Diffstat (limited to 'docs/configuration/vpn/ipsec.rst')
-rw-r--r-- | docs/configuration/vpn/ipsec.rst | 657 |
1 files changed, 0 insertions, 657 deletions
diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst deleted file mode 100644 index 5e44312d..00000000 --- a/docs/configuration/vpn/ipsec.rst +++ /dev/null 
@@ -1,657 +0,0 @@ -.. _ipsec: - -##### -IPsec -##### - -:abbr:`GRE (Generic Routing Encapsulation)`, GRE/IPsec (or IPIP/IPsec, -SIT/IPsec, or any other stateless tunnel protocol over IPsec) is the usual way -to protect the traffic inside a tunnel. - -An advantage of this scheme is that you get a real interface with its own -address, which makes it easier to setup static routes or use dynamic routing -protocols without having to modify IPsec policies. The other advantage is that -it greatly simplifies router to router communication, which can be tricky with -plain IPsec because the external outgoing address of the router usually doesn't -match the IPsec policy of a typical site-to-site setup and you would need to -add special configuration for it, or adjust the source address of the outgoing -traffic of your applications. GRE/IPsec has no such problem and is completely -transparent for applications. - -GRE/IPIP/SIT and IPsec are widely accepted standards, which make this scheme -easy to implement between VyOS and virtually any other router. - -For simplicity we'll assume that the protocol is GRE, it's not hard to guess -what needs to be changed to make it work with a different protocol. We assume -that IPsec will use pre-shared secret authentication and will use AES128/SHA1 -for the cipher and hash. Adjust this as necessary. - -.. NOTE:: VMware users should ensure that a VMXNET3 adapter is used. E1000 - adapters have known issues with GRE processing. - -************************************** -IKE (Internet Key Exchange) Attributes -************************************** - -IKE performs mutual authentication between two parties and establishes -an IKE security association (SA) that includes shared secret information -that can be used to efficiently establish SAs for Encapsulating Security -Payload (ESP) or Authentication Header (AH) and a set of cryptographic -algorithms to be used by the SAs to protect the traffic that they carry. 
-https://datatracker.ietf.org/doc/html/rfc5996 - -In VyOS, IKE attributes are specified through IKE groups. -Multiple proposals can be specified in a single group. - -VyOS IKE group has the next options: - -* ``close-action`` defines the action to take if the remote peer unexpectedly - closes a CHILD_SA: - - * ``none`` set action to none (default); - - * ``trap`` installs a trap policy for the CHILD_SA; - - * ``start`` tries to immediately re-create the CHILD_SA; - -* ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol - (DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty - INFORMATIONAL messages (IKEv2) are periodically sent in order to check the - liveliness of the IPsec peer: - - * ``action`` keep-alive failure action: - - * ``trap`` installs a trap policy, which will catch matching traffic - and tries to re-negotiate the tunnel on-demand; - - * ``clear`` closes the CHILD_SA and does not take further action (default); - - * ``restart`` immediately tries to re-negotiate the CHILD_SA - under a fresh IKE_SA; - - * ``interval`` keep-alive interval in seconds <2-86400> (default 30); - - * ``timeout`` keep-alive timeout in seconds <2-86400> (default 120) IKEv1 only - -* ``ikev2-reauth`` whether rekeying of an IKE_SA should also reauthenticate - the peer. In IKEv1, reauthentication is always done. - Setting this parameter enables remote host re-authentication during an IKE - rekey. - -* ``key-exchange`` which protocol should be used to initialize the connection - If not set both protocols are handled and connections will use IKEv2 when - initiating, but accept any protocol version when responding: - - * ``ikev1`` use IKEv1 for Key Exchange; - - * ``ikev2`` use IKEv2 for Key Exchange; - -* ``lifetime`` IKE lifetime in seconds <0-86400> (default 28800); - -* ``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 - and enabled by default. 
- -* ``mode`` IKEv1 Phase 1 Mode Selection: - - * ``main`` use Main mode for Key Exchanges in the IKEv1 Protocol - (Recommended Default); - - * ``aggressive`` use Aggressive mode for Key Exchanges in the IKEv1 protocol - aggressive mode is much more insecure compared to Main mode; - -* ``proposal`` the list of proposals and their parameters: - - * ``dh-group`` dh-group; - - * ``encryption`` encryption algorithm; - - * ``hash`` hash algorithm. - - * ``prf`` pseudo-random function. - -*********************************************** -ESP (Encapsulating Security Payload) Attributes -*********************************************** - -ESP is used to provide confidentiality, data origin authentication, -connectionless integrity, an anti-replay service (a form of partial sequence -integrity), and limited traffic flow confidentiality. -https://datatracker.ietf.org/doc/html/rfc4303 - -In VyOS, ESP attributes are specified through ESP groups. -Multiple proposals can be specified in a single group. - -VyOS ESP group has the next options: - -* ``compression`` Enables the IPComp(IP Payload Compression) protocol which - allows compressing the content of IP packets. - -* ``life-bytes`` ESP life in bytes <1024-26843545600000>. - Number of bytes transmitted over an IPsec SA before it expires; - -* ``life-packets`` ESP life in packets <1000-26843545600000>. - Number of packets transmitted over an IPsec SA before it expires; - -* ``lifetime`` ESP lifetime in seconds <30-86400> (default 3600). 
- How long a particular instance of a connection (a set of - encryption/authentication keys for user packets) should last, - from successful negotiation to expiry; - -* ``mode`` the type of the connection: - - * ``tunnel`` tunnel mode (default); - - * ``transport`` transport mode; - -* ``pfs`` whether Perfect Forward Secrecy of keys is desired on the - connection's keying channel and defines a Diffie-Hellman group for PFS: - - * ``enable`` Inherit Diffie-Hellman group from IKE group (default); - - * ``disable`` Disable PFS; - - * ``< dh-group >`` defines a Diffie-Hellman group for PFS; - -* ``proposal`` ESP-group proposal with number <1-65535>: - - * ``encryption`` encryption algorithm (default 128 bit AES-CBC); - - * ``hash`` hash algorithm (default sha1). - - * ``disable-rekey`` Do not locally initiate a re-key of the SA, remote - peer must re-key before expiration. - -*********************************************** -Options (Global IPsec settings) Attributes -*********************************************** - -* ``options`` - - * ``disable-route-autoinstall`` Do not automatically install routes to remote - networks; - - * ``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco - FlexVPN vendor ID payload (IKEv2 only), which is required in order to make - Cisco brand devices allow negotiating a local traffic selector (from - strongSwan's point of view) that is not the assigned virtual IP address if - such an address is requested by strongSwan. Sending the Cisco FlexVPN - vendor ID prevents the peer from narrowing the initiator's local traffic - selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 - instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco - template but should also work for GRE encapsulation; - - * ``interface`` Interface Name to use. The name of the interface on which - virtual IP addresses should be installed. 
If not specified the addresses - will be installed on the outbound interface; - - * ``virtual-ip`` Allows the installation of virtual-ip addresses. A comma - separated list of virtual IPs to request in IKEv2 configuration payloads or - IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an - arbitrary address, specific addresses may be defined. The responder may - return a different address, or none at all. Define the ``virtual-address`` - option to configure the IP address in a site-to-site hierarchy. - -************************* -IPsec policy matching GRE -************************* - -The first and arguably cleaner option is to make your IPsec policy match GRE -packets between external addresses of your routers. This is the best option if -both routers have static external addresses. - -Suppose the LEFT router has external address 192.0.2.10 on its eth0 interface, -and the RIGHT router is 203.0.113.45 - -On the LEFT: - -.. code-block:: none - - # GRE tunnel - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 source-address 192.0.2.10 - set interfaces tunnel tun0 remote 203.0.113.45 - set interfaces tunnel tun0 address 10.10.10.1/30 - - ## IPsec - set vpn ipsec interface eth0 - - # Pre-shared-secret - set vpn ipsec authentication psk vyos id 192.0.2.10 - set vpn ipsec authentication psk vyos id 203.0.113.45 - set vpn ipsec authentication psk vyos secret MYSECRETKEY - - # IKE group - set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2' - set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128' - set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1' - - # ESP group - set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128' - set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1' - - # IPsec tunnel - set vpn ipsec site-to-site peer right authentication mode pre-shared-secret - set vpn ipsec site-to-site peer right authentication remote-id 203.0.113.45 - - set vpn ipsec site-to-site peer right 
ike-group MyIKEGroup - set vpn ipsec site-to-site peer right default-esp-group MyESPGroup - - set vpn ipsec site-to-site peer right local-address 192.0.2.10 - set vpn ipsec site-to-site peer right remote-address 203.0.113.45 - - # This will match all GRE traffic to the peer - set vpn ipsec site-to-site peer right tunnel 1 protocol gre - -On the RIGHT, setup by analogy and swap local and remote addresses. - - -Source tunnel from dummy interface -================================== - -The scheme above doesn't work when one of the routers has a dynamic external -address though. The classic workaround for this is to setup an address on a -loopback interface and use it as a source address for the GRE tunnel, then setup -an IPsec policy to match those loopback addresses. - -We assume that the LEFT router has static 192.0.2.10 address on eth0, and the -RIGHT router has a dynamic address on eth0. - -The peer names RIGHT and LEFT are used as informational text. - -**Setting up the GRE tunnel** - -On the LEFT: - -.. code-block:: none - - set interfaces dummy dum0 address 192.168.99.1/32 - - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 address 10.10.10.1/30 - set interfaces tunnel tun0 source-address 192.168.99.1 - set interfaces tunnel tun0 remote 192.168.99.2 - -On the RIGHT: - -.. code-block:: none - - set interfaces dummy dum0 address 192.168.99.2/32 - - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 address 10.10.10.2/30 - set interfaces tunnel tun0 source-address 192.168.99.2 - set interfaces tunnel tun0 remote 192.168.99.1 - -**Setting up IPSec** - -However, now you need to make IPsec work with dynamic address on one side. The -tricky part is that pre-shared secret authentication doesn't work with dynamic -address, so we'll have to use RSA keys. - -First, on both routers run the operational command "generate pki key-pair -install <key-pair name>". You may choose different length than 2048 of course. - -.. 
code-block:: none - - vyos@left# run generate pki key-pair install ipsec-LEFT - Enter private key type: [rsa, dsa, ec] (Default: rsa) - Enter private key bits: (Default: 2048) - Note: If you plan to use the generated key on this router, do not encrypt the private key. - Do you want to encrypt the private key with a passphrase? [y/N] N - Configure mode commands to install key pair: - Do you want to install the public key? [Y/n] Y - set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...' - Do you want to install the private key? [Y/n] Y - set pki key-pair ipsec-LEFT private key 'MIIEvgIBADAN...' - [edit] - -Configuration commands for the private and public key will be displayed on the -screen which needs to be set on the router first. -Note the command with the public key -(set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'). -Then do the same on the opposite router: - -.. code-block:: none - - vyos@left# run generate pki key-pair install ipsec-RIGHT - -Note the command with the public key -(set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...'). - -Now the noted public keys should be entered on the opposite routers. - -On the LEFT: - -.. code-block:: none - - set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...' - -On the RIGHT: - -.. code-block:: none - - set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...' - -Now you are ready to setup IPsec. You'll need to use an ID instead of address -for the peer. - -On the LEFT (static address): - -.. 
code-block:: none - - set vpn ipsec interface eth0 - - set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 - set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 - - set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 - set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 - set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - - set vpn ipsec site-to-site peer RIGHT authentication local-id LEFT - set vpn ipsec site-to-site peer RIGHT authentication mode rsa - set vpn ipsec site-to-site peer RIGHT authentication rsa local-key ipsec-LEFT - set vpn ipsec site-to-site peer RIGHT authentication rsa remote-key ipsec-RIGHT - set vpn ipsec site-to-site peer RIGHT authentication remote-id RIGHT - set vpn ipsec site-to-site peer RIGHT default-esp-group MyESPGroup - set vpn ipsec site-to-site peer RIGHT ike-group MyIKEGroup - set vpn ipsec site-to-site peer RIGHT local-address 192.0.2.10 - set vpn ipsec site-to-site peer RIGHT connection-type respond - set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local - set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote - -On the RIGHT (dynamic address): - -.. 
code-block:: none - - set vpn ipsec interface eth0 - - set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 - set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 - - set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 - set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 - set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - - set vpn ipsec site-to-site peer LEFT authentication local-id RIGHT - set vpn ipsec site-to-site peer LEFT authentication mode rsa - set vpn ipsec site-to-site peer LEFT authentication rsa local-key ipsec-RIGHT - set vpn ipsec site-to-site peer LEFT authentication rsa remote-key ipsec-LEFT - set vpn ipsec site-to-site peer LEFT authentication remote-id LEFT - set vpn ipsec site-to-site peer LEFT connection-type initiate - set vpn ipsec site-to-site peer LEFT default-esp-group MyESPGroup - set vpn ipsec site-to-site peer LEFT ike-group MyIKEGroup - set vpn ipsec site-to-site peer LEFT local-address any - set vpn ipsec site-to-site peer LEFT remote-address 192.0.2.10 - set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local - set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote - - -******************************************* -IKEv2 IPSec road-warriors remote-access VPN -******************************************* - -Internet Key Exchange version 2, IKEv2 for short, is a request/response -protocol developed by both Cisco and Microsoft. It is used to establish and -secure IPv4/IPv6 connections, be it a site-to-site VPN or from a -road-warrior connecting to a hub site. IKEv2, when run in point-to-multipoint, -or remote-access/road-warrior mode, secures the server-side with another layer -by using an x509 signed server certificate. 
- -Key exchange and payload encryption is still done using IKE and ESP proposals -as known from IKEv1 but the connections are faster to establish, more reliable, -and also support roaming from IP to IP (called MOBIKE which makes sure your -connection does not drop when changing networks from e.g. WIFI to LTE and back). - -This feature closely works together with :ref:`pki` subsystem as you required -a x509 certificate. - -Example -======= - -This example uses CACert as certificate authority. - -.. code-block:: - - set pki ca CAcert_Class_3_Root certificate 'MIIGPTCCBCWgAwIBAgIDFOIoMA0GCSqGSIb3DQEBDQUAMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnMB4XDTIxMDQxOTEyMTgzMFoXDTMxMDQxNzEyMTgzMFowVDEUMBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57aiX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6CjQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgiapNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPtXapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luLoFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGprmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVABfvpAgMBAAGjgfIwge8wDwYDVR0TAQH/BAUwAwEB/zBhBggrBgEFBQcBAQRVMFMwIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLkNBY2VydC5vcmcvMCwGCCsGAQUFBzAChiBodHRwOi8vd3d3LkNBY2VydC5vcmcvY2xhc3MzLmNydDBFBgNVHSAEPjA8MDoGCysGAQQBgZBKAgMBMCswKQYIKwYBBQUHAgEWHWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZy9jcHMucGhwMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHBzOi8vd3d3LmNhY2VydC5vcmcvY2xhc3MzLmNybDANBgkqhkiG
9w0BAQ0FAAOCAgEAxh6td1y0KJvRyI1EEsC9dnYEgyEH+BGCf2vBlULAOBG1JXCNiwzB1Wz9HBoDfIv4BjGlnd5BKdSLm4TXPcE3hnGjH1thKR5dd3278K25FRkTFOY1gP+mGbQ3hZRB6IjDX+CyBqS7+ECpHTms7eo/mARN+Yz5R3lzUvXs3zSX+z534NzRg4i6iHNHWqakFcQNcA0PnksTB37vGD75pQGqeSmx51L6UzrIpn+274mhsaFNL85jhX+lKuk71MGjzwoThbuZ15xmkITnZtRQs6HhLSIqJWjDILIrxLqYHehK71xYwrRNhFb3TrsWaEJskrhveM0Os/vvoLNkh/L3iEQ5/LnmLMCYJNRALF7I7gsduAJNJrgKGMYvHkt1bo8uIXO8wgNV7qoU4JoaB1ML30QUqGcFr0TI06FFdgK2fwy5hulPxm6wuxW0v+iAtXYx/mRkwQpYbcVQtrIDvx1CT1k50cQxi+jIKjkcFWHw3kBoDnCos0/ukegPT7aQnk2AbL4c7nCkuAcEKw1BAlSETkfqi5btdlhh58MhewZv1LcL5zQyg8w1puclT3wXQvy8VwPGn0J/mGD4gLLZ9rGcHDUECokxFoWk+u5MCcVqmGbsyG4q5suS3CNslsHURfM8bQK4oLvHR8LCHEBMRcdFBn87cSvOK6eB1kdGKLA8ymXxZp8=' - set pki ca CAcert_Signing_Authority certificate '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' - -After you obtain your server certificate you can import it from a file on the -local filesystem, or paste it into the CLI. Please note that when entering the -certificate manually you need to strip the ``-----BEGIN KEY-----`` and -``-----END KEY-----`` tags. Also, the certificate or key needs to be presented -in a single line without line breaks (``\n``). - -To import it from the filesystem use: - -.. code-block:: - - import pki certificate <name> file /path/to/cert.pem - -In our example the certificate name is called vyos: - -.. code-block:: - - set pki certificate vyos certificate 'MIIE45s...' - set pki certificate vyos private key 'MIIEvgI...' - -After the PKI certs are all set up we can start configuring our IPSec/IKE -proposals used for key-exchange end data encryption. The used encryption -ciphers and integrity algorithms vary from operating system to operating -system. The ones used in this post are validated to work on both Windows 10 -and iOS/iPadOS 14 to 17. - -.. 
code-block:: - - set vpn ipsec esp-group ESP-RW compression 'disable' - set vpn ipsec esp-group ESP-RW lifetime '3600' - set vpn ipsec esp-group ESP-RW pfs 'disable' - set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes128gcm128' - set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256' - - set vpn ipsec ike-group IKE-RW key-exchange 'ikev2' - set vpn ipsec ike-group IKE-RW lifetime '7200' - set vpn ipsec ike-group IKE-RW mobike 'enable' - set vpn ipsec ike-group IKE-RW proposal 10 dh-group '14' - set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes128gcm128' - set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha256' - -Every connection/remote-access pool we configure also needs a pool where -we can draw our client IP addresses from. We provide one IPv4 and IPv6 pool. -Authorized clients will receive an IPv4 address from the 192.0.2.128/25 prefix -and an IPv6 address from the 2001:db8:2000::/64 prefix. We can also send some -DNS nameservers down for our clients to use with their connection. - -.. code-block:: - - set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.1' - set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.0.2.128/25' - set vpn ipsec remote-access pool ra-rw-ipv6 name-server '2001:db8:1000::1' - set vpn ipsec remote-access pool ra-rw-ipv6 prefix '2001:db8:2000::/64' - -VyOS supports multiple IKEv2 remote-access connections. Every connection can -have its own dedicated IKE/ESP ciphers, certificates or local listen address -for e.g. inbound load balancing. - -We configure a new connection named ``rw`` for road-warrior, that identifies -itself as ``192.0.2.1`` to the clients and uses the ``vyos`` certificate -signed by the `CAcert_Class3_Root`` intermediate CA. We select our previously -specified IKE/ESP groups and also link the IP address pool to draw addresses -from. - -.. 
code-block:: - - set vpn ipsec remote-access connection rw authentication id '192.0.2.1' - set vpn ipsec remote-access connection rw authentication server-mode 'x509' - set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'CAcert_Class_3_Root' - set vpn ipsec remote-access connection rw authentication x509 certificate 'vyos' - set vpn ipsec remote-access connection rw esp-group 'ESP-RW' - set vpn ipsec remote-access connection rw ike-group 'IKE-RW' - set vpn ipsec remote-access connection rw local-address '192.0.2.1' - set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4' - set vpn ipsec remote-access connection rw pool 'ra-rw-ipv6' - -VyOS also supports (currently) two different modes of authentication, local and -RADIUS. To create a new local user named ``vyos`` with password ``vyos`` use the -following commands. - -.. code-block:: - - set vpn ipsec remote-access connection rw authentication client-mode 'eap-mschapv2' - set vpn ipsec remote-access connection rw authentication local-users username vyos password 'vyos' - -If you feel better forwarding all authentication requests to your enterprises -RADIUS server, use the commands below. - -.. code-block:: - - set vpn ipsec remote-access connection rw authentication client-mode 'eap-radius' - set vpn ipsec remote-access radius server 192.0.2.2 key 'secret' - -Client Configuration -==================== - -Configuring VyOS to act as your IPSec access concentrator is one thing, but -you probably need to setup your client connecting to the server so they can -talk to the IPSec gateway. - -Microsoft Windows (10+) ------------------------ - -Windows 10 does not allow a user to choose the integrity and encryption ciphers -using the GUI and it uses some older proposals by default. A user can only -change the proposals on the client side by configuring the IPSec connection -profile via PowerShell. 
- -We generate a connection profile used by Windows clients that will connect to -the "rw" connection on our VyOS server on the VPN servers IP address/fqdn -`vpn.vyos.net`. - -.. note:: Microsoft Windows expects the server name to be also used in the - server's certificate common name, so it's best to use this DNS name for - your VPN connection. - -.. code-block:: - - vyos@vyos:~$ generate ipsec profile windows-remote-access rw remote vpn.vyos.net - - ==== <snip> ==== - Add-VpnConnection -Name "VyOS IKEv2 VPN" -ServerAddress "vpn.vyos.net" -TunnelType "Ikev2" - Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256128 -PfsGroup None -DHGroup "Group14" -PassThru -Force - ==== </snip> ==== - -As both Microsoft Windows and Apple iOS/iPadOS only support a certain set of -encryption ciphers and integrity algorithms we will validate the configured -IKE/ESP proposals and only list the compatible ones to the user — if multiple -are defined. If there are no matching proposals found — we can not generate a -profile for you. - -When first connecting to the new VPN the user is prompted to enter proper -credentials. - -Apple iOS/iPadOS (14.2+) ------------------------- - -Like on Microsoft Windows, Apple iOS/iPadOS out of the box does not expose -all available VPN options via the device GUI. - -If you want, need, and should use more advanced encryption ciphers (default -is still 3DES) you need to provision your device using a so-called "Device -Profile". A profile is a simple text file containing XML nodes with a -``.mobileconfig`` file extension that can be sent and opened on any device -from an E-Mail. 
- -Profile generation happens from the operational level and is as simple as -issuing the following command to create a profile to connect to the IKEv2 -access server at ``vpn.vyos.net`` with the configuration for the ``rw`` -remote-access connection group. - -.. note:: Apple iOS/iPadOS expects the server name to be also used in the - server's certificate common name, so it's best to use this DNS name for - your VPN connection. - -.. code-block:: - - vyos@vyos:~$ generate ipsec profile ios-remote-access rw remote vpn.vyos.net - - ==== <snip> ==== - <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> - <plist version="1.0"> - ... - </plist> - ==== </snip> ==== - -In the end, an XML structure is generated which can be saved as -``vyos.mobileconfig`` and sent to the device by E-Mail where it later can -be imported. - -During profile import, the user is asked to enter its IPSec credentials -(username and password) which is stored on the mobile. - -Operation Mode -============== - -.. opcmd:: show vpn ike sa - - Show all currently active IKE Security Associations. - -.. opcmd:: show vpn ike sa nat-traversal - - Show all currently active IKE Security Associations (SA) that are using - NAT Traversal. - -.. opcmd:: show vpn ike sa peer <peer_name> - - Show all currently active IKE Security Associations (SA) for a specific - peer. - -.. opcmd:: show vpn ike secrets - - Show all the configured pre-shared secret keys. - -.. opcmd:: show vpn ike status - - Show the detailed status information of IKE charon process. - -.. opcmd:: show vpn ipsec connections - - Show details of all available VPN connections - -.. opcmd:: show vpn ipsec policy - - Print out the list of existing crypto policies - -.. opcmd:: show vpn ipsec sa - - Show all active IPsec Security Associations (SA) - -.. opcmd:: show vpn ipsec sa detail - - Show a detailed information of all active IPsec Security Associations (SA) - in verbose format. - -.. 
opcmd:: show vpn ipsec state - - Print out the list of existing in-kernel crypto state - -.. opcmd:: show vpn ipsec status - - Show the status of running IPsec process and process ID. - -.. opcmd:: restart ipsec - - Restart the IPsec VPN process and re-establishes the connection. - -.. opcmd:: reset vpn ipsec site-to-site all - - Reset all site-to-site IPSec VPN sessions. It terminates all active - child_sa and reinitiates the connection. - -.. opcmd:: reset vpn ipsec site-to-site peer <name> - - Reset all tunnels for a given peer, can specify tunnel or vti interface. - It terminates a specific child_sa and reinitiates the connection. - -.. opcmd:: show log ipsec - - Show logs for IPsec |
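Review bot: the `.. _ipsec:` label at the top of this file is removed with it, and the hunk (with `deleted file mode 100644` and a diffstat limited to this one path) gives no indication of where the 657 lines went, so any `:ref:` to `ipsec` elsewhere in the docs will fail to resolve unless the content was relocated and the label re-created or redirected in the same change; please point to the replacement page in the commit message or keep the label on a stub. If the text is being moved rather than dropped, the moved copy should also pick up the defects visible here: the road-warrior example writes `signed by the `CAcert_Class3_Root`` intermediate CA` with unbalanced backticks and a name that does not match the configured `CAcert_Class_3_Root`; the same example sets `set vpn ipsec ike-group IKE-RW mobike 'enable'` while the option list above documents only `disable-mobike` (MOBIKE on by default for IKEv2), so one of the two is stale; the three `.. code-block::` fences in that section lack the `none` language argument used everywhere else in the file; and `IPSec` and `IPsec` are mixed throughout the headings and opcmd descriptions. The security-relevant guidance in the deleted text (aggressive mode being far weaker than main mode, PSK authentication being unusable with a dynamic peer address, the defaults of AES-128/SHA1/DH group 2 that the examples lean on) is worth preserving verbatim wherever the page lands, since it is the only place these caveats appear.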