins already present)
Preserved on swap (untouched):
- All .rst files (incremental swap pattern)
- conf.py, _ext/, _include/*.txt, .gitignore
- 115 canary md-*.md files
- 7 superpowers/specs/*.md design docs
- Logos vyos-logo.png / vyos-logo-icon.png (referenced by conf.py)
🤖 Generated by [robots](https://vyos.io)
Diffstat (limited to 'docs/configuration/vpn')
| -rw-r--r-- | docs/configuration/vpn/dmvpn.md | 431 | ||||
| -rw-r--r-- | docs/configuration/vpn/index.md | 14 | ||||
| -rw-r--r-- | docs/configuration/vpn/ipsec/index.md | 11 | ||||
| -rw-r--r-- | docs/configuration/vpn/ipsec/ipsec_general.md | 407 | ||||
| -rw-r--r-- | docs/configuration/vpn/ipsec/remoteaccess_ipsec.md | 186 | ||||
| -rw-r--r-- | docs/configuration/vpn/ipsec/site2site_ipsec.md | 780 | ||||
| -rw-r--r-- | docs/configuration/vpn/ipsec/troubleshooting_ipsec.md | 313 | ||||
| -rw-r--r-- | docs/configuration/vpn/l2tp.md | 624 | ||||
| -rw-r--r-- | docs/configuration/vpn/openconnect.md | 330 | ||||
| -rw-r--r-- | docs/configuration/vpn/pptp.md | 594 | ||||
| -rw-r--r-- | docs/configuration/vpn/rsa-keys.md | 114 | ||||
| -rw-r--r-- | docs/configuration/vpn/sstp.md | 698 |
12 files changed, 4502 insertions, 0 deletions
diff --git a/docs/configuration/vpn/dmvpn.md b/docs/configuration/vpn/dmvpn.md new file mode 100644 index 00000000..4dc2c85f --- /dev/null +++ b/docs/configuration/vpn/dmvpn.md @@ -0,0 +1,431 @@ +(vpn-dmvpn)= + +# DMVPN + +{abbr}`DMVPN (Dynamic Multipoint Virtual Private Network)` is a dynamic +{abbr}`VPN (Virtual Private Network)` technology originally developed by Cisco. +While their implementation was somewhat proprietary, the underlying +technologies are actually standards based. The three technologies are: + +- {abbr}`NHRP (Next Hop Resolution Protocol)` {rfc}`2332` +- {abbr}`mGRE (Multipoint Generic Routing Encapsulation)` {rfc}`1702` +- {abbr}`IPSec (IP Security)` - too many RFCs to list, but start with + {rfc}`4301` + +NHRP provides the dynamic tunnel endpoint discovery mechanism (endpoint +registration, and endpoint discovery/lookup), mGRE provides the tunnel +encapsulation itself, and the IPSec protocols handle the key exchange, and +crypto mechanism. + +In short, DMVPN provides the capability for creating a dynamic-mesh VPN +network without having to pre-configure (static) all possible tunnel end-point +peers. + +:::{note} +DMVPN only automates the tunnel endpoint discovery and setup. A +complete solution also incorporates the use of a routing protocol. BGP is +particularly well suited for use with DMVPN. +::: + +:::{figure} /_static/images/vpn_dmvpn_topology01.webp +:alt: Baseline DMVPN topology +:scale: 40 % +Baseline DMVPN topology +::: + +## Configuration + +### Tunnel interface configuration + +NHRP never handles routing of prefixes itself. You need to run some real routing +protocol (e.g. BGP) to advertise routes over the tunnels. What nhrpd does it +establishes ‘shortcut routes’ that optimizes the routing protocol to avoid going +through extra nodes in NBMA GRE mesh. + +NHRP does route NHRP domain addresses individually using per-host prefixes. +This is similar to Cisco FlexVPN, but in contrast to opennhrp which uses +a generic subnet route. + +To create NBMA GRE tunnel you might use the following: + +```none +set interfaces tunnel tun100 address '10.0.0.1/32' +set interfaces tunnel tun100 enable-multicast +set interfaces tunnel tun100 encapsulation 'gre' +set interfaces tunnel tun100 ip adjust-mss '1360' +set interfaces tunnel tun100 mtu '1400' +set interfaces tunnel tun100 parameters ip key '42' +set interfaces tunnel tun100 source-interface 'eth0' +``` + +- Please refer to the {ref}`tunnel-interface` documentation for the individual + tunnel related options. + + :::{note} + The IP-address is assigned as host prefix to tunnel interface. + NHRP will automatically create additional host routes pointing to tunnel interface + when a connection with these hosts is established. + ::: + +The tunnel interface subnet prefix should be announced by routing protocol +from the hub nodes (e.g. BGP ‘network’ announce). This allows the routing +protocol to decide which is the closest hub and determine the relay hub on +prefix basis when direct tunnel is not established. + +### NHRP protocol configuration + +```{cfgcmd} set protocols nhrp tunnel \<tunnel\> authentication \<secret\> + +Enables Cisco style authentication on NHRP packets. This embeds the +plaintext password to the outgoing NHRP packets. Maximum length of +the password is 8 characters. +``` + +```{cfgcmd} set protocols nhrp tunnel \<tunnel\> holdtime \<timeout\> + +Holdtime is the number of seconds that have to pass before stopping to +advertise an NHRP NBMA address as valid. It also controls how often NHRP +registration requests are sent. By default registrations are sent every +one third of the holdtime +``` + +```{cfgcmd} set protocols nhrp tunnel \<tunnel\> map tunnel-ip \<tunnel-ip\> nbma \<nbma-ip\> + +* **tunnel-ip** - Tunnel ip address in format **x.x.x.x**. +* **nbma-ip** - NBMA ip address in format **x.x.x.x** or **local** + +Map an IP address of a station to the station’s NBMA address. +``` + +```{cfgcmd} set protocols nhrp tunnel \<tunnel\> mtu \<mtu\> + +Configure NHRP advertised MTU. +``` + +```{cfgcmd} set protocols nhrp tunnel \<tunnel\> multicast \<nbma-ip\> + +* **nbma-ip** - NBMA ip address in format **x.x.x.x** or **dynamic** + +Sends multicast packets to the specified NBMA address. If dynamic is specified +then destination NBMA address (or addresses) are learnt dynamically. +``` + +```{cfgcmd} set protocols nhrp tunnel \<tunnel\> network-id \<network-id\> + +* **network-id** - NHRP network id <1-4294967295> + +Enable NHRP on this interface and set the interface’s network ID. The network ID +is used to allow creating multiple nhrp domains on a router when multiple interfaces +are configured on the router. Interfaces configured with the same ID are part of the +same logical NBMA network. The ID is a local only parameter and is not sent to other +NHRP nodes and so IDs on different nodes do not need to match. When NHRP packets are +received on an interface they are assigned to the local NHRP domain for that interface. +``` + +```{cfgcmd} set protocols nhrp tunnel \<tunnel\> nhs tunnel-ip \<tunnel-ip\> nbma \<nbma-ip\> + +* **tunnel-ip** - Tunnel ip address in format **x.x.x.x** or **dynamic** +* **nbma-ip** - NBMA ip address in format **x.x.x.x** + +Configure the Next Hop Server address and its NBMA address. If dynamic is specified +then Next Hop Server can have dynamic address which maps to its NBMA address. +``` + +```{cfgcmd} set protocols nhrp tunnel \<tunnel\> redirect + +This enable redirect replies on the NHS similar to ICMP redirects except this is +managed by the nhrp protocol. This setting allows spokes to communicate with each +others directly. +``` + +```{cfgcmd} set protocols nhrp tunnel \<tunnel\> registration-no-unique + +Allow the client to not set the unique flag in the NHRP packets. This is useful when +a station has a dynamic IP address that could change over time. +``` + +```{cfgcmd} set protocols nhrp tunnel \<tunnel\> shortcut + +Enable shortcut (spoke-to-spoke) tunnels to allow NHC to talk to each others directly +after establishing a connection without going through the hub. +``` + + +### IPSEC configuration + +- Please refer to the {ref}`ipsec_general` documentation for the individual IPSec + related options. + +:::{note} +NHRP daemon based on FRR nhrpd. It controls IPSEC. That's why 'close-action' +parameter in IKE configuration always is set to 'close' and 'dead-peer-detection action' +always is set to 'clear'. +::: + +```{cfgcmd} set vpn ipsec profile \<profile-name\> authentication mode pre-shared-secret + +Set preshared secret mode authentication +``` + +```{cfgcmd} set vpn ipsec profile \<profile-name\> authentication pre-shared-secret \<secret\> + +Set preshared secret +``` + +```{cfgcmd} set vpn ipsec profile \<profile-name\> bind tunnel \<tunnel name\> + +Bind IPSEC profile to the specific tunnel interface. +``` + +```{cfgcmd} set vpn ipsec profile \<profile-name\> esp-group 'ESP-HUB' + +Map ESP group to IPSEC profile +``` + +```{cfgcmd} set vpn ipsec profile \<profile-name\> ike-group 'IKE-HUB' + +Map IKE group to IPSEC profile +``` + + +## Monitoring + +```{opcmd} show ip nhrp cache + +Forwarding cache information. +``` + +```{opcmd} show ip nhrp nhs + +Next hop server information. +``` + +```{opcmd} show ip nhrp shortcut + +Shortcut information. +``` + + +## Example + +This blueprint uses VyOS as the DMVPN Hub and Cisco IOSv 15.5(3)M and VyOS as +multiple spoke sites. + +:::{figure} /_static/images/blueprint-dmvpn.webp +:align: center +:alt: DMVPN Network Topology Diagram +:width: 70% +DMVPN Network Topology Diagram +::: + +Each node (Hub and Spoke) uses an IP address from the network 10.0.0.0/24. + +The below referenced IP address `192.168.0.2` is used as example address +representing a global unicast address under which the HUB can be contacted by +each and every individual spoke. +(dmvpn-example-configuration)= + +### Configuration + +#### Hub + +##### VyOS-HUB-1 + +```none +set interfaces ethernet eth0 address '192.168.0.2/30' + +set interfaces tunnel tun100 address '10.0.0.100/32' +set interfaces tunnel tun100 enable-multicast +set interfaces tunnel tun100 encapsulation 'gre' +set interfaces tunnel tun100 parameters ip key '42' +set interfaces tunnel tun100 source-interface 'eth0' + +set protocols nhrp tunnel tun100 authentication 'test123' +set protocols nhrp tunnel tun100 holdtime '300' +set protocols nhrp tunnel tun100 multicast 'dynamic' +set protocols nhrp tunnel tun100 network-id '1' +set protocols nhrp tunnel tun100 redirect +set protocols nhrp tunnel tun100 registration-no-unique + +set protocols static route 0.0.0.0/0 next-hop 192.168.0.1 + +set vpn ipsec esp-group ESP-HUB lifetime '1800' +set vpn ipsec esp-group ESP-HUB mode 'transport' +set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' +set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' +set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' +set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' +set vpn ipsec ike-group IKE-HUB lifetime '3600' +set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' +set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' +set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' +set vpn ipsec interface 'eth0' +set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' +set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' +set vpn ipsec profile NHRPVPN bind tunnel 'tun100' +set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' +set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' +``` + +:::{note} +Setting this up on AWS will require a "Custom Protocol Rule" for +protocol number "47" (GRE) Allow Rule in TWO places. Firstly on the VPC +Network ACL, and secondly on the security group network ACL attached to the +EC2 instance. This has been tested as working for the official AMI image on +the AWS Marketplace. (Locate the correct VPC and security group by navigating +through the details pane below your EC2 instance in the AWS console). +::: + +#### Spokes + +> The individual spoke configurations only differ in interface IP addresses. + +##### VyOS-Spoke-1 and VyOS-Spoke-2 + +```none +set interfaces ethernet eth0 address '192.168.1.2/30' + +set interfaces tunnel tun100 address '10.0.0.1/32' +set interfaces tunnel tun100 enable-multicast +set interfaces tunnel tun100 encapsulation 'gre' +set interfaces tunnel tun100 parameters ip key '42' +set interfaces tunnel tun100 source-interface 'eth0' + +set protocols nhrp tunnel tun100 authentication 'test123' +set protocols nhrp tunnel tun100 holdtime '300' +set protocols nhrp tunnel tun100 multicast 'dynamic' +set protocols nhrp tunnel tun100 network-id '1' +set protocols nhrp tunnel tun100 nhs tunnel-ip dynamic nbma '192.168.0.2' +set protocols nhrp tunnel tun100 registration-no-unique +set protocols nhrp tunnel tun100 shortcut + +set protocols static route 0.0.0.0/0 next-hop 192.168.1.1 +set protocols static route 10.0.0.0/24 next-hop 10.0.0.100 + +set vpn ipsec esp-group ESP-HUB lifetime '1800' +set vpn ipsec esp-group ESP-HUB mode 'transport' +set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' +set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' +set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' +set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' +set vpn ipsec ike-group IKE-HUB lifetime '3600' +set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' +set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' +set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' +set vpn ipsec interface 'eth0' +set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' +set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' +set vpn ipsec profile NHRPVPN bind tunnel 'tun100' +set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' +set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' +``` + + +##### Cisco-Spoke-3 + +```none +crypto isakmp policy 10 + encr aes 256 + authentication pre-share + group 2 + lifetime 3600 +crypto isakmp key secret address 0.0.0.0 +! +! +crypto ipsec transform-set DMVPNESP esp-aes 256 esp-sha-hmac + mode transport +! +crypto ipsec profile DMVPNPROFILE + set security-association lifetime seconds 1800 + set transform-set DMVPNESP + set pfs group2 +! +! +! +! +! +! +! +interface Tunnel100 + ip address 10.0.0.3 255.255.255.0 + no ip redirects + ip nhrp authentication test123 + ip nhrp map multicast dynamic + ip nhrp network-id 1 + ip nhrp holdtime 300 + ip nhrp nhs 10.0.0.100 nbma 192.168.0.2 + ip nhrp registration no-unique + ip nhrp redirect +tunnel source GigabitEthernet0/0 + tunnel mode gre multipoint + tunnel key 42 + tunnel protection ipsec profile DMVPNPROFILE +! +interface GigabitEthernet0/0 + ip address 192.168.3.2 255.255.255.252 + duplex auto + speed auto + media-type rj45 +! +ip route 0.0.0.0 0.0.0.0 192.168.3.1 +``` + + +##### Monitoring DMVPN Network + +Let send ICMP packets from VyOS-SPOKE-1 to Cisco-SPOKE-3 + +```none +vyos@vyos:~$ ping 10.0.0.3 +PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data. +64 bytes from 10.0.0.3: icmp_seq=1 ttl=255 time=3.44 ms +64 bytes from 10.0.0.3: icmp_seq=2 ttl=255 time=3.07 ms +^C +--- 10.0.0.3 ping statistics --- +2 packets transmitted, 2 received, 0% packet loss, time 1002ms +rtt min/avg/max/mdev = 3.072/3.257/3.442/0.185 ms +``` + + +##### Monitoring on HUB + +```none +vyos@vyos:~$ show ip nhrp cache +Iface Type Protocol NBMA Claimed NBMA Flags Identity +tun100 dynamic 10.0.0.1 192.168.1.2 192.168.1.2 T 192.168.1.2 +tun100 dynamic 10.0.0.3 192.168.3.2 192.168.3.2 T 192.168.3.2 +tun100 dynamic 10.0.0.2 192.168.2.2 192.168.2.2 T 192.168.2.2 +tun100 local 10.0.0.100 192.168.0.2 192.168.0.2 - + +vyos@vyos:~$ show vpn ipsec sa +Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal +-------------------------- ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------- +dmvpn-NHRPVPN-tun100-child up 3m46s 230B/270B 2/2 192.168.1.2 192.168.1.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024 +dmvpn-NHRPVPN-tun100-child up 5m48s 460B/540B 4/4 192.168.2.2 192.168.2.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024 +dmvpn-NHRPVPN-tun100-child up 16m26s 1K/1K 13/12 192.168.3.2 192.168.3.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024 +``` + + +##### Monitoring on Spokes + +```none +vyos@vyos:~$ show ip nhrp cache +Iface Type Protocol NBMA Claimed NBMA Flags Identity +tun100 local 10.0.0.1 192.168.1.2 192.168.1.2 - +tun100 dynamic 10.0.0.3 192.168.3.2 192.168.3.2 T 192.168.3.2 +tun100 nhs 10.0.0.100 192.168.0.2 192.168.0.2 T 192.168.0.2 + +vyos@vyos:~$ show ip nhrp nhs +Iface FQDN NBMA Protocol +tun100 192.168.0.2 192.168.0.2 10.0.0.100 + +vyos@vyos:~$ show ip nhrp shortcut +Type Prefix Via Identity +dynamic 10.0.0.3/32 10.0.0.3 192.168.3.2 + +vyos@vyos:~$ show vpn ipsec sa +Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal +-------------------------- ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------- +dmvpn-NHRPVPN-tun100-child up 6m43s 898B/695B 7/6 192.168.0.2 192.168.0.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024 +dmvpn-NHRPVPN-tun100-child up 49s 215B/187B 2/2 192.168.3.2 192.168.3.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024 +``` diff --git a/docs/configuration/vpn/index.md b/docs/configuration/vpn/index.md new file mode 100644 index 00000000..9b06e5df --- /dev/null +++ b/docs/configuration/vpn/index.md @@ -0,0 +1,14 @@ +# VPN + +```{toctree} +:includehidden: true +:maxdepth: 1 + +ipsec/index +l2tp +openconnect +pptp +rsa-keys +sstp +dmvpn +``` diff --git a/docs/configuration/vpn/ipsec/index.md b/docs/configuration/vpn/ipsec/index.md new file mode 100644 index 00000000..cc40b6f8 --- /dev/null +++ b/docs/configuration/vpn/ipsec/index.md @@ -0,0 +1,11 @@ +# IPsec + +```{toctree} +:includehidden: true +:maxdepth: 1 + +ipsec_general +site2site_ipsec +remoteaccess_ipsec +troubleshooting_ipsec +``` diff --git a/docs/configuration/vpn/ipsec/ipsec_general.md b/docs/configuration/vpn/ipsec/ipsec_general.md new file mode 100644 index 00000000..6fc47386 --- /dev/null +++ b/docs/configuration/vpn/ipsec/ipsec_general.md @@ -0,0 +1,407 @@ +(ipsec_general)= + +# IPsec General Information + +## Information about IPsec + +IPsec is the framework used to secure data. +IPsec accomplishes these goals by providing authentication, +encryption of IP network packets, key exchange, and key management. +VyOS uses Strongswan package to implement IPsec. + +**Authentication Header (AH)** is defined in {rfc}`4302`. It creates +a hash using the IP header and data payload, and prepends it to the +packet. This hash is used to validate that the data has not been +changed during transfer over the network. + +**Encapsulating Security Payload (ESP)** is defined in {rfc}`4303`. +It provides encryption and authentication of the data. + +```{eval-rst} +There are two IPsec modes: + **IPsec Transport Mode**: + In transport mode, an IPSec header (AH or ESP) is inserted + between the IP header and the upper layer protocol header. + + **IPsec Tunnel Mode:** + In tunnel mode, the original IP packet is encapsulated in + another IP datagram, and an IPsec header (AH or ESP) is + inserted between the outer and inner headers. + +.. figure:: /_static/images/ESP_AH.webp + :scale: 80 % + :alt: AH and ESP in Transport Mode and Tunnel Mode +``` + +## IKE (Internet Key Exchange) + +The default IPsec method for secure key negotiation is the Internet Key +Exchange (IKE) protocol. IKE is designed to provide mutual authentication +of systems, as well as to establish a shared secret key to create IPsec +security associations. A security association (SA) includes all relevant +attributes of the connection, including the cryptographic algorithm used, +the IPsec mode, the encryption key, and other parameters related to the +transmission of data over the VPN connection. + +### IKEv1 + +IKEv1 is the older version and is still used today. Nowadays, most +manufacturers recommend using IKEv2 protocol. + +IKEv1 is described in the next RFCs: {rfc}`2409` (IKE), {rfc}`3407` +(IPsec DOI), {rfc}`3947` (NAT-T), {rfc}`3948` (UDP Encapsulation +of ESP Packets), {rfc}`3706` (DPD) + +```{eval-rst} +IKEv1 operates in two phases to establish these IKE and IPsec SAs: + * **Phase 1** provides mutual authentication of the IKE peers and + establishment of the session key. This phase creates an IKE SA (a + security association for IKE) using a DH exchange, cookies, and an + ID exchange. Once an IKE SA is established, all IKE communication + between the initiator and responder is protected with encryption + and an integrity check that is authenticated. The purpose of IKE + phase 1 is to facilitate a secure channel between the peers so that + phase 2 negotiations can occur securely. IKE phase 1 offers two modes: + Main and Aggressive. + + * **Main Mode** is used for site-to-site VPN connections. + + * **Aggressive Mode** is used for remote access VPN connections. + + * **Phase 2** provides for the negotiation and establishment of the + IPsec SAs using ESP or AH to protect IP data traffic. +``` + +### IKEv2 + +IKEv2 is described in {rfc}`7296`. The biggest difference between IKEv1 and +IKEv2 is that IKEv2 is much simpler and more reliable than IKEv1 because +fewer messages are exchanged during the establishment of the VPN and +additional security capabilities are available. + +### IKE Authentication + +```{eval-rst} +VyOS supports 3 authentication methods. + * **Pre-shared keys**: In this method, both peers of the IPsec + tunnel must have the same preshared keys. + * **Digital certificates**: PKI is used in this method. + * **RSA-keys**: If the RSA-keys method is used in your IKE policy, + you need to make sure each peer has the other peer’s public keys. +``` + +## DPD (Dead Peer Detection) + +This is a mechanism used to detect when a VPN peer is no longer active. +This mechanism has different algorithms in IKEv1 and IKEv2 in VyOS. +DPD Requests are sent as ISAKMP R-U-THERE messages and DPD Responses +are sent as ISAKMP R-U-THERE-ACK messages. In IKEv1, DPD sends messages +every configured interval. The remote peer is considered unreachable +if no response to these packets is received within the DPD timeout. +In IKEv2, DPD sends messages every configured interval. If one request +is not responded, Strongswan execute its retransmission algorithm with +its timers. [IKEv2 Retransmission](#ikev2-retransmission) + +## Post-Quantum Preshared Keys (PPK) + +Post-Quantum Preshared Keys help provide some quantum resistance to IPSec +tunnels when a post-quantum key exchange algorithm such as ML-KEM is not +available. The use of PPKs in IKEv2 is described in {rfc}`8784`. + +```{eval-rst} +.. cfgmod:: edit vpn authentication ppk <name> +``` + +PPKs can be configued within VyOS under the `vpn ipsec authentication ppk` +config. + +```{eval-rst} +.. cfgmod:: set vpn authentication ppk <name> secret-type <plaintext|hex|base64> +``` + +PPKs need an id and a secret value. The ID and the secret must match if PPKs are +required for a successful IPsec connection. The secret can be plain text, a +hex value, or a Base64 value. The default is plain text. If using another +type of value, you must define the secret type. + +```{eval-rst} +.. cfgmod:: set vpn ipsec site-to-site <name> ppk id <id> +``` + +To use a PPK within a site-to-site or remote access connection, define the PPK +id under the connection. + +```{eval-rst} +.. cfgmod:: set vpn ipsec site-to-site <name> ppk required +``` + +Optionally, you can require the use of PPK to have a successful connection. + +```{eval-rst} +.. cfgmod:: show vpn ipsec connections +``` + +You can view the PPK column for information on if PPK is configured, and +if it is in use. The output is in the format of `<configured> / <in use>`. +The options for configured are none if not conifugred, opt if configured +but optional, and req is configured and required. The in use will show yes +Possible values of the `configured` field are `none` if not +conifgured, `opt` if configured but optional, and `req` is +configured and required. The in use will show yes + +## Configuration IKE + +```{eval-rst} +IKE (Internet Key Exchange) Attributes +====================================== + +VyOS IKE group has the next options: + +.. cfgcmd:: set vpn ipsec ike-group <name> close-action <action> + + Defines the action to take if the remote peer unexpectedly + closes a CHILD_SA: + + * **none** - Set action to none (default), + * **trap** - Installs a trap policy (IPsec policy without Security + Association) for the CHILD_SA and traffic matching these policies + will trigger acquire events that cause the daemon to establish the + required IKE/IPsec SAs. + * **start** - Tries to immediately re-create the CHILD_SA. + +.. cfgcmd:: set vpn ipsec ike-group <name> ikev2-reauth + + Whether rekeying of an IKE_SA should also reauthenticate + the peer. In IKEv1, reauthentication is always done. + Setting this parameter enables remote host re-authentication + during an IKE rekey. + +.. cfgcmd:: set vpn ipsec ike-group <name> key-exchange + + Which protocol should be used to initialize the connection + If not set both protocols are handled and connections will + use IKEv2 when initiating, but accept any protocol version + when responding: + + * **ikev1** - Use IKEv1 for Key Exchange. + * **ikev2** - Use IKEv2 for Key Exchange. + +.. cfgcmd:: set vpn ipsec ike-group <name> lifetime + + IKE lifetime in seconds <0-86400> (default 28800). + +.. cfgcmd:: set vpn ipsec ike-group <name> mode + + IKEv1 Phase 1 Mode Selection: + + * **main** - Use Main mode for Key Exchanges in the IKEv1 Protocol + (Recommended Default). + * **aggressive** - Use Aggressive mode for Key Exchanges in the IKEv1 + protocol aggressive mode is much more insecure compared to Main mode. + +.. stop_vyoslinter + +.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> dh-group <dh-group number> + + Dh-group. Default value is **2**. + +.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> encryption <encryption> + + Encryption algorithm. Default value is **aes128**. + +.. start_vyoslinter + +.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> hash <hash> + + Hash algorithm. Default value is **sha1**. + +.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> prf <prf> + + Pseudo-random function. + + +DPD (Dead Peer Detection) Configuration +======================================= + +.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection action <action> + + Action to perform for this CHILD_SA on DPD timeout. + + * **trap** - Installs a trap policy (IPsec policy without Security + Association), which will catch matching traffic and tries to + re-negotiate the tunnel on-demand. + * **clear** - Closes the CHILD_SA and does not take further action + (default). + * **restart** - Immediately tries to re-negotiate the CHILD_SA + under a fresh IKE_SA. + +.. stop_vyoslinter + +.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection interval <interval> + + Keep-alive interval in seconds <2-86400> (default 30). + +.. start_vyoslinter + +.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection timeout <timeout> + + Keep-alive timeout in seconds <2-86400> (default 120) **IKEv1 only** + +ESP (Encapsulating Security Payload) Attributes +=============================================== + +In VyOS, ESP attributes are specified through ESP groups. +Multiple proposals can be specified in a single group. + +VyOS ESP group has the next options: + +.. cfgcmd:: set vpn ipsec esp-group <name> compression + + Enables the IPComp(IP Payload Compression) protocol which allows + compressing the content of IP packets. + +.. cfgcmd:: set vpn ipsec esp-group <name> disable-rekey + + Do not locally initiate a re-key of the SA, remote peer must + re-key before expiration. + +.. cfgcmd:: set vpn ipsec esp-group <name> life-bytes <bytes> + + ESP life in bytes <1024-26843545600000>. Number of bytes + transmitted over an IPsec SA before it expires. + +.. cfgcmd:: set vpn ipsec esp-group <name> life-packets <packets> + + ESP life in packets <1000-26843545600000>. + Number of packets transmitted over an IPsec SA before it expires. + +.. cfgcmd:: set vpn ipsec esp-group <name> lifetime <timeout> + + ESP lifetime in seconds <30-86400> (default 3600). + How long a particular instance of a connection (a set of + encryption/authentication keys for user packets) should last, + from successful negotiation to expiry. + +.. cfgcmd:: set vpn ipsec esp-group <name> mode <mode> + + The type of the connection: + + * **tunnel** - Tunnel mode (default). + * **transport** - Transport mode. + +.. cfgcmd:: set vpn ipsec esp-group <name> pfs < dh-group> + + Whether Perfect Forward Secrecy of keys is desired on the + connection's keying channel and defines a Diffie-Hellman group for + PFS: + + * **enable** - Inherit Diffie-Hellman group from IKE group (default). + * **disable** - Disable PFS. + * **<dh-group>** - Defines a Diffie-Hellman group for PFS. + +.. stop_vyoslinter + +.. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> encryption <encryption> + + Encryption algorithm. Default value is **aes128**. + +.. start_vyoslinter + +.. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> hash <hash> + + Hash algorithm. Default value is **sha1**. + +Global IPsec Settings +===================== + +.. cfgcmd:: set vpn ipsec interface <name> + + Interface name to restrict outbound IPsec policies. There is a possibility + to specify multiple interfaces. If an interfaces are not specified, IPsec + policies apply to all interfaces. + + +.. cfgcmd:: set vpn ipsec log level <number> + + Level of logging. Default value is **0**. + +.. cfgcmd:: set vpn ipsec log subsystem <name> + + Subsystem of the daemon. + +Options +======= + +.. cfgcmd:: set vpn ipsec options disable-route-autoinstall + + Do not automatically install routes to remote + networks. + +.. cfgcmd:: set vpn ipsec options flexvpn + + Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco + FlexVPN vendor ID payload (IKEv2 only), which is required in order to make + Cisco brand devices allow negotiating a local traffic selector (from + strongSwan's point of view) that is not the assigned virtual IP address if + such an address is requested by strongSwan. Sending the Cisco FlexVPN + vendor ID prevents the peer from narrowing the initiator's local traffic + selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 + instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco + template but should also work for GRE encapsulation. + +.. cfgcmd:: set vpn ipsec options interface <name> + + Interface Name to use. The name of the interface on which + virtual IP addresses should be installed. If not specified the addresses + will be installed on the outbound interface. + +.. cfgcmd:: set vpn ipsec options virtual-ip + + Allows the installation of virtual-ip addresses. +``` + +### IKEv2 Retransmission + +If the peer does not respond on DPD packet, the router starts retransmission procedure. + +The following formula is used to calculate the timeout: + +```none +relative timeout = timeout * base ^ (attempts-1) +``` + +```{cfgcmd} set vpn ipsec options retransmission attempts + +Number of attempts before the peer is considered to be in the down state. +Default value is **5**. +``` + +```{cfgcmd} set vpn ipsec options retransmission base + +Base number of exponential backoff. Default value is **1.8**. +``` + +```{cfgcmd} set vpn ipsec options retransmission timeout + +Timeout in seconds before the first retransmission. Default value is **4**. +``` + +Using the default values, packets are retransmitted as follows: + +```{eval-rst} ++-----------+-------------+------------------+------------------+ +| Attempts | Formula | Relative timeout | Absolute timeout | ++-----------+-------------+------------------+------------------+ +| 1 | 4 * 1.8 ^ 0 | 4s | 4s | ++-----------+-------------+------------------+------------------+ +| 2 | 4 * 1.8 ^ 1 | 7s | 11s | ++-----------+-------------+------------------+------------------+ +| 3 | 4 * 1.8 ^ 2 | 13s | 24s | ++-----------+-------------+------------------+------------------+ +| 4 | 4 * 1.8 ^ 3 | 23s | 47s | ++-----------+-------------+------------------+------------------+ +| 5 | 4 * 1.8 ^ 4 | 42s | 89s | ++-----------+-------------+------------------+------------------+ +| peer down | 4 * 1.8 ^ 5 | 76s | 165s | ++-----------+-------------+------------------+------------------+ +``` diff --git a/docs/configuration/vpn/ipsec/remoteaccess_ipsec.md b/docs/configuration/vpn/ipsec/remoteaccess_ipsec.md new file mode 100644 index 00000000..6931e00b --- /dev/null +++ b/docs/configuration/vpn/ipsec/remoteaccess_ipsec.md @@ -0,0 +1,186 @@ +(remoteaccess-ipsec)= + +# IPSec IKEv2 Remote Access VPN + +```{todo} +Convert raw command blocks in this file to cfgcmd/opcmd +directives for command coverage tracking. +``` + +Internet Key Exchange version 2 (IKEv2) is a tunneling protocol, based on IPsec, +that establishes a secure VPN communication between VPN devices, and defines +negotiation and authentication processes for IPsec security associations (SAs). +It is often known as IKEv2/IPSec or IPSec IKEv2 remote-access — or road-warriors +as others call it. + +Key exchange and payload encryption is done using IKE and ESP proposals as known +from IKEv1 but the connections are faster to establish, more reliable, and also +support roaming from IP to IP (called MOBIKE which makes sure your connection +does not drop when changing networks from e.g. WIFI to LTE and back). +Authentication can be achieved with X.509 certificates. + +## Setting up certificates: + +First of all, we need to create a CA root certificate and server certificate +on the server side. + +```none +vyos@vpn.vyos.net# run generate pki ca install ca_root +Enter private key type: [rsa, dsa, ec] (Default: rsa) +Enter private key bits: (Default: 2048) +Enter country code: (Default: GB) +Enter state: (Default: Some-State) +Enter locality: (Default: Some-City) +Enter organization name: (Default: VyOS) +Enter common name: (Default: vyos.io) +Enter how many days certificate will be valid: (Default: 1825) +Note: If you plan to use the generated key on this router, do not encrypt the private key. +Do you want to encrypt the private key with a passphrase? [y/N] N +2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. +[edit] + + +vyos@vpn.vyos.net# comp +[pki ca] ++ ca_root { ++ certificate "MIIDnTCCAoWgAwI…." ++ private { ++ key "MIIEvAIBADANBgkqhkiG9….” + +vyos@vpn.vyos.net# run generate pki certificate sign ca_root install server_cert +Do you already have a certificate request? [y/N] N +Enter private key type: [rsa, dsa, ec] (Default: rsa) +Enter private key bits: (Default: 2048) +Enter country code: (Default: GB) +Enter state: (Default: Some-State) +Enter locality: (Default: Some-City) +Enter organization name: (Default: VyOS) +Enter common name: (Default: vyos.io) vpn.vyos.net +Do you want to configure Subject Alternative Names? [y/N] N +Enter how many days certificate will be valid: (Default: 365) +Enter certificate type: (client, server) (Default: server) +Note: If you plan to use the generated key on this router, do not encrypt the private key. +Do you want to encrypt the private key with a passphrase? [y/N] N +2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. + +vyos@vpn.vyos.net# comp +[pki certificate] ++ server_cert { ++ certificate "MIIDuzCCAqOgAwIBAgIUaSrCPWx………" ++ private { ++ key "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBK….." ++ } ++ } +``` + +Once the command is completed, it will add the certificate to the configuration +session, to the pki subtree. You can then review the proposed changes and +commit them. + +## Setting up IPSec: + +After the PKI certs are all set up we can start configuring our IPSec/IKE +proposals used for key-exchange end data encryption. The used encryption ciphers +and integrity algorithms vary from operating system to operating system. The +ones used in this example are validated to work on Windows 10. + +```none +set vpn ipsec esp-group ESP-RW lifetime '3600' +set vpn ipsec esp-group ESP-RW pfs 'disable' +set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes128gcm128' +set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256' + +set vpn ipsec ike-group IKE-RW key-exchange 'ikev2' +set vpn ipsec ike-group IKE-RW lifetime '7200' +set vpn ipsec ike-group IKE-RW proposal 10 dh-group '14' +set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes128gcm128' +set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha256' +``` + +Every connection/remote-access pool we configure also needs a pool where we +can draw our client IP addresses from. We provide one IPv4 and IPv6 pool. +Authorized clients will receive an IPv4 address from the configured IPv4 prefix +and an IPv6 address from the IPv6 prefix. We can also send some DNS nameservers +down to our clients used on their connection. + +```none +set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.1' +set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.0.2.128/25' + +set vpn ipsec remote-access pool ra-rw-ipv6 name-server '2001:db8:1000::1' +set vpn ipsec remote-access pool ra-rw-ipv6 prefix '2001:db8:2000::/64' +``` + + +## Setting up tunnel: + +```none +set vpn ipsec remote-access connection rw authentication local-id '192.0.2.1' +set vpn ipsec remote-access connection rw authentication server-mode 'x509' +set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'ca_root' +set vpn ipsec remote-access connection rw authentication x509 certificate 'server_cert' +set vpn ipsec remote-access connection rw esp-group 'ESP-RW' +set vpn ipsec remote-access connection rw ike-group 'IKE-RW' +set vpn ipsec remote-access connection rw local-address '192.0.2.1' +set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4' +set vpn ipsec remote-access connection rw pool 'ra-rw-ipv6' +``` + +VyOS also supports two different modes of authentication, local and RADIUS. +To create a new local user named "vyos" with a password of "vyos" use the +following commands. + +```none +set vpn ipsec remote-access connection rw authentication client-mode 'eap-mschapv2' +set vpn ipsec remote-access connection rw authentication local-users username vyos password 'vyos' +``` + +Some client operating systems like to see the servers certificate. The following +option causes the server to voluntarily send its certificate, even if it wasn't +requested. + +```none +set vpn ipsec remote-access connection rw authentication always-send-cert +``` + + +## Client Configuration + +Most operating systems include native client support for IPsec IKEv2 VPN +connections, and others typically have an app or add-on package which adds the +capability. +This section covers IPsec IKEv2 client configuration for Windows 10. + +VyOS provides a command to generate a connection profile used by Windows clients +that will connect to the "rw" connection on our VyOS server. + +:::{note} +Windows expects the server name to be also used in the server's +certificate common name, so it's best to use this DNS name for your VPN +connection. +::: + +```none +vyos@vpn.vyos.net:~$ generate ipsec profile windows-remote-access rw remote vpn.vyos.net + + +==== <snip> ==== +Add-VpnConnection -Name "VyOS IKEv2 VPN" -ServerAddress "vpn.vyos.net" -TunnelType "Ikev2" + +Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants +GCMAES128 -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256128 -PfsGroup None -DHGroup "Group14" -PassThru -Force +==== </snip> ==== +``` + +Add the commands from Snippet in the Windows side via PowerShell. +Also import the root CA cert to the Windows “Trusted Root Certification +Authorities” and establish the connection. + +## Verification: + +```none +vyos@vpn.vyos.net:~$ show vpn ipsec remote-access summary + Connection ID Username Protocol State Uptime Tunnel IP Remote Host Remote ID IKE Proposal IPSec Proposal +--------------- ---------- ---------- ------- -------- ----------- ------------- ----------- ------------------------------------------ ------------------ + 5 vyos IKEv2 UP 37s 192.0.2.129 10.0.0.2 10.0.0.2 AES_GCM_16-128/PRF_HMAC_SHA2_256/MODP_2048 ESP:AES_GCM_16-128 +``` diff --git a/docs/configuration/vpn/ipsec/site2site_ipsec.md b/docs/configuration/vpn/ipsec/site2site_ipsec.md new file mode 100644 index 00000000..d3b65ae1 --- /dev/null +++ b/docs/configuration/vpn/ipsec/site2site_ipsec.md @@ -0,0 +1,780 @@ +(size2site-ipsec)= + +# IPsec Site-to-Site VPN + +## IPsec Site-to-Site VPN Types + +VyOS supports two types of IPsec VPN: Policy-based IPsec VPN and Route-based +IPsec VPN. + +### Policy-based VPN + +Policy-based VPN is based on static configured policies. Each policy creates +individual IPSec SA. Traffic matches these SAs encrypted and directed to the +remote peer. + +### Route-Based VPN + +Route-based VPN is based on secure traffic passing over Virtual Tunnel +Interfaces (VTIs). This type of IPsec VPNs allows using routing protocols. + +## Configuration Site-to-Site VPN + +### Requirements and Prerequisites for Site-to-Site VPN + +**Negotiated parameters that need to match** + +```{eval-rst} +Phase 1 + * IKE version + * Authentication + * Encryption + * Hashing + * PRF + * Lifetime + + .. note:: Strongswan recommends to use the same lifetime value on both peers + +Phase 2 + * Encryption + * Hashing + * PFS + * Mode (tunnel or transport) + * Lifetime + + .. note:: Strongswan recommends to use the same lifetime value on both peers + + * Remote and Local networks in SA must be compatible on both peers +``` + +### Configuration Steps for Site-to-Site VPN + +The next example shows the configuration one of the router participating in +IPsec VPN. + +```{eval-rst} +Tunnel information: + * Phase 1: + * encryption: AES256 + * hash: SHA256 + * PRF: SHA256 + * DH: 14 + * lifetime: 28800 + * Phase 2: + * IPsec mode: tunnel + * encryption: AES256 + * hash: SHA256 + * PFS: inherited from DH Phase 1 + * lifetime: 3600 + * If Policy based VPN is used + * Remote network is 192.168.50.0/24. Local network is 192.168.10.0/24 + * If Route based VPN is used + * IP of the VTI interface is 10.0.0.1/30 +``` + +:::{note} +We do not recommend using policy-based vpn and route-based vpn configurations to the same peer. +::: + +**1. Configure ike-group (IKE Phase 1)** + +```none +set vpn ipsec ike-group IKE close-action 'start' +set vpn ipsec ike-group IKE key-exchange 'ikev1' +set vpn ipsec ike-group IKE lifetime '28800' +set vpn ipsec ike-group IKE proposal 10 dh-group '14' +set vpn ipsec ike-group IKE proposal 10 encryption 'aes256' +set vpn ipsec ike-group IKE proposal 10 hash 'sha256' +set vpn ipsec ike-group IKE proposal 10 prf 'prfsha256' +``` + +**2. Configure ESP-group (IKE Phase 2)** + +```none +set vpn ipsec esp-group ESP lifetime '3600' +set vpn ipsec esp-group ESP mode 'tunnel' +set vpn ipsec esp-group ESP pfs 'enable' +set vpn ipsec esp-group ESP proposal 10 encryption 'aes256' +set vpn ipsec esp-group ESP proposal 10 hash 'sha256' +``` + +**3. Specify interface facing to the protected destination.** + +```none +set vpn ipsec interface eth0 +``` + +**4. Configure PSK keys and authentication ids for this key if authentication type is PSK** + +```none +set vpn ipsec authentication psk PSK-KEY id '192.168.0.2' +set vpn ipsec authentication psk PSK-KEY id '192.168.5.2' +set vpn ipsec authentication psk PSK-KEY secret 'vyos' +``` + +To set base64 secret encode plaintext password to base64 and set secret-type + +```none +echo -n "vyos" | base64 +dnlvcw== +``` + +```none +set vpn ipsec authentication psk PSK-KEY secret 'dnlvcw==' +set vpn ipsec authentication psk PSK-KEY secret-type base64 +``` + +**5. Configure peer and apply IKE-group and esp-group to peer.** + +```none +set vpn ipsec site-to-site peer PEER1 authentication local-id '192.168.0.2' +set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret' +set vpn ipsec site-to-site peer PEER1 authentication remote-id '192.168.5.2' +set vpn ipsec site-to-site peer PEER1 connection-type 'initiate' +set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP' +set vpn ipsec site-to-site peer PEER1 ike-group 'IKE' +set vpn ipsec site-to-site peer PEER1 local-address '192.168.0.2' +set vpn ipsec site-to-site peer PEER1 remote-address '192.168.5.2' + +Peer selects the key from step 4 according to local-id/remote-id pair. +``` + +**6. Depends to vpn type (route-based vpn or policy-based vpn).** + +> **6.1 For Policy-based VPN configure SAs using tunnel command specifying remote and local networks.** +> +> > ```none +> > set vpn ipsec site-to-site peer PEER1 tunnel 1 local prefix '192.168.10.0/24' +> > set vpn ipsec site-to-site peer PEER1 tunnel 1 remote prefix '192.168.50.0/24' +> > ``` +> +> **6.2 For Route-based VPN create VTI interface, set IP address to this interface and bind this interface to the vpn peer.** +> +> > ```none +> > set interfaces vti vti1 address 10.0.0.1/30 +> > set vpn ipsec site-to-site peer PEER1 vti bind vti1 +> > set vpn ipsec options disable-route-autoinstall +> > ``` +> > +> > Create routing between local networks via VTI interface using dynamic or +> > static routing. +> > +> > ```none +> > set protocol static route 192.168.50.0/24 next-hop 10.0.0.2 +> > ``` + +### Initiator and Responder Connection Types + +In Site-to-Site IPsec VPN it is recommended that one peer should be an +initiator and the other - the responder. The initiator actively establishes +the VPN tunnel. The responder passively waits for the remote peer to +establish the VPN tunnel. Depends on selected role it is recommended +select proper values for close-action and DPD action. + +The result of wrong value selection can be unstable work of the VPN. +: - Duplicate CHILD SA creation. + - None of the VPN sides initiates the tunnel establishment. + +Below flow-chart could be a quick reference for the close-action +combination depending on how the peer is configured. + +```{eval-rst} +.. figure:: /_static/images/IPSec_close_action_settings.webp +``` + +Similar combinations are applicable for the dead-peer-detection. + +### Detailed Configuration Commands + +#### PSK Key Authentication + +```{cfgcmd} set vpn ipsec authentication psk \<name\> dhcp-interface + +ID for authentication generated from DHCP address +dynamically. + +``` + +```{cfgcmd} set vpn ipsec authentication psk id \<id\> + +static ID's for authentication. In general local and remote address +``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``. +``` + +```{cfgcmd} set vpn ipsec authentication psk secret \<secret\> + +A predefined shared secret used in configured mode +``pre-shared-secret``. Base64-encoded secrets are allowed if +`secret-type base64` is configured. +``` + +```{cfgcmd} set vpn ipsec authentication psk secret-type \<type\> + +Specifies the secret type: + +* **plaintext** - Plain text type (default value). +* **base64** - Base64 type. +``` + +#### Peer Configuration + + +##### Peer Authentication Commands + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> authentication mode \<mode\> + +Mode for authentication between VyOS and remote peer: + +* **pre-shared-secret** - Use predefined shared secret phrase. +* **rsa** - Use simple shared RSA key. +* **x509** - Use certificates infrastructure for authentication. +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> authentication local-id \<id\> + +ID for the local VyOS router. If defined, during the authentication +it will be send to remote peer. +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> authentication remote-id \<id\> + +ID for remote peer, instead of using peer name or +address. Useful in case if the remote peer is behind NAT +or if ``mode x509`` is used. +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> authentication rsa local-key \<key\> + +Name of PKI key-pair with local private key. +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> authentication rsa remote-key \<key\> + +Name of PKI key-pair with remote public key. +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> authentication rsa passphrase \<passphrase\> + +Local private key passphrase. +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> authentication use-x509-id \<id\> + +Use local ID from x509 certificate. Cannot be used when +``id`` is defined. +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> authentication x509 ca-certificate \<name\> + +Name of CA certificate in PKI configuration. Using for authenticating +remote peer in x509 mode. +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> authentication x509 certificate \<name\> + +Name of certificate in PKI configuration, which will be used +for authenticating local router on remote peer. +``` + +```{cfgcmd} set vpn ipsec authentication x509 passphrase \<passphrase\> + +Private key passphrase, if needed. +``` + +##### Global Peer Configuration Commands + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> connection-type \<type\> + +Operational mode defines how to handle this connection process. + +* **initiate** - does initial connection to remote peer immediately + after configuring and after boot. In this mode the connection will + not be restarted in case of disconnection, therefore should be used + only together with DPD or another session tracking methods. + +* **trap** - does not try to initiate a connection to a remote + peer immediately. Instead, it installs a trap policy that will + trigger IKE negotiation and establish the IPsec session when + matching traffic is sent from the local side. This can be useful + when there is no direct connectivity to the peer due to firewall + or NAT in the middle of the local and remote side. + + :::{warning} + The ``trap`` mode is not needed in most environments + and can lead to connection confusion or unintended tunnel uptime + behavior if used incorrectly. Using this mode requires careful + coordination with parameters such as ``close-action`` and DPD. + For most deployments, use ``initiate`` and ``none`` as described below. + ::: + +* **none** - loads the connection only, which then can be manually + initiated or used as a responder configuration. + +:::{note} +For most site-to-site VPNs, configure one peer +with ``connection-type initiate`` (active side) and the other peer +with ``connection-type none`` (passive side) to +ensure stable and predictable tunnel behavior. +When using ``connection-type initiate``, you must also configure +DPD or another session tracking method (such as ``close-action``) +to automatically re-establish the tunnel after a disconnection. +Otherwise, the tunnel will not reconnect automatically if it goes down. +::: +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> default-esp-group \<name\> + +Name of ESP group to use by default for traffic encryption. +Might be overwritten by individual settings for tunnel or VTI +interface binding. +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> description \<description\> + +Description for this peer. +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> dhcp-interface \<interface\> + +Specify the interface which IP address, received from DHCP for IPSec +connection with this peer, will be used as ``local-address``. +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> force-udp-encapsulation + +Force encapsulation of ESP into UDP datagrams. Useful in case if +between local and remote side is firewall or NAT, which not +allows passing plain ESP packets between them. +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> ike-group \<name\> + +Name of IKE group to use for key exchanges. +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> local-address \<address\> + +Local IP address for IPsec connection with this peer. +If defined ``any``, then an IP address which configured on interface with +default route will be used. +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> remote-address \<address\> + +Remote IP address or hostname for IPsec connection. IPv4 or IPv6 +address is used when a peer has a public static IP address. Hostname +is a DNS name which could be used when a peer has a public IP +address and DNS name, but an IP address could be changed from time +to time. +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> replay-window \<size\> + +IPsec replay window to configure for CHILD_SAs +(default: 32), a value of 0 disables IPsec replay protection. +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> virtual-address \<address\> + +Defines a virtual IP address which is requested by the initiator and +one or several IPv4 and/or IPv6 addresses are assigned from multiple +pools by the responder. The wildcard addresses 0.0.0.0 and :: +request an arbitrary address, specific addresses may be defined. +``` + +##### CHILD SAs Configuration Commands + +###### Policy-Based CHILD SAs Configuration Commands + +Every configured tunnel under peer configuration is a new CHILD SA. + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> tunnel \<number\> disable + +Disable this tunnel. +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> tunnel \<number\> esp-group \<name\> + +Specify ESP group for this CHILD SA. +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> tunnel \<number\> priority \<number\> + +Priority for policy-based IPsec VPN tunnels (lowest value more +preferable). +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> tunnel \<number\> protocol \<name\> + +Define the protocol for match traffic, which should be encrypted and +send to this peer. +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> tunnel \<number\> local prefix \<network\> + +IP network at the local side. +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> tunnel \<number\> local port \<number\> + +Local port number. Have effect only when used together with +``prefix``. +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> tunnel \<number\> remote prefix \<network\> + +IP network at the remote side. +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> tunnel \<number\> remote port \<number\> + +Remote port number. Have effect only when used together with +``prefix``. +``` + +###### Route-Based CHILD SAs Configuration Commands + +To configure route-based VPN it is enough to create vti interface and +bind it to the peer. Any traffic, which will be send to VTI interface +will be encrypted and send to this peer. Using VTI makes IPsec +configuration much flexible and easier in complex situation, and +allows to dynamically add/delete remote networks, reachable via a +peer, as in this mode router don't need to create additional SA/policy +for each remote network. + +:::{warning} +When using site-to-site IPsec with VTI interfaces, +be sure to disable route autoinstall. +::: +```none +set vpn ipsec options disable-route-autoinstall +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> vti bind \<interface\> + +VTI interface to bind to this peer. +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> vti esp-group \<name\> + +ESP group for encrypt traffic, passed this VTI interface. +``` + +Traffic-selectors parameters for traffic that should pass via vti +interface. + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> vti traffic-selector local prefix \<network\> + +Local prefix for interesting traffic. +``` + +```{cfgcmd} set vpn ipsec site-to-site peer \<name\> vti traffic-selector remote prefix \<network\> + +Remote prefix for interesting traffic. +``` + +### IPsec Op-mode Commands + +```{opcmd} show vpn ike sa + +Shows active IKE SAs information. +``` + +```{opcmd} show vpn ike secrets + +Shows configured authentication keys. +``` + +```{opcmd} show vpn ike status + +Shows Strongswan daemon status. +``` + +```{opcmd} show vpn ipsec connections + +Shows summary status of all configured IKE and IPsec SAs. +``` + +```{opcmd} show vpn ipsec sa [detail] + +Shows active IPsec SAs information. +``` + +```{opcmd} show vpn ipsec status + +Shows status of IPsec process. +``` + +```{opcmd} show vpn ipsec policy + +Shows the in-kernel crypto policies. +``` + +```{opcmd} show vpn ipsec state + +Shows the in-kernel crypto state. +``` + +```{opcmd} show log ipsec + +Shows IPsec logs. +``` + +```{opcmd} reset vpn ipsec site-to-site all + +Clear all ipsec connection and reinitiate them if VyOS is configured +as initiator. +``` + +```{opcmd} reset vpn ipsec site-to-site peer \<name\> + +Clear all peer IKE SAs with IPsec SAs and reinitiate them if VyOS is +configured as initiator. +``` + +```{opcmd} reset vpn ipsec site-to-site peer \<name\> tunnel \<number\> + +Clear scpecific IPsec SA and reinitiate it if VyOS is configured as +initiator. +``` + +```{opcmd} reset vpn ipsec site-to-site peer \<name\> vti \<number\> + +Clear IPsec SA which is map to vti interface of this peer and +reinitiate it if VyOS is configured as initiator. +``` + +```{opcmd} restart ipsec + +Restart Strongswan daemon. +``` + +## Examples: + +### Policy-Based VPN Example + +**PEER1:** +- WAN interface on `eth0` +- `eth0` interface IP: `10.0.1.2/30` +- `dum0` interface IP: `192.168.0.1/24` (for testing purposes) +- Initiator + +**PEER2:** +- WAN interface on `eth0` +- `eth0` interface IP: `10.0.2.2/30` +- `dum0` interface IP: `192.168.1.0/24` (for testing purposes) +- Responder + +```none +# PEER1 +set interfaces dummy dum0 address '192.168.0.1/32' +set interfaces ethernet eth0 address '10.0.1.2/30' +set protocols static route 0.0.0.0/0 next-hop 10.0.1.1 +set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2' +set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2' +set vpn ipsec authentication psk AUTH-PSK secret 'test' +set vpn ipsec esp-group ESP-GRPOUP lifetime '3600' +set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256' +set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1' +set vpn ipsec ike-group IKE-GROUP close-action 'start' +set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart' +set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30' +set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '120' +set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1' +set vpn ipsec ike-group IKE-GROUP lifetime '28800' +set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14' +set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256' +set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1' +set vpn ipsec interface 'eth0' +set vpn ipsec site-to-site peer PEER2 authentication local-id '10.0.1.2' +set vpn ipsec site-to-site peer PEER2 authentication mode 'pre-shared-secret' +set vpn ipsec site-to-site peer PEER2 authentication remote-id '10.0.2.2' +set vpn ipsec site-to-site peer PEER2 connection-type 'initiate' +set vpn ipsec site-to-site peer PEER2 default-esp-group 'ESP-GRPOUP' +set vpn ipsec site-to-site peer PEER2 ike-group 'IKE-GROUP' +set vpn ipsec site-to-site peer PEER2 local-address '10.0.1.2' +set vpn ipsec site-to-site peer PEER2 remote-address '10.0.2.2' +set vpn ipsec site-to-site peer PEER2 tunnel 0 local prefix '192.168.0.0/24' +set vpn ipsec site-to-site peer PEER2 tunnel 0 remote prefix '192.168.1.0/24' + + +# PEER2 +set interfaces dummy dum0 address '192.168.1.1/32' +set interfaces ethernet eth0 address '10.0.2.2/30' +set protocols static route 0.0.0.0/0 next-hop 10.0.2.1 +set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2' +set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2' +set vpn ipsec authentication psk AUTH-PSK secret 'test' +set vpn ipsec esp-group ESP-GRPOUP lifetime '3600' +set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256' +set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1' +set vpn ipsec ike-group IKE-GROUP close-action 'none' +set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'clear' +set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30' +set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '120' +set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1' +set vpn ipsec ike-group IKE-GROUP lifetime '28800' +set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14' +set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256' +set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1' +set vpn ipsec interface 'eth0' +set vpn ipsec site-to-site peer PEER1 authentication local-id '10.0.2.2' +set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret' +set vpn ipsec site-to-site peer PEER1 authentication remote-id '10.0.1.2' +set vpn ipsec site-to-site peer PEER1 connection-type 'none' +set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP-GRPOUP' +set vpn ipsec site-to-site peer PEER1 ike-group 'IKE-GROUP' +set vpn ipsec site-to-site peer PEER1 local-address '10.0.2.2' +set vpn ipsec site-to-site peer PEER1 remote-address '10.0.1.2' +set vpn ipsec site-to-site peer PEER1 tunnel 0 local prefix '192.168.1.0/24' +set vpn ipsec site-to-site peer PEER1 tunnel 0 remote prefix '192.168.0.0/24' +``` + +Show status of policy-based IPsec VPN setup: + +```none +vyos@PEER2:~$ show vpn ike sa +Peer ID / IP Local ID / IP +------------ ------------- +10.0.1.2 10.0.1.2 10.0.2.2 10.0.2.2 + + State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time + ----- ------ ------- ---- --------- ----- ------ ------ + up IKEv1 AES_CBC_256 HMAC_SHA1_96 MODP_2048 no 1254 25633 + + +vyos@srv-gw0:~$ show vpn ipsec sa +Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal +-------------- ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------- +PEER1-tunnel-0 up 20m42s 0B/0B 0/0 10.0.1.2 10.0.1.2 AES_CBC_256/HMAC_SHA1_96/MODP_2048 + +vyos@PEER2:~$ show vpn ipsec connections +Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal +-------------- ------- ------ ---------------- -------------- -------------- ---------- ----------- ---------------------------------- +PEER1 up IKEv1 10.0.1.2 - - 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048 +PEER1-tunnel-0 up IPsec 10.0.1.2 192.168.1.0/24 192.168.0.0/24 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048 +``` + +If there is SNAT rules on eth0, need to add exclude rule + +```none +# PEER1 side +set nat source rule 10 destination address '192.168.1.0/24' +set nat source rule 10 'exclude' +set nat source rule 10 outbound-interface name 'eth0' +set nat source rule 10 source address '192.168.0.0/24' + +# PEER2 side +set nat source rule 10 destination address '192.168.0.0/24' +set nat source rule 10 'exclude' +set nat source rule 10 outbound-interface name 'eth0' +set nat source rule 10 source address '192.168.1.0/24' +``` + +### Route-Based VPN Example + +**PEER1:** +- WAN interface on `eth0` +- `eth0` interface IP: `10.0.1.2/30` +- 'vti0' interface IP: `10.100.100.1/30` +- `dum0` interface IP: `192.168.0.1/24` (for testing purposes) +- Role: Initiator + +**PEER2:** +- WAN interface on `eth0` +- `eth0` interface IP: `10.0.2.2/30` +- 'vti0' interface IP: `10.100.100.2/30` +- `dum0` interface IP: `192.168.1.0/24` (for testing purposes) +- Role: Responder + +```none +# PEER1 +set interfaces dummy dum0 address '192.168.0.1/32' +set interfaces ethernet eth0 address '10.0.1.2/30' +set interfaces vti vti0 address '10.100.100.1/30' +set protocols static route 0.0.0.0/0 next-hop 10.0.1.1 +set protocols static route 192.168.1.0/24 next-hop 10.100.100.2 +set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2' +set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2' +set vpn ipsec authentication psk AUTH-PSK secret 'test' +set vpn ipsec esp-group ESP-GRPOUP lifetime '3600' +set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256' +set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1' +set vpn ipsec ike-group IKE-GROUP close-action 'start' +set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart' +set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30' +set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2' +set vpn ipsec ike-group IKE-GROUP lifetime '28800' +set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14' +set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256' +set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1' +set vpn ipsec interface 'eth0' +set vpn ipsec options disable-route-autoinstall +set vpn ipsec site-to-site peer PEER2 authentication local-id '10.0.1.2' +set vpn ipsec site-to-site peer PEER2 authentication mode 'pre-shared-secret' +set vpn ipsec site-to-site peer PEER2 authentication remote-id '10.0.2.2' +set vpn ipsec site-to-site peer PEER2 connection-type 'initiate' +set vpn ipsec site-to-site peer PEER2 default-esp-group 'ESP-GRPOUP' +set vpn ipsec site-to-site peer PEER2 ike-group 'IKE-GROUP' +set vpn ipsec site-to-site peer PEER2 local-address '10.0.1.2' +set vpn ipsec site-to-site peer PEER2 remote-address '10.0.2.2' +set vpn ipsec site-to-site peer PEER2 vti bind 'vti0' + + +# PEER2 +set interfaces dummy dum0 address '192.168.1.1/32' +set interfaces ethernet eth0 address '10.0.2.2/30' +set interfaces vti vti0 address '10.100.100.2/30' +set protocols static route 0.0.0.0/0 next-hop 10.0.2.1 +set protocols static route 192.168.0.0/24 next-hop 10.100.100.1 +set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2' +set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2' +set vpn ipsec authentication psk AUTH-PSK secret 'test' +set vpn ipsec esp-group ESP-GRPOUP lifetime '3600' +set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256' +set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1' +set vpn ipsec ike-group IKE-GROUP close-action 'none' +set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'clear' +set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30' +set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2' +set vpn ipsec ike-group IKE-GROUP lifetime '28800' +set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14' +set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256' +set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1' +set vpn ipsec interface 'eth0' +set vpn ipsec options disable-route-autoinstall +set vpn ipsec site-to-site peer PEER1 authentication local-id '10.0.2.2' +set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret' +set vpn ipsec site-to-site peer PEER1 authentication remote-id '10.0.1.2' +set vpn ipsec site-to-site peer PEER1 connection-type 'none' +set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP-GRPOUP' +set vpn ipsec site-to-site peer PEER1 ike-group 'IKE-GROUP' +set vpn ipsec site-to-site peer PEER1 local-address '10.0.2.2' +set vpn ipsec site-to-site peer PEER1 remote-address '10.0.1.2' +set vpn ipsec site-to-site peer PEER1 vti bind 'vti0' +``` + +Show status of route-based IPsec VPN setup: + +```none +vyos@PEER2:~$ show vpn ike sa +Peer ID / IP Local ID / IP +------------ ------------- +10.0.1.2 10.0.1.2 10.0.2.2 10.0.2.2 + + State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time + ----- ------ ------- ---- --------- ----- ------ ------ + up IKEv2 AES_CBC_256 HMAC_SHA1_96 MODP_2048 no 404 27650 + +vyos@PEER2:~$ show vpn ipsec sa +Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal +------------ ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------- +PEER1-vti up 3m28s 0B/0B 0/0 10.0.1.2 10.0.1.2 AES_CBC_256/HMAC_SHA1_96/MODP_2048 + +vyos@PEER2:~$ show vpn ipsec connections +Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal +------------ ------- ------ ---------------- ---------- ----------- ---------- ----------- ---------------------------------- +PEER1 up IKEv2 10.0.1.2 - - 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048 +PEER1-vti up IPsec 10.0.1.2 0.0.0.0/0 0.0.0.0/0 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048 + ::/0 ::/0 +``` diff --git a/docs/configuration/vpn/ipsec/troubleshooting_ipsec.md b/docs/configuration/vpn/ipsec/troubleshooting_ipsec.md new file mode 100644 index 00000000..2ca37bc2 --- /dev/null +++ b/docs/configuration/vpn/ipsec/troubleshooting_ipsec.md @@ -0,0 +1,313 @@ +(troubleshooting-ipsec)= + +# Troubleshooting Site-to-Site VPN IPsec + +```{todo} +Convert raw command blocks in this file to cfgcmd/opcmd +directives for command coverage tracking. +``` + + +## Introduction + +This document describes the methodology to monitor and troubleshoot +Site-to-Site VPN IPsec. + +Steps for troubleshooting problems with Site-to-Site VPN IPsec: +: 1. Ping the remote site through the tunnel using the source and + destination IPs included in the policy. + 2. Check connectivity between the routers using the ping command + (if ICMP traffic is allowed). + 3. Check the IKE SAs' statuses. + 4. Check the IPsec SAs' statuses. + 5. Check logs to view debug messages. + +## Checking IKE SA Status + +The next command shows IKE SAs' statuses. + +```none +vyos@vyos:~$ show vpn ike sa + +Peer ID / IP Local ID / IP +------------ ------------- +192.168.1.2 192.168.1.2 192.168.0.1 192.168.0.1 + + State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time + ----- ------ ------- ---- --------- ----- ------ ------ + up IKEv2 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 162 27023 +``` + +This command shows the next information: +: - IKE SA status. + - Selected IKE version. + - Selected Encryption, Hash and Diffie-Hellman Group. + - NAT-T. + - ID and IP of both peers. + - A-Time: established time, L-Time: time for next rekeying. + +## IPsec SA (CHILD SA) Status + +The next commands show IPsec SAs' statuses. + +```none +vyos@vyos:~$ show vpn ipsec sa +Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal +------------- ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------- +PEER-tunnel-1 up 16m30s 168B/168B 2/2 192.168.1.2 192.168.1.2 AES_CBC_128/HMAC_SHA1_96/MODP_2048 +``` + +```none +vyos@vyos:~$ show vpn ipsec sa detail +PEER: #1, ESTABLISHED, IKEv2, 101275ac719d5a1b_i* 68ea4ec3bed3bf0c_r + local '192.168.0.1' @ 192.168.0.1[4500] + remote '192.168.1.2' @ 192.168.1.2[4500] + AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + established 4054s ago, rekeying in 23131s + PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048 + installed 1065s ago, rekeying in 1998s, expires in 2535s + in c5821882, 168 bytes, 2 packets, 81s ago + out c433406a, 168 bytes, 2 packets, 81s ago + local 10.0.0.0/24 + remote 10.0.1.0/24 +``` + +These commands show the next information: +: - IPsec SA status. + - Uptime and time for the next rekeing. + - Amount of transferred data. + - Remote and local ID and IP. + - Selected Encryption, Hash and Diffie-Hellman Group. + - Mode (tunnel or transport). + - Remote and local prefixes which are use for policy. + +There is a possibility to view the summarized information of SAs' status + +```none +vyos@vyos:~$ show vpn ipsec connections +Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal +------------- ------- ------ ---------------- ----------- ----------- ----------- ----------- ---------------------------------- +PEER up IKEv2 192.168.1.2 - - 192.168.0.1 192.168.1.2 AES_CBC/128/HMAC_SHA1_96/MODP_2048 +PEER-tunnel-1 up IPsec 192.168.1.2 10.0.0.0/24 10.0.1.0/24 192.168.0.1 192.168.1.2 AES_CBC/128/HMAC_SHA1_96/MODP_2048 +``` + + +## Viewing Logs for Debugging + +If IKE SAs or IPsec SAs are down, need to debug IPsec connectivity +using logs `show log ipsec` + +The next example of the successful IPsec connection initialization. + +```none +vyos@vyos:~$ show log ipsec +Jun 20 14:29:47 charon[2428]: 02[NET] <PEER|1> received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes) +Jun 20 14:29:47 charon[2428]: 02[ENC] <PEER|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] +Jun 20 14:29:47 charon-systemd[2428]: received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes) +Jun 20 14:29:47 charon[2428]: 02[CFG] <PEER|1> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 +Jun 20 14:29:47 charon-systemd[2428]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] +Jun 20 14:29:47 charon-systemd[2428]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 +Jun 20 14:29:47 charon[2428]: 02[IKE] <PEER|1> authentication of '192.168.0.1' (myself) with pre-shared key +Jun 20 14:29:47 charon-systemd[2428]: authentication of '192.168.0.1' (myself) with pre-shared key +Jun 20 14:29:47 charon[2428]: 02[IKE] <PEER|1> establishing CHILD_SA PEER-tunnel-1{1} +Jun 20 14:29:47 charon-systemd[2428]: establishing CHILD_SA PEER-tunnel-1{1} +Jun 20 14:29:47 charon[2428]: 02[ENC] <PEER|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] +Jun 20 14:29:47 charon-systemd[2428]: generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] +Jun 20 14:29:47 charon[2428]: 02[NET] <PEER|1> sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes) +Jun 20 14:29:47 charon-systemd[2428]: sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes) +Jun 20 14:29:47 charon[2428]: 13[NET] <PEER|1> received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (220 bytes) +Jun 20 14:29:47 charon[2428]: 13[ENC] <PEER|1> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ] +Jun 20 14:29:47 charon-systemd[2428]: received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (220 bytes) +Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> authentication of '192.168.1.2' with pre-shared key successful +Jun 20 14:29:47 charon-systemd[2428]: parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ] +Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> peer supports MOBIKE +Jun 20 14:29:47 charon-systemd[2428]: authentication of '192.168.1.2' with pre-shared key successful +Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2] +Jun 20 14:29:47 charon-systemd[2428]: peer supports MOBIKE +Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> scheduling rekeying in 27703s +Jun 20 14:29:47 charon-systemd[2428]: IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2] +Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> maximum IKE_SA lifetime 30583s +Jun 20 14:29:47 charon-systemd[2428]: scheduling rekeying in 27703s +Jun 20 14:29:47 charon[2428]: 13[CFG] <PEER|1> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ +Jun 20 14:29:47 charon-systemd[2428]: maximum IKE_SA lifetime 30583s +Jun 20 14:29:47 charon-systemd[2428]: selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ +Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> CHILD_SA PEER-tunnel-1{1} established with SPIs cb94fb3f_i ca99c8a9_o and TS 10.0.0.0/24 === 10.0.1.0/24 +Jun 20 14:29:47 charon-systemd[2428]: CHILD_SA PEER-tunnel-1{1} established with SPIs cb94fb3f_i ca99c8a9_o and TS 10.0.0.0/24 === 10.0.1.0/24 +``` + + +## Troubleshooting Examples + +### IKE PROPOSAL are Different + +In this situation, IKE SAs can be down or not active. + +```none +vyos@vyos:~$ show vpn ike sa +``` + +The problem is in IKE phase (Phase 1). The next step is checking debug logs. + +Responder Side: + +```none +Jun 23 07:36:33 charon[2440]: 01[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 +Jun 23 07:36:33 charon-systemd[2440]: received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 +Jun 23 07:36:33 charon[2440]: 01[CFG] <1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 +Jun 23 07:36:33 charon-systemd[2440]: configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 +Jun 23 07:36:33 charon[2440]: 01[IKE] <1> received proposals unacceptable +Jun 23 07:36:33 charon-systemd[2440]: received proposals unacceptable +Jun 23 07:36:33 charon[2440]: 01[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ] +``` + +Initiator side: + +```none +Jun 23 07:36:32 charon-systemd[2444]: parsed IKE_SA_INIT response 0 [ N(NO_PROP) ] +Jun 23 07:36:32 charon[2444]: 14[IKE] <PEER|1> received NO_PROPOSAL_CHOSEN notify error +Jun 23 07:36:32 charon-systemd[2444]: received NO_PROPOSAL_CHOSEN notify error +``` + +The notification **NO_PROPOSAL_CHOSEN** means that the proposal mismatch. +On the Responder side there is concrete information where is mismatch. +Encryption **AES_CBC_128** is configured in IKE policy on the responder +but **AES_CBC_256** is configured on the initiator side. + +### PSK Secret Mismatch + +In this situation, IKE SAs can be down or not active. + +```none +vyos@vyos:~$ show vpn ike sa +``` + +The problem is in IKE phase (Phase 1). The next step is checking debug logs. + +Responder: + +```none +Jun 23 08:07:26 charon-systemd[2440]: tried 1 shared key for '192.168.1.2' - '192.168.0.1', but MAC mismatched +Jun 23 08:07:26 charon[2440]: 13[ENC] <PEER|3> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] +``` + +Initiator side: + +```none +Jun 23 08:07:24 charon[2436]: 12[ENC] <PEER|1> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ] +Jun 23 08:07:24 charon-systemd[2436]: parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ] +Jun 23 08:07:24 charon[2436]: 12[IKE] <PEER|1> received AUTHENTICATION_FAILED notify error +Jun 23 08:07:24 charon-systemd[2436]: received AUTHENTICATION_FAILED notify error +``` + +The notification **AUTHENTICATION_FAILED** means that the authentication +is failed. There is a reason to check PSK on both side. + +### ESP Proposal Mismatch + +The output of **show** commands shows us that IKE SA is established but +IPSec SA is not. + +```none +vyos@vyos:~$ show vpn ike sa +Peer ID / IP Local ID / IP +------------ ------------- +192.168.1.2 192.168.1.2 192.168.0.1 192.168.0.1 + + State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time + ----- ------ ------- ---- --------- ----- ------ ------ + up IKEv2 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 158 26817 +``` + +```none +vyos@vyos:~$ show vpn ipsec sa +Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal +------------ ------- -------- -------------- ---------------- ---------------- ----------- ---------- +``` + +The next step is checking debug logs. + +Initiator side: + +```none +Jun 23 08:16:10 charon[3789]: 13[NET] <PEER|1> received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes) +Jun 23 08:16:10 charon[3789]: 13[ENC] <PEER|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] +Jun 23 08:16:10 charon-systemd[3789]: received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes) +Jun 23 08:16:10 charon[3789]: 13[CFG] <PEER|1> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 +Jun 23 08:16:10 charon-systemd[3789]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] +Jun 23 08:16:10 charon-systemd[3789]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 +Jun 23 08:16:10 charon[3789]: 13[IKE] <PEER|1> authentication of '192.168.0.1' (myself) with pre-shared key +Jun 23 08:16:10 charon-systemd[3789]: authentication of '192.168.0.1' (myself) with pre-shared key +Jun 23 08:16:10 charon[3789]: 13[IKE] <PEER|1> establishing CHILD_SA PEER-tunnel-1{1} +Jun 23 08:16:10 charon-systemd[3789]: establishing CHILD_SA PEER-tunnel-1{1} +Jun 23 08:16:10 charon[3789]: 13[ENC] <PEER|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] +Jun 23 08:16:10 charon-systemd[3789]: generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] +Jun 23 08:16:10 charon[3789]: 13[NET] <PEER|1> sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes) +Jun 23 08:16:10 charon-systemd[3789]: sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes) +Jun 23 08:16:10 charon[3789]: 09[NET] <PEER|1> received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (140 bytes) +Jun 23 08:16:10 charon-systemd[3789]: received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (140 bytes) +Jun 23 08:16:10 charon[3789]: 09[ENC] <PEER|1> parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ] +Jun 23 08:16:10 charon-systemd[3789]: parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ] +Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> authentication of '192.168.1.2' with pre-shared key successful +Jun 23 08:16:10 charon-systemd[3789]: authentication of '192.168.1.2' with pre-shared key successful +Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> peer supports MOBIKE +Jun 23 08:16:10 charon-systemd[3789]: peer supports MOBIKE +Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2] +Jun 23 08:16:10 charon-systemd[3789]: IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2] +Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> scheduling rekeying in 26975s +Jun 23 08:16:10 charon-systemd[3789]: scheduling rekeying in 26975s +Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> maximum IKE_SA lifetime 29855s +Jun 23 08:16:10 charon-systemd[3789]: maximum IKE_SA lifetime 29855s +Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built +Jun 23 08:16:10 charon-systemd[3789]: received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built +Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> failed to establish CHILD_SA, keeping IKE_SA +Jun 23 08:16:10 charon-systemd[3789]: failed to establish CHILD_SA, keeping IKE_SA +``` + +There are messages: **NO_PROPOSAL_CHOSEN** and +**failed to establish CHILD_SA** which refers that the problem is in +the IPsec(ESP) proposal mismatch. + +The reason of this problem is showed on the responder side. + +```none +Jun 23 08:16:12 charon[2440]: 01[CFG] <PEER|5> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ +Jun 23 08:16:12 charon-systemd[2440]: received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ +Jun 23 08:16:12 charon[2440]: 01[CFG] <PEER|5> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ +Jun 23 08:16:12 charon-systemd[2440]: configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ +Jun 23 08:16:12 charon[2440]: 01[IKE] <PEER|5> no acceptable proposal found +Jun 23 08:16:12 charon-systemd[2440]: no acceptable proposal found +Jun 23 08:16:12 charon[2440]: 01[IKE] <PEER|5> failed to establish CHILD_SA, keeping IKE_SA +``` + +Encryption **AES_CBC_128** is configured in IKE policy on the responder but **AES_CBC_256** +is configured on the initiator side. + +### Prefixes in Policies Mismatch + +As in previous situation, IKE SA is in up state but IPsec SA is not up. +According to logs we can see **TS_UNACCEPTABLE** notification. It means +that prefixes (traffic selectors) mismatch on both sides + +Initiator: + +```none +Jun 23 14:13:17 charon[4996]: 11[IKE] <PEER|1> received TS_UNACCEPTABLE notify, no CHILD_SA built +Jun 23 14:13:17 charon-systemd[4996]: maximum IKE_SA lifetime 29437s +Jun 23 14:13:17 charon[4996]: 11[IKE] <PEER|1> failed to establish CHILD_SA, keeping IKE_SA +Jun 23 14:13:17 charon-systemd[4996]: received TS_UNACCEPTABLE notify, no CHILD_SA built +Jun 23 14:13:17 charon-systemd[4996]: failed to establish CHILD_SA, keeping IKE_SA +``` + +The reason of this problem is showed on the responder side. + +```none +Jun 23 14:13:19 charon[2440]: 01[IKE] <PEER|7> traffic selectors 10.0.2.0/24 === 10.0.0.0/24 unacceptable +Jun 23 14:13:19 charon-systemd[2440]: traffic selectors 10.0.2.0/24 === 10.0.0.0/24 unacceptable +Jun 23 14:13:19 charon[2440]: 01[IKE] <PEER|7> failed to establish CHILD_SA, keeping IKE_SA +Jun 23 14:13:19 charon-systemd[2440]: failed to establish CHILD_SA, keeping IKE_SA +Jun 23 14:13:19 charon[2440]: 01[ENC] <PEER|7> generating IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ] +Jun 23 14:13:19 charon-systemd[2440]: generating IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ] +``` + +Traffic selectors **10.0.2.0/24 === 10.0.0.0/24** are unacceptable on the +responder side. diff --git a/docs/configuration/vpn/l2tp.md b/docs/configuration/vpn/l2tp.md new file mode 100644 index 00000000..d932d095 --- /dev/null +++ b/docs/configuration/vpn/l2tp.md @@ -0,0 +1,624 @@ +(l2tp)= + +# L2TP + +VyOS utilizes [accel-ppp] to provide L2TP server functionality. It can be used +with local authentication or a connected RADIUS server. + +## Configuring L2TP Server + +```none +set vpn l2tp remote-access authentication mode local +set vpn l2tp remote-access authentication local-users username test password 'test' +set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254 +set vpn l2tp remote-access default-pool 'L2TP-POOL' +set vpn l2tp remote-access outside-address 192.0.2.2 +set vpn l2tp remote-access gateway-address 192.168.255.1 +``` + +```{cfgcmd} set vpn l2tp remote-access authentication mode \<local | radius\> + +Set authentication backend. The configured authentication backend is used +for all queries. + +* **radius**: All authentication queries are handled by a configured RADIUS + server. +* **local**: All authentication queries are handled locally. +``` + + +```{cfgcmd} set vpn l2tp remote-access authentication local-users username \<user\> password \<pass\> + +Create `<user>` for local authentication on this system. The users password +will be set to `<pass>`. +``` + + +```{cfgcmd} set vpn l2tp remote-access client-ip-pool \<POOL-NAME\> range \<x.x.x.x-x.x.x.x | x.x.x.x/x\> + +Use this command to define the first IP address of a pool of +addresses to be given to l2tp clients. If notation ``x.x.x.x-x.x.x.x``, +it must be within a /24 subnet. If notation ``x.x.x.x/x`` is +used there is possibility to set host/netmask. +``` + + +```{cfgcmd} set vpn l2tp remote-access default-pool \<POOL-NAME\> + +Use this command to define default address pool name. +``` + + +```{cfgcmd} set vpn l2tp remote-access gateway-address \<gateway\> + +Specifies single `<gateway>` IP address to be used as local address of PPP +interfaces. +``` + + +## Configuring IPsec + +```none +set vpn ipsec interface eth0 +set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret +set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret secret +``` + + +```{cfgcmd} set vpn ipsec interface \<INTERFACE\> + +Use this command to define IPsec interface. +``` + + +```{cfgcmd} set vpn l2tp remote-access ipsec-settings authentication mode \<pre-shared-secret | x509\> + +Set mode for IPsec authentication between VyOS and L2TP clients. +``` + + +```{cfgcmd} set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret \<secret\> + +Set predefined shared secret phrase. +``` + +If a local firewall policy is in place on your external interface you will need +to allow the ports below: +- UDP port 500 (IKE) +- IP protocol number 50 (ESP) +- UDP port 1701 for IPsec + +As well as the below to allow NAT-traversal (when NAT is detected by the +VPN client, ESP is encapsulated in UDP for NAT-traversal): + +- UDP port 4500 (NAT-T) + +Example: + +```none +set firewall ipv4 name OUTSIDE-LOCAL rule 40 action 'accept' +set firewall ipv4 name OUTSIDE-LOCAL rule 40 protocol 'esp' +set firewall ipv4 name OUTSIDE-LOCAL rule 41 action 'accept' +set firewall ipv4 name OUTSIDE-LOCAL rule 41 destination port '500' +set firewall ipv4 name OUTSIDE-LOCAL rule 41 protocol 'udp' +set firewall ipv4 name OUTSIDE-LOCAL rule 42 action 'accept' +set firewall ipv4 name OUTSIDE-LOCAL rule 42 destination port '4500' +set firewall ipv4 name OUTSIDE-LOCAL rule 42 protocol 'udp' +set firewall ipv4 name OUTSIDE-LOCAL rule 43 action 'accept' +set firewall ipv4 name OUTSIDE-LOCAL rule 43 destination port '1701' +set firewall ipv4 name OUTSIDE-LOCAL rule 43 ipsec 'match-ipsec' +set firewall ipv4 name OUTSIDE-LOCAL rule 43 protocol 'udp' +``` + +To allow VPN-clients access via your external address, a NAT rule is required: + +```none +set nat source rule 110 outbound-interface name 'eth0' +set nat source rule 110 source address '192.168.255.0/24' +set nat source rule 110 translation address masquerade +``` + + +## Configuring RADIUS authentication + +To enable RADIUS based authentication, the authentication mode needs to be +changed within the configuration. Previous settings like the local users, still +exists within the configuration, however they are not used if the mode has been +changed from local to radius. Once changed back to local, it will use all local +accounts again. + +```none +set vpn l2tp remote-access authentication mode radius +``` + +```{cfgcmd} set vpn l2tp remote-access authentication radius server \<server\> key \<secret\> + +Configure RADIUS `<server>` and its required shared `<secret>` for +communicating with the RADIUS server. +``` + +Since the RADIUS server would be a single point of failure, multiple RADIUS +servers can be setup and will be used subsequentially. +For example: + +```none +set vpn l2tp remote-access authentication radius server 10.0.0.1 key 'foo' +set vpn l2tp remote-access authentication radius server 10.0.0.2 key 'foo' +``` + +:::{note} +Some RADIUS severs use an access control list which allows or denies +queries, make sure to add your VyOS router to the allowed client list. +::: + +### RADIUS source address + +If you are using OSPF as your IGP, use the interface connected closest to the +RADIUS server. You can bind all outgoing RADIUS requests to a single source IP +e.g. the loopback interface. + +```{cfgcmd} set vpn l2tp remote-access authentication radius source-address \<address\> + +Source IPv4 address used in all RADIUS server queires. +``` + +:::{note} +The `source-address` must be configured to that of an interface. +Best practice would be a loopback or dummy interface. +::: + +### RADIUS advanced options + +```{cfgcmd} set vpn l2tp remote-access authentication radius server \<server\> port \<port\> + +Configure RADIUS `<server>` and its required port for authentication requests. +``` + +```{cfgcmd} set vpn l2tp remote-access authentication radius server \<server\> fail-time \<time\> + +Mark RADIUS server as offline for this given `<time>` in seconds. +``` + +```{cfgcmd} set vpn l2tp remote-access authentication radius server \<server\> disable + +Temporary disable this RADIUS server. +``` + +```{cfgcmd} set vpn l2tp remote-access authentication radius acct-timeout \<timeout\> + +Timeout to wait reply for Interim-Update packets. (default 3 seconds) +``` + +```{cfgcmd} set vpn l2tp remote-access authentication radius dynamic-author server \<address\> + +Specifies IP address for Dynamic Authorization Extension server (DM/CoA). +This IP must exist on any VyOS interface or it can be ``0.0.0.0``. +``` + +```{cfgcmd} set vpn l2tp remote-access authentication radius dynamic-author port \<port\> + +UDP port for Dynamic Authorization Extension server (DM/CoA) +``` + +```{cfgcmd} set vpn l2tp remote-access authentication radius dynamic-author key \<secret\> + +Secret for Dynamic Authorization Extension server (DM/CoA) +``` + +```{cfgcmd} set vpn l2tp remote-access authentication radius max-try \<number\> + +Maximum number of tries to send Access-Request/Accounting-Request queries +``` + +```{cfgcmd} set vpn l2tp remote-access authentication radius timeout \<timeout\> + +Timeout to wait response from server (seconds) +``` + +```{cfgcmd} set vpn l2tp remote-access authentication radius nas-identifier \<identifier\> + +Value to send to RADIUS server in NAS-Identifier attribute and to be matched +in DM/CoA requests. +``` + +```{cfgcmd} set vpn l2tp remote-access authentication radius nas-ip-address \<address\> + +Value to send to RADIUS server in NAS-IP-Address attribute and to be matched +in DM/CoA requests. Also DM/CoA server will bind to that address. +``` + +```{cfgcmd} set vpn l2tp remote-access authentication radius source-address \<address\> + +Source IPv4 address used in all RADIUS server queires. +``` + +```{cfgcmd} set vpn l2tp remote-access authentication radius rate-limit attribute \<attribute\> + +Specifies which RADIUS server attribute contains the rate limit information. +The default attribute is `Filter-Id`. +``` + +:::{note} +If you set a custom RADIUS attribute you must define it on both +dictionaries on the RADIUS server and client. +::: + +```{cfgcmd} set vpn l2tp remote-access authentication radius rate-limit enable + +Enables bandwidth shaping via RADIUS. +``` + +```{cfgcmd} set vpn l2tp remote-access authentication radius rate-limit vendor + +Specifies the vendor dictionary. This dictionary needs to be present in +/usr/share/accel-ppp/radius. +``` + +Received RADIUS attributes have a higher priority than parameters defined within +the CLI configuration, refer to the explanation below. + +### Allocation clients ip addresses by RADIUS + +If the RADIUS server sends the attribute `Framed-IP-Address` then this IP +address will be allocated to the client and the option `default-pool` within +the CLI config will be ignored. + +If the RADIUS server sends the attribute `Framed-Pool`, then the IP address +will be allocated from a predefined IP pool whose name equals the attribute +value. + +If the RADIUS server sends the attribute `Stateful-IPv6-Address-Pool`, the +IPv6 address will be allocated from a predefined IPv6 pool `prefix` whose +name equals the attribute value. + +If the RADIUS server sends the attribute `Delegated-IPv6-Prefix-Pool`, an +IPv6 delegation prefix will be allocated from a predefined IPv6 pool +`delegate` whose name equals the attribute value. + +:::{note} +`Stateful-IPv6-Address-Pool` and `Delegated-IPv6-Prefix-Pool` are defined in +RFC6911. If they are not defined in your RADIUS server, add new [dictionary]. +::: + +The client's interface can be put into a VRF context via a RADIUS Access-Accept +packet, or changed via RADIUS CoA. `Accel-VRF-Name` is used for these +purposes. This is a custom [ACCEL-PPP attribute]. Define it in your RADIUS +server. + +### Renaming clients interfaces by RADIUS + +If the RADIUS server uses the attribute `NAS-Port-Id`, ppp tunnels will be +renamed. + +:::{note} +The value of the attribute `NAS-Port-Id` must be less than 16 +characters, otherwise the interface won't be renamed. +::: + +## Configuring LNS (L2TP Network Server) + +LNS are often used to connect to a LAC (L2TP Access Concentrator). + +```{cfgcmd} set vpn l2tp remote-access lns host-name \<hostname\> + +Sent to the client (LAC) in the Host-Name attribute +``` + +```{cfgcmd} set vpn l2tp remote-access lns shared-secret \<secret\> + +Tunnel password used to authenticate the client (LAC) +``` + +To explain the usage of LNS follow our blueprint {ref}`examples-lac-lns`. + +## IPv6 + +```{cfgcmd} set vpn l2tp remote-access ppp-options ipv6 \<require | prefer | allow | deny\> + +Specifies IPv6 negotiation preference. +* **require** - Require IPv6 negotiation +* **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects +* **allow** - Negotiate IPv6 only if client requests +* **deny** - Do not negotiate IPv6 (default value) +``` + +```{cfgcmd} set vpn l2tp remote-access client-ipv6-pool \<IPv6-POOL-NAME\> prefix \<address\> mask \<number-of-bits\> + +Use this comand to set the IPv6 address pool from which an l2tp client will +get an IPv6 prefix of your defined length (mask) to terminate the l2tp +endpoint at their side. The mask length can be set between 48 and 128 bits +long, the default value is 64. +``` + +```{cfgcmd} set vpn l2tp remote-access client-ipv6-pool \<IPv6-POOL-NAME\> delegate \<address\> delegation-prefix \<number-of-bits\> + +Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on l2tp. +You will have to set your IPv6 pool and the length of the delegation +prefix. From the defined IPv6 pool you will be handing out networks of the +defined length (delegation-prefix). The length of the delegation prefix can +be between 32 and 64 bits long. +``` + +```{cfgcmd} set vpn l2tp remote-access default-ipv6-pool \<IPv6-POOL-NAME\> + +Use this command to define default IPv6 address pool name. +``` + +```none +set vpn l2tp remote-access ppp-options ipv6 allow +set vpn l2tp remote-access client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' +set vpn l2tp remote-access client-ipv6-pool IPv6-POOL prefix '2001:db8:8002::/48' mask '64' +set vpn l2tp remote-access default-ipv6-pool IPv6-POOL +``` + + +### IPv6 Advanced Options + +```{cfgcmd} set vpn l2tp remote-access ppp-options ipv6-accept-peer-interface-id + +Accept peer interface identifier. By default this is not defined. +``` + +```{cfgcmd} set vpn l2tp remote-access ppp-options ipv6-interface-id \<random | x:x:x:x\> + +Specifies if a fixed or random interface identifier is used for IPv6. The +default is fixed. +* **random** - Random interface identifier for IPv6 +* **x:x:x:x** - Specify interface identifier for IPv6 +``` + +```{cfgcmd} set vpn l2tp remote-access ppp-options ipv6-interface-id \<random | x:x:x:x\> + +Specifies the peer interface identifier for IPv6. The default is fixed. +* **random** - Random interface identifier for IPv6 +* **x:x:x:x** - Specify interface identifier for IPv6 +* **ipv4-addr** - Calculate interface identifier from IPv4 address. +* **calling-sid** - Calculate interface identifier from calling-station-id. +``` + + +## Scripting + +```{cfgcmd} set vpn l2tp remote-access extended-scripts on-change \<path_to_script\> + +Script to run when the session interface is changed by RADIUS CoA handling +``` + +```{cfgcmd} set vpn l2tp remote-access extended-scripts on-down \<path_to_script\> + +Script to run when the session interface is about to terminate +``` + +```{cfgcmd} set vpn l2tp remote-access extended-scripts on-pre-up \<path_to_script\> + +Script to run before the session interface comes up +``` + +```{cfgcmd} set vpn l2tp remote-access extended-scripts on-up \<path_to_script\> + +Script to run when the session interface is completely configured and started +``` + + +## Advanced Options + +### Authentication Advanced Options + +```{cfgcmd} set vpn l2tp remote-access authentication local-users username \<user\> disable + +Disable `<user>` account. +``` + +```{cfgcmd} set vpn l2tp remote-access authentication local-users username \<user\> static-ip \<address\> + +Assign a static IP address to `<user>` account. +``` + +```{cfgcmd} set vpn l2tp remote-access authentication local-users username \<user\> rate-limit download \<bandwidth\> + +Rate limit the download bandwidth for `<user>` to `<bandwidth>` kbit/s. +``` + +```{cfgcmd} set vpn l2tp remote-access authentication local-users username \<user\> rate-limit upload \<bandwidth\> + +Rate limit the upload bandwidth for `<user>` to `<bandwidth>` kbit/s +``` + +```{cfgcmd} set vpn l2tp remote-access authentication protocols \<pap | chap | mschap | mschap-v2\> + +Require the peer to authenticate itself using one of the following protocols: +pap, chap, mschap, mschap-v2. +``` + + +### Client IP Pool Advanced Options + +```{cfgcmd} set vpn l2tp remote-access client-ip-pool \<POOL-NAME\> next-pool \<NEXT-POOL-NAME\> + +Use this command to define the next address pool name. +``` + + +### PPP Advanced Options + +```{cfgcmd} set vpn l2tp remote-access ppp-options disable-ccp + +Disable Compression Control Protocol (CCP). +CCP is enabled by default. +``` + +```{cfgcmd} set vpn l2tp remote-access ppp-options interface-cache \<number\> + +Specifies number of interfaces to cache. This prevents interfaces from being +removed once the corresponding session is destroyed. Instead, interfaces are +cached for later use in new sessions. This should reduce the kernel-level +interface creation/deletion rate. +Default value is **0**. +``` + +```{cfgcmd} set vpn l2tp remote-access ppp-options ipv4 \<require | prefer | allow | deny\> + +Specifies IPv4 negotiation preference. +* **require** - Require IPv4 negotiation +* **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects +* **allow** - Negotiate IPv4 only if client requests (Default value) +* **deny** - Do not negotiate IPv4 +``` + +```{cfgcmd} set vpn l2tp remote-access ppp-options lcp-echo-failure \<number\> + +Defines the maximum `<number>` of unanswered echo requests. Upon reaching the +value `<number>`, the session will be reset. Default value is **3**. +``` + +```{cfgcmd} set vpn l2tp remote-access ppp-options lcp-echo-interval \<interval\> + +If this option is specified and is greater than 0, then the PPP module will +send LCP echo requests every `<interval>` seconds. +Default value is **30**. +``` + +```{cfgcmd} set vpn l2tp remote-access ppp-options lcp-echo-timeout + +Specifies timeout in seconds to wait for any peer activity. If this option is +specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" +is not used. Default value is **0**. +``` + +```{cfgcmd} set vpn l2tp remote-access ppp-options min-mtu \<number\> + +Defines the minimum acceptable MTU. If a client tries to negotiate an MTU +lower than this it will be NAKed, and disconnected if it rejects a greater +MTU. +Default value is **100**. +``` + +```{cfgcmd} set vpn l2tp remote-access ppp-options mppe \<require | prefer | deny\> + +Specifies {abbr}`MPPE (Microsoft Point-to-Point Encryption)` negotiation +preference. +* **require** - ask client for mppe, if it rejects drop connection +* **prefer** - ask client for mppe, if it rejects don't fail. (Default value) +* **deny** - deny mppe + +Default behavior - don't ask the client for mppe, but allow it if the client +wants. Please note that RADIUS may override this option with the +MS-MPPE-Encryption-Policy attribute. +``` + +```{cfgcmd} set vpn l2tp remote-access ppp-options mru \<number\> + +Defines preferred MRU. By default is not defined. +``` + + +### Global Advanced options + +```{cfgcmd} set vpn l2tp remote-access description \<description\> + +Set description. +``` + +```{cfgcmd} set vpn l2tp remote-access limits burst \<value\> + +Burst count +``` + +```{cfgcmd} set vpn l2tp remote-access limits connection-limit \<value\> + +Maximum accepted connection rate (e.g. 1/min, 60/sec) +``` + +```{cfgcmd} set vpn l2tp remote-access limits timeout \<value\> + +Timeout in seconds +``` + +```{cfgcmd} set vpn l2tp remote-access mtu + +Maximum Transmission Unit (MTU) (default: **1436**) +``` + +```{cfgcmd} set vpn l2tp remote-access max-concurrent-sessions + +Maximum number of concurrent session start attempts +``` + +```{cfgcmd} set vpn l2tp remote-access name-server \<address\> + +Connected clients should use `<address>` as their DNS server. This command +accepts both IPv4 and IPv6 addresses. Up to two nameservers can be configured +for IPv4, up to three for IPv6. +``` + +```{cfgcmd} set vpn l2tp remote-access shaper fwmark \<1-2147483647\> + +Match firewall mark value +``` + +```{cfgcmd} set vpn l2tp remote-access snmp master-agent + +Enable SNMP +``` + +```{cfgcmd} set vpn l2tp remote-access wins-server \<address\> + +Windows Internet Name Service (WINS) servers propagated to client +``` + + +## Monitoring + +```none +vyos@vyos:~$ show l2tp-server sessions + ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes +--------+----------+---------------+-----+--------+-------------+------------+--------+----------+----------+---------- + l2tp0 | test | 192.168.255.3 | | | 192.168.0.36 | | active | 02:01:47 | 7.7 KiB | 1.2 KiB +``` + +```none +vyos@vyos:~$ show l2tp-server statistics + uptime: 0.02:49:49 +cpu: 0% +mem(rss/virt): 5920/100892 kB +core: + mempool_allocated: 133202 + mempool_available: 131770 + thread_count: 1 + thread_active: 1 + context_count: 5 + context_sleeping: 0 + context_pending: 0 + md_handler_count: 3 + md_handler_pending: 0 + timer_count: 0 + timer_pending: 0 +sessions: + starting: 0 + active: 0 + finishing: 0 +l2tp: + tunnels: + starting: 0 + active: 0 + finishing: 0 + sessions (control channels): + starting: 0 + active: 0 + finishing: 0 + sessions (data channels): + starting: 0 + active: 0 + finishing: 0 +``` + +[accel-ppp]: https://accel-ppp.org/ +[accel-ppp attribute]: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel +[cloudflare]: https://blog.cloudflare.com/announcing-1111 +[dictionary]: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911 +[freeradius]: https://freeradius.org +[google public dns]: https://developers.google.com/speed/public-dns +[network policy server]: <https://en.wikipedia.org/wiki/Network_Policy_Server> +[opennic]: https://www.opennic.org/ +[quad9]: https://quad9.net +[radius]: https://en.wikipedia.org/wiki/RADIUS diff --git a/docs/configuration/vpn/openconnect.md b/docs/configuration/vpn/openconnect.md new file mode 100644 index 00000000..0bf804ff --- /dev/null +++ b/docs/configuration/vpn/openconnect.md @@ -0,0 +1,330 @@ +(vpn-openconnect)= + +# OpenConnect + +```{todo} +Convert raw command blocks in this file to cfgcmd/opcmd +directives for command coverage tracking. +``` + +OpenConnect-compatible server feature has been available since Equuleus (1.3). +Openconnect VPN supports SSL connection and offers full network access. SSL VPN +network extension connects the end-user system to the corporate network with +access controls based only on network layer information, such as destination IP +address and port number. So, it provides safe communication for all types of +device traffic across public networks and private networks, also encrypts the +traffic with SSL protocol. + +The remote user will use the openconnect client to connect to the router and +will receive an IP address from a VPN pool, allowing full access to the +network. + +## Configuration + +### SSL Certificates + +We need to generate the certificate which authenticates users who attempt to +access the network resource through the SSL VPN tunnels. The following commands +will create a self signed certificates and will be stored in configuration: + +```none +run generate pki ca install <CA name> +run generate pki certificate sign <CA name> install <Server name> +``` + +We can also create the certificates using Certbot which is an easy-to-use +client that fetches a certificate from Let's Encrypt an open certificate +authority launched by the EFF, Mozilla, and others and deploys it to a web +server. + +```none +sudo certbot certonly --standalone --preferred-challenges http -d <domain name> +``` + + +### Server Configuration + +```none +set vpn openconnect authentication local-users username <user> password <pass> +set vpn openconnect authentication mode <local password|radius|certificate> +set vpn openconnect network-settings client-ip-settings subnet <subnet> +set vpn openconnect network-settings name-server <address> +set vpn openconnect network-settings name-server <address> +set vpn openconnect ssl ca-certificate <pki-ca-name> +set vpn openconnect ssl certificate <pki-cert-name> +set vpn openconnect ssl passphrase <pki-password> +``` + + +### 2FA OTP support + +Instead of password only authentication, 2FA password +authentication + OTP key can be used. Alternatively, OTP authentication only, +without a password, can be used. +To do this, an OTP configuration must be added to the configuration above: + +```none +set vpn openconnect authentication mode local <password-otp|otp> +set vpn openconnect authentication local-users username <user> otp <key> +set vpn openconnect authentication local-users username <user> interval <interval (optional)> +set vpn openconnect authentication local-users username <user> otp-length <otp-length (optional)> +set vpn openconnect authentication local-users username <user> token-type <token-type (optional)> +``` + +For generating an OTP key in VyOS, you can use the CLI command +(operational mode): + +```none +generate openconnect username <user> otp-key hotp-time +``` + + +### User Certificate Authentication + +You can configure users to be authenticated by certificate by setting +the authentication mode to certificate, and defining what field (by OID) +in the certificate will be used to identify the username. Two pre-defined + +shortcuts for Common Name (OID 2.5.4.3) and User ID +(OID 0.9.2342.19200300.100.1.1) have been provided as cn or uid. + +Otherwise a specific OID value must be provided. + +The user's certificate must be signed by the certificate authority +defined in the configuration for it to be validated for authentication. + +```none +set vpn openconnect authentication mode certificate +set vpn openconnect authentication mode certificate user-identifier-field cn +set vpn openconnect ssl ca-certificate <cert> +``` + + +## Verification + +```none +vyos@vyos:~$ sh openconnect-server sessions +interface username ip remote IP RX TX state uptime +----------- ---------- ------------- ----------- ------- --------- --------- -------- +sslvpn0 tst 172.20.20.198 192.168.6.1 0 bytes 152 bytes connected 3s +``` + +:::{note} +It is compatible with Cisco (R) AnyConnect (R) clients. +::: + +## Example + +### SSL Certificates generation + +Follow the instructions to generate CA cert (in configuration mode): + +```none +vyos@vyos# run generate pki ca install ca-ocserv +Enter private key type: [rsa, dsa, ec] (Default: rsa) +Enter private key bits: (Default: 2048) +Enter country code: (Default: GB) US +Enter state: (Default: Some-State) Delaware +Enter locality: (Default: Some-City) Mycity +Enter organization name: (Default: VyOS) MyORG +Enter common name: (Default: vyos.io) oc-ca +Enter how many days certificate will be valid: (Default: 1825) 3650 +Note: If you plan to use the generated key on this router, do not encrypt the private key. +Do you want to encrypt the private key with a passphrase? [y/N] N +2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. +[edit] +``` + +Follow the instructions to generate server cert (in configuration mode): + +```none +vyos@vyos# run generate pki certificate sign ca-ocserv install srv-ocserv +Do you already have a certificate request? [y/N] N +Enter private key type: [rsa, dsa, ec] (Default: rsa) +Enter private key bits: (Default: 2048) +Enter country code: (Default: GB) US +Enter state: (Default: Some-State) Delaware +Enter locality: (Default: Some-City) Mycity +Enter organization name: (Default: VyOS) MyORG +Enter common name: (Default: vyos.io) oc-srv +Do you want to configure Subject Alternative Names? [y/N] N +Enter how many days certificate will be valid: (Default: 365) 1830 +Enter certificate type: (client, server) (Default: server) +Note: If you plan to use the generated key on this router, do not encrypt the private key. +Do you want to encrypt the private key with a passphrase? [y/N] N +2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. +[edit] +``` + +Each of the install command should be applied to the configuration and commited +before using under the openconnect configuration: + +```none +vyos@vyos# commit +[edit] +vyos@vyos# save +Saving configuration to '/config/config.boot'... +Done +[edit] +``` + + +### Openconnect Configuration + +Simple setup with one user added and password authentication: + +```none +set vpn openconnect authentication local-users username tst password 'OC_bad_Secret' +set vpn openconnect authentication mode local password +set vpn openconnect network-settings client-ip-settings subnet '172.20.20.0/24' +set vpn openconnect network-settings name-server '10.1.1.1' +set vpn openconnect network-settings name-server '10.1.1.2' +set vpn openconnect ssl ca-certificate 'ca-ocserv' +set vpn openconnect ssl certificate 'srv-ocserv' +``` + +To enable the HTTP security headers in the configuration file, use the command: + +```none +set vpn openconnect http-security-headers +``` + + +### Adding a 2FA with an OTP-key + +First the OTP keys must be generated and sent to the user and to the +configuration: + +```none +vyos@vyos:~$ generate openconnect username tst otp-key hotp-time +# You can share it with the user, he just needs to scan the QR in his OTP app +# username: tst +# OTP KEY: 5PA4SGYTQSGOBO3H3EQSSNCUNZAYAPH2 +# OTP URL: otpauth://totp/tst@vyos?secret=5PA4SGYTQSGOBO3H3EQSSNCUNZAYAPH2&digits=6&period=30 +█████████████████████████████████████████ +█████████████████████████████████████████ +████ ▄▄▄▄▄ █▀ ██▄▀ ▄█▄▀▀▄▄▄▄██ ▄▄▄▄▄ ████ +████ █ █ █▀ █▄▄▀▀▀▄█ ▄▄▀▄ █ █ █ ████ +████ █▄▄▄█ █▀█▀▄▄▀ ▄▀ █▀ ▀▄██ █▄▄▄█ ████ +████▄▄▄▄▄▄▄█▄█▄▀ ▀▄█ ▀ ▀ ▀ █▄█▄▄▄▄▄▄▄████ +████ ▄▄▄▀▄▄ ▄███▀▄▀█▄██▀ ▀▄ ▀▄█ ▀ ▀████ +████ ▀▀ ▀ ▄█▄ ▀ ▀▄ ▄█▀ ▄█ ▄▀▀▄██ █████ +████▄ █▄▀▀▄█▀ ▀█▄█▄▄▄▄ ▄▀█▀▀█ ▀ ▄ ▀█▀████ +█████ ▀█▀▄▄ █ ▀▄▄ ▄█▄ ▀█▀▀ █▀ ▄█████ +████▀██▀█▄▄ ▀▀▀▀█▄▀ ▀█▄▄▀▀▀ ▀ ▀█▄██▀▀████ +████▄ ▄ ▄▀▄██▀█ ▄ ▀▄██ ▄▄ ▀▀▄█▄██ ▄█████ +████▀▀ ▄▀ ▄ ▀█▀█▀█ █▀█▄▄▀█▀█▄██▄▄█ ▀████ +████ █ ▀█▄▄█▄ ▀ ▄▄▀▀ ▀ █▄█▀████ █▀ ▀████ +████▄██▄██▄█▀ ▄▀ ▄▄▀▄ ▄▀█ ▄ ▄▄▄ ▀█▄ ████ +████ ▄▄▄▄▄ █▄ ▀█▄█ ▄ ▀ ▄ ▄ █▄█ ▄▀▄█████ +████ █ █ █ ▀▄██▄▄▀█▄▀▄██▄▀ ▄ ▀██▀████ +████ █▄▄▄█ █ ██▀▄▄ ▀▄▄▀█▀ ▀█ ▄▀█ ▀██████ +████▄▄▄▄▄▄▄█▄███▄███▄█▄▄▄▄█▄▄█▄██▄█▄█████ +█████████████████████████████████████████ +█████████████████████████████████████████ +# To add this OTP key to configuration, run the following commands: +set vpn openconnect authentication local-users username tst otp key 'ebc1c91b13848ce0bb67d9212934546e41803cfa' +``` + +Next it is necessary to configure 2FA for OpenConnect: + +```none +set vpn openconnect authentication mode local password-otp +set vpn openconnect authentication local-users username tst otp key 'ebc1c91b13848ce0bb67d9212934546e41803cfa' +``` + +Now when connecting the user will first be asked for the password +and then the OTP key. + +:::{warning} +When using Time-based one-time password (TOTP) (OTP HOTP-time), +be sure that the time on the server and the +OTP token generator are synchronized by NTP +::: + +To display the configured OTP user settings, use the command: + +```none +show openconnect-server user <username> otp <full|key-b32|key-hex|qrcode|uri> +``` + + +### Identity Based Configuration + +OpenConnect supports a subset of it's configuration options to be applied on a +per user/group basis, for configuration purposes we refer to this functionality +as "Identity based config". The following [OpenConnect Server Manual](https://ocserv.gitlab.io/www/manual.html#:~:text=Configuration%20files%20that%20will%20be%20applied%20per%20user%20connection%20or%0A%23%20per%20group) +outlines the set of configuration options that are allowed. This can be +leveraged to apply different sets of configs to different users or groups of +users. + +```none +sudo mkdir -p /config/auth/ocserv/config-per-user +sudo touch /config/auth/ocserv/default-user.conf + +set vpn openconnect authentication identity-based-config mode user +set vpn openconnect authentication identity-based-config directory /config/auth/ocserv/config-per-user +set vpn openconnect authentication identity-based-config default-config /config/auth/ocserv/default-user.conf +``` + +:::{warning} +The above directory and default-config must be a child directory +of /config/auth, since files outside this directory are not persisted after an +image upgrade. +::: + +Once you commit the above changes you can create a config file in the +/config/auth/ocserv/config-per-user directory that matches a username of a +user you have created e.g. "tst". Now when logging in with the "tst" user the +config options you set in this file will be loaded. + +Be sure to set a sane default config in the default config file, this will be +loaded in the case that a user is authenticated and no file is found in the +configured directory matching the users username/group. + +```none +sudo nano /config/auth/ocserv/config-per-user/tst +``` + +The same configuration options apply when Identity based config is configured +in group mode except that group mode can only be used with RADIUS +authentication. + +:::{warning} +OpenConnect server matches the filename in a case sensitive +manner, make sure the username/group name you configure matches the +filename exactly. +::: + +### Configuring RADIUS accounting + +OpenConnect can be configured to send accounting information to a +RADIUS server to capture user session data such as time of +connect/disconnect, data transferred, and so on. + +Configure an accounting server and enable accounting with: + +```none +set vpn openconnect accounting mode radius +set vpn openconnect accounting radius server 172.20.20.10 +set vpn openconnect accounting radius server 172.20.20.10 port 1813 +set vpn openconnect accounting radius server 172.20.20.10 key your_radius_secret +``` + +:::{warning} +The RADIUS accounting feature must be used with the OpenConnect +authentication mode RADIUS. It cannot be used with local authentication. +You must configure the OpenConnect authentication mode to "radius". +::: + +An example of the data captured by a FREERADIUS server with sql accounting: + +```none +mysql> SELECT username, nasipaddress, acctstarttime, acctstoptime, acctinputoctets, acctoutputoctets, callingstationid, framedipaddress, connectinfo_start FROM radacct; ++----------+---------------+---------------------+---------------------+-----------------+------------------+-------------------+-----------------+-----------------------------------+ +| username | nasipaddress | acctstarttime | acctstoptime | acctinputoctets | acctoutputoctets | callingstationid | framedipaddress | connectinfo_start | ++----------+---------------+---------------------+---------------------+-----------------+------------------+-------------------+-----------------+-----------------------------------+ +| test | 198.51.100.15 | 2023-01-13 00:59:15 | 2023-01-13 00:59:21 | 10606 | 152 | 192.168.6.1 | 172.20.20.198 | Open AnyConnect VPN Agent v8.05-1 | ++----------+---------------+---------------------+---------------------+-----------------+------------------+-------------------+-----------------+-----------------------------------+ +``` + diff --git a/docs/configuration/vpn/pptp.md b/docs/configuration/vpn/pptp.md new file mode 100644 index 00000000..5df63755 --- /dev/null +++ b/docs/configuration/vpn/pptp.md @@ -0,0 +1,594 @@ +(pptp)= + +# PPTP-Server + +The Point-to-Point Tunneling Protocol (PPTP) has been implemented in VyOS only +for backwards compatibility. PPTP has many well known security issues and you +should use one of the many other new VPN implementations. + +## Configuring PPTP Server + +```none +set vpn pptp remote-access authentication mode local +set vpn pptp remote-access authentication local-users username test password 'test' +set vpn pptp remote-access client-ip-pool PPTP-POOL range 192.168.255.2-192.168.255.254 +set vpn pptp remote-access default-pool 'PPTP-POOL' +set vpn pptp remote-access outside-address 192.0.2.2 +set vpn pptp remote-access gateway-address 192.168.255.1 +``` + +```{cfgcmd} set vpn pptp remote-access authentication mode \<local | radius\> + +Set authentication backend. The configured authentication backend is used +for all queries. +* **radius**: All authentication queries are handled by a configured RADIUS +server. +* **local**: All authentication queries are handled locally. +* **noauth**: Authentication disabled. +``` + +```{cfgcmd} set vpn pptp remote-access authentication local-users username \<user\> password \<pass\> + +Create `<user>` for local authentication on this system. The users password +will be set to `<pass>`. +``` + +```{cfgcmd} set vpn pptp remote-access client-ip-pool \<POOL-NAME\> range \<x.x.x.x-x.x.x.x | x.x.x.x/x\> + +Use this command to define the first IP address of a pool of +addresses to be given to PPTP clients. If notation ``x.x.x.x-x.x.x.x``, +it must be within a /24 subnet. If notation ``x.x.x.x/x`` is +used there is possibility to set host/netmask. +``` + +```{cfgcmd} set vpn pptp remote-access default-pool \<POOL-NAME\> + +Use this command to define default address pool name. +``` + +```{cfgcmd} set vpn pptp remote-access gateway-address \<gateway\> + +Specifies single `<gateway>` IP address to be used as local address of PPP +interfaces. +``` + + +## Configuring RADIUS authentication + +To enable RADIUS based authentication, the authentication mode needs to be +changed within the configuration. Previous settings like the local users, still +exists within the configuration, however they are not used if the mode has been +changed from local to radius. Once changed back to local, it will use all local +accounts again. + +```none +set vpn pptp remote-access authentication mode radius +``` + +```{cfgcmd} set vpn pptp remote-access authentication radius server \<server\> key \<secret\> + +Configure RADIUS `<server>` and its required shared `<secret>` for +communicating with the RADIUS server. +``` + +Since the RADIUS server would be a single point of failure, multiple RADIUS +servers can be setup and will be used subsequentially. +For example: + +```none +set vpn pptp remote-access authentication radius server 10.0.0.1 key 'foo' +set vpn pptp remote-access authentication radius server 10.0.0.2 key 'foo' +``` + +:::{note} +Some RADIUS severs use an access control list which allows or denies +queries, make sure to add your VyOS router to the allowed client list. +::: + +### RADIUS source address + +If you are using OSPF as IGP, always the closest interface connected to the +RADIUS server is used. You can bind all outgoing RADIUS requests +to a single source IP e.g. the loopback interface. + +```{cfgcmd} set vpn pptp remote-access authentication radius source-address \<address\> + +Source IPv4 address used in all RADIUS server queires. +``` + +:::{note} +Some RADIUS severs use an access control list which allows or denies +queries, make sure to add your VyOS router to the allowed client list. +::: + +### RADIUS advanced options + +```{cfgcmd} set vpn pptp remote-access authentication radius server \<server\> port \<port\> + +Configure RADIUS `<server>` and its required port for authentication requests. +``` + +```{cfgcmd} set vpn pptp remote-access authentication radius server \<server\> fail-time \<time\> + +Mark RADIUS server as offline for this given `<time>` in seconds. +``` + +```{cfgcmd} set vpn pptp remote-access authentication radius server \<server\> disable + +Temporary disable this RADIUS server. +``` + +```{cfgcmd} set vpn pptp remote-access authentication radius acct-timeout \<timeout\> + +Timeout to wait reply for Interim-Update packets. (default 3 seconds) +``` + +```{cfgcmd} set vpn pptp remote-access authentication radius dynamic-author server \<address\> + +Specifies IP address for Dynamic Authorization Extension server (DM/CoA). +This IP must exist on any VyOS interface or it can be ``0.0.0.0``. +``` + +```{cfgcmd} set vpn pptp remote-access authentication radius dynamic-author port \<port\> + +UDP port for Dynamic Authorization Extension server (DM/CoA) +``` + +```{cfgcmd} set vpn pptp remote-access authentication radius dynamic-author key \<secret\> + +Secret for Dynamic Authorization Extension server (DM/CoA) +``` + +```{cfgcmd} set vpn pptp remote-access authentication radius max-try \<number\> + +Maximum number of tries to send Access-Request/Accounting-Request queries +``` + +```{cfgcmd} set vpn pptp remote-access authentication radius timeout \<timeout\> + +Timeout to wait response from server (seconds) +``` + +```{cfgcmd} set vpn pptp remote-access authentication radius nas-identifier \<identifier\> + +Value to send to RADIUS server in NAS-Identifier attribute and to be matched +in DM/CoA requests. +``` + +```{cfgcmd} set vpn pptp remote-access authentication radius nas-ip-address \<address\> + +Value to send to RADIUS server in NAS-IP-Address attribute and to be matched +in DM/CoA requests. Also DM/CoA server will bind to that address. +``` + +```{cfgcmd} set vpn pptp remote-access authentication radius source-address \<address\> + +Source IPv4 address used in all RADIUS server queires. +``` + +```{cfgcmd} set vpn pptp remote-access authentication radius rate-limit attribute \<attribute\> + +Specifies which RADIUS server attribute contains the rate limit information. +The default attribute is `Filter-Id`. +``` + +:::{note} +If you set a custom RADIUS attribute you must define it on both +dictionaries at RADIUS server and client. +::: + +```{cfgcmd} set vpn pptp remote-access authentication radius rate-limit enable + +Enables bandwidth shaping via RADIUS. +``` + +```{cfgcmd} set vpn pptp remote-access authentication radius rate-limit vendor + +Specifies the vendor dictionary, dictionary needs to be in +/usr/share/accel-ppp/radius. +``` + +Received RADIUS attributes have a higher priority than parameters defined within +the CLI configuration, refer to the explanation below. + +### Allocation clients ip addresses by RADIUS + +If the RADIUS server sends the attribute `Framed-IP-Address` then this IP +address will be allocated to the client and the option `default-pool` within the CLI +config is being ignored. + +If the RADIUS server sends the attribute `Framed-Pool`, IP address will be allocated +from a predefined IP pool whose name equals the attribute value. + +If the RADIUS server sends the attribute `Stateful-IPv6-Address-Pool`, IPv6 address +will be allocated from a predefined IPv6 pool `prefix` whose name equals the attribute value. + +If the RADIUS server sends the attribute `Delegated-IPv6-Prefix-Pool`, IPv6 +delegation pefix will be allocated from a predefined IPv6 pool `delegate` +whose name equals the attribute value. + +:::{note} +`Stateful-IPv6-Address-Pool` and `Delegated-IPv6-Prefix-Pool` are defined in +RFC6911. If they are not defined in your RADIUS server, add new [dictionary]. +::: + +User interface can be put to VRF context via RADIUS Access-Accept packet, or change +it via RADIUS CoA. `Accel-VRF-Name` is used from these purposes. It is custom [ACCEL-PPP attribute]. +Define it in your RADIUS server. + +### Renaming clients interfaces by RADIUS + +If the RADIUS server uses the attribute `NAS-Port-Id`, ppp tunnels will be +renamed. + +:::{note} +The value of the attribute `NAS-Port-Id` must be less than 16 +characters, otherwise the interface won't be renamed. +::: + +## IPv6 + +```{cfgcmd} set vpn pptp remote-access ppp-options ipv6 \<require | prefer | allow | deny\> + +Specifies IPv6 negotiation preference. +* **require** - Require IPv6 negotiation +* **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects +* **allow** - Negotiate IPv6 only if client requests +* **deny** - Do not negotiate IPv6 (default value) +``` + +```{cfgcmd} set vpn pptp remote-access client-ipv6-pool \<IPv6-POOL-NAME\> prefix \<address\> mask \<number-of-bits\> + +Use this comand to set the IPv6 address pool from which an PPTP client +will get an IPv6 prefix of your defined length (mask) to terminate the +PPTP endpoint at their side. The mask length can be set from 48 to 128 +bit long, the default value is 64. +``` + +```{cfgcmd} set vpn pptp remote-access client-ipv6-pool \<IPv6-POOL-NAME\> delegate \<address\> delegation-prefix \<number-of-bits\> + +Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on +PPTP. You will have to set your IPv6 pool and the length of the +delegation prefix. From the defined IPv6 pool you will be handing out +networks of the defined length (delegation-prefix). The length of the +delegation prefix can be set from 32 to 64 bit long. +``` + +```{cfgcmd} set vpn pptp remote-access default-ipv6-pool \<IPv6-POOL-NAME\> + +Use this command to define default IPv6 address pool name. +``` + +```none +set vpn pptp remote-access ppp-options ipv6 allow +set vpn pptp remote-access client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' +set vpn pptp remote-access client-ipv6-pool IPv6-POOL prefix '2001:db8:8002::/48' mask '64' +set vpn pptp remote-access default-ipv6-pool IPv6-POOL +``` + + +### IPv6 Advanced Options + +```{cfgcmd} set vpn pptp remote-access ppp-options ipv6-accept-peer-interface-id + +Accept peer interface identifier. By default is not defined. +``` + +```{cfgcmd} set vpn pptp remote-access ppp-options ipv6-interface-id \<random | x:x:x:x\> + +Specifies fixed or random interface identifier for IPv6. +By default is fixed. +* **random** - Random interface identifier for IPv6 +* **x:x:x:x** - Specify interface identifier for IPv6 +``` + +```{cfgcmd} set vpn pptp remote-access ppp-options ipv6-interface-id \<random | x:x:x:x\> + +Specifies peer interface identifier for IPv6. By default is fixed. +* **random** - Random interface identifier for IPv6 +* **x:x:x:x** - Specify interface identifier for IPv6 +* **ipv4-addr** - Calculate interface identifier from IPv4 address. +* **calling-sid** - Calculate interface identifier from calling-station-id. +``` + + +## Scripting + +```{cfgcmd} set vpn pptp remote-access extended-scripts on-change \<path_to_script\> + +Script to run when session interface changed by RADIUS CoA handling +``` + +```{cfgcmd} set vpn pptp remote-access extended-scripts on-down \<path_to_script\> + +Script to run when session interface going to terminate +``` + +```{cfgcmd} set vpn pptp remote-access extended-scripts on-pre-up \<path_to_script\> + +Script to run before session interface comes up +``` + +```{cfgcmd} set vpn pptp remote-access extended-scripts on-up \<path_to_script\> + +Script to run when session interface is completely configured and started +``` + + +## Advanced Options + +### Authentication Advanced Options + +```{cfgcmd} set vpn pptp remote-access authentication local-users username \<user\> disable + +Disable `<user>` account. +``` + +```{cfgcmd} set vpn pptp remote-access authentication local-users username \<user\> static-ip \<address\> + +Assign static IP address to `<user>` account. +``` + +```{cfgcmd} set vpn pptp remote-access authentication local-users username \<user\> rate-limit download \<bandwidth\> + +Download bandwidth limit in kbit/s for `<user>`. +``` + +```{cfgcmd} set vpn pptp remote-access authentication local-users username \<user\> rate-limit upload \<bandwidth\> + +Upload bandwidth limit in kbit/s for `<user>`. +``` + +```{cfgcmd} set vpn pptp remote-access authentication protocols \<pap | chap | mschap | mschap-v2\> + +Require the peer to authenticate itself using one of the following protocols: +pap, chap, mschap, mschap-v2. +``` + + +### Client IP Pool Advanced Options + +```{cfgcmd} set vpn pptp remote-access client-ip-pool \<POOL-NAME\> next-pool \<NEXT-POOL-NAME\> + +Use this command to define the next address pool name. +``` + + +### PPP Advanced Options + +```{cfgcmd} set vpn pptp remote-access ppp-options disable-ccp + +Disable Compression Control Protocol (CCP). +CCP is enabled by default. +``` + +```{cfgcmd} set vpn pptp remote-access ppp-options interface-cache \<number\> + +Specifies number of interfaces to keep in cache. It means that don’t +destroy interface after corresponding session is destroyed, instead +place it to cache and use it later for new sessions repeatedly. +This should reduce kernel-level interface creation/deletion rate lack. +Default value is **0**. +``` + +```{cfgcmd} set vpn pptp remote-access ppp-options ipv4 \<require | prefer | allow | deny\> + +Specifies IPv4 negotiation preference. +* **require** - Require IPv4 negotiation +* **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects +* **allow** - Negotiate IPv4 only if client requests (Default value) +* **deny** - Do not negotiate IPv4 +``` + +```{cfgcmd} set vpn pptp remote-access ppp-options lcp-echo-failure \<number\> + +Defines the maximum `<number>` of unanswered echo requests. Upon reaching the +value `<number>`, the session will be reset. Default value is **3**. +``` + +```{cfgcmd} set vpn pptp remote-access ppp-options lcp-echo-interval \<interval\> + +If this option is specified and is greater than 0, then the PPP module will +send LCP pings of the echo request every `<interval>` seconds. +Default value is **30**. +``` + +```{cfgcmd} set vpn pptp remote-access ppp-options lcp-echo-timeout + +Specifies timeout in seconds to wait for any peer activity. If this option +specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" +is not used. Default value is **0**. +``` + +```{cfgcmd} set vpn pptp remote-access ppp-options min-mtu \<number\> + +Defines minimum acceptable MTU. If client will try to negotiate less then +specified MTU then it will be NAKed or disconnected if rejects greater MTU. +Default value is **100**. +``` + +```{cfgcmd} set vpn pptp remote-access ppp-options mppe \<require | prefer | deny\> + +Specifies {abbr}`MPPE (Microsoft Point-to-Point Encryption)` negotiation +preference. +* **require** - ask client for mppe, if it rejects drop connection +* **prefer** - ask client for mppe, if it rejects don't fail. (Default value) +* **deny** - deny mppe + +Default behavior - don't ask client for mppe, but allow it if client wants. +Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy +attribute. +``` + +```{cfgcmd} set vpn pptp remote-access ppp-options mru \<number\> + +Defines preferred MRU. By default is not defined. +``` + + +### Global Advanced options + +```{cfgcmd} set vpn pptp remote-access description \<description\> + +Set description. +``` + +```{cfgcmd} set vpn pptp remote-access limits burst \<value\> + +Burst count +``` + +```{cfgcmd} set vpn pptp remote-access limits connection-limit \<value\> + +Acceptable rate of connections (e.g. 1/min, 60/sec) +``` + +```{cfgcmd} set vpn pptp remote-access limits timeout \<value\> + +Timeout in seconds +``` + +```{cfgcmd} set vpn pptp remote-access mtu + +Maximum Transmission Unit (MTU) (default: **1436**) +``` + +```{cfgcmd} set vpn pptp remote-access max-concurrent-sessions + +Maximum number of concurrent session start attempts +``` + +```{cfgcmd} set vpn pptp remote-access name-server \<address\> + +Connected client should use `<address>` as their DNS server. This +command accepts both IPv4 and IPv6 addresses. Up to two nameservers +can be configured for IPv4, up to three for IPv6. +``` + +```{cfgcmd} set vpn pptp remote-access shaper fwmark \<1-2147483647\> + +Match firewall mark value +``` + +```{cfgcmd} set vpn pptp remote-access snmp master-agent + +Enable SNMP +``` + +```{cfgcmd} set vpn pptp remote-access wins-server \<address\> + +Windows Internet Name Service (WINS) servers propagated to client +``` + + +## Monitoring + +```{opcmd} show pptp-server sessions + +Use this command to locally check the active sessions in the PPTP +server. +``` + +```none +vyos@vyos:~$ show pptp-server sessions + ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes +--------+----------+----------+-----+--------+----------------+------------+--------+----------+----------+---------- + pptp0 | test | 10.0.0.2 | | | 192.168.10.100 | | active | 00:01:26 | 6.9 KiB | 220 B +``` + +```none +vyos@vyos:~$ show pptp-server statistics + uptime: 0.00:04:52 +cpu: 0% +mem(rss/virt): 5504/100176 kB +core: + mempool_allocated: 152007 + mempool_available: 149007 + thread_count: 1 + thread_active: 1 + context_count: 6 + context_sleeping: 0 + context_pending: 0 + md_handler_count: 6 + md_handler_pending: 0 + timer_count: 2 + timer_pending: 0 +sessions: + starting: 0 + active: 1 + finishing: 0 +pptp: + starting: 0 + active: 1 +``` + + +## Troubleshooting + +```none +vyos@vyos:~$sudo journalctl -u accel-ppp@pptp -b 0 + +Feb 29 14:58:57 vyos accel-pptp[4629]: pptp: new connection from 192.168.10.100 +Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [PPTP Start-Ctrl-Conn-Request <Version 1> <Framing 1> <Bearer 1> <Max-Chan 0>] +Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [PPTP Start-Ctrl-Conn-Reply <Version 1> <Result 1> <Error 0> <Framing 3> <Bearer 3> <Max-Chan 1>] +Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [PPTP Outgoing-Call-Request <Call-ID 2961> <Call-Serial 2> <Min-BPS 300> <Max-BPS 100000000> <Bearer 3> <Framing 3> <Window-Size 64> <Delay 0>] +Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [PPTP Outgoing-Call-Reply <Call-ID 2> <Peer-Call-ID 2961> <Result 1> <Error 0> <Cause 0> <Speed 100000000> <Window-Size 64> <Delay 0> <Channel 0>] +Feb 29 14:58:57 vyos accel-pptp[4629]: :: lcp_layer_init +Feb 29 14:58:57 vyos accel-pptp[4629]: :: auth_layer_init +Feb 29 14:58:57 vyos accel-pptp[4629]: :: ccp_layer_init +Feb 29 14:58:57 vyos accel-pptp[4629]: :: ipcp_layer_init +Feb 29 14:58:57 vyos accel-pptp[4629]: :: ipv6cp_layer_init +Feb 29 14:58:57 vyos accel-pptp[4629]: :: ppp establishing +Feb 29 14:58:57 vyos accel-pptp[4629]: :: lcp_layer_start +Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [LCP ConfReq id=75 <auth PAP> <mru 1436> <magic 483920bd>] +Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [PPTP Set-Link-Info] +Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [LCP ConfReq id=0 <mru 1400> <magic 0142785a> <pcomp> <accomp> < d 3 6 >] +Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [LCP ConfRej id=0 <pcomp> <accomp> < d 3 6 >] +Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [LCP ConfReq id=1 <mru 1400> <magic 0142785a>] +Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [LCP ConfAck id=1] +Feb 29 14:59:00 vyos accel-pptp[4629]: :: fsm timeout 9 +Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=75 <auth PAP> <mru 1436> <magic 483920bd>] +Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfNak id=75 <auth MSCHAP-v2>] +Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=76 <auth CHAP-md5> <mru 1436> <magic 483920bd>] +Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfNak id=76 <auth MSCHAP-v2>] +Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=77 <auth MSCHAP-v1> <mru 1436> <magic 483920bd>] +Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfNak id=77 <auth MSCHAP-v2>] +Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=78 <auth MSCHAP-v2> <mru 1436> <magic 483920bd>] +Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfAck id=78 <auth MSCHAP-v2> <mru 1436> <magic 483920bd>] +Feb 29 14:59:00 vyos accel-pptp[4629]: :: lcp_layer_started +Feb 29 14:59:00 vyos accel-pptp[4629]: :: auth_layer_start +Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [MSCHAP-v2 Challenge id=1 <8aa758781676e6a8e85c11963ee010>] +Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP Ident id=2 <MSRASV5.20>] +Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP Ident id=3 <MSRAS-0-MSEDGEWIN10>] +Feb 29 14:59:00 vyos accel-pptp[4629]: [43B blob data] +Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [PPTP Set-Link-Info] +Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [MSCHAP-v2 Response id=1 <90c21af1091f745e8bf22388b058>, <e695ae5aae274c88a3fa1ee3dc9057aece4d53c87b9fea>, F=0, name="test"] +Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: connect: ppp0 <--> pptp(192.168.10.100) +Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ppp connected +Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [MSCHAP-v2 Success id=1 "S=347F417CF04BEBBC7F75CFA7F43474C36FB218F9 M=Authentication succeeded"] +Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: test: authentication succeeded +Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: auth_layer_started +Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ccp_layer_start +Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [CCP ConfReq id=b9 <mppe +H -M +S -L -D -C>] +Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ipcp_layer_start +Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ipv6cp_layer_start +Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: IPV6CP: discarding packet +Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [LCP ProtoRej id=122 <8057>] +Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfReq id=6 <addr 0.0.0.0> <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>] +Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfReq id=3b <addr 10.0.0.1>] +Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfRej id=6 <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>] +Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [LCP ProtoRej id=7 <80fd>] +Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ccp_layer_finished +Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfAck id=3b <addr 10.0.0.1>] +Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfReq id=8 <addr 0.0.0.0>] +Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfNak id=8 <addr 10.0.0.2>] +Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfReq id=9 <addr 10.0.0.2>] +Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfAck id=9] +Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ipcp_layer_started +Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: rename interface to 'pptp0' +Feb 29 14:59:00 vyos accel-pptp[4629]: pptp0:test: pptp: ppp started +``` + +[accel-ppp]: https://accel-ppp.org/ +[accel-ppp attribute]: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel +[dictionary]: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911 diff --git a/docs/configuration/vpn/rsa-keys.md b/docs/configuration/vpn/rsa-keys.md new file mode 100644 index 00000000..b224b514 --- /dev/null +++ b/docs/configuration/vpn/rsa-keys.md @@ -0,0 +1,114 @@ +# RSA-Keys + +```{todo} +Convert raw command blocks in this file to cfgcmd/opcmd +directives for command coverage tracking. +``` + +RSA can be used for services such as key exchanges and for encryption purposes. +To make IPSec work with dynamic address on one/both sides, we will have to use +RSA keys for authentication. They are very fast and easy to setup. + +First, on both routers run the operational command "generate pki key-pair +install \<key-pair nam>>". You may choose different length than 2048 of course. + +```none +vyos@left# run generate pki key-pair install ipsec-LEFT +Enter private key type: [rsa, dsa, ec] (Default: rsa) +Enter private key bits: (Default: 2048) +Note: If you plan to use the generated key on this router, do not encrypt the private key. +Do you want to encrypt the private key with a passphrase? [y/N] N +Configure mode commands to install key pair: +Do you want to install the public key? [Y/n] Y +set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...' +Do you want to install the private key? [Y/n] Y +set pki key-pair ipsec-LEFT private key 'MIIEvgIBADAN...' +[edit] +``` + +Configuration commands will display. +Note the command with the public key +(set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'). +Then do the same on the opposite router: + +```none +vyos@left# run generate pki key-pair install ipsec-RIGHT +``` + +Note the command with the public key +(set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...'). + +The noted public keys should be entered on the opposite routers. + +On the LEFT: + +```none +set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...' +``` + +On the RIGHT: + +```none +set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...' +``` + +Now you are ready to setup IPsec. The key points: +1. Since both routers do not know their effective public addresses, + we set the local-address of the peer to "any". +2. On the initiator, we set the peer address to its public address, + but on the responder we only set the id. +3. On the initiator, we need to set the remote-id option so that it + can identify IKE traffic from the responder correctly. +4. On the responder, we need to set the local id so that initiator + can know who's talking to it for the point #3 to work. + +On the LEFT (static address): + +```none +set vpn ipsec interface eth0 + +set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 +set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 + +set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 +set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 +set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 + +set vpn ipsec site-to-site peer @RIGHT authentication id LEFT +set vpn ipsec site-to-site peer @RIGHT authentication mode rsa +set vpn ipsec site-to-site peer @RIGHT authentication rsa local-key ipsec-LEFT +set vpn ipsec site-to-site peer @RIGHT authentication rsa remote-key ipsec-RIGHT +set vpn ipsec site-to-site peer @RIGHT authentication remote-id RIGHT +set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup +set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup +set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10 +set vpn ipsec site-to-site peer @RIGHT connection-type none +set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local +set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote +``` + +On the RIGHT (dynamic address): + +```none +set vpn ipsec interface eth0 + +set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 +set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 + +set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 +set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 +set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 + +set vpn ipsec site-to-site peer 192.0.2.10 authentication id RIGHT +set vpn ipsec site-to-site peer 192.0.2.10 authentication mode rsa +set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa local-key ipsec-RIGHT +set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa remote-key ipsec-LEFT +set vpn ipsec site-to-site peer 192.0.2.10 authentication remote-id LEFT +set vpn ipsec site-to-site peer 192.0.2.10 connection-type initiate +set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group MyESPGroup +set vpn ipsec site-to-site peer 192.0.2.10 ike-group MyIKEGroup +set vpn ipsec site-to-site peer 192.0.2.10 local-address any +set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local +set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote +``` + diff --git a/docs/configuration/vpn/sstp.md b/docs/configuration/vpn/sstp.md new file mode 100644 index 00000000..54383cc6 --- /dev/null +++ b/docs/configuration/vpn/sstp.md @@ -0,0 +1,698 @@ +(sstp)= + +# SSTP Server + +{abbr}`SSTP (Secure Socket Tunneling Protocol)` is a form of {abbr}`VPN +(Virtual Private Network)` tunnel that provides a mechanism to transport PPP +traffic through an SSL/TLS channel. SSL/TLS provides transport-level security +with key negotiation, encryption and traffic integrity checking. The use of +SSL/TLS over TCP port 443 allows SSTP to pass through virtually all firewalls +and proxy servers except for authenticated web proxies. + +SSTP is available for Linux, BSD, and Windows. + +VyOS utilizes [accel-ppp](https://accel-ppp.org/) to provide SSTP server functionality. We support both +local and RADIUS authentication. + +As SSTP provides PPP via a SSL/TLS channel the use of either publicly signed +certificates or private PKI is required. + +## Configuring SSTP Server + +### Certificates + +Using our documentation chapter - {ref}`pki` generate and install CA and Server certificate + +```none +vyos@vyos:~$ generate pki ca install CA +``` + +```none +vyos@vyos:~$ generate pki certificate sign CA install Server +``` + + +### Configuration + +```none +set vpn sstp authentication local-users username test password 'test' +set vpn sstp authentication mode 'local' +set vpn sstp client-ip-pool SSTP-POOL range '10.0.0.2-10.0.0.100' +set vpn sstp default-pool 'SSTP-POOL' +set vpn sstp gateway-address '10.0.0.1' +set vpn sstp ssl ca-certificate 'CA1' +set vpn sstp ssl certificate 'Server' +``` + +```{cfgcmd} set vpn sstp authentication mode \<local | radius\> + +Set authentication backend. The configured authentication backend is used +for all queries. +* **radius**: All authentication queries are handled by a configured RADIUS +server. +* **local**: All authentication queries are handled locally. +``` + +```{cfgcmd} set vpn sstp authentication local-users username \<user\> password \<pass\> + +Create `<user>` for local authentication on this system. The users password +will be set to `<pass>`. +``` + +```{cfgcmd} set vpn sstp client-ip-pool \<POOL-NAME\> range \<x.x.x.x-x.x.x.x | x.x.x.x/x\> + +Use this command to define the first IP address of a pool of +addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``, +it must be within a /24 subnet. If notation ``x.x.x.x/x`` is +used there is possibility to set host/netmask. +``` + +```{cfgcmd} set vpn sstp default-pool \<POOL-NAME\> + +Use this command to define default address pool name. +``` + +```{cfgcmd} set vpn sstp gateway-address \<gateway\> + +Specifies single `<gateway>` IP address to be used as local address of PPP +interfaces. +``` + +```{cfgcmd} set vpn sstp ssl ca-certificate \<file\> + +Name of installed certificate authority certificate. +``` + +```{cfgcmd} set vpn sstp ssl certificate \<file\> + +Name of installed server certificate. +``` + + +## Configuring RADIUS authentication + +To enable RADIUS based authentication, the authentication mode needs to be +changed within the configuration. Previous settings like the local users still +exist within the configuration, however they are not used if the mode has been +changed from local to radius. Once changed back to local, it will use all local +accounts again. + +```none +set vpn sstp authentication mode radius +``` + +```{cfgcmd} set vpn sstp authentication radius server \<server\> key \<secret\> + +Configure RADIUS `<server>` and its required shared `<secret>` for +communicating with the RADIUS server. +``` + +Since the RADIUS server would be a single point of failure, multiple RADIUS +servers can be setup and will be used subsequentially. +For example: + +```none +set vpn sstp authentication radius server 10.0.0.1 key 'foo' +set vpn sstp authentication radius server 10.0.0.2 key 'foo' +``` + +:::{note} +Some RADIUS severs use an access control list which allows or denies +queries, make sure to add your VyOS router to the allowed client list. +::: + +### RADIUS source address + +If you are using OSPF as your IGP, use the interface connected closest to the +RADIUS server. You can bind all outgoing RADIUS requests to a single source IP +e.g. the loopback interface. + +```{cfgcmd} set vpn sstp authentication radius source-address \<address\> + +Source IPv4 address used in all RADIUS server queires. +``` + +:::{note} +The `source-address` must be configured to that of an interface. +Best practice would be a loopback or dummy interface. +::: + +### RADIUS advanced options + +```{cfgcmd} set vpn sstp authentication radius server \<server\> port \<port\> + +Configure RADIUS `<server>` and its required port for authentication requests. +``` + +```{cfgcmd} set vpn sstp authentication radius server \<server\> fail-time \<time\> + +Mark RADIUS server as offline for this given `<time>` in seconds. +``` + +```{cfgcmd} set vpn sstp authentication radius server \<server\> disable + +Temporary disable this RADIUS server. +``` + +```{cfgcmd} set vpn sstp authentication radius acct-timeout \<timeout\> + +Timeout to wait reply for Interim-Update packets. (default 3 seconds) +``` + +```{cfgcmd} set vpn sstp authentication radius dynamic-author server \<address\> + +Specifies IP address for Dynamic Authorization Extension server (DM/CoA). +This IP must exist on any VyOS interface or it can be ``0.0.0.0``. +``` + +```{cfgcmd} set vpn sstp authentication radius dynamic-author port \<port\> + +UDP port for Dynamic Authorization Extension server (DM/CoA) +``` + +```{cfgcmd} set vpn sstp authentication radius dynamic-author key \<secret\> + +Secret for Dynamic Authorization Extension server (DM/CoA) +``` + +```{cfgcmd} set vpn sstp authentication radius max-try \<number\> + +Maximum number of tries to send Access-Request/Accounting-Request queries +``` + +```{cfgcmd} set vpn sstp authentication radius timeout \<timeout\> + +Timeout to wait response from server (seconds) +``` + +```{cfgcmd} set vpn sstp authentication radius nas-identifier \<identifier\> + +Value to send to RADIUS server in NAS-Identifier attribute and to be matched +in DM/CoA requests. +``` + +```{cfgcmd} set vpn sstp authentication radius nas-ip-address \<address\> + +Value to send to RADIUS server in NAS-IP-Address attribute and to be matched +in DM/CoA requests. Also DM/CoA server will bind to that address. +``` + +```{cfgcmd} set vpn sstp authentication radius source-address \<address\> + +Source IPv4 address used in all RADIUS server queires. +``` + +```{cfgcmd} set vpn sstp authentication radius rate-limit attribute \<attribute\> + +Specifies which RADIUS server attribute contains the rate limit information. +The default attribute is `Filter-Id`. +``` + +:::{note} +If you set a custom RADIUS attribute you must define it on both +dictionaries on the RADIUS server and client. +::: + +```{cfgcmd} set vpn sstp authentication radius rate-limit enable + +Enables bandwidth shaping via RADIUS. +``` + +```{cfgcmd} set vpn sstp authentication radius rate-limit vendor + +Specifies the vendor dictionary, This dictionary needs to be present in +/usr/share/accel-ppp/radius. +``` + +Received RADIUS attributes have a higher priority than parameters defined within +the CLI configuration, refer to the explanation below. + +### Allocation clients ip addresses by RADIUS + +If the RADIUS server sends the attribute `Framed-IP-Address` then this IP +address will be allocated to the client and the option `default-pool` within +the CLI config will being ignored. + +If the RADIUS server sends the attribute `Framed-Pool`, then the IP address +will be allocated from a predefined IP pool whose name equals the attribute +value. + +If the RADIUS server sends the attribute `Stateful-IPv6-Address-Pool`, the +IPv6 address will be allocated from a predefined IPv6 pool `prefix` whose +name equals the attribute value. + +If the RADIUS server sends the attribute `Delegated-IPv6-Prefix-Pool`, an +IPv6 delegation prefix will be allocated from a predefined IPv6 pool `delegate` +whose name equals the attribute value. + +:::{note} +`Stateful-IPv6-Address-Pool` and `Delegated-IPv6-Prefix-Pool` are defined in +RFC6911. If they are not defined in your RADIUS server, add new [dictionary]. +::: + +The client's interface can be put into a VRF context via a RADIUS Access-Accept +packet, or changed via RADIUS CoA. `Accel-VRF-Name` is used for these +purposes. This is a custom [ACCEL-PPP attribute]. Define it in your RADIUS +server. + +### Renaming clients interfaces by RADIUS + +If the RADIUS server uses the attribute `NAS-Port-Id`, ppp tunnels will be +renamed. + +:::{note} +The value of the attribute `NAS-Port-Id` must be less than 16 +characters, otherwise the interface won't be renamed. +::: + +## IPv6 + +```{cfgcmd} set vpn sstp ppp-options ipv6 \<require | prefer | allow | deny\> + +Specifies IPv6 negotiation preference. +* **require** - Require IPv6 negotiation +* **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects +* **allow** - Negotiate IPv6 only if client requests +* **deny** - Do not negotiate IPv6 (default value) +``` + +```{cfgcmd} set vpn sstp client-ipv6-pool \<IPv6-POOL-NAME\> prefix \<address\> mask \<number-of-bits\> + +Use this comand to set the IPv6 address pool from which an SSTP client will +get an IPv6 prefix of your defined length (mask) to terminate the SSTP +endpoint at their side. The mask length can be set between 48 and 128 bits +long, the default value is 64. +``` + +```{cfgcmd} set vpn sstp client-ipv6-pool \<IPv6-POOL-NAME\> delegate \<address\> delegation-prefix \<number-of-bits\> + +Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on SSTP. You +will have to set your IPv6 pool and the length of the delegation prefix. From +the defined IPv6 pool you will be handing out networks of the defined length +(delegation-prefix). The length of the delegation prefix can be set between +32 and 64 bits long. +``` + +```{cfgcmd} set vpn sstp default-ipv6-pool \<IPv6-POOL-NAME\> + +Use this command to define default IPv6 address pool name. +``` + +```none +set vpn sstp ppp-options ipv6 allow +set vpn sstp client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56' +set vpn sstp client-ipv6-pool IPv6-POOL prefix '2001:db8:8002::/48' mask '64' +set vpn sstp default-ipv6-pool IPv6-POOL +``` + + +### IPv6 Advanced Options + +```{cfgcmd} set vpn sstp ppp-options ipv6-accept-peer-interface-id + +Accept peer interface identifier. By default this is not defined. +``` + +```{cfgcmd} set vpn sstp ppp-options ipv6-interface-id \<random | x:x:x:x\> + +Specifies if a fixed or random interface identifier is used for IPv6. The +default is fixed. +* **random** - Random interface identifier for IPv6 +* **x:x:x:x** - Specify interface identifier for IPv6 +``` + +```{cfgcmd} set vpn sstp ppp-options ipv6-interface-id \<random | x:x:x:x\> + +Specifies the peer interface identifier for IPv6. The default is fixed. +* **random** - Random interface identifier for IPv6 +* **x:x:x:x** - Specify interface identifier for IPv6 +* **ipv4-addr** - Calculate interface identifier from IPv4 address. +* **calling-sid** - Calculate interface identifier from calling-station-id. +``` + + +## Scripting + +```{cfgcmd} set vpn sstp extended-scripts on-change \<path_to_script\> + +Script to run when the session interface is changed by RADIUS CoA handling +``` + +```{cfgcmd} set vpn sstp extended-scripts on-down \<path_to_script\> + +Script to run when the session interface about to terminate +``` + +```{cfgcmd} set vpn sstp extended-scripts on-pre-up \<path_to_script\> + +Script to run before the session interface comes up +``` + +```{cfgcmd} set vpn sstp extended-scripts on-up \<path_to_script\> + +Script to run when the session interface is completely configured and started +``` + + +## Advanced Options + +### Authentication Advanced Options + +```{cfgcmd} set vpn sstp authentication local-users username \<user\> disable + +Disable `<user>` account. +``` + +```{cfgcmd} set vpn sstp authentication local-users username \<user\> static-ip \<address\> + +Assign a static IP address to `<user>` account. +``` + +```{cfgcmd} set vpn sstp authentication local-users username \<user\> rate-limit download \<bandwidth\> + +Rate limit the download bandwidth for `<user>` to `<bandwidth>` kbit/s. +``` + +```{cfgcmd} set vpn sstp authentication local-users username \<user\> rate-limit upload \<bandwidth\> + +Rate limit the upload bandwidth for `<user>` to `<bandwidth>` kbit/s. +``` + +```{cfgcmd} set vpn sstp authentication protocols \<pap | chap | mschap | mschap-v2\> + +Require the peer to authenticate itself using one of the following protocols: +pap, chap, mschap, mschap-v2. +``` + + +### Client IP Pool Advanced Options + +```{cfgcmd} set vpn sstp client-ip-pool \<POOL-NAME\> next-pool \<NEXT-POOL-NAME\> + +Use this command to define the next address pool name. +``` + + +### PPP Advanced Options + +```{cfgcmd} set vpn sstp ppp-options disable-ccp + +Disable Compression Control Protocol (CCP). +CCP is enabled by default. +``` + +```{cfgcmd} set vpn sstp ppp-options interface-cache \<number\> + +Specifies number of interfaces to cache. This prevents interfaces from being +removed once the corresponding session is destroyed. Instead, interfaces are +cached for later use in new sessions. This should reduce the kernel-level +interface creation/deletion rate. +Default value is **0**. +``` + +```{cfgcmd} set vpn sstp ppp-options ipv4 \<require | prefer | allow | deny\> + +Specifies IPv4 negotiation preference. +* **require** - Require IPv4 negotiation +* **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects +* **allow** - Negotiate IPv4 only if client requests (Default value) +* **deny** - Do not negotiate IPv4 +``` + +```{cfgcmd} set vpn sstp ppp-options lcp-echo-failure \<number\> + +Defines the maximum `<number>` of unanswered echo requests. Upon reaching the +value `<number>`, the session will be reset. Default value is **3**. +``` + +```{cfgcmd} set vpn sstp ppp-options lcp-echo-interval \<interval\> + +If this option is specified and is greater than 0, then the PPP module will +send LCP echo requests every `<interval>` seconds. +Default value is **30**. +``` + +```{cfgcmd} set vpn sstp ppp-options lcp-echo-timeout + +Specifies timeout in seconds to wait for any peer activity. If this option is +specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" +is not used. Default value is **0**. +``` + +```{cfgcmd} set vpn sstp ppp-options min-mtu \<number\> + +Defines the minimum acceptable MTU. If a client tries to negotiate an MTU +lower than this it will be NAKed, and disconnected if it rejects a greater +MTU. +Default value is **100**. +``` + +```{cfgcmd} set vpn sstp ppp-options mppe \<require | prefer | deny\> + +Specifies {abbr}`MPPE (Microsoft Point-to-Point Encryption)` negotiation +preference. +* **require** - ask client for mppe, if it rejects drop connection +* **prefer** - ask client for mppe, if it rejects don't fail. (Default value) +* **deny** - deny mppe + +Default behavior - don't ask the client for mppe, but allow it if the client +wants. Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy +attribute. +``` + +```{cfgcmd} set vpn sstp ppp-options mru \<number\> + +Defines preferred MRU. By default is not defined. +``` + + +### Global Advanced options + +```{cfgcmd} set vpn sstp description \<description\> + +Set description. +``` + +```{cfgcmd} set vpn sstp limits burst \<value\> + +Burst count +``` + +```{cfgcmd} set vpn sstp limits connection-limit \<value\> + +Maximum accepted connection rate (e.g. 1/min, 60/sec) +``` + +```{cfgcmd} set vpn sstp limits timeout \<value\> + +Timeout in seconds +``` + +```{cfgcmd} set vpn sstp mtu + +Maximum Transmission Unit (MTU) (default: **1500**) +``` + +```{cfgcmd} set vpn sstp max-concurrent-sessions + +Maximum number of concurrent session start attempts +``` + +```{cfgcmd} set vpn sstp name-server \<address\> + +Connected clients should use `<address>` as their DNS server. This command +accepts both IPv4 and IPv6 addresses. Up to two nameservers can be configured +for IPv4, up to three for IPv6. +``` + +```{cfgcmd} set vpn sstp shaper fwmark \<1-2147483647\> + +Match firewall mark value +``` + +```{cfgcmd} set vpn sstp snmp master-agent + +Enable SNMP +``` + +```{cfgcmd} set vpn sstp wins-server \<address\> + +Windows Internet Name Service (WINS) servers propagated to client +``` + +```{cfgcmd} set vpn sstp host-name \<hostname\> + +If this option is given, only SSTP connections to the specified host +and with the same TLS SNI will be allowed. +``` + + +## Configuring SSTP client + +Once you have setup your SSTP server there comes the time to do some basic +testing. The Linux client used for testing is called [sstpc]. [sstpc] requires a +PPP configuration/peer file. + +If you use a self-signed certificate, do not forget to install CA on the client side. + +The following PPP configuration tests MSCHAP-v2: + +```none +$ cat /etc/ppp/peers/vyos +usepeerdns +#require-mppe +#require-pap +require-mschap-v2 +noauth +lock +refuse-pap +refuse-eap +refuse-chap +refuse-mschap +#refuse-mschap-v2 +nobsdcomp +nodeflate +debug +``` + +You can now "dial" the peer with the follwoing command: `sstpc --log-level 4 +--log-stderr --user vyos --password vyos vpn.example.com -- call vyos`. + +A connection attempt will be shown as: + +```none +$ sstpc --log-level 4 --log-stderr --user vyos --password vyos vpn.example.com -- call vyos + +Mar 22 13:29:12 sstpc[12344]: Resolved vpn.example.com to 192.0.2.1 +Mar 22 13:29:12 sstpc[12344]: Connected to vpn.example.com +Mar 22 13:29:12 sstpc[12344]: Sending Connect-Request Message +Mar 22 13:29:12 sstpc[12344]: SEND SSTP CRTL PKT(14) +Mar 22 13:29:12 sstpc[12344]: TYPE(1): CONNECT REQUEST, ATTR(1): +Mar 22 13:29:12 sstpc[12344]: ENCAP PROTO(1): 6 +Mar 22 13:29:12 sstpc[12344]: RECV SSTP CRTL PKT(48) +Mar 22 13:29:12 sstpc[12344]: TYPE(2): CONNECT ACK, ATTR(1): +Mar 22 13:29:12 sstpc[12344]: CRYPTO BIND REQ(4): 40 +Mar 22 13:29:12 sstpc[12344]: Started PPP Link Negotiation +Mar 22 13:29:15 sstpc[12344]: Sending Connected Message +Mar 22 13:29:15 sstpc[12344]: SEND SSTP CRTL PKT(112) +Mar 22 13:29:15 sstpc[12344]: TYPE(4): CONNECTED, ATTR(1): +Mar 22 13:29:15 sstpc[12344]: CRYPTO BIND(3): 104 +Mar 22 13:29:15 sstpc[12344]: Connection Established + +$ ip addr show ppp0 +164: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1452 qdisc fq_codel state UNKNOWN group default qlen 3 + link/ppp promiscuity 0 + inet 100.64.2.2 peer 100.64.1.1/32 scope global ppp0 + valid_lft forever preferred_lft forever +``` + + +## Monitoring + +```{opcmd} show sstp-server sessions + +Use this command to locally check the active sessions in the SSTP +server. +``` + +```none +vyos@vyos:~$ show sstp-server sessions + ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes +--------+----------+----------+-----+--------+----------------+------------+--------+----------+----------+---------- + sstp0 | test | 10.0.0.2 | | | 192.168.10.100 | | active | 00:15:46 | 16.3 KiB | 210 B +``` + +```none +vyos@vyos:~$ show sstp-server statistics + uptime: 0.01:21:54 +cpu: 0% +mem(rss/virt): 6688/100464 kB +core: + mempool_allocated: 149420 + mempool_available: 146092 + thread_count: 1 + thread_active: 1 + context_count: 6 + context_sleeping: 0 + context_pending: 0 + md_handler_count: 7 + md_handler_pending: 0 + timer_count: 2 + timer_pending: 0 +sessions: + starting: 0 + active: 1 + finishing: 0 +sstp: + starting: 0 + active: 1 +``` + + +## Troubleshooting + +```none +vyos@vyos:~$sudo journalctl -u accel-ppp@sstp -b 0 + +Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: new connection from 192.168.10.100:49852 +Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: starting +Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: started +Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1>] +Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <SSTPCORRELATIONID: {48B82435-099A-4158-A987-052E7570CFAA}>] +Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <Content-Length: 18446744073709551615>] +Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <Host: vyos.io>] +Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <HTTP/1.1 200 OK>] +Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <Date: Wed, 28 Feb 2024 17:03:04 GMT>] +Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <Content-Length: 18446744073709551615>] +Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [SSTP SSTP_MSG_CALL_CONNECT_REQUEST] +Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [SSTP SSTP_MSG_CALL_CONNECT_ACK] +Feb 28 17:03:04 vyos accel-sstp[2492]: :: lcp_layer_init +Feb 28 17:03:04 vyos accel-sstp[2492]: :: auth_layer_init +Feb 28 17:03:04 vyos accel-sstp[2492]: :: ccp_layer_init +Feb 28 17:03:04 vyos accel-sstp[2492]: :: ipcp_layer_init +Feb 28 17:03:04 vyos accel-sstp[2492]: :: ipv6cp_layer_init +Feb 28 17:03:04 vyos accel-sstp[2492]: :: ppp establishing +Feb 28 17:03:04 vyos accel-sstp[2492]: :: lcp_layer_start +Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfReq id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>] +Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=0 <mru 4091> <magic 345f64ca> <pcomp> <accomp> < d 3 6 >] +Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfRej id=0 <pcomp> <accomp> < d 3 6 >] +Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=1 <mru 4091> <magic 345f64ca>] +Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfNak id=1 <mru 1452>] +Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=2 <mru 1452> <magic 345f64ca>] +Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfAck id=2] +Feb 28 17:03:07 vyos accel-sstp[2492]: :: fsm timeout 9 +Feb 28 17:03:07 vyos accel-sstp[2492]: :: send [LCP ConfReq id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>] +Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP ConfAck id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>] +Feb 28 17:03:07 vyos accel-sstp[2492]: :: lcp_layer_started +Feb 28 17:03:07 vyos accel-sstp[2492]: :: auth_layer_start +Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP Ident id=3 <MSRASV5.20>] +Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP Ident id=4 <MSRAS-0-MSEDGEWIN10>] +Feb 28 17:03:07 vyos accel-sstp[2492]: [50B blob data] +Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [PAP AuthReq id=3] +Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: connect: ppp0 <--> sstp(192.168.10.100:49852) +Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ppp connected +Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [PAP AuthAck id=3 "Authentication succeeded"] +Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: test: authentication succeeded +Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: auth_layer_started +Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ccp_layer_start +Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipcp_layer_start +Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipv6cp_layer_start +Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [SSTP SSTP_MSG_CALL_CONNECTED] +Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: IPV6CP: discarding packet +Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [LCP ProtoRej id=88 <8057>] +Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=7 <addr 0.0.0.0> <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>] +Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfReq id=25 <addr 10.0.0.1>] +Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfRej id=7 <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>] +Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfAck id=25 <addr 10.0.0.1>] +Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=8 <addr 0.0.0.0>] +Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfNak id=8 <addr 10.0.0.5>] +Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=9 <addr 10.0.0.5>] +Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfAck id=9] +Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipcp_layer_started +Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: rename interface to 'sstp0' +Feb 28 17:03:07 vyos accel-sstp[2492]: sstp0:test: sstp: ppp: started +``` + +[accel-ppp attribute]: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel +[dictionary]: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911 +[sstpc]: https://github.com/reliablehosting/sstp-client |
