Diffstat (limited to 'docs')
-rw-r--r--  docs/_static/images/policy-based-ipsec-and-firewall.png  bin  0 -> 42987 bytes
-rw-r--r--  docs/configexamples/index.rst  1
-rw-r--r--  docs/configexamples/policy-based-ipsec-and-firewall.rst  281
3 files changed, 282 insertions, 0 deletions
| diff --git a/docs/_static/images/policy-based-ipsec-and-firewall.png b/docs/_static/images/policy-based-ipsec-and-firewall.pngBinary files differ new file mode 100644 index 00000000..6e9d43ac --- /dev/null +++ b/docs/_static/images/policy-based-ipsec-and-firewall.png diff --git a/docs/configexamples/index.rst b/docs/configexamples/index.rst index 80083fe1..a0413bfd 100644 --- a/docs/configexamples/index.rst +++ b/docs/configexamples/index.rst @@ -21,6 +21,7 @@ This chapter contains various configuration examples:     qos     segment-routing-isis     nmp +   policy-based-ipsec-and-firewall  Configuration Blueprints (autotest) diff --git a/docs/configexamples/policy-based-ipsec-and-firewall.rst b/docs/configexamples/policy-based-ipsec-and-firewall.rst new file mode 100644 index 00000000..1f969453 --- /dev/null +++ b/docs/configexamples/policy-based-ipsec-and-firewall.rst 
@@ -0,0 +1,281 @@ +.. _examples-policy-based-ipsec-and-firewall: + + +Policy-Based Site-to-Site VPN and Firewall Configuration +-------------------------------------------------------- + +This guide shows an example policy-based IKEv2 site-to-site VPN between two +VyOS routers, and firewall configiuration. + +For simplicity, configuration and tests are done only using ipv4, and firewall +configuration in done only on one router. + +Network Topology and requirements +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This configuration example and the requirments consists on: + +- Two VyOS routers with public IP address. + +- 2 private subnets on each site. + +- Local subnets should be able to reach internet using source nat. + +- Communication between private subnets should be done through ipsec tunnel +  without nat. + +- Configuration of basic firewall in one site, in order to: + +    - Protect the router on 'WAN' interface, allowing only ipsec connections +      and ssh access from trusted ips. + +    - Allow access to the router only from trusted networks. +     +    - Allow dns requests only only for local networks. + +    - Allow icmp on all interfaces. + +    - Allow all new connections from local subnets. + +    - Allow connections from LANs to LANs throught the tunnel. + + +.. image:: /_static/images/policy-based-ipsec-and-firewall.png + + +Configuration +^^^^^^^^^^^^^ + +Interface and routing configuration: + +.. code-block:: none + +    # LEFT router: +    set interfaces ethernet eth0 address '198.51.100.14/30' +    set interfaces ethernet eth1 vif 111 address '10.1.11.1/24' +    set interfaces ethernet eth2 vif 112 address '10.1.12.1/24' +    set protocols static route 0.0.0.0/0 next-hop 198.51.100.13 + +    # RIGHT router: +    set interfaces ethernet eth0 address '192.0.2.130/30' +    set interfaces ethernet eth1 vif 221 address '10.2.21.1/24' +    set interfaces ethernet eth2 vif 222 address '10.2.22.1/24' + + +IPSec configuration: + +.. 
code-block:: none + +    # LEFT router: +    set vpn ipsec authentication psk RIGHT id '198.51.100.14' +    set vpn ipsec authentication psk RIGHT id '192.0.2.130' +    set vpn ipsec authentication psk RIGHT secret 'p4ssw0rd' +    set vpn ipsec esp-group ESP-GROUP mode 'tunnel' +    set vpn ipsec esp-group ESP-GROUP proposal 1 encryption 'aes256' +    set vpn ipsec esp-group ESP-GROUP proposal 1 hash 'sha256' +    set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2' +    set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group '14' +    set vpn ipsec ike-group IKE-GROUP proposal 1 encryption 'aes256' +    set vpn ipsec ike-group IKE-GROUP proposal 1 hash 'sha256' +    set vpn ipsec interface 'eth0' +    set vpn ipsec site-to-site peer RIGHT authentication mode 'pre-shared-secret' +    set vpn ipsec site-to-site peer RIGHT connection-type 'initiate' +    set vpn ipsec site-to-site peer RIGHT default-esp-group 'ESP-GROUP' +    set vpn ipsec site-to-site peer RIGHT ike-group 'IKE-GROUP' +    set vpn ipsec site-to-site peer RIGHT local-address '198.51.100.14' +    set vpn ipsec site-to-site peer RIGHT remote-address '192.0.2.130' +    set vpn ipsec site-to-site peer RIGHT tunnel 0 local prefix '10.1.11.0/24' +    set vpn ipsec site-to-site peer RIGHT tunnel 0 remote prefix '10.2.21.0/24' +    set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix '10.1.11.0/24' +    set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix '10.2.22.0/24' +    set vpn ipsec site-to-site peer RIGHT tunnel 2 local prefix '10.1.12.0/24' +    set vpn ipsec site-to-site peer RIGHT tunnel 2 remote prefix '10.2.21.0/24' +    set vpn ipsec site-to-site peer RIGHT tunnel 3 local prefix '10.1.12.0/24' +    set vpn ipsec site-to-site peer RIGHT tunnel 3 remote prefix '10.2.22.0/24' + +    # RIGHT router: +    set vpn ipsec authentication psk LEFT id '192.0.2.130' +    set vpn ipsec authentication psk LEFT id '198.51.100.14' +    set vpn ipsec authentication psk LEFT secret 'p4ssw0rd' +    
set vpn ipsec esp-group ESP-GROUP mode 'tunnel' +    set vpn ipsec esp-group ESP-GROUP proposal 1 encryption 'aes256' +    set vpn ipsec esp-group ESP-GROUP proposal 1 hash 'sha256' +    set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2' +    set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group '14' +    set vpn ipsec ike-group IKE-GROUP proposal 1 encryption 'aes256' +    set vpn ipsec ike-group IKE-GROUP proposal 1 hash 'sha256' +    set vpn ipsec interface 'eth0' +    set vpn ipsec site-to-site peer LEFT authentication mode 'pre-shared-secret' +    set vpn ipsec site-to-site peer LEFT connection-type 'respond' +    set vpn ipsec site-to-site peer LEFT default-esp-group 'ESP-GROUP' +    set vpn ipsec site-to-site peer LEFT ike-group 'IKE-GROUP' +    set vpn ipsec site-to-site peer LEFT local-address '192.0.2.130' +    set vpn ipsec site-to-site peer LEFT remote-address '198.51.100.14' +    set vpn ipsec site-to-site peer LEFT tunnel 0 local prefix '10.2.21.0/24' +    set vpn ipsec site-to-site peer LEFT tunnel 0 remote prefix '10.1.11.0/24' +    set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix '10.2.22.0/24' +    set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix '10.1.11.0/24' +    set vpn ipsec site-to-site peer LEFT tunnel 2 local prefix '10.2.21.0/24' +    set vpn ipsec site-to-site peer LEFT tunnel 2 remote prefix '10.1.12.0/24' +    set vpn ipsec site-to-site peer LEFT tunnel 3 local prefix '10.2.22.0/24' +    set vpn ipsec site-to-site peer LEFT tunnel 3 remote prefix '10.1.12.0/24' + +Firewall Configuration: + +.. 
code-block:: none + +    # Firewall Groups: +    set firewall group network-group LOCAL-NETS network '10.1.11.0/24' +    set firewall group network-group LOCAL-NETS network '10.1.12.0/24' +    set firewall group network-group REMOTE-NETS network '10.2.21.0/24' +    set firewall group network-group REMOTE-NETS network '10.2.22.0/24' +    set firewall group network-group TRUSTED network '198.51.100.125/32' +    set firewall group network-group TRUSTED network '203.0.113.0/24' +    set firewall group network-group TRUSTED network '10.1.11.0/24' +    set firewall group network-group TRUSTED network '192.168.70.0/24' + +    # Forward traffic: default drop and only allow what is needed +    set firewall ipv4 forward filter default-action 'drop' +     +    # Forward traffic: global state policies +    set firewall ipv4 forward filter rule 1 action 'accept' +    set firewall ipv4 forward filter rule 1 state established 'enable' +    set firewall ipv4 forward filter rule 1 state related 'enable' +    set firewall ipv4 forward filter rule 2 action 'drop' +    set firewall ipv4 forward filter rule 2 state invalid 'enable' +     +    # Forward traffic: Accept all connections from local networks +    set firewall ipv4 forward filter rule 10 action 'accept' +    set firewall ipv4 forward filter rule 10 source group network-group 'LOCAL-NETS' +     +    # Forward traffic: accept connections from remote LANs to local LANs +    set firewall ipv4 forward filter rule 20 action 'accept' +    set firewall ipv4 forward filter rule 20 destination group network-group 'LOCAL-NETS' +    set firewall ipv4 forward filter rule 20 source group network-group 'REMOTE-NETS' + +    # Input traffic: default drop and only allow what is needed +    set firewall ipv4 input filter default-action 'drop' + +    # Input traffic: global state policies +    set firewall ipv4 input filter rule 1 action 'accept' +    set firewall ipv4 input filter rule 1 state established 'enable' +    set firewall ipv4 input 
filter rule 1 state related 'enable' +    set firewall ipv4 input filter rule 2 action 'drop' +    set firewall ipv4 input filter rule 2 state invalid 'enable' + +    # Input traffic: add rules needed for ipsec connection +    set firewall ipv4 input filter rule 10 action 'accept' +    set firewall ipv4 input filter rule 10 destination port '500,4500' +    set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth0' +    set firewall ipv4 input filter rule 10 protocol 'udp' +    set firewall ipv4 input filter rule 15 action 'accept' +    set firewall ipv4 input filter rule 15 inbound-interface interface-name 'eth0' +    set firewall ipv4 input filter rule 15 protocol 'esp' + +    # Input traffic: accept ssh connection from trusted ips +    set firewall ipv4 input filter rule 20 action 'accept' +    set firewall ipv4 input filter rule 20 destination port '22' +    set firewall ipv4 input filter rule 20 protocol 'tcp' +    set firewall ipv4 input filter rule 20 source group network-group 'TRUSTED' + +    # Input traffic: accepd dns requests only from local networks. +    set firewall ipv4 input filter rule 25 action 'accept' +    set firewall ipv4 input filter rule 25 destination port '53' +    set firewall ipv4 input filter rule 25 protocol 'udp' +    set firewall ipv4 input filter rule 25 source group network-group 'LOCAL-NETS' + +    # Input traffic: allow icmp +    set firewall ipv4 input filter rule 30 action 'accept' +    set firewall ipv4 input filter rule 30 protocol 'icmp' + +And NAT Configuration: + +.. 
code-block:: none + +    set nat source rule 10 destination group network-group 'REMOTE-NETS' +    set nat source rule 10 exclude +    set nat source rule 10 outbound-interface 'eth0' +    set nat source rule 10 source group network-group 'LOCAL-NETS' +    set nat source rule 20 outbound-interface 'eth0' +    set nat source rule 20 source group network-group 'LOCAL-NETS' +    set nat source rule 20 translation address 'masquerade' + +Checking through op-mode commands +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +After some testing, we can check ipsec status, and counter on every tunnel: + +.. code-block:: none + +    vyos@LEFT:~$ show vpn ipsec sa +    Connection      State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal +    --------------  -------  --------  --------------  ----------------  ----------------  -----------  --------------------------------------- +    RIGHT-tunnel-0  up       36m24s    840B/840B       10/10             192.0.2.130       192.0.2.130  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048 +    RIGHT-tunnel-1  up       36m33s    588B/588B       7/7               192.0.2.130       192.0.2.130  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048 +    RIGHT-tunnel-2  up       35m50s    1K/1K           15/15             192.0.2.130       192.0.2.130  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048 +    RIGHT-tunnel-3  up       36m54s    2K/2K           32/32             192.0.2.130       192.0.2.130  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048 +    vyos@LEFT:~$  + + +Also, we can check firewall counters: + +.. 
code-block:: none + +    vyos@LEFT:~$ show firewall +    Rulesets Information + +    --------------------------------- +    IPv4 Firewall "forward filter" + +    Rule     Action    Protocol      Packets    Bytes  Conditions +    -------  --------  ----------  ---------  -------  ------------------------------------------------------ +    1        accept    all               681    96545  ct state { established, related }  accept +    2        drop      all                 0        0  ct state invalid +    10       accept    all               360    27205  ip saddr @N_LOCAL-NETS  accept +    20       accept    all                 8      648  ip daddr @N_LOCAL-NETS ip saddr @N_REMOTE-NETS  accept +    default  drop      all + +    --------------------------------- +    IPv4 Firewall "input filter" + +    Rule     Action    Protocol      Packets    Bytes  Conditions +    -------  --------  ----------  ---------  -------  ---------------------------------------------- +    1        accept    all               901   123709  ct state { established, related }  accept +    2        drop      all                 0        0  ct state invalid +    10       accept    udp                 0        0  udp dport { 500, 4500 } iifname "eth0"  accept +    15       accept    esp                 0        0  meta l4proto esp iifname "eth0"  accept +    20       accept    tcp                 1       60  tcp dport 22 ip saddr @N_TRUSTED  accept +    25       accept    udp                 0        0  udp dport 53 ip saddr @N_LOCAL-NETS  accept +    30       accept    icmp                0        0  meta l4proto icmp  accept +    default  drop      all + +    vyos@LEFT:~$  +    vyos@LEFT:~$ show firewall statistics  +    Rulesets Statistics + +    --------------------------------- +    IPv4 Firewall "forward filter" + +    Rule     Packets    Bytes    Action    Source       Destination    Inbound-Interface    Outbound-interface +    -------  ---------  -------  --------  -----------  
-------------  -------------------  -------------------- +    1        681        96545    accept    any          any            any                  any +    2        0          0        drop      any          any            any                  any +    10       360        27205    accept    LOCAL-NETS   any            any                  any +    20       8          648      accept    REMOTE-NETS  LOCAL-NETS     any                  any +    default  N/A        N/A      drop      any          any            any                  any + +    --------------------------------- +    IPv4 Firewall "input filter" + +    Rule     Packets    Bytes    Action    Source      Destination    Inbound-Interface    Outbound-interface +    -------  ---------  -------  --------  ----------  -------------  -------------------  -------------------- +    1        905        124213   accept    any         any            any                  any +    2        0          0        drop      any         any            any                  any +    10       0          0        accept    any         any            eth0                 any +    15       0          0        accept    any         any            eth0                 any +    20       1          60       accept    TRUSTED     any            any                  any +    25       0          0        accept    LOCAL-NETS  any            any                  any +    30       0          0        accept    any         any            any                  any +    default  N/A        N/A      drop      any         any            any                  any + +    vyos@LEFT:~$  | 
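Review bot: in the new policy-based-ipsec-and-firewall.rst, the RIGHT router's interface and routing block has no route toward the LEFT peer. LEFT gets `set protocols static route 0.0.0.0/0 next-hop 198.51.100.13`, but RIGHT only configures eth0 as 192.0.2.130/30 plus its two VLAN interfaces, so as written RIGHT cannot reach 198.51.100.14 to answer the IKE exchange and its LANs cannot reach the internet, which the requirements list demands; add the matching default route (presumably via 192.0.2.129, the other usable address in that /30) or say explicitly that RIGHT's upstream routing is out of scope. Related: the text says firewall configuration is done on only one router but never names it; the LOCAL-NETS membership and the `vyos@LEFT:~$` op-mode output show it is LEFT, so state that in the "Firewall Configuration" and NAT lead-ins (the NAT rules are LEFT-only as well). The requirement bullet "Protect the router on 'WAN' interface, allowing only ipsec connections and ssh access from trusted ips" also does not match input rule 30, which accepts all ICMP from any source on every interface; either mention ICMP in that bullet or scope rule 30 so the WAN bullet stays true. The example PSK `p4ssw0rd` deserves a one-line remark that a deployment should use a long random secret. Spelling and grammar to fix: "configiuration", "requirments", "consists on" (should be "consists of"), "configuration in done" (should be "is done"), "only only", "throught", "accepd".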
