-rw-r--r--  docs/_static/images/ESP_AH.png                          | bin 0 -> 35607 bytes
-rw-r--r--  docs/_static/images/IPSec_close_action_settings.jpg     | bin 62330 -> 0 bytes
-rw-r--r--  docs/_static/images/IPSec_close_action_settings.png     | bin 0 -> 22371 bytes
-rw-r--r--  docs/configuration/vpn/dmvpn.rst                        |   2
-rw-r--r--  docs/configuration/vpn/index.rst                        |   4
-rw-r--r--  docs/configuration/vpn/ipsec.rst                        | 657
-rw-r--r--  docs/configuration/vpn/ipsec/index.rst                  |  21
-rw-r--r--  docs/configuration/vpn/ipsec/ipsec_general.rst          | 308
-rw-r--r--  docs/configuration/vpn/ipsec/remoteaccess_ipsec.rst (renamed from docs/configuration/vpn/remoteaccess_ipsec.rst) | 0
-rw-r--r--  docs/configuration/vpn/ipsec/site2site_ipsec.rst        | 729
-rw-r--r--  docs/configuration/vpn/ipsec/troubleshooting_ipsec.rst  | 323
-rw-r--r--  docs/configuration/vpn/site2site_ipsec.rst              | 433
12 files changed, 1383 insertions, 1094 deletions
diff --git a/docs/_static/images/ESP_AH.png b/docs/_static/images/ESP_AH.png Binary files differnew file mode 100644 index 00000000..6075c3f4 --- /dev/null +++ b/docs/_static/images/ESP_AH.png diff --git a/docs/_static/images/IPSec_close_action_settings.jpg b/docs/_static/images/IPSec_close_action_settings.jpg Binary files differdeleted file mode 100644 index 6996f857..00000000 --- a/docs/_static/images/IPSec_close_action_settings.jpg +++ /dev/null diff --git a/docs/_static/images/IPSec_close_action_settings.png b/docs/_static/images/IPSec_close_action_settings.png Binary files differnew file mode 100644 index 00000000..531643f7 --- /dev/null +++ b/docs/_static/images/IPSec_close_action_settings.png diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst index e58eecbc..59f5af1e 100644 --- a/docs/configuration/vpn/dmvpn.rst +++ b/docs/configuration/vpn/dmvpn.rst @@ -146,7 +146,7 @@ NHRP protocol configuration IPSEC configuration ============================== -* Please refer to the :ref:`ipsec` documentation for the individual IPSec +* Please refer to the :ref:`ipsec_general` documentation for the individual IPSec related options. .. note:: NHRP daemon based on FRR nhrpd. It controls IPSEC. That's why 'close-action' diff --git a/docs/configuration/vpn/index.rst b/docs/configuration/vpn/index.rst index cf825a63..d0121abd 100644 --- a/docs/configuration/vpn/index.rst +++ b/docs/configuration/vpn/index.rst @@ -7,7 +7,7 @@ VPN :maxdepth: 1 :includehidden: - ipsec + ipsec/index l2tp openconnect pptp @@ -22,5 +22,3 @@ pages to sort :includehidden: dmvpn - site2site_ipsec - remoteaccess_ipsec diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst deleted file mode 100644 index 5e44312d..00000000 --- a/docs/configuration/vpn/ipsec.rst +++ /dev/null 
@@ -1,657 +0,0 @@ -.. _ipsec: - -##### -IPsec -##### - -:abbr:`GRE (Generic Routing Encapsulation)`, GRE/IPsec (or IPIP/IPsec, -SIT/IPsec, or any other stateless tunnel protocol over IPsec) is the usual way -to protect the traffic inside a tunnel. - -An advantage of this scheme is that you get a real interface with its own -address, which makes it easier to setup static routes or use dynamic routing -protocols without having to modify IPsec policies. The other advantage is that -it greatly simplifies router to router communication, which can be tricky with -plain IPsec because the external outgoing address of the router usually doesn't -match the IPsec policy of a typical site-to-site setup and you would need to -add special configuration for it, or adjust the source address of the outgoing -traffic of your applications. GRE/IPsec has no such problem and is completely -transparent for applications. - -GRE/IPIP/SIT and IPsec are widely accepted standards, which make this scheme -easy to implement between VyOS and virtually any other router. - -For simplicity we'll assume that the protocol is GRE, it's not hard to guess -what needs to be changed to make it work with a different protocol. We assume -that IPsec will use pre-shared secret authentication and will use AES128/SHA1 -for the cipher and hash. Adjust this as necessary. - -.. NOTE:: VMware users should ensure that a VMXNET3 adapter is used. E1000 - adapters have known issues with GRE processing. - -************************************** -IKE (Internet Key Exchange) Attributes -************************************** - -IKE performs mutual authentication between two parties and establishes -an IKE security association (SA) that includes shared secret information -that can be used to efficiently establish SAs for Encapsulating Security -Payload (ESP) or Authentication Header (AH) and a set of cryptographic -algorithms to be used by the SAs to protect the traffic that they carry. 
-https://datatracker.ietf.org/doc/html/rfc5996 - -In VyOS, IKE attributes are specified through IKE groups. -Multiple proposals can be specified in a single group. - -VyOS IKE group has the next options: - -* ``close-action`` defines the action to take if the remote peer unexpectedly - closes a CHILD_SA: - - * ``none`` set action to none (default); - - * ``trap`` installs a trap policy for the CHILD_SA; - - * ``start`` tries to immediately re-create the CHILD_SA; - -* ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol - (DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty - INFORMATIONAL messages (IKEv2) are periodically sent in order to check the - liveliness of the IPsec peer: - - * ``action`` keep-alive failure action: - - * ``trap`` installs a trap policy, which will catch matching traffic - and tries to re-negotiate the tunnel on-demand; - - * ``clear`` closes the CHILD_SA and does not take further action (default); - - * ``restart`` immediately tries to re-negotiate the CHILD_SA - under a fresh IKE_SA; - - * ``interval`` keep-alive interval in seconds <2-86400> (default 30); - - * ``timeout`` keep-alive timeout in seconds <2-86400> (default 120) IKEv1 only - -* ``ikev2-reauth`` whether rekeying of an IKE_SA should also reauthenticate - the peer. In IKEv1, reauthentication is always done. - Setting this parameter enables remote host re-authentication during an IKE - rekey. - -* ``key-exchange`` which protocol should be used to initialize the connection - If not set both protocols are handled and connections will use IKEv2 when - initiating, but accept any protocol version when responding: - - * ``ikev1`` use IKEv1 for Key Exchange; - - * ``ikev2`` use IKEv2 for Key Exchange; - -* ``lifetime`` IKE lifetime in seconds <0-86400> (default 28800); - -* ``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 - and enabled by default. 
- -* ``mode`` IKEv1 Phase 1 Mode Selection: - - * ``main`` use Main mode for Key Exchanges in the IKEv1 Protocol - (Recommended Default); - - * ``aggressive`` use Aggressive mode for Key Exchanges in the IKEv1 protocol - aggressive mode is much more insecure compared to Main mode; - -* ``proposal`` the list of proposals and their parameters: - - * ``dh-group`` dh-group; - - * ``encryption`` encryption algorithm; - - * ``hash`` hash algorithm. - - * ``prf`` pseudo-random function. - -*********************************************** -ESP (Encapsulating Security Payload) Attributes -*********************************************** - -ESP is used to provide confidentiality, data origin authentication, -connectionless integrity, an anti-replay service (a form of partial sequence -integrity), and limited traffic flow confidentiality. -https://datatracker.ietf.org/doc/html/rfc4303 - -In VyOS, ESP attributes are specified through ESP groups. -Multiple proposals can be specified in a single group. - -VyOS ESP group has the next options: - -* ``compression`` Enables the IPComp(IP Payload Compression) protocol which - allows compressing the content of IP packets. - -* ``life-bytes`` ESP life in bytes <1024-26843545600000>. - Number of bytes transmitted over an IPsec SA before it expires; - -* ``life-packets`` ESP life in packets <1000-26843545600000>. - Number of packets transmitted over an IPsec SA before it expires; - -* ``lifetime`` ESP lifetime in seconds <30-86400> (default 3600). 
- How long a particular instance of a connection (a set of - encryption/authentication keys for user packets) should last, - from successful negotiation to expiry; - -* ``mode`` the type of the connection: - - * ``tunnel`` tunnel mode (default); - - * ``transport`` transport mode; - -* ``pfs`` whether Perfect Forward Secrecy of keys is desired on the - connection's keying channel and defines a Diffie-Hellman group for PFS: - - * ``enable`` Inherit Diffie-Hellman group from IKE group (default); - - * ``disable`` Disable PFS; - - * ``< dh-group >`` defines a Diffie-Hellman group for PFS; - -* ``proposal`` ESP-group proposal with number <1-65535>: - - * ``encryption`` encryption algorithm (default 128 bit AES-CBC); - - * ``hash`` hash algorithm (default sha1). - - * ``disable-rekey`` Do not locally initiate a re-key of the SA, remote - peer must re-key before expiration. - -*********************************************** -Options (Global IPsec settings) Attributes -*********************************************** - -* ``options`` - - * ``disable-route-autoinstall`` Do not automatically install routes to remote - networks; - - * ``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco - FlexVPN vendor ID payload (IKEv2 only), which is required in order to make - Cisco brand devices allow negotiating a local traffic selector (from - strongSwan's point of view) that is not the assigned virtual IP address if - such an address is requested by strongSwan. Sending the Cisco FlexVPN - vendor ID prevents the peer from narrowing the initiator's local traffic - selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 - instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco - template but should also work for GRE encapsulation; - - * ``interface`` Interface Name to use. The name of the interface on which - virtual IP addresses should be installed. 
If not specified the addresses - will be installed on the outbound interface; - - * ``virtual-ip`` Allows the installation of virtual-ip addresses. A comma - separated list of virtual IPs to request in IKEv2 configuration payloads or - IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an - arbitrary address, specific addresses may be defined. The responder may - return a different address, or none at all. Define the ``virtual-address`` - option to configure the IP address in a site-to-site hierarchy. - -************************* -IPsec policy matching GRE -************************* - -The first and arguably cleaner option is to make your IPsec policy match GRE -packets between external addresses of your routers. This is the best option if -both routers have static external addresses. - -Suppose the LEFT router has external address 192.0.2.10 on its eth0 interface, -and the RIGHT router is 203.0.113.45 - -On the LEFT: - -.. code-block:: none - - # GRE tunnel - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 source-address 192.0.2.10 - set interfaces tunnel tun0 remote 203.0.113.45 - set interfaces tunnel tun0 address 10.10.10.1/30 - - ## IPsec - set vpn ipsec interface eth0 - - # Pre-shared-secret - set vpn ipsec authentication psk vyos id 192.0.2.10 - set vpn ipsec authentication psk vyos id 203.0.113.45 - set vpn ipsec authentication psk vyos secret MYSECRETKEY - - # IKE group - set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2' - set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128' - set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1' - - # ESP group - set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128' - set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1' - - # IPsec tunnel - set vpn ipsec site-to-site peer right authentication mode pre-shared-secret - set vpn ipsec site-to-site peer right authentication remote-id 203.0.113.45 - - set vpn ipsec site-to-site peer right 
ike-group MyIKEGroup - set vpn ipsec site-to-site peer right default-esp-group MyESPGroup - - set vpn ipsec site-to-site peer right local-address 192.0.2.10 - set vpn ipsec site-to-site peer right remote-address 203.0.113.45 - - # This will match all GRE traffic to the peer - set vpn ipsec site-to-site peer right tunnel 1 protocol gre - -On the RIGHT, setup by analogy and swap local and remote addresses. - - -Source tunnel from dummy interface -================================== - -The scheme above doesn't work when one of the routers has a dynamic external -address though. The classic workaround for this is to setup an address on a -loopback interface and use it as a source address for the GRE tunnel, then setup -an IPsec policy to match those loopback addresses. - -We assume that the LEFT router has static 192.0.2.10 address on eth0, and the -RIGHT router has a dynamic address on eth0. - -The peer names RIGHT and LEFT are used as informational text. - -**Setting up the GRE tunnel** - -On the LEFT: - -.. code-block:: none - - set interfaces dummy dum0 address 192.168.99.1/32 - - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 address 10.10.10.1/30 - set interfaces tunnel tun0 source-address 192.168.99.1 - set interfaces tunnel tun0 remote 192.168.99.2 - -On the RIGHT: - -.. code-block:: none - - set interfaces dummy dum0 address 192.168.99.2/32 - - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 address 10.10.10.2/30 - set interfaces tunnel tun0 source-address 192.168.99.2 - set interfaces tunnel tun0 remote 192.168.99.1 - -**Setting up IPSec** - -However, now you need to make IPsec work with dynamic address on one side. The -tricky part is that pre-shared secret authentication doesn't work with dynamic -address, so we'll have to use RSA keys. - -First, on both routers run the operational command "generate pki key-pair -install <key-pair name>". You may choose different length than 2048 of course. - -.. 
code-block:: none - - vyos@left# run generate pki key-pair install ipsec-LEFT - Enter private key type: [rsa, dsa, ec] (Default: rsa) - Enter private key bits: (Default: 2048) - Note: If you plan to use the generated key on this router, do not encrypt the private key. - Do you want to encrypt the private key with a passphrase? [y/N] N - Configure mode commands to install key pair: - Do you want to install the public key? [Y/n] Y - set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...' - Do you want to install the private key? [Y/n] Y - set pki key-pair ipsec-LEFT private key 'MIIEvgIBADAN...' - [edit] - -Configuration commands for the private and public key will be displayed on the -screen which needs to be set on the router first. -Note the command with the public key -(set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'). -Then do the same on the opposite router: - -.. code-block:: none - - vyos@left# run generate pki key-pair install ipsec-RIGHT - -Note the command with the public key -(set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...'). - -Now the noted public keys should be entered on the opposite routers. - -On the LEFT: - -.. code-block:: none - - set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...' - -On the RIGHT: - -.. code-block:: none - - set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...' - -Now you are ready to setup IPsec. You'll need to use an ID instead of address -for the peer. - -On the LEFT (static address): - -.. 
code-block:: none - - set vpn ipsec interface eth0 - - set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 - set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 - - set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 - set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 - set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - - set vpn ipsec site-to-site peer RIGHT authentication local-id LEFT - set vpn ipsec site-to-site peer RIGHT authentication mode rsa - set vpn ipsec site-to-site peer RIGHT authentication rsa local-key ipsec-LEFT - set vpn ipsec site-to-site peer RIGHT authentication rsa remote-key ipsec-RIGHT - set vpn ipsec site-to-site peer RIGHT authentication remote-id RIGHT - set vpn ipsec site-to-site peer RIGHT default-esp-group MyESPGroup - set vpn ipsec site-to-site peer RIGHT ike-group MyIKEGroup - set vpn ipsec site-to-site peer RIGHT local-address 192.0.2.10 - set vpn ipsec site-to-site peer RIGHT connection-type respond - set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local - set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote - -On the RIGHT (dynamic address): - -.. 
code-block:: none - - set vpn ipsec interface eth0 - - set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 - set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 - - set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 - set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 - set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - - set vpn ipsec site-to-site peer LEFT authentication local-id RIGHT - set vpn ipsec site-to-site peer LEFT authentication mode rsa - set vpn ipsec site-to-site peer LEFT authentication rsa local-key ipsec-RIGHT - set vpn ipsec site-to-site peer LEFT authentication rsa remote-key ipsec-LEFT - set vpn ipsec site-to-site peer LEFT authentication remote-id LEFT - set vpn ipsec site-to-site peer LEFT connection-type initiate - set vpn ipsec site-to-site peer LEFT default-esp-group MyESPGroup - set vpn ipsec site-to-site peer LEFT ike-group MyIKEGroup - set vpn ipsec site-to-site peer LEFT local-address any - set vpn ipsec site-to-site peer LEFT remote-address 192.0.2.10 - set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local - set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote - - -******************************************* -IKEv2 IPSec road-warriors remote-access VPN -******************************************* - -Internet Key Exchange version 2, IKEv2 for short, is a request/response -protocol developed by both Cisco and Microsoft. It is used to establish and -secure IPv4/IPv6 connections, be it a site-to-site VPN or from a -road-warrior connecting to a hub site. IKEv2, when run in point-to-multipoint, -or remote-access/road-warrior mode, secures the server-side with another layer -by using an x509 signed server certificate. 
- -Key exchange and payload encryption is still done using IKE and ESP proposals -as known from IKEv1 but the connections are faster to establish, more reliable, -and also support roaming from IP to IP (called MOBIKE which makes sure your -connection does not drop when changing networks from e.g. WIFI to LTE and back). - -This feature closely works together with :ref:`pki` subsystem as you required -a x509 certificate. - -Example -======= - -This example uses CACert as certificate authority. - -.. code-block:: - - set pki ca CAcert_Class_3_Root certificate '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' - set pki ca CAcert_Signing_Authority certificate 'MIIG7jCCBNagAwIBAgIBDzANBgkqhkiG9w0BAQsFADB5MRAwDgYDVQQKEwdSb290IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNBIENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRAY2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42yfk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jcG8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4kepKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43qlaegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQQUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivUfslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAX8wggF7MB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TAPBgNVHRMBAf8EBTADAQH/MDQGCWCGSAGG+EIBCAQnFiVodHRwOi8vd3d3LmNhY2VydC5vcmcvaW5kZXgucGhwP2lkPTEwMFYGCWCGSAGG+EIBDQRJFkdUbyBnZXQgeW91ci
Bvd24gY2VydGlmaWNhdGUgZm9yIEZSRUUgaGVhZCBvdmVyIHRvIGh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY3JsLmNhY2VydC5vcmcvcmV2b2tlLmNybDAzBglghkgBhvhCAQQEJhYkVVJJOmh0dHA6Ly9jcmwuY2FjZXJ0Lm9yZy9yZXZva2UuY3JsMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AuY2FjZXJ0Lm9yZzAfBgNVHSMEGDAWgBQWtTIb1Mfz4OaO873SsDrusjkY0TANBgkqhkiG9w0BAQsFAAOCAgEAR5zXs6IX01JTt7Rq3b+bNRUhbO9vGBMggczo7R0qIh1kdhS6WzcrDoO6PkpuRg0L3qM7YQB6pw2V+ubzF7xl4C0HWltfzPTbzAHdJtjaJQw7QaBlmAYpN2CLB6Jeg8q/1Xpgdw/+IP1GRwdg7xUpReUA482l4MH1kf0W0ad94SuIfNWQHcdLApmno/SUh1bpZyeWrMnlhkGNDKMxCCQXQ360TwFHc8dfEAaq5ry6cZzm1oetrkSviE2qofxvv1VFiQ+9TX3/zkECCsUB/EjPM0lxFBmu9T5Ih+Eqns9ivmrEIQDv9tNyJHuLsDNqbUBal7OoiPZnXk9LH+qb+pLf1ofv5noy5vX2a5OKebHe+0Ex/A7e+G/HuOjVNqhZ9j5Nispfq9zNyOHGWD8ofj8DHwB50L1Xh5H+EbIoga/hJCQnRtxWkHP699T1JpLFYwapgplivF4TFv4fqp0nHTKC1x9gGrIgvuYJl1txIKmxXdfJzgscMzqpabhtHOMXOiwQBpWzyJkofF/w55e0LttZDBkEsilV/vW0CJsPs3eNaQF+iMWscGOkgLFlWsAS3HwyiYLNJo26aqyWPaIdc8E4ck7Sk08WrFrHIK3EHr4n1FZwmLpFAvucKqgl0hr+2jypyh5puA3KksHF3CsUzjMUvzxMhykh9zrMxQAHLBVrGwc=' - -After you obtain your server certificate you can import it from a file on the -local filesystem, or paste it into the CLI. Please note that when entering the -certificate manually you need to strip the ``-----BEGIN KEY-----`` and -``-----END KEY-----`` tags. Also, the certificate or key needs to be presented -in a single line without line breaks (``\n``). - -To import it from the filesystem use: - -.. code-block:: - - import pki certificate <name> file /path/to/cert.pem - -In our example the certificate name is called vyos: - -.. code-block:: - - set pki certificate vyos certificate 'MIIE45s...' - set pki certificate vyos private key 'MIIEvgI...' - -After the PKI certs are all set up we can start configuring our IPSec/IKE -proposals used for key-exchange end data encryption. The used encryption -ciphers and integrity algorithms vary from operating system to operating -system. 
The ones used in this post are validated to work on both Windows 10 -and iOS/iPadOS 14 to 17. - -.. code-block:: - - set vpn ipsec esp-group ESP-RW compression 'disable' - set vpn ipsec esp-group ESP-RW lifetime '3600' - set vpn ipsec esp-group ESP-RW pfs 'disable' - set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes128gcm128' - set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256' - - set vpn ipsec ike-group IKE-RW key-exchange 'ikev2' - set vpn ipsec ike-group IKE-RW lifetime '7200' - set vpn ipsec ike-group IKE-RW mobike 'enable' - set vpn ipsec ike-group IKE-RW proposal 10 dh-group '14' - set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes128gcm128' - set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha256' - -Every connection/remote-access pool we configure also needs a pool where -we can draw our client IP addresses from. We provide one IPv4 and IPv6 pool. -Authorized clients will receive an IPv4 address from the 192.0.2.128/25 prefix -and an IPv6 address from the 2001:db8:2000::/64 prefix. We can also send some -DNS nameservers down for our clients to use with their connection. - -.. code-block:: - - set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.1' - set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.0.2.128/25' - set vpn ipsec remote-access pool ra-rw-ipv6 name-server '2001:db8:1000::1' - set vpn ipsec remote-access pool ra-rw-ipv6 prefix '2001:db8:2000::/64' - -VyOS supports multiple IKEv2 remote-access connections. Every connection can -have its own dedicated IKE/ESP ciphers, certificates or local listen address -for e.g. inbound load balancing. - -We configure a new connection named ``rw`` for road-warrior, that identifies -itself as ``192.0.2.1`` to the clients and uses the ``vyos`` certificate -signed by the `CAcert_Class3_Root`` intermediate CA. We select our previously -specified IKE/ESP groups and also link the IP address pool to draw addresses -from. - -.. 
code-block:: - - set vpn ipsec remote-access connection rw authentication id '192.0.2.1' - set vpn ipsec remote-access connection rw authentication server-mode 'x509' - set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'CAcert_Class_3_Root' - set vpn ipsec remote-access connection rw authentication x509 certificate 'vyos' - set vpn ipsec remote-access connection rw esp-group 'ESP-RW' - set vpn ipsec remote-access connection rw ike-group 'IKE-RW' - set vpn ipsec remote-access connection rw local-address '192.0.2.1' - set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4' - set vpn ipsec remote-access connection rw pool 'ra-rw-ipv6' - -VyOS also supports (currently) two different modes of authentication, local and -RADIUS. To create a new local user named ``vyos`` with password ``vyos`` use the -following commands. - -.. code-block:: - - set vpn ipsec remote-access connection rw authentication client-mode 'eap-mschapv2' - set vpn ipsec remote-access connection rw authentication local-users username vyos password 'vyos' - -If you feel better forwarding all authentication requests to your enterprises -RADIUS server, use the commands below. - -.. code-block:: - - set vpn ipsec remote-access connection rw authentication client-mode 'eap-radius' - set vpn ipsec remote-access radius server 192.0.2.2 key 'secret' - -Client Configuration -==================== - -Configuring VyOS to act as your IPSec access concentrator is one thing, but -you probably need to setup your client connecting to the server so they can -talk to the IPSec gateway. - -Microsoft Windows (10+) ------------------------ - -Windows 10 does not allow a user to choose the integrity and encryption ciphers -using the GUI and it uses some older proposals by default. A user can only -change the proposals on the client side by configuring the IPSec connection -profile via PowerShell. 
- -We generate a connection profile used by Windows clients that will connect to -the "rw" connection on our VyOS server on the VPN servers IP address/fqdn -`vpn.vyos.net`. - -.. note:: Microsoft Windows expects the server name to be also used in the - server's certificate common name, so it's best to use this DNS name for - your VPN connection. - -.. code-block:: - - vyos@vyos:~$ generate ipsec profile windows-remote-access rw remote vpn.vyos.net - - ==== <snip> ==== - Add-VpnConnection -Name "VyOS IKEv2 VPN" -ServerAddress "vpn.vyos.net" -TunnelType "Ikev2" - Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256128 -PfsGroup None -DHGroup "Group14" -PassThru -Force - ==== </snip> ==== - -As both Microsoft Windows and Apple iOS/iPadOS only support a certain set of -encryption ciphers and integrity algorithms we will validate the configured -IKE/ESP proposals and only list the compatible ones to the user — if multiple -are defined. If there are no matching proposals found — we can not generate a -profile for you. - -When first connecting to the new VPN the user is prompted to enter proper -credentials. - -Apple iOS/iPadOS (14.2+) ------------------------- - -Like on Microsoft Windows, Apple iOS/iPadOS out of the box does not expose -all available VPN options via the device GUI. - -If you want, need, and should use more advanced encryption ciphers (default -is still 3DES) you need to provision your device using a so-called "Device -Profile". A profile is a simple text file containing XML nodes with a -``.mobileconfig`` file extension that can be sent and opened on any device -from an E-Mail. 
- -Profile generation happens from the operational level and is as simple as -issuing the following command to create a profile to connect to the IKEv2 -access server at ``vpn.vyos.net`` with the configuration for the ``rw`` -remote-access connection group. - -.. note:: Apple iOS/iPadOS expects the server name to be also used in the - server's certificate common name, so it's best to use this DNS name for - your VPN connection. - -.. code-block:: - - vyos@vyos:~$ generate ipsec profile ios-remote-access rw remote vpn.vyos.net - - ==== <snip> ==== - <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> - <plist version="1.0"> - ... - </plist> - ==== </snip> ==== - -In the end, an XML structure is generated which can be saved as -``vyos.mobileconfig`` and sent to the device by E-Mail where it later can -be imported. - -During profile import, the user is asked to enter its IPSec credentials -(username and password) which is stored on the mobile. - -Operation Mode -============== - -.. opcmd:: show vpn ike sa - - Show all currently active IKE Security Associations. - -.. opcmd:: show vpn ike sa nat-traversal - - Show all currently active IKE Security Associations (SA) that are using - NAT Traversal. - -.. opcmd:: show vpn ike sa peer <peer_name> - - Show all currently active IKE Security Associations (SA) for a specific - peer. - -.. opcmd:: show vpn ike secrets - - Show all the configured pre-shared secret keys. - -.. opcmd:: show vpn ike status - - Show the detailed status information of IKE charon process. - -.. opcmd:: show vpn ipsec connections - - Show details of all available VPN connections - -.. opcmd:: show vpn ipsec policy - - Print out the list of existing crypto policies - -.. opcmd:: show vpn ipsec sa - - Show all active IPsec Security Associations (SA) - -.. opcmd:: show vpn ipsec sa detail - - Show a detailed information of all active IPsec Security Associations (SA) - in verbose format. - -.. 
opcmd:: show vpn ipsec state - - Print out the list of existing in-kernel crypto state - -.. opcmd:: show vpn ipsec status - - Show the status of running IPsec process and process ID. - -.. opcmd:: restart ipsec - - Restart the IPsec VPN process and re-establishes the connection. - -.. opcmd:: reset vpn ipsec site-to-site all - - Reset all site-to-site IPSec VPN sessions. It terminates all active - child_sa and reinitiates the connection. - -.. opcmd:: reset vpn ipsec site-to-site peer <name> - - Reset all tunnels for a given peer, can specify tunnel or vti interface. - It terminates a specific child_sa and reinitiates the connection. - -.. opcmd:: show log ipsec - - Show logs for IPsec diff --git a/docs/configuration/vpn/ipsec/index.rst b/docs/configuration/vpn/ipsec/index.rst new file mode 100644 index 00000000..e454e2f6 --- /dev/null +++ b/docs/configuration/vpn/ipsec/index.rst @@ -0,0 +1,21 @@ +##### +IPsec +##### + + +.. toctree:: + :maxdepth: 1 + :includehidden: + + ipsec_general + site2site_ipsec + remoteaccess_ipsec + troubleshooting_ipsec + +pages to sort + +.. toctree:: + :maxdepth: 1 + :includehidden: + + diff --git a/docs/configuration/vpn/ipsec/ipsec_general.rst b/docs/configuration/vpn/ipsec/ipsec_general.rst new file mode 100644 index 00000000..18d974c9 --- /dev/null +++ b/docs/configuration/vpn/ipsec/ipsec_general.rst 
@@ -0,0 +1,308 @@ +.. _ipsec_general: + +######################### +IPsec General Information +######################### + +*********************** +Information about IPsec +*********************** + +IPsec is the framework used to secure data. +IPsec accomplishes these goals by providing authentication, +encryption of IP network packets, key exchange, and key management. +VyOS uses Strongswan package to implement IPsec. + +**Authentication Header (AH)** is defined in :rfc:`4302`. It creates +a hash using the IP header and data payload, and prepends it to the +packet. This hash is used to validate that the data has not been +changed during transfer over the network. + +**Encapsulating Security Payload (ESP)** is defined in :rfc:`4303`. +It provides encryption and authentication of the data. + + +There are two IPsec modes: + **IPsec Transport Mode**: + In transport mode, an IPSec header (AH or ESP) is inserted + between the IP header and the upper layer protocol header. + + **IPsec Tunnel Mode:** + In tunnel mode, the original IP packet is encapsulated in + another IP datagram, and an IPsec header (AH or ESP) is + inserted between the outer and inner headers. + +.. figure:: /_static/images/ESP_AH.png + :scale: 80 % + :alt: AH and ESP in Transport Mode and Tunnel Mode + +*************************** +IKE (Internet Key Exchange) +*************************** +The default IPsec method for secure key negotiation is the Internet Key +Exchange (IKE) protocol. IKE is designed to provide mutual authentication +of systems, as well as to establish a shared secret key to create IPsec +security associations. A security association (SA) includes all relevant +attributes of the connection, including the cryptographic algorithm used, +the IPsec mode, the encryption key, and other parameters related to the +transmission of data over the VPN connection. + +IKEv1 +===== + +IKEv1 is the older version and is still used today. Nowadays, most +manufacturers recommend using IKEv2 protocol. 
+ +IKEv1 is described in the next RFCs: :rfc:`2409` (IKE), :rfc:`3407` +(IPsec DOI), :rfc:`3947` (NAT-T), :rfc:`3948` (UDP Encapsulation +of ESP Packets), :rfc:`3706` (DPD) + +IKEv1 operates in two phases to establish these IKE and IPsec SAs: + * **Phase 1** provides mutual authentication of the IKE peers and + establishment of the session key. This phase creates an IKE SA (a + security association for IKE) using a DH exchange, cookies, and an + ID exchange. Once an IKE SA is established, all IKE communication + between the initiator and responder is protected with encryption + and an integrity check that is authenticated. The purpose of IKE + phase 1 is to facilitate a secure channel between the peers so that + phase 2 negotiations can occur securely. IKE phase 1 offers two modes: + Main and Aggressive. + + * **Main Mode** is used for site-to-site VPN connections. + + * **Aggressive Mode** is used for remote access VPN connections. + + * **Phase 2** provides for the negotiation and establishment of the + IPsec SAs using ESP or AH to protect IP data traffic. + +IKEv2 +===== + +IKEv2 is described in :rfc:`7296`. The biggest difference between IKEv1 and +IKEv2 is that IKEv2 is much simpler and more reliable than IKEv1 because +fewer messages are exchanged during the establishment of the VPN and +additional security capabilities are available. + + +IKE Authentication +================== + +VyOS supports 3 authentication methods. + * **Pre-shared keys**: In this method, both peers of the IPsec + tunnel must have the same preshared keys. + * **Digital certificates**: PKI is used in this method. + * **RSA-keys**: If the RSA-keys method is used in your IKE policy, + you need to make sure each peer has the other peer’s public keys. + +************************* +DPD (Dead Peer Detection) +************************* + +This is a mechanism used to detect when a VPN peer is no longer active. +This mechanism has different algorithms in IKEv1 and IKEv2 in VyOS. 
+DPD Requests are sent as ISAKMP R-U-THERE messages and DPD Responses +are sent as ISAKMP R-U-THERE-ACK messages. In IKEv1, DPD sends messages +every configured interval. The remote peer is considered unreachable +if no response to these packets is received within the DPD timeout. +In IKEv2, DPD sends messages every configured interval. If one request +is not responded, Strongswan execute its retransmission algorithm with +its timers. https://docs.strongswan.org/docs/5.9/config/retransmission.html + +***************** +Configuration IKE +***************** + +IKE (Internet Key Exchange) Attributes +====================================== + +VyOS IKE group has the next options: + +.. cfgcmd:: set vpn ipsec ike-group <name> close-action <action> + + Defines the action to take if the remote peer unexpectedly + closes a CHILD_SA: + + * **none** - Set action to none (default), + * **trap** - Installs a trap policy (IPsec policy without Security + Association) for the CHILD_SA and traffic matching these policies + will trigger acquire events that cause the daemon to establish the + required IKE/IPsec SAs. + * **start** - Tries to immediately re-create the CHILD_SA. + +.. cfgcmd:: set vpn ipsec ike-group <name> ikev2-reauth + + Whether rekeying of an IKE_SA should also reauthenticate + the peer. In IKEv1, reauthentication is always done. + Setting this parameter enables remote host re-authentication + during an IKE rekey. + +.. cfgcmd:: set vpn ipsec ike-group <name> key-exchange + + Which protocol should be used to initialize the connection + If not set both protocols are handled and connections will + use IKEv2 when initiating, but accept any protocol version + when responding: + + * **ikev1** - Use IKEv1 for Key Exchange. + * **ikev2** - Use IKEv2 for Key Exchange. + +.. cfgcmd:: set vpn ipsec ike-group <name> lifetime + + IKE lifetime in seconds <0-86400> (default 28800). + +.. 
cfgcmd:: set vpn ipsec ike-group <name> mode + + IKEv1 Phase 1 Mode Selection: + + * **main** - Use Main mode for Key Exchanges in the IKEv1 Protocol + (Recommended Default). + * **aggressive** - Use Aggressive mode for Key Exchanges in the IKEv1 + protocol aggressive mode is much more insecure compared to Main mode. + +.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> dh-group <dh-group number> + + Dh-group. Default value is **2**. + +.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> encryption <encryption> + + Encryption algorithm. Default value is **aes128**. + +.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> hash <hash> + + Hash algorithm. Default value is **sha1**. + +.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> prf <prf> + + Pseudo-random function. + + +DPD (Dead Peer Detection) Configuration +======================================= + +.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection action <action> + + Action to perform for this CHILD_SA on DPD timeout. + + * **trap** - Installs a trap policy (IPsec policy without Security + Association), which will catch matching traffic and tries to + re-negotiate the tunnel on-demand. + * **clear** - Closes the CHILD_SA and does not take further action + (default). + * **restart** - Immediately tries to re-negotiate the CHILD_SA + under a fresh IKE_SA. + +.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection interval <interval> + + Keep-alive interval in seconds <2-86400> (default 30). + +.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection timeout <timeout> + + Keep-alive timeout in seconds <2-86400> (default 120) **IKEv1 only** + +ESP (Encapsulating Security Payload) Attributes +=============================================== + +In VyOS, ESP attributes are specified through ESP groups. +Multiple proposals can be specified in a single group. + +VyOS ESP group has the next options: + +.. 
cfgcmd:: set vpn ipsec esp-group <name> compression + + Enables the IPComp(IP Payload Compression) protocol which allows + compressing the content of IP packets. + +.. cfgcmd:: set vpn ipsec esp-group <name> disable-rekey + + Do not locally initiate a re-key of the SA, remote peer must + re-key before expiration. + +.. cfgcmd:: set vpn ipsec esp-group <name> life-bytes <bytes> + + ESP life in bytes <1024-26843545600000>. Number of bytes + transmitted over an IPsec SA before it expires. + +.. cfgcmd:: set vpn ipsec esp-group <name> life-packets <packets> + + ESP life in packets <1000-26843545600000>. + Number of packets transmitted over an IPsec SA before it expires. + +.. cfgcmd:: set vpn ipsec esp-group <name> lifetime <timeout> + + ESP lifetime in seconds <30-86400> (default 3600). + How long a particular instance of a connection (a set of + encryption/authentication keys for user packets) should last, + from successful negotiation to expiry. + +.. cfgcmd:: set vpn ipsec esp-group <name> mode <mode> + + The type of the connection: + + * **tunnel** - Tunnel mode (default). + * **transport** - Transport mode. + +.. cfgcmd:: set vpn ipsec esp-group <name> pfs < dh-group> + + Whether Perfect Forward Secrecy of keys is desired on the + connection's keying channel and defines a Diffie-Hellman group for + PFS: + + * **enable** - Inherit Diffie-Hellman group from IKE group (default). + * **disable** - Disable PFS. + * **<dh-group>** - Defines a Diffie-Hellman group for PFS. + +.. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> encryption <encryption> + + Encryption algorithm. Default value is **aes128**. + +.. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> hash <hash> + + Hash algorithm. Default value is **sha1**. + +Global IPsec Settings +===================== + +.. cfgcmd:: set vpn ipsec interface <name> + + Interface name to restrict outbound IPsec policies. There is a possibility + to specify multiple interfaces. 
If an interfaces are not specified, IPsec + policies apply to all interfaces. + + +.. cfgcmd:: set vpn ipsec log level <number> + + Level of logging. Default value is **0**. + +.. cfgcmd:: set vpn ipsec log subsystem <name> + + Subsystem of the daemon. + +Options +======= + +.. cfgcmd:: set vpn ipsec options disable-route-autoinstall + + Do not automatically install routes to remote + networks. + +.. cfgcmd:: set vpn ipsec options flexvpn + + Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco + FlexVPN vendor ID payload (IKEv2 only), which is required in order to make + Cisco brand devices allow negotiating a local traffic selector (from + strongSwan's point of view) that is not the assigned virtual IP address if + such an address is requested by strongSwan. Sending the Cisco FlexVPN + vendor ID prevents the peer from narrowing the initiator's local traffic + selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 + instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco + template but should also work for GRE encapsulation. + +.. cfgcmd:: set vpn ipsec options interface <name> + + Interface Name to use. The name of the interface on which + virtual IP addresses should be installed. If not specified the addresses + will be installed on the outbound interface. + +.. cfgcmd:: set vpn ipsec options virtual-ip + + Allows the installation of virtual-ip addresses. diff --git a/docs/configuration/vpn/remoteaccess_ipsec.rst b/docs/configuration/vpn/ipsec/remoteaccess_ipsec.rst index 9bc49979..9bc49979 100644 --- a/docs/configuration/vpn/remoteaccess_ipsec.rst +++ b/docs/configuration/vpn/ipsec/remoteaccess_ipsec.rst diff --git a/docs/configuration/vpn/ipsec/site2site_ipsec.rst b/docs/configuration/vpn/ipsec/site2site_ipsec.rst new file mode 100644 index 00000000..80dfa423 --- /dev/null +++ b/docs/configuration/vpn/ipsec/site2site_ipsec.rst 
@@ -0,0 +1,729 @@ +.. _size2site_ipsec: + +###################### +IPsec Site-to-Site VPN +###################### + +**************************** +IPsec Site-to-Site VPN Types +**************************** + +VyOS supports two types of IPsec VPN: Policy-based IPsec VPN and Route-based +IPsec VPN. + +Policy-based VPN +================ + +Policy-based VPN is based on static configured policies. Each policy creates +individual IPSec SA. Traffic matches these SAs encrypted and directed to the +remote peer. + +Route-Based VPN +=============== + +Route-based VPN is based on secure traffic passing over Virtual Tunnel +Interfaces (VTIs). This type of IPsec VPNs allows using routing protocols. + +****************************** +Configuration Site-to-Site VPN +****************************** + +Requirements and Prerequisites for Site-to-Site VPN +=================================================== + +**Negotiated parameters that need to match** + +Phase 1 + * IKE version + * Authentication + * Encryption + * Hashing + * PRF + * Lifetime + + .. note:: Strongswan recommends to use the same lifetime value on both peers + +Phase 2 + * Encryption + * Hashing + * PFS + * Mode (tunnel or transport) + * Lifetime + + .. note:: Strongswan recommends to use the same lifetime value on both peers + + * Remote and Local networks in SA must be compatible on both peers + +Configuration Steps for Site-to-Site VPN +======================================== + +The next example shows the configuration one of the router participating in +IPsec VPN. + +Tunnel information: + * Phase 1: + * encryption: AES256 + * hash: SHA256 + * PRF: SHA256 + * DH: 14 + * lifetime: 28800 + * Phase 2: + * IPsec mode: tunnel + * encryption: AES256 + * hash: SHA256 + * PFS: inherited from DH Phase 1 + * lifetime: 3600 + * If Policy based VPN is used + * Remote network is 192.168.50.0/24. Local network is 192.168.10.0/24 + * If Route based VPN is used + * IP of the VTI interface is 10.0.0.1/30 + +.. 
note:: We do not recommend using policy-based vpn and route-based vpn configurations to the same peer. + +**1. Configure ike-group (IKE Phase 1)** + +.. code-block:: none + + set vpn ipsec ike-group IKE close-action 'start' + set vpn ipsec ike-group IKE key-exchange 'ikev1' + set vpn ipsec ike-group IKE lifetime '28800' + set vpn ipsec ike-group IKE proposal 10 dh-group '14' + set vpn ipsec ike-group IKE proposal 10 encryption 'aes256' + set vpn ipsec ike-group IKE proposal 10 hash 'sha256' + set vpn ipsec ike-group IKE proposal 10 prf 'prfsha256' + +**2. Configure ESP-group (IKE Phase 2)** + +.. code-block:: none + + set vpn ipsec esp-group ESP lifetime '3600' + set vpn ipsec esp-group ESP mode 'tunnel' + set vpn ipsec esp-group ESP pfs 'enable' + set vpn ipsec esp-group ESP proposal 10 encryption 'aes256' + set vpn ipsec esp-group ESP proposal 10 hash 'sha256' + +**3. Specify interface facing to the protected destination.** + +.. code-block:: none + + set vpn ipsec interface eth0 + +**4. Configure PSK keys and authentication ids for this key if authentication type is PSK** + +.. code-block:: none + + set vpn ipsec authentication psk PSK-KEY id '192.168.0.2' + set vpn ipsec authentication psk PSK-KEY id '192.168.5.2' + set vpn ipsec authentication psk PSK-KEY secret 'vyos' + +To set base64 secret encode plaintext password to base64 and set secret-type + +.. code-block:: none + + echo -n "vyos" | base64 + dnlvcw== + +.. code-block:: none + + set vpn ipsec authentication psk PSK-KEY secret 'dnlvcw==' + set vpn ipsec authentication psk PSK-KEY secret-type base64 + + +**5. Configure peer and apply IKE-group and esp-group to peer.** + +.. 
code-block:: none + + set vpn ipsec site-to-site peer PEER1 authentication local-id '192.168.0.2' + set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer PEER1 authentication remote-id '192.168.5.2' + set vpn ipsec site-to-site peer PEER1 connection-type 'initiate' + set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP' + set vpn ipsec site-to-site peer PEER1 ike-group 'IKE' + set vpn ipsec site-to-site peer PEER1 local-address '192.168.0.2' + set vpn ipsec site-to-site peer PEER1 remote-address '192.168.5.2' + + Peer selects the key from step 4 according to local-id/remote-id pair. + +**6. Depends to vpn type (route-based vpn or policy-based vpn).** + + **6.1 For Policy-based VPN configure SAs using tunnel command specifying remote and local networks.** + + .. code-block:: none + + set vpn ipsec site-to-site peer PEER1 tunnel 1 local prefix '192.168.10.0/24' + set vpn ipsec site-to-site peer PEER1 tunnel 1 remote prefix '192.168.50.0/24' + + **6.2 For Route-based VPN create VTI interface, set IP address to this interface and bind this interface to the vpn peer.** + + .. code-block:: none + + set interfaces vti vti1 address 10.0.0.1/30 + set vpn ipsec site-to-site peer PEER1 vti bind vti1 + set vpn ipsec options disable-route-autoinstall + + Create routing between local networks via VTI interface using dynamic or + static routing. + + .. code-block:: none + + set protocol static route 192.168.50.0/24 next-hop 10.0.0.2 + +Initiator and Responder Connection Types +======================================== + +In Site-to-Site IPsec VPN it is recommended that one peer should be an +initiator and the other - the responder. The initiator actively establishes +the VPN tunnel. The responder passively waits for the remote peer to +establish the VPN tunnel. Depends on selected role it is recommended +select proper values for close-action and DPD action. 
+ +The result of wrong value selection can be unstable work of the VPN. + * Duplicate CHILD SA creation. + * None of the VPN sides initiates the tunnel establishment. + +Below flow-chart could be a quick reference for the close-action +combination depending on how the peer is configured. + +.. figure:: /_static/images/IPSec_close_action_settings.png + +Similar combinations are applicable for the dead-peer-detection. + +Detailed Configuration Commands +=============================== + +PSK Key Authentication +---------------------- + +.. cfgcmd:: set vpn ipsec authentication psk <name> dhcp-interface + + ID for authentication generated from DHCP address + dynamically. + +.. cfgcmd:: set vpn ipsec authentication psk id <id> + + static ID's for authentication. In general local and remote + address ``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``. + +.. cfgcmd:: set vpn ipsec authentication psk secret <secret> + + A predefined shared secret used in configured mode + ``pre-shared-secret``. Base64-encoded secrets are allowed if + `secret-type base64` is configured. + +.. cfgcmd:: set vpn ipsec authentication psk secret-type <type> + + Specifies the secret type: + + * **plaintext** - Plain text type (default value). + * **base64** - Base64 type. + +Peer Configuration +------------------ + +Peer Authentication Commands +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication mode <mode> + + Mode for authentication between VyOS and remote peer: + + * **pre-shared-secret** - Use predefined shared secret phrase. + * **rsa** - Use simple shared RSA key. + * **x509** - Use certificates infrastructure for authentication. + + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication local-id <id> + + ID for the local VyOS router. If defined, during the authentication + it will be send to remote peer. + +.. 
cfgcmd:: set vpn ipsec site-to-site peer <name> authentication remote-id <id> + + ID for remote peer, instead of using peer name or + address. Useful in case if the remote peer is behind NAT + or if ``mode x509`` is used. + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication rsa local-key <key> + + Name of PKI key-pair with local private key. + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication rsa remote-key <key> + + Name of PKI key-pair with remote public key. + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication rsa passphrase <passphrase> + + Local private key passphrase. + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication use-x509-id <id> + + Use local ID from x509 certificate. Cannot be used when + ``id`` is defined. + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication x509 ca-certificate <name> + + Name of CA certificate in PKI configuration. Using for authenticating + remote peer in x509 mode. + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication x509 certificate <name> + + Name of certificate in PKI configuration, which will be used + for authenticating local router on remote peer. + +.. cfgcmd:: set vpn ipsec authentication x509 passphrase <passphrase> + + Private key passphrase, if needed. + +Global Peer Configuration Commands +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> connection-type <type> + + Operational mode defines how to handle this connection process. + + * **initiate** - does initial connection to remote peer immediately + after configuring and after boot. In this mode the connection will + not be restarted in case of disconnection, therefore should be used + only together with DPD or another session tracking methods. + * **respond** - does not try to initiate a connection to a remote + peer. In this mode, the IPsec session will be established only + after initiation from a remote peer. 
Could be useful when there + is no direct connectivity to the peer due to firewall or NAT in + the middle of the local and remote side. + * **none** - loads the connection only, which then can be manually + initiated or used as a responder configuration. + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> default-esp-group <name> + + Name of ESP group to use by default for traffic encryption. + Might be overwritten by individual settings for tunnel or VTI + interface binding. + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> description <description> + + Description for this peer. + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> dhcp-interface <interface> + + Specify the interface which IP address, received from DHCP for IPSec + connection with this peer, will be used as ``local-address``. + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> force-udp-encapsulation + + Force encapsulation of ESP into UDP datagrams. Useful in case if + between local and remote side is firewall or NAT, which not + allows passing plain ESP packets between them. + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> ike-group <name> + + Name of IKE group to use for key exchanges. + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> local-address <address> + + Local IP address for IPsec connection with this peer. + If defined ``any``, then an IP address which configured on interface with + default route will be used. + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> remote-address <address> + + Remote IP address or hostname for IPsec connection. IPv4 or IPv6 + address is used when a peer has a public static IP address. Hostname + is a DNS name which could be used when a peer has a public IP + address and DNS name, but an IP address could be changed from time + to time. + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> replay-window <size> + + IPsec replay window to configure for CHILD_SAs + (default: 32), a value of 0 disables IPsec replay protection. + +.. 
cfgcmd:: set vpn ipsec site-to-site peer <name> virtual-address <address> + + Defines a virtual IP address which is requested by the initiator and + one or several IPv4 and/or IPv6 addresses are assigned from multiple + pools by the responder. The wildcard addresses 0.0.0.0 and :: + request an arbitrary address, specific addresses may be defined. + +CHILD SAs Configuration Commands +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Policy-Based CHILD SAs Configuration Commands +""""""""""""""""""""""""""""""""""""""""""""" + +Every configured tunnel under peer configuration is a new CHILD SA. + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> disable + + Disable this tunnel. + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> esp-group <name> + + Specify ESP group for this CHILD SA. + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> priority <number> + + Priority for policy-based IPsec VPN tunnels (lowest value more + preferable). + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> protocol <name> + + Define the protocol for match traffic, which should be encrypted and + send to this peer. + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> local prefix <network> + + IP network at the local side. + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> local port <number> + + Local port number. Have effect only when used together with + ``prefix``. + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> remote prefix <network> + + IP network at the remote side. + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> remote port <number> + + Remote port number. Have effect only when used together with + ``prefix``. + +Route-Based CHILD SAs Configuration Commands +""""""""""""""""""""""""""""""""""""""""""""" + +To configure route-based VPN it is enough to create vti interface and +bind it to the peer. 
Any traffic, which will be send to VTI interface +will be encrypted and send to this peer. Using VTI makes IPsec +configuration much flexible and easier in complex situation, and +allows to dynamically add/delete remote networks, reachable via a +peer, as in this mode router don't need to create additional SA/policy +for each remote network. + +.. warning:: When using site-to-site IPsec with VTI interfaces, + be sure to disable route autoinstall. + +.. code-block:: none + + set vpn ipsec options disable-route-autoinstall + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> vti bind <interface> + + VTI interface to bind to this peer. + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> vti esp-group <name> + + ESP group for encrypt traffic, passed this VTI interface. + +Traffic-selectors parameters for traffic that should pass via vti +interface. + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> vti traffic-selector local prefix <network> + + Local prefix for interesting traffic. + +.. cfgcmd:: set vpn ipsec site-to-site peer <name> vti traffic-selector remote prefix <network> + + Remote prefix for interesting traffic. + +IPsec Op-mode Commands +====================== + +.. opcmd:: show vpn ike sa + + Shows active IKE SAs information. + +.. opcmd:: show vpn ike secrets + + Shows configured authentication keys. + +.. opcmd:: show vpn ike status + + Shows Strongswan daemon status. + +.. opcmd:: show vpn ipsec connections + + Shows summary status of all configured IKE and IPsec SAs. + +.. opcmd:: show vpn ipsec sa [detail] + + Shows active IPsec SAs information. + +.. opcmd:: show vpn ipsec status + + Shows status of IPsec process. + +.. opcmd:: show vpn ipsec policy + + Shows the in-kernel crypto policies. + +.. opcmd:: show vpn ipsec state + + Shows the in-kernel crypto state. + +.. opcmd:: show log ipsec + + Shows IPsec logs. + +.. opcmd:: reset vpn ipsec site-to-site all + + Clear all ipsec connection and reinitiate them if VyOS is configured + as initiator. 
+ +.. opcmd:: reset vpn ipsec site-to-site peer <name> + + Clear all peer IKE SAs with IPsec SAs and reinitiate them if VyOS is + configured as initiator. + +.. opcmd:: reset vpn ipsec site-to-site peer <name> tunnel <number> + + Clear scpecific IPsec SA and reinitiate it if VyOS is configured as + initiator. + +.. opcmd:: reset vpn ipsec site-to-site peer <name> vti <number> + + Clear IPsec SA which is map to vti interface of this peer and + reinitiate it if VyOS is configured as initiator. + +.. opcmd:: restart ipsec + + Restart Strongswan daemon. + +********* +Examples: +********* + +Policy-Based VPN Example +======================== + +**PEER1:** + +* WAN interface on `eth0` +* `eth0` interface IP: `10.0.1.2/30` +* `dum0` interface IP: `192.168.0.1/24` (for testing purposes) +* Initiator + +**PEER2:** + +* WAN interface on `eth0` +* `eth0` interface IP: `10.0.2.2/30` +* `dum0` interface IP: `192.168.1.0/24` (for testing purposes) +* Responder + +.. code-block:: none + + # PEER1 + set interfaces dummy dum0 address '192.168.0.1/32' + set interfaces ethernet eth0 address '10.0.1.2/30' + set protocols static route 0.0.0.0/0 next-hop 10.0.1.1 + set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2' + set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2' + set vpn ipsec authentication psk AUTH-PSK secret 'test' + set vpn ipsec esp-group ESP-GRPOUP lifetime '3600' + set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256' + set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1' + set vpn ipsec ike-group IKE-GROUP close-action 'start' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '120' + set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1' + set vpn ipsec ike-group IKE-GROUP lifetime '28800' + set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14' + set vpn ipsec ike-group IKE-GROUP 
proposal 10 encryption 'aes256' + set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1' + set vpn ipsec interface 'eth0' + set vpn ipsec site-to-site peer PEER2 authentication local-id '10.0.1.2' + set vpn ipsec site-to-site peer PEER2 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer PEER2 authentication remote-id '10.0.2.2' + set vpn ipsec site-to-site peer PEER2 connection-type 'initiate' + set vpn ipsec site-to-site peer PEER2 default-esp-group 'ESP-GRPOUP' + set vpn ipsec site-to-site peer PEER2 ike-group 'IKE-GROUP' + set vpn ipsec site-to-site peer PEER2 local-address '10.0.1.2' + set vpn ipsec site-to-site peer PEER2 remote-address '10.0.2.2' + set vpn ipsec site-to-site peer PEER2 tunnel 0 local prefix '192.168.0.0/24' + set vpn ipsec site-to-site peer PEER2 tunnel 0 remote prefix '192.168.1.0/24' + + + # PEER2 + set interfaces dummy dum0 address '192.168.1.1/32' + set interfaces ethernet eth0 address '10.0.2.2/30' + set protocols static route 0.0.0.0/0 next-hop 10.0.2.1 + set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2' + set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2' + set vpn ipsec authentication psk AUTH-PSK secret 'test' + set vpn ipsec esp-group ESP-GRPOUP lifetime '3600' + set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256' + set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1' + set vpn ipsec ike-group IKE-GROUP close-action 'none' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'clear' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '120' + set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1' + set vpn ipsec ike-group IKE-GROUP lifetime '28800' + set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14' + set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256' + set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1' + set vpn ipsec interface 'eth0' + set vpn ipsec 
site-to-site peer PEER1 authentication local-id '10.0.2.2' + set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer PEER1 authentication remote-id '10.0.1.2' + set vpn ipsec site-to-site peer PEER1 connection-type 'respond' + set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP-GRPOUP' + set vpn ipsec site-to-site peer PEER1 ike-group 'IKE-GROUP' + set vpn ipsec site-to-site peer PEER1 local-address '10.0.2.2' + set vpn ipsec site-to-site peer PEER1 remote-address '10.0.1.2' + set vpn ipsec site-to-site peer PEER1 tunnel 0 local prefix '192.168.1.0/24' + set vpn ipsec site-to-site peer PEER1 tunnel 0 remote prefix '192.168.0.0/24' + + +Show status of policy-based IPsec VPN setup: + +.. code-block:: none + + vyos@PEER2:~$ show vpn ike sa + Peer ID / IP Local ID / IP + ------------ ------------- + 10.0.1.2 10.0.1.2 10.0.2.2 10.0.2.2 + + State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time + ----- ------ ------- ---- --------- ----- ------ ------ + up IKEv1 AES_CBC_256 HMAC_SHA1_96 MODP_2048 no 1254 25633 + + + vyos@srv-gw0:~$ show vpn ipsec sa + Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal + -------------- ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------- + PEER1-tunnel-0 up 20m42s 0B/0B 0/0 10.0.1.2 10.0.1.2 AES_CBC_256/HMAC_SHA1_96/MODP_2048 + + vyos@PEER2:~$ show vpn ipsec connections + Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal + -------------- ------- ------ ---------------- -------------- -------------- ---------- ----------- ---------------------------------- + PEER1 up IKEv1 10.0.1.2 - - 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048 + PEER1-tunnel-0 up IPsec 10.0.1.2 192.168.1.0/24 192.168.0.0/24 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048 + +If there is SNAT rules on eth0, need to add exclude rule + +.. 
code-block:: none + + # PEER1 side + set nat source rule 10 destination address '192.168.1.0/24' + set nat source rule 10 'exclude' + set nat source rule 10 outbound-interface name 'eth0' + set nat source rule 10 source address '192.168.0.0/24' + + # PEER2 side + set nat source rule 10 destination address '192.168.0.0/24' + set nat source rule 10 'exclude' + set nat source rule 10 outbound-interface name 'eth0' + set nat source rule 10 source address '192.168.1.0/24' + + +Route-Based VPN Example +======================= + +**PEER1:** + +* WAN interface on `eth0` +* `eth0` interface IP: `10.0.1.2/30` +* 'vti0' interface IP: `10.100.100.1/30` +* `dum0` interface IP: `192.168.0.1/24` (for testing purposes) +* Role: Initiator + +**PEER2:** + +* WAN interface on `eth0` +* `eth0` interface IP: `10.0.2.2/30` +* 'vti0' interface IP: `10.100.100.2/30` +* `dum0` interface IP: `192.168.1.0/24` (for testing purposes) +* Role: Responder + +.. code-block:: none + + # PEER1 + set interfaces dummy dum0 address '192.168.0.1/32' + set interfaces ethernet eth0 address '10.0.1.2/30' + set interfaces vti vti0 address '10.100.100.1/30' + set protocols static route 0.0.0.0/0 next-hop 10.0.1.1 + set protocols static route 192.168.1.0/24 next-hop 10.100.100.2 + set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2' + set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2' + set vpn ipsec authentication psk AUTH-PSK secret 'test' + set vpn ipsec esp-group ESP-GRPOUP lifetime '3600' + set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256' + set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1' + set vpn ipsec ike-group IKE-GROUP close-action 'start' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30' + set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2' + set vpn ipsec ike-group IKE-GROUP lifetime '28800' + set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14' + set vpn ipsec 
ike-group IKE-GROUP proposal 10 encryption 'aes256' + set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1' + set vpn ipsec interface 'eth0' + set vpn ipsec options disable-route-autoinstall + set vpn ipsec site-to-site peer PEER2 authentication local-id '10.0.1.2' + set vpn ipsec site-to-site peer PEER2 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer PEER2 authentication remote-id '10.0.2.2' + set vpn ipsec site-to-site peer PEER2 connection-type 'initiate' + set vpn ipsec site-to-site peer PEER2 default-esp-group 'ESP-GRPOUP' + set vpn ipsec site-to-site peer PEER2 ike-group 'IKE-GROUP' + set vpn ipsec site-to-site peer PEER2 local-address '10.0.1.2' + set vpn ipsec site-to-site peer PEER2 remote-address '10.0.2.2' + set vpn ipsec site-to-site peer PEER2 vti bind 'vti0' + + + # PEER2 + set interfaces dummy dum0 address '192.168.1.1/32' + set interfaces ethernet eth0 address '10.0.2.2/30' + set interfaces vti vti0 address '10.100.100.2/30' + set protocols static route 0.0.0.0/0 next-hop 10.0.2.1 + set protocols static route 192.168.0.0/24 next-hop 10.100.100.1 + set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2' + set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2' + set vpn ipsec authentication psk AUTH-PSK secret 'test' + set vpn ipsec esp-group ESP-GRPOUP lifetime '3600' + set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256' + set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1' + set vpn ipsec ike-group IKE-GROUP close-action 'none' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'clear' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30' + set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2' + set vpn ipsec ike-group IKE-GROUP lifetime '28800' + set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14' + set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256' + set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1' + set vpn ipsec interface 'eth0' + 
set vpn ipsec options disable-route-autoinstall + set vpn ipsec site-to-site peer PEER1 authentication local-id '10.0.2.2' + set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer PEER1 authentication remote-id '10.0.1.2' + set vpn ipsec site-to-site peer PEER1 connection-type 'respond' + set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP-GRPOUP' + set vpn ipsec site-to-site peer PEER1 ike-group 'IKE-GROUP' + set vpn ipsec site-to-site peer PEER1 local-address '10.0.2.2' + set vpn ipsec site-to-site peer PEER1 remote-address '10.0.1.2' + set vpn ipsec site-to-site peer PEER1 vti bind 'vti0' + +Show status of route-based IPsec VPN setup: + +.. code-block:: none + + vyos@PEER2:~$ show vpn ike sa + Peer ID / IP Local ID / IP + ------------ ------------- + 10.0.1.2 10.0.1.2 10.0.2.2 10.0.2.2 + + State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time + ----- ------ ------- ---- --------- ----- ------ ------ + up IKEv2 AES_CBC_256 HMAC_SHA1_96 MODP_2048 no 404 27650 + + vyos@PEER2:~$ show vpn ipsec sa + Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal + ------------ ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------- + PEER1-vti up 3m28s 0B/0B 0/0 10.0.1.2 10.0.1.2 AES_CBC_256/HMAC_SHA1_96/MODP_2048 + + vyos@PEER2:~$ show vpn ipsec connections + Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal + ------------ ------- ------ ---------------- ---------- ----------- ---------- ----------- ---------------------------------- + PEER1 up IKEv2 10.0.1.2 - - 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048 + PEER1-vti up IPsec 10.0.1.2 0.0.0.0/0 0.0.0.0/0 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048 + ::/0 ::/0 
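Review bot: the PEER1/PEER2 bullet lists in the Route-Based VPN Example do not match the configuration under them. The bullets give `dum0` as `192.168.0.1/24` and `192.168.1.0/24` (the second is a network address, not a host address), while the config sets `set interfaces dummy dum0 address '192.168.0.1/32'` and `'192.168.1.1/32'`; pick one form and use it in both places, and note that the static routes `192.168.1.0/24 next-hop 10.100.100.2` / `192.168.0.0/24 next-hop 10.100.100.1` cover the whole /24 either way. Smaller points in the same hunk: the ESP group is spelled `ESP-GRPOUP` throughout (including `default-esp-group 'ESP-GRPOUP'`), which looks like a typo for `ESP-GROUP`; `'vti0'` is wrapped in single quotes while the other interface names in the bullets use backticks; and the shared secret `'test'` together with `hash 'sha1'` is the kind of example readers copy verbatim, so a placeholder such as `<strong-psk>` and `sha256` would be a better default to show.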
diff --git a/docs/configuration/vpn/ipsec/troubleshooting_ipsec.rst b/docs/configuration/vpn/ipsec/troubleshooting_ipsec.rst new file mode 100644 index 00000000..fdeb347d --- /dev/null +++ b/docs/configuration/vpn/ipsec/troubleshooting_ipsec.rst 
@@ -0,0 +1,323 @@ +.. _troubleshooting_ipsec: + +###################################### +Troubleshooting Site-to-Site VPN IPsec +###################################### + +************ +Introduction +************ + +This document describes the methodology to monitor and troubleshoot +Site-to-Site VPN IPsec. + +Steps for troubleshooting problems with Site-to-Site VPN IPsec: + 1. Ping the remote site through the tunnel using the source and + destination IPs included in the policy. + 2. Check connectivity between the routers using the ping command + (if ICMP traffic is allowed). + 3. Check the IKE SAs' statuses. + 4. Check the IPsec SAs' statuses. + 5. Check logs to view debug messages. + +********************** +Checking IKE SA Status +********************** + +The next command shows IKE SAs' statuses. + +.. code-block:: none + + vyos@vyos:~$ show vpn ike sa + + Peer ID / IP Local ID / IP + ------------ ------------- + 192.168.1.2 192.168.1.2 192.168.0.1 192.168.0.1 + + State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time + ----- ------ ------- ---- --------- ----- ------ ------ + up IKEv2 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 162 27023 + +This command shows the next information: + - IKE SA status. + - Selected IKE version. + - Selected Encryption, Hash and Diffie-Hellman Group. + - NAT-T. + - ID and IP of both peers. + - A-Time: established time, L-Time: time for next rekeying. + +************************** +IPsec SA (CHILD SA) Status +************************** + +The next commands show IPsec SAs' statuses. + +.. code-block:: none + + vyos@vyos:~$ show vpn ipsec sa + Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal + ------------- ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------- + PEER-tunnel-1 up 16m30s 168B/168B 2/2 192.168.1.2 192.168.1.2 AES_CBC_128/HMAC_SHA1_96/MODP_2048 + +.. 
code-block:: none + + vyos@vyos:~$ show vpn ipsec sa detail + PEER: #1, ESTABLISHED, IKEv2, 101275ac719d5a1b_i* 68ea4ec3bed3bf0c_r + local '192.168.0.1' @ 192.168.0.1[4500] + remote '192.168.1.2' @ 192.168.1.2[4500] + AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + established 4054s ago, rekeying in 23131s + PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048 + installed 1065s ago, rekeying in 1998s, expires in 2535s + in c5821882, 168 bytes, 2 packets, 81s ago + out c433406a, 168 bytes, 2 packets, 81s ago + local 10.0.0.0/24 + remote 10.0.1.0/24 + +These commands show the next information: + - IPsec SA status. + - Uptime and time for the next rekeing. + - Amount of transferred data. + - Remote and local ID and IP. + - Selected Encryption, Hash and Diffie-Hellman Group. + - Mode (tunnel or transport). + - Remote and local prefixes which are use for policy. + +There is a possibility to view the summarized information of SAs' status + +.. code-block:: none + + vyos@vyos:~$ show vpn ipsec connections + Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal + ------------- ------- ------ ---------------- ----------- ----------- ----------- ----------- ---------------------------------- + PEER up IKEv2 192.168.1.2 - - 192.168.0.1 192.168.1.2 AES_CBC/128/HMAC_SHA1_96/MODP_2048 + PEER-tunnel-1 up IPsec 192.168.1.2 10.0.0.0/24 10.0.1.0/24 192.168.0.1 192.168.1.2 AES_CBC/128/HMAC_SHA1_96/MODP_2048 + +************************** +Viewing Logs for Debugging +************************** + +If IKE SAs or IPsec SAs are down, need to debug IPsec connectivity +using logs ``show log ipsec`` + +The next example of the successful IPsec connection initialization. + +.. 
code-block:: none + + vyos@vyos:~$ show log ipsec + Jun 20 14:29:47 charon[2428]: 02[NET] <PEER|1> received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes) + Jun 20 14:29:47 charon[2428]: 02[ENC] <PEER|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] + Jun 20 14:29:47 charon-systemd[2428]: received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes) + Jun 20 14:29:47 charon[2428]: 02[CFG] <PEER|1> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + Jun 20 14:29:47 charon-systemd[2428]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] + Jun 20 14:29:47 charon-systemd[2428]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + Jun 20 14:29:47 charon[2428]: 02[IKE] <PEER|1> authentication of '192.168.0.1' (myself) with pre-shared key + Jun 20 14:29:47 charon-systemd[2428]: authentication of '192.168.0.1' (myself) with pre-shared key + Jun 20 14:29:47 charon[2428]: 02[IKE] <PEER|1> establishing CHILD_SA PEER-tunnel-1{1} + Jun 20 14:29:47 charon-systemd[2428]: establishing CHILD_SA PEER-tunnel-1{1} + Jun 20 14:29:47 charon[2428]: 02[ENC] <PEER|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] + Jun 20 14:29:47 charon-systemd[2428]: generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] + Jun 20 14:29:47 charon[2428]: 02[NET] <PEER|1> sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes) + Jun 20 14:29:47 charon-systemd[2428]: sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes) + Jun 20 14:29:47 charon[2428]: 13[NET] <PEER|1> received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (220 bytes) + Jun 20 14:29:47 charon[2428]: 13[ENC] 
<PEER|1> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ] + Jun 20 14:29:47 charon-systemd[2428]: received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (220 bytes) + Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> authentication of '192.168.1.2' with pre-shared key successful + Jun 20 14:29:47 charon-systemd[2428]: parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ] + Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> peer supports MOBIKE + Jun 20 14:29:47 charon-systemd[2428]: authentication of '192.168.1.2' with pre-shared key successful + Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2] + Jun 20 14:29:47 charon-systemd[2428]: peer supports MOBIKE + Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> scheduling rekeying in 27703s + Jun 20 14:29:47 charon-systemd[2428]: IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2] + Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> maximum IKE_SA lifetime 30583s + Jun 20 14:29:47 charon-systemd[2428]: scheduling rekeying in 27703s + Jun 20 14:29:47 charon[2428]: 13[CFG] <PEER|1> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ + Jun 20 14:29:47 charon-systemd[2428]: maximum IKE_SA lifetime 30583s + Jun 20 14:29:47 charon-systemd[2428]: selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ + Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> CHILD_SA PEER-tunnel-1{1} established with SPIs cb94fb3f_i ca99c8a9_o and TS 10.0.0.0/24 === 10.0.1.0/24 + Jun 20 14:29:47 charon-systemd[2428]: CHILD_SA PEER-tunnel-1{1} established with SPIs cb94fb3f_i ca99c8a9_o and TS 10.0.0.0/24 === 10.0.1.0/24 + +************************ +Troubleshooting Examples +************************ + +IKE PROPOSAL are Different +========================== + +In this situation, IKE SAs can be down or not active. + +.. 
code-block:: none + + vyos@vyos:~$ show vpn ike sa + +The problem is in IKE phase (Phase 1). The next step is checking debug logs. + +Responder Side: + +.. code-block:: none + + Jun 23 07:36:33 charon[2440]: 01[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + Jun 23 07:36:33 charon-systemd[2440]: received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + Jun 23 07:36:33 charon[2440]: 01[CFG] <1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + Jun 23 07:36:33 charon-systemd[2440]: configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + Jun 23 07:36:33 charon[2440]: 01[IKE] <1> received proposals unacceptable + Jun 23 07:36:33 charon-systemd[2440]: received proposals unacceptable + Jun 23 07:36:33 charon[2440]: 01[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ] + +Initiator side: + +.. code-block:: none + + Jun 23 07:36:32 charon-systemd[2444]: parsed IKE_SA_INIT response 0 [ N(NO_PROP) ] + Jun 23 07:36:32 charon[2444]: 14[IKE] <PEER|1> received NO_PROPOSAL_CHOSEN notify error + Jun 23 07:36:32 charon-systemd[2444]: received NO_PROPOSAL_CHOSEN notify error + +The notification **NO_PROPOSAL_CHOSEN** means that the proposal mismatch. +On the Responder side there is concrete information where is mismatch. +Encryption **AES_CBC_128** is configured in IKE policy on the responder +but **AES_CBC_256** is configured on the initiator side. + +PSK Secret Mismatch +=================== + +In this situation, IKE SAs can be down or not active. + +.. code-block:: none + + vyos@vyos:~$ show vpn ike sa + +The problem is in IKE phase (Phase 1). The next step is checking debug logs. + +Responder: + +.. code-block:: none + + Jun 23 08:07:26 charon-systemd[2440]: tried 1 shared key for '192.168.1.2' - '192.168.0.1', but MAC mismatched + Jun 23 08:07:26 charon[2440]: 13[ENC] <PEER|3> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] + +Initiator side: + +.. 
code-block:: none + + Jun 23 08:07:24 charon[2436]: 12[ENC] <PEER|1> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ] + Jun 23 08:07:24 charon-systemd[2436]: parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ] + Jun 23 08:07:24 charon[2436]: 12[IKE] <PEER|1> received AUTHENTICATION_FAILED notify error + Jun 23 08:07:24 charon-systemd[2436]: received AUTHENTICATION_FAILED notify error + +The notification **AUTHENTICATION_FAILED** means that the authentication +is failed. There is a reason to check PSK on both side. + +ESP Proposal Mismatch +===================== + +The output of **show** commands shows us that IKE SA is established but +IPSec SA is not. + +.. code-block:: none + + vyos@vyos:~$ show vpn ike sa + Peer ID / IP Local ID / IP + ------------ ------------- + 192.168.1.2 192.168.1.2 192.168.0.1 192.168.0.1 + + State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time + ----- ------ ------- ---- --------- ----- ------ ------ + up IKEv2 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 158 26817 + +.. code-block:: none + + vyos@vyos:~$ show vpn ipsec sa + Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal + ------------ ------- -------- -------------- ---------------- ---------------- ----------- ---------- + +The next step is checking debug logs. + +Initiator side: + +.. 
code-block:: none + + Jun 23 08:16:10 charon[3789]: 13[NET] <PEER|1> received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes) + Jun 23 08:16:10 charon[3789]: 13[ENC] <PEER|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] + Jun 23 08:16:10 charon-systemd[3789]: received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes) + Jun 23 08:16:10 charon[3789]: 13[CFG] <PEER|1> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + Jun 23 08:16:10 charon-systemd[3789]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] + Jun 23 08:16:10 charon-systemd[3789]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 + Jun 23 08:16:10 charon[3789]: 13[IKE] <PEER|1> authentication of '192.168.0.1' (myself) with pre-shared key + Jun 23 08:16:10 charon-systemd[3789]: authentication of '192.168.0.1' (myself) with pre-shared key + Jun 23 08:16:10 charon[3789]: 13[IKE] <PEER|1> establishing CHILD_SA PEER-tunnel-1{1} + Jun 23 08:16:10 charon-systemd[3789]: establishing CHILD_SA PEER-tunnel-1{1} + Jun 23 08:16:10 charon[3789]: 13[ENC] <PEER|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] + Jun 23 08:16:10 charon-systemd[3789]: generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] + Jun 23 08:16:10 charon[3789]: 13[NET] <PEER|1> sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes) + Jun 23 08:16:10 charon-systemd[3789]: sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes) + Jun 23 08:16:10 charon[3789]: 09[NET] <PEER|1> received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (140 bytes) + Jun 23 08:16:10 charon-systemd[3789]: received packet: from 
192.168.1.2[4500] to 192.168.0.1[4500] (140 bytes) + Jun 23 08:16:10 charon[3789]: 09[ENC] <PEER|1> parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ] + Jun 23 08:16:10 charon-systemd[3789]: parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ] + Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> authentication of '192.168.1.2' with pre-shared key successful + Jun 23 08:16:10 charon-systemd[3789]: authentication of '192.168.1.2' with pre-shared key successful + Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> peer supports MOBIKE + Jun 23 08:16:10 charon-systemd[3789]: peer supports MOBIKE + Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2] + Jun 23 08:16:10 charon-systemd[3789]: IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2] + Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> scheduling rekeying in 26975s + Jun 23 08:16:10 charon-systemd[3789]: scheduling rekeying in 26975s + Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> maximum IKE_SA lifetime 29855s + Jun 23 08:16:10 charon-systemd[3789]: maximum IKE_SA lifetime 29855s + Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built + Jun 23 08:16:10 charon-systemd[3789]: received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built + Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> failed to establish CHILD_SA, keeping IKE_SA + Jun 23 08:16:10 charon-systemd[3789]: failed to establish CHILD_SA, keeping IKE_SA + +There are messages: **NO_PROPOSAL_CHOSEN** and +**failed to establish CHILD_SA** which refers that the problem is in +the IPsec(ESP) proposal mismatch. + +The reason of this problem is showed on the responder side. + +.. 
code-block:: none + + Jun 23 08:16:12 charon[2440]: 01[CFG] <PEER|5> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ + Jun 23 08:16:12 charon-systemd[2440]: received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ + Jun 23 08:16:12 charon[2440]: 01[CFG] <PEER|5> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ + Jun 23 08:16:12 charon-systemd[2440]: configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ + Jun 23 08:16:12 charon[2440]: 01[IKE] <PEER|5> no acceptable proposal found + Jun 23 08:16:12 charon-systemd[2440]: no acceptable proposal found + Jun 23 08:16:12 charon[2440]: 01[IKE] <PEER|5> failed to establish CHILD_SA, keeping IKE_SA + +Encryption **AES_CBC_128** is configured in IKE policy on the responder but **AES_CBC_256** +is configured on the initiator side. + +Prefixes in Policies Mismatch +============================= + +As in previous situation, IKE SA is in up state but IPsec SA is not up. +According to logs we can see **TS_UNACCEPTABLE** notification. It means +that prefixes (traffic selectors) mismatch on both sides + +Initiator: + +.. code-block:: none + + Jun 23 14:13:17 charon[4996]: 11[IKE] <PEER|1> received TS_UNACCEPTABLE notify, no CHILD_SA built + Jun 23 14:13:17 charon-systemd[4996]: maximum IKE_SA lifetime 29437s + Jun 23 14:13:17 charon[4996]: 11[IKE] <PEER|1> failed to establish CHILD_SA, keeping IKE_SA + Jun 23 14:13:17 charon-systemd[4996]: received TS_UNACCEPTABLE notify, no CHILD_SA built + Jun 23 14:13:17 charon-systemd[4996]: failed to establish CHILD_SA, keeping IKE_SA + +The reason of this problem is showed on the responder side. + +.. 
code-block:: none + + Jun 23 14:13:19 charon[2440]: 01[IKE] <PEER|7> traffic selectors 10.0.2.0/24 === 10.0.0.0/24 unacceptable + Jun 23 14:13:19 charon-systemd[2440]: traffic selectors 10.0.2.0/24 === 10.0.0.0/24 unacceptable + Jun 23 14:13:19 charon[2440]: 01[IKE] <PEER|7> failed to establish CHILD_SA, keeping IKE_SA + Jun 23 14:13:19 charon-systemd[2440]: failed to establish CHILD_SA, keeping IKE_SA + Jun 23 14:13:19 charon[2440]: 01[ENC] <PEER|7> generating IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ] + Jun 23 14:13:19 charon-systemd[2440]: generating IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ] + +Traffic selectors **10.0.2.0/24 === 10.0.0.0/24** are unacceptable on the +responder side. + + diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst deleted file mode 100644 index 400aff29..00000000 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ /dev/null 
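Review bot: the closing sentence of "ESP Proposal Mismatch" is wrong; it says "Encryption **AES_CBC_128** is configured in IKE policy on the responder but **AES_CBC_256** is configured on the initiator side", copied from the IKE section, but the responder log just above reads `received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ` versus `configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ`, so this should say the ESP group (esp-group proposal), not the IKE policy. In "IKE PROPOSAL are Different" and "PSK Secret Mismatch" the `show vpn ike sa` blocks show the command with no output; either include the empty output or state explicitly that no SA is listed, otherwise the reader cannot tell what "down or not active" looks like. Wording fixes for the same hunk: "rekeing" to "rekeying", "which are use for policy" to "which are used for the policy", "need to debug IPsec connectivity using logs" to "you need to debug IPsec connectivity using `show log ipsec`", "The next example of the successful IPsec connection initialization" to "The next example shows a successful IPsec connection initialization", "IKE PROPOSAL are Different" to "IKE Proposals Differ", "means that the proposal mismatch" to "means that the proposals mismatch", "the authentication is failed. There is a reason to check PSK on both side" to "authentication failed; check the PSK on both sides", "The reason of this problem is showed" to "The reason for this problem is shown", and "IPSec SA" to "IPsec SA" to match the rest of the page. The responder line `tried 1 shared key for '192.168.1.2' - '192.168.0.1', but MAC mismatched` is the diagnostic that identifies a PSK mismatch and deserves the same bold call-out the other sections give their key notify.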
@@ -1,433 +0,0 @@ -.. _size2site_ipsec: - -Site-to-Site -============ - -Site-to-site mode provides a way to add remote peers, which could be configured -to exchange encrypted information between them and VyOS itself or -connected/routed networks. - -To configure site-to-site connection you need to add peers with the -``set vpn ipsec site-to-site peer <name>`` command. - -The peer name must be an alphanumeric and can have hypen or underscore as -special characters. It is purely informational. - -Each site-to-site peer has the next options: - -* ``authentication`` - configure authentication between VyOS and a remote peer. - If pre-shared-secret mode is used, the secret key must be defined in - ``set vpn ipsec authentication`` and suboptions: - - * ``psk`` - Preshared secret key name: - - * ``dhcp-interface`` - ID for authentication generated from DHCP address - dynamically; - * ``id`` - static ID's for authentication. In general local and remote - address ``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``; - * ``secret`` - a predefined shared secret used in configured mode - ``pre-shared-secret``. Base64-encoded secrets are allowed if - `secret-type base64` is configured; - * ``secret-type`` - specifies the secret type, either ``plaintext`` or - ``base64``. Default to ``plaintext``; - - - * ``local-id`` - ID for the local VyOS router. If defined, during the - authentication - it will be send to remote peer; - - * ``mode`` - mode for authentication between VyOS and remote peer: - - * ``pre-shared-secret`` - use predefined shared secret phrase; - - * ``rsa`` - use simple shared RSA key. - - * ``x509`` - use certificates infrastructure for authentication. - - * ``remote-id`` - define an ID for remote peer, instead of using peer name or - address. 
Useful in case if the remote peer is behind NAT or if ``mode x509`` - is used; - - * ``rsa`` - options for RSA authentication mode: - - * ``local-key`` - name of PKI key-pair with local private key - - * ``remote-key`` - name of PKI key-pair with remote public key - - * ``passphrase`` - local private key passphrase - - * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when - ``id`` is defined; - - * ``x509`` - options for x509 authentication mode: - - * ``ca-certificate`` - CA certificate in PKI configuration. Using for - authenticating remote peer; - - * ``certificate`` - certificate file in PKI configuration, which will be used - for authenticating local router on remote peer; - - * ``passphrase`` - private key passphrase, if needed. - -* ``connection-type`` - how to handle this connection process. Possible - variants: - - * ``initiate`` - does initial connection to remote peer immediately after - configuring and after boot. In this mode the connection will not be restarted - in case of disconnection, therefore should be used only together with DPD or - another session tracking methods; - - * ``respond`` - does not try to initiate a connection to a remote peer. In this - mode, the IPSec session will be established only after initiation from a - remote peer. Could be useful when there is no direct connectivity to the - peer due to firewall or NAT in the middle of the local and remote side. - - * ``none`` - loads the connection only, which then can be manually initiated or - used as a responder configuration. - -* ``default-esp-group`` - ESP group to use by default for traffic encryption. - Might be overwritten by individual settings for tunnel or VTI interface - binding; - -* ``description`` - description for this peer; - -* ``dhcp-interface`` - use an IP address, received from DHCP for IPSec - connection with this peer, instead of ``local-address``; - -* ``force-udp-encapsulation`` - force encapsulation of ESP into UDP datagrams. 
- Useful in case if between local and remote side is firewall or NAT, which not - allows passing plain ESP packets between them; - -* ``ike-group`` - IKE group to use for key exchanges; - -* ``ikev2-reauth`` - reauthenticate remote peer during the rekeying process. - Can be used only with IKEv2. - Create a new IKE_SA from the scratch and try to recreate all IPsec SAs; - -* ``local-address`` - local IP address for IPSec connection with this peer. - If defined ``any``, then an IP address which configured on interface with - default route will be used; - -* ``remote-address`` - remote IP address or hostname for IPSec connection. - IPv4 or IPv6 address is used when a peer has a public static IP address. - Hostname is a DNS name which could be used when a peer has a public IP - address and DNS name, but an IP address could be changed from time to time. - -* ``replay-window`` - IPsec replay window to configure for this CHILD_SA - (default: 32), a value of 0 disables IPsec replay protection - -* ``tunnel`` - define criteria for traffic to be matched for encrypting and send - it to a peer: - - * ``disable`` - disable this tunnel; - - * ``esp-group`` - define ESP group for encrypt traffic, defined by this tunnel; - - * ``local`` - define a local source for match traffic, which should be - encrypted and send to this peer: - - * ``port`` - define port. Have effect only when used together with ``prefix``; - - * ``prefix`` - IP network at local side. - - * ``priority`` - Add priority for policy-based IPSec VPN tunnels(lowest value - more preferable) - - * ``protocol`` - define the protocol for match traffic, which should be - encrypted and send to this peer; - - * ``remote`` - define the remote destination for match traffic, which should be - encrypted and send to this peer: - - * ``port`` - define port. Have effect only when used together with ``prefix``; - - * ``prefix`` - IP network at remote side. - -* ``vti`` - use a VTI interface for traffic encryption. 
Any traffic, which will - be send to VTI interface will be encrypted and send to this peer. Using VTI - makes IPSec configuration much flexible and easier in complex situation, and - allows to dynamically add/delete remote networks, reachable via a peer, as in - this mode router don't need to create additional SA/policy for each remote - network: - - * ``bind`` - select a VTI interface to bind to this peer; - - * ``esp-group`` - define ESP group for encrypt traffic, passed this VTI - interface. - -* ``virtual-address`` - Defines a virtual IP address which is requested by the - initiator and one or several IPv4 and/or IPv6 addresses are assigned from - multiple pools by the responder. - -Examples: ------------------- - -IKEv1 -^^^^^ - -Example: - -* WAN interface on `eth1` -* left subnet: `192.168.0.0/24` site1, server side (i.e. locality, actually - there is no client or server roles) -* left local_ip: `198.51.100.3` # server side WAN IP -* right subnet: `10.0.0.0/24` site2,remote office side -* right local_ip: `203.0.113.2` # remote office side WAN IP - -.. 
code-block:: none - - # server config - set vpn ipsec authentication psk OFFICE-B id '198.51.100.3' - set vpn ipsec authentication psk OFFICE-B id '203.0.113.2' - set vpn ipsec authentication psk OFFICE-B secret 'SomePreSharedKey' - set vpn ipsec esp-group office-srv-esp lifetime '1800' - set vpn ipsec esp-group office-srv-esp mode 'tunnel' - set vpn ipsec esp-group office-srv-esp pfs 'enable' - set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256' - set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1' - set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1' - set vpn ipsec ike-group office-srv-ike lifetime '3600' - set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256' - set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1' - set vpn ipsec interface 'eth1' - set vpn ipsec site-to-site peer OFFICE-B authentication local-id '198.51.100.3' - set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '203.0.113.2' - set vpn ipsec site-to-site peer OFFICE-B ike-group 'office-srv-ike' - set vpn ipsec site-to-site peer OFFICE-B local-address '198.51.100.3' - set vpn ipsec site-to-site peer OFFICE-B remote-address '203.0.113.2' - set vpn ipsec site-to-site peer OFFICE-B tunnel 0 esp-group 'office-srv-esp' - set vpn ipsec site-to-site peer OFFICE-B tunnel 0 local prefix '192.168.0.0/24' - set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '10.0.0.0/21' - - # remote office config - set vpn ipsec authentication psk OFFICE-A id '198.51.100.3' - set vpn ipsec authentication psk OFFICE-A id '203.0.113.2' - set vpn ipsec authentication psk OFFICE-A secret 'SomePreSharedKey' - set vpn ipsec esp-group office-srv-esp lifetime '1800' - set vpn ipsec esp-group office-srv-esp mode 'tunnel' - set vpn ipsec esp-group office-srv-esp pfs 'enable' - set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256' - set vpn ipsec 
esp-group office-srv-esp proposal 1 hash 'sha1' - set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1' - set vpn ipsec ike-group office-srv-ike lifetime '3600' - set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256' - set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1' - set vpn ipsec interface 'eth1' - set vpn ipsec site-to-site peer OFFICE-A authentication local-id '203.0.113.2' - set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '198.51.100.3' - set vpn ipsec site-to-site peer OFFICE-A ike-group 'office-srv-ike' - set vpn ipsec site-to-site peer OFFICE-A local-address '203.0.113.2' - set vpn ipsec site-to-site peer OFFICE-A remote-address '198.51.100.3' - set vpn ipsec site-to-site peer OFFICE-A tunnel 0 esp-group 'office-srv-esp' - set vpn ipsec site-to-site peer OFFICE-A tunnel 0 local prefix '10.0.0.0/21' - set vpn ipsec site-to-site peer OFFICE-A tunnel 0 remote prefix '192.168.0.0/24' - -Show status of new setup: - -.. code-block:: none - - vyos@srv-gw0:~$ show vpn ike sa - Peer ID / IP Local ID / IP - ------------ ------------- - 203.0.113.2 198.51.100.3 - State Encrypt Hash D-H Grp NAT-T A-Time L-Time - ----- ------- ---- ------- ----- ------ ------ - up aes256 sha1 5 no 734 3600 - - vyos@srv-gw0:~$ show vpn ipsec sa - Peer ID / IP Local ID / IP - ------------ ------------- - 203.0.113.2 198.51.100.3 - Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto - ------ ----- ------------- ------- ---- ----- ------ ------ ----- - 0 up 7.5M/230.6K aes256 sha1 no 567 1800 all - -If there is SNAT rules on eth1, need to add exclude rule - -.. 
code-block:: none - - # server side - set nat source rule 10 destination address '10.0.0.0/24' - set nat source rule 10 'exclude' - set nat source rule 10 outbound-interface name 'eth1' - set nat source rule 10 source address '192.168.0.0/24' - - # remote office side - set nat source rule 10 destination address '192.168.0.0/24' - set nat source rule 10 'exclude' - set nat source rule 10 outbound-interface name 'eth1' - set nat source rule 10 source address '10.0.0.0/24' - -To allow traffic to pass through to clients, you need to add the following -rules. (if you used the default configuration at the top of this page) - -.. code-block:: none - - # server side - set firewall name OUTSIDE-LOCAL rule 32 action 'accept' - set firewall name OUTSIDE-LOCAL rule 32 source address '10.0.0.0/24' - - # remote office side - set firewall name OUTSIDE-LOCAL rule 32 action 'accept' - set firewall name OUTSIDE-LOCAL rule 32 source address '192.168.0.0/24' - -IKEv2 -^^^^^ - -Example: - -* left local_ip: 192.168.0.10 # VPN Gateway, behind NAT device -* left public_ip:172.18.201.10 -* right local_ip: 172.18.202.10 # right side WAN IP - -Imagine the following topology - -.. figure:: /_static/images/vpn_s2s_ikev2_c.png - :scale: 50 % - :alt: IPSec IKEv2 site2site VPN - - IPSec IKEv2 site2site VPN (source ./draw.io/vpn_s2s_ikev2.drawio) - -**LEFT:** -* WAN interface on `eth0.201` -* `eth0.201` interface IP: `172.18.201.10/24` -* `vti10` interface IP: `10.0.0.2/31` -* `dum0` interface IP: `10.0.11.1/24` (for testing purposes) - -**RIGHT:** -* WAN interface on `eth0.202` -* `eth0.201` interface IP: `172.18.202.10/24` -* `vti10` interface IP: `10.0.0.3/31` -* `dum0` interface IP: `10.0.12.1/24` (for testing purposes) - -.. note:: Don't get confused about the used /31 tunnel subnet. :rfc:`3021` - gives you additional information for using /31 subnets on point-to-point - links. - -**LEFT** - -.. 
code-block:: none - - set interfaces ethernet eth0 vif 201 address '172.18.201.10/24' - set interfaces dummy dum0 address '10.0.11.1/24' - set interfaces vti vti10 address '10.0.0.2/31' - - set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.201.10' - set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.202.10' - set vpn ipsec authentication psk peer_172-18-202-10 secret 'secretkey' - set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' - set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' - set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' - set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' - set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' - set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike - set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' - set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' - set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' - set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' - set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec interface 'eth0.201' - set vpn ipsec site-to-site peer peer_172-18-202-10 authentication local-id '172.18.201.10' - set vpn ipsec site-to-site peer peer_172-18-202-10 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer peer_172-18-202-10 authentication remote-id '172.18.202.10' - set vpn ipsec site-to-site peer peer_172-18-202-10 connection-type 'initiate' - set vpn ipsec site-to-site peer peer_172-18-202-10 ike-group 'IKEv2_DEFAULT' - set vpn ipsec site-to-site peer peer_172-18-202-10 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer peer_172-18-202-10 local-address 
'172.18.201.10' - set vpn ipsec site-to-site peer peer_172-18-202-10 remote-address '172.18.202.10' - set vpn ipsec site-to-site peer peer_172-18-202-10 vti bind 'vti10' - set vpn ipsec site-to-site peer peer_172-18-202-10 vti esp-group 'ESP_DEFAULT' - - set protocols static interface-route 10.0.12.0/24 next-hop-interface vti10 - -**RIGHT** - -.. code-block:: none - - set interfaces ethernet eth0 vif 202 address '172.18.202.10/24' - set interfaces dummy dum0 address '10.0.12.1/24' - set interfaces vti vti10 address '10.0.0.3/31' - - set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.202.10' - set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.201.10' - set vpn ipsec authentication psk peer_172-18-201-10 secret 'secretkey' - set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' - set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' - set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' - set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' - set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' - set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike - set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' - set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' - set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' - set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' - set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec interface 'eth0.202' - set vpn ipsec site-to-site peer peer_172-18-201-10 authentication local-id '172.18.202.10' - set vpn ipsec site-to-site peer peer_172-18-201-10 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer peer_172-18-201-10 
authentication remote-id '172.18.201.10' - set vpn ipsec site-to-site peer peer_172-18-201-10 connection-type 'initiate' - set vpn ipsec site-to-site peer peer_172-18-201-10 ike-group 'IKEv2_DEFAULT' - set vpn ipsec site-to-site peer peer_172-18-201-10 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer peer_172-18-201-10 local-address '172.18.202.10' - set vpn ipsec site-to-site peer peer_172-18-201-10 remote-address '172.18.201.10' - set vpn ipsec site-to-site peer peer_172-18-201-10 vti bind 'vti10' - set vpn ipsec site-to-site peer peer_172-18-201-10 vti esp-group 'ESP_DEFAULT' - - set protocols static interface-route 10.0.11.0/24 next-hop-interface vti10 - -Key Parameters: - -* ``authentication local-id/remote-id`` - IKE identification is used for - validation of VPN peer devices during IKE negotiation. If you do not configure - local/remote-identity, the device uses the IPv4 or IPv6 address that - corresponds to the local/remote peer by default. - In certain network setups (like ipsec interface with dynamic address, or - behind the NAT ), the IKE ID received from the peer does not match the IKE - gateway configured on the device. This can lead to a Phase 1 validation - failure. - So, make sure to configure the local/remote id explicitly and ensure that the - IKE ID is the same as the remote-identity configured on the peer device. - -* ``disable-route-autoinstall`` - This option when configured disables the - routes installed in the default table 220 for site-to-site ipsec. - It is mostly used with VTI configuration. - -* ``dead-peer-detection action = clear | trap | restart`` - R_U_THERE - notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) - are periodically sent in order to check the liveliness of the IPsec peer. The - values clear, trap, and restart all activate DPD and determine the action to - perform on a timeout. - With ``clear`` the connection is closed with no further actions taken. 
- ``trap`` installs a trap policy, which will catch matching traffic and tries - to re-negotiate the connection on demand. - ``restart`` will immediately trigger an attempt to re-negotiate the - connection. - -* ``close-action = none | clear | trap | start`` - defines the action to take - if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of - values). A closeaction should not be used if the peer uses reauthentication or - uniqueids. - - When the close-action option is set on the peers, the connection-type - of each peer has to considered carefully. For example, if the option is set - on both peers, then both would attempt to initiate and hold open multiple - copies of each child SA. This might lead to instability of the device or - cpu/memory utilization. - - Below flow-chart could be a quick reference for the close-action - combination depending on how the peer is configured. - -.. figure:: /_static/images/IPSec_close_action_settings.jpg - - Similar combinations are applicable for the dead-peer-detection. |
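Review bot: the SNAT-exclude and firewall examples in the deleted IKEv1 section do not match the tunnel they accompany, so if this text is being relocated rather than dropped it should be corrected on the way. The tunnel is defined with `tunnel 0 local prefix '10.0.0.0/21'` and `tunnel 0 remote prefix '192.168.0.0/24'`, yet the "server side" exclude rule uses `source address '192.168.0.0/24'` with a 10.0.0.0/24 destination, i.e. the remote network as source and a /24 where the tunnel uses a /21; the two sides' NAT rules read as if their labels were swapped, and the OUTSIDE-LOCAL accept rules carry the same inversion (the server accepting from 10.0.0.0/24, its own prefix). The `show vpn ike sa` output is also inconsistent with the config: the peer is set up with local-address 203.0.113.2 and remote-address 198.51.100.3, but the output lists 203.0.113.2 under "Peer ID / IP" and 198.51.100.3 under "Local ID / IP". In the IKEv2 section, the intro bullets describe a left gateway at 192.168.0.10 behind a NAT device, but neither that address nor any NAT appears in the LEFT configuration (it terminates directly on eth0.201 with 172.18.201.10), and the RIGHT topology list names eth0.201 as carrying 172.18.202.10/24 although RIGHT's WAN interface is eth0.202. Finally, the deleted figure directive points at IPSec_close_action_settings.jpg; make sure the relocated page references whichever image file exists under _static/images after this change, and fix "A closeaction" and "has to considered" (missing "be") when the Key Parameters text is moved.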