.. _ipsec_general: ######################### IPsec General Information ######################### *********************** Information about IPsec *********************** IPsec is the framework used to secure data. IPsec accomplishes these goals by providing authentication, encryption of IP network packets, key exchange, and key management. VyOS uses Strongswan package to implement IPsec. **Authentication Header (AH)** is defined in :rfc:`4302`. It creates a hash using the IP header and data payload, and prepends it to the packet. This hash is used to validate that the data has not been changed during transfer over the network. **Encapsulating Security Payload (ESP)** is defined in :rfc:`4303`. It provides encryption and authentication of the data. There are two IPsec modes: **IPsec Transport Mode**: In transport mode, an IPSec header (AH or ESP) is inserted between the IP header and the upper layer protocol header. **IPsec Tunnel Mode:** In tunnel mode, the original IP packet is encapsulated in another IP datagram, and an IPsec header (AH or ESP) is inserted between the outer and inner headers. .. figure:: /_static/images/ESP_AH.png :scale: 80 % :alt: AH and ESP in Transport Mode and Tunnel Mode *************************** IKE (Internet Key Exchange) *************************** The default IPsec method for secure key negotiation is the Internet Key Exchange (IKE) protocol. IKE is designed to provide mutual authentication of systems, as well as to establish a shared secret key to create IPsec security associations. A security association (SA) includes all relevant attributes of the connection, including the cryptographic algorithm used, the IPsec mode, the encryption key, and other parameters related to the transmission of data over the VPN connection. IKEv1 ===== IKEv1 is the older version and is still used today. Nowadays, most manufacturers recommend using IKEv2 protocol. IKEv1 is described in the next RFCs: :rfc:`2409` (IKE), :rfc:`3407` (IPsec DOI), :rfc:`3947` (NAT-T), :rfc:`3948` (UDP Encapsulation of ESP Packets), :rfc:`3706` (DPD) IKEv1 operates in two phases to establish these IKE and IPsec SAs: * **Phase 1** provides mutual authentication of the IKE peers and establishment of the session key. This phase creates an IKE SA (a security association for IKE) using a DH exchange, cookies, and an ID exchange. Once an IKE SA is established, all IKE communication between the initiator and responder is protected with encryption and an integrity check that is authenticated. The purpose of IKE phase 1 is to facilitate a secure channel between the peers so that phase 2 negotiations can occur securely. IKE phase 1 offers two modes: Main and Aggressive. * **Main Mode** is used for site-to-site VPN connections. * **Aggressive Mode** is used for remote access VPN connections. * **Phase 2** provides for the negotiation and establishment of the IPsec SAs using ESP or AH to protect IP data traffic. IKEv2 ===== IKEv2 is described in :rfc:`7296`. The biggest difference between IKEv1 and IKEv2 is that IKEv2 is much simpler and more reliable than IKEv1 because fewer messages are exchanged during the establishment of the VPN and additional security capabilities are available. IKE Authentication ================== VyOS supports 3 authentication methods. * **Pre-shared keys**: In this method, both peers of the IPsec tunnel must have the same preshared keys. * **Digital certificates**: PKI is used in this method. * **RSA-keys**: If the RSA-keys method is used in your IKE policy, you need to make sure each peer has the other peer’s public keys. ************************* DPD (Dead Peer Detection) ************************* This is a mechanism used to detect when a VPN peer is no longer active. This mechanism has different algorithms in IKEv1 and IKEv2 in VyOS. DPD Requests are sent as ISAKMP R-U-THERE messages and DPD Responses are sent as ISAKMP R-U-THERE-ACK messages. In IKEv1, DPD sends messages every configured interval. The remote peer is considered unreachable if no response to these packets is received within the DPD timeout. In IKEv2, DPD sends messages every configured interval. If one request is not responded, Strongswan execute its retransmission algorithm with its timers. https://docs.strongswan.org/docs/5.9/config/retransmission.html ***************** Configuration IKE ***************** IKE (Internet Key Exchange) Attributes ====================================== VyOS IKE group has the next options: .. cfgcmd:: set vpn ipsec ike-group close-action Defines the action to take if the remote peer unexpectedly closes a CHILD_SA: * **none** - Set action to none (default), * **trap** - Installs a trap policy (IPsec policy without Security Association) for the CHILD_SA and traffic matching these policies will trigger acquire events that cause the daemon to establish the required IKE/IPsec SAs. * **start** - Tries to immediately re-create the CHILD_SA. .. cfgcmd:: set vpn ipsec ike-group ikev2-reauth Whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done. Setting this parameter enables remote host re-authentication during an IKE rekey. .. cfgcmd:: set vpn ipsec ike-group key-exchange Which protocol should be used to initialize the connection If not set both protocols are handled and connections will use IKEv2 when initiating, but accept any protocol version when responding: * **ikev1** - Use IKEv1 for Key Exchange. * **ikev2** - Use IKEv2 for Key Exchange. .. cfgcmd:: set vpn ipsec ike-group lifetime IKE lifetime in seconds <0-86400> (default 28800). .. cfgcmd:: set vpn ipsec ike-group mode IKEv1 Phase 1 Mode Selection: * **main** - Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default). * **aggressive** - Use Aggressive mode for Key Exchanges in the IKEv1 protocol aggressive mode is much more insecure compared to Main mode. .. cfgcmd:: set vpn ipsec ike-group proposal dh-group Dh-group. Default value is **2**. .. cfgcmd:: set vpn ipsec ike-group proposal encryption Encryption algorithm. Default value is **aes128**. .. cfgcmd:: set vpn ipsec ike-group proposal hash Hash algorithm. Default value is **sha1**. .. cfgcmd:: set vpn ipsec ike-group proposal prf Pseudo-random function. DPD (Dead Peer Detection) Configuration ======================================= .. cfgcmd:: set vpn ipsec ike-group dead-peer-detection action Action to perform for this CHILD_SA on DPD timeout. * **trap** - Installs a trap policy (IPsec policy without Security Association), which will catch matching traffic and tries to re-negotiate the tunnel on-demand. * **clear** - Closes the CHILD_SA and does not take further action (default). * **restart** - Immediately tries to re-negotiate the CHILD_SA under a fresh IKE_SA. .. cfgcmd:: set vpn ipsec ike-group dead-peer-detection interval Keep-alive interval in seconds <2-86400> (default 30). .. cfgcmd:: set vpn ipsec ike-group dead-peer-detection timeout Keep-alive timeout in seconds <2-86400> (default 120) **IKEv1 only** ESP (Encapsulating Security Payload) Attributes =============================================== In VyOS, ESP attributes are specified through ESP groups. Multiple proposals can be specified in a single group. VyOS ESP group has the next options: .. cfgcmd:: set vpn ipsec esp-group compression Enables the IPComp(IP Payload Compression) protocol which allows compressing the content of IP packets. .. cfgcmd:: set vpn ipsec esp-group disable-rekey Do not locally initiate a re-key of the SA, remote peer must re-key before expiration. .. cfgcmd:: set vpn ipsec esp-group life-bytes ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires. .. cfgcmd:: set vpn ipsec esp-group life-packets ESP life in packets <1000-26843545600000>. Number of packets transmitted over an IPsec SA before it expires. .. cfgcmd:: set vpn ipsec esp-group lifetime ESP lifetime in seconds <30-86400> (default 3600). How long a particular instance of a connection (a set of encryption/authentication keys for user packets) should last, from successful negotiation to expiry. .. cfgcmd:: set vpn ipsec esp-group mode The type of the connection: * **tunnel** - Tunnel mode (default). * **transport** - Transport mode. .. cfgcmd:: set vpn ipsec esp-group pfs < dh-group> Whether Perfect Forward Secrecy of keys is desired on the connection's keying channel and defines a Diffie-Hellman group for PFS: * **enable** - Inherit Diffie-Hellman group from IKE group (default). * **disable** - Disable PFS. * **** - Defines a Diffie-Hellman group for PFS. .. cfgcmd:: set vpn ipsec esp-group proposal encryption Encryption algorithm. Default value is **aes128**. .. cfgcmd:: set vpn ipsec esp-group proposal hash Hash algorithm. Default value is **sha1**. Global IPsec Settings ===================== .. cfgcmd:: set vpn ipsec interface Interface name to restrict outbound IPsec policies. There is a possibility to specify multiple interfaces. If an interfaces are not specified, IPsec policies apply to all interfaces. .. cfgcmd:: set vpn ipsec log level Level of logging. Default value is **0**. .. cfgcmd:: set vpn ipsec log subsystem Subsystem of the daemon. Options ======= .. cfgcmd:: set vpn ipsec options disable-route-autoinstall Do not automatically install routes to remote networks. .. cfgcmd:: set vpn ipsec options flexvpn Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work for GRE encapsulation. .. cfgcmd:: set vpn ipsec options interface Interface Name to use. The name of the interface on which virtual IP addresses should be installed. If not specified the addresses will be installed on the outbound interface. .. cfgcmd:: set vpn ipsec options virtual-ip Allows the installation of virtual-ip addresses.