path: root/docs/configexamples/policy-based-ipsec-and-firewall.rst
blob: 2337c1acbadefed0167107efc643a225580a6b5b (plain)
.. _examples-policy-based-ipsec-and-firewall:


Policy-Based Site-to-Site VPN and Firewall Configuration
--------------------------------------------------------

This guide shows an example policy-based IKEv2 site-to-site VPN between two
VyOS routers, together with a firewall configuration.

For simplicity, the configuration and tests use IPv4 only, and the firewall is
configured on only one router.

Network Topology and requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This configuration example and its requirements consist of:

- Two VyOS routers, each with a public IP address.

- Two private subnets on each site.

- Local subnets should be able to reach the internet using source NAT.

- Communication between the private subnets should go through the IPSec tunnel
  without NAT.

- Configuration of a basic firewall on one site, in order to:

    - Protect the router on the 'WAN' interface, allowing only IPSec connections
      and SSH access from trusted IPs.

    - Allow access to the router only from trusted networks.

    - Allow DNS requests only from local networks.

    - Allow ICMP on all interfaces.

    - Allow all new connections from local subnets.

    - Allow connections from LANs to LANs through the tunnel.


.. image:: /_static/images/policy-based-ipsec-and-firewall.png


Configuration
^^^^^^^^^^^^^

Interface and routing configuration:

.. code-block:: none

    # LEFT router:
    set interfaces ethernet eth0 address '198.51.100.14/30'
    set interfaces ethernet eth1 vif 111 address '10.1.11.1/24'
    set interfaces ethernet eth2 vif 112 address '10.1.12.1/24'
    set protocols static route 0.0.0.0/0 next-hop 198.51.100.13

    # RIGHT router:
    set interfaces ethernet eth0 address '192.0.2.130/30'
    set interfaces ethernet eth1 vif 221 address '10.2.21.1/24'
    set interfaces ethernet eth2 vif 222 address '10.2.22.1/24'


IPSec configuration:

.. code-block:: none

    # LEFT router:
    set vpn ipsec authentication psk RIGHT id '198.51.100.14'
    set vpn ipsec authentication psk RIGHT id '192.0.2.130'
    set vpn ipsec authentication psk RIGHT secret 'p4ssw0rd'
    set vpn ipsec esp-group ESP-GROUP mode 'tunnel'
    set vpn ipsec esp-group ESP-GROUP proposal 1 encryption 'aes256'
    set vpn ipsec esp-group ESP-GROUP proposal 1 hash 'sha256'
    set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
    set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group '14'
    set vpn ipsec ike-group IKE-GROUP proposal 1 encryption 'aes256'
    set vpn ipsec ike-group IKE-GROUP proposal 1 hash 'sha256'
    set vpn ipsec interface 'eth0'
    set vpn ipsec site-to-site peer RIGHT authentication mode 'pre-shared-secret'
    set vpn ipsec site-to-site peer RIGHT connection-type 'initiate'
    set vpn ipsec site-to-site peer RIGHT default-esp-group 'ESP-GROUP'
    set vpn ipsec site-to-site peer RIGHT ike-group 'IKE-GROUP'
    set vpn ipsec site-to-site peer RIGHT local-address '198.51.100.14'
    set vpn ipsec site-to-site peer RIGHT remote-address '192.0.2.130'
    set vpn ipsec site-to-site peer RIGHT tunnel 0 local prefix '10.1.11.0/24'
    set vpn ipsec site-to-site peer RIGHT tunnel 0 remote prefix '10.2.21.0/24'
    set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix '10.1.11.0/24'
    set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix '10.2.22.0/24'
    set vpn ipsec site-to-site peer RIGHT tunnel 2 local prefix '10.1.12.0/24'
    set vpn ipsec site-to-site peer RIGHT tunnel 2 remote prefix '10.2.21.0/24'
    set vpn ipsec site-to-site peer RIGHT tunnel 3 local prefix '10.1.12.0/24'
    set vpn ipsec site-to-site peer RIGHT tunnel 3 remote prefix '10.2.22.0/24'

    # RIGHT router:
    set vpn ipsec authentication psk LEFT id '192.0.2.130'
    set vpn ipsec authentication psk LEFT id '198.51.100.14'
    set vpn ipsec authentication psk LEFT secret 'p4ssw0rd'
    set vpn ipsec esp-group ESP-GROUP mode 'tunnel'
    set vpn ipsec esp-group ESP-GROUP proposal 1 encryption 'aes256'
    set vpn ipsec esp-group ESP-GROUP proposal 1 hash 'sha256'
    set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
    set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group '14'
    set vpn ipsec ike-group IKE-GROUP proposal 1 encryption 'aes256'
    set vpn ipsec ike-group IKE-GROUP proposal 1 hash 'sha256'
    set vpn ipsec interface 'eth0'
    set vpn ipsec site-to-site peer LEFT authentication mode 'pre-shared-secret'
    set vpn ipsec site-to-site peer LEFT connection-type 'respond'
    set vpn ipsec site-to-site peer LEFT default-esp-group 'ESP-GROUP'
    set vpn ipsec site-to-site peer LEFT ike-group 'IKE-GROUP'
    set vpn ipsec site-to-site peer LEFT local-address '192.0.2.130'
    set vpn ipsec site-to-site peer LEFT remote-address '198.51.100.14'
    set vpn ipsec site-to-site peer LEFT tunnel 0 local prefix '10.2.21.0/24'
    set vpn ipsec site-to-site peer LEFT tunnel 0 remote prefix '10.1.11.0/24'
    set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix '10.2.22.0/24'
    set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix '10.1.11.0/24'
    set vpn ipsec site-to-site peer LEFT tunnel 2 local prefix '10.2.21.0/24'
    set vpn ipsec site-to-site peer LEFT tunnel 2 remote prefix '10.1.12.0/24'
    set vpn ipsec site-to-site peer LEFT tunnel 3 local prefix '10.2.22.0/24'
    set vpn ipsec site-to-site peer LEFT tunnel 3 remote prefix '10.1.12.0/24'

Firewall Configuration:

.. code-block:: none

    # Firewall Groups:
    set firewall group network-group LOCAL-NETS network '10.1.11.0/24'
    set firewall group network-group LOCAL-NETS network '10.1.12.0/24'
    set firewall group network-group REMOTE-NETS network '10.2.21.0/24'
    set firewall group network-group REMOTE-NETS network '10.2.22.0/24'
    set firewall group network-group TRUSTED network '198.51.100.125/32'
    set firewall group network-group TRUSTED network '203.0.113.0/24'
    set firewall group network-group TRUSTED network '10.1.11.0/24'
    set firewall group network-group TRUSTED network '192.168.70.0/24'

    # Forward traffic: default drop and only allow what is needed
    set firewall ipv4 forward filter default-action 'drop'
    
    # Forward traffic: global state policies
    set firewall ipv4 forward filter rule 1 action 'accept'
    set firewall ipv4 forward filter rule 1 state established 'enable'
    set firewall ipv4 forward filter rule 1 state related 'enable'
    set firewall ipv4 forward filter rule 2 action 'drop'
    set firewall ipv4 forward filter rule 2 state invalid 'enable'
    
    # Forward traffic: Accept all connections from local networks
    set firewall ipv4 forward filter rule 10 action 'accept'
    set firewall ipv4 forward filter rule 10 source group network-group 'LOCAL-NETS'
    
    # Forward traffic: accept connections from remote LANs to local LANs
    set firewall ipv4 forward filter rule 20 action 'accept'
    set firewall ipv4 forward filter rule 20 destination group network-group 'LOCAL-NETS'
    set firewall ipv4 forward filter rule 20 source group network-group 'REMOTE-NETS'

    # Input traffic: default drop and only allow what is needed
    set firewall ipv4 input filter default-action 'drop'

    # Input traffic: global state policies
    set firewall ipv4 input filter rule 1 action 'accept'
    set firewall ipv4 input filter rule 1 state established 'enable'
    set firewall ipv4 input filter rule 1 state related 'enable'
    set firewall ipv4 input filter rule 2 action 'drop'
    set firewall ipv4 input filter rule 2 state invalid 'enable'

    # Input traffic: add rules needed for ipsec connection
    set firewall ipv4 input filter rule 10 action 'accept'
    set firewall ipv4 input filter rule 10 destination port '500,4500'
    set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth0'
    set firewall ipv4 input filter rule 10 protocol 'udp'
    set firewall ipv4 input filter rule 15 action 'accept'
    set firewall ipv4 input filter rule 15 inbound-interface interface-name 'eth0'
    set firewall ipv4 input filter rule 15 protocol 'esp'

    # Input traffic: accept SSH connections from trusted IPs
    set firewall ipv4 input filter rule 20 action 'accept'
    set firewall ipv4 input filter rule 20 destination port '22'
    set firewall ipv4 input filter rule 20 protocol 'tcp'
    set firewall ipv4 input filter rule 20 source group network-group 'TRUSTED'

    # Input traffic: accept DNS requests only from local networks.
    set firewall ipv4 input filter rule 25 action 'accept'
    set firewall ipv4 input filter rule 25 destination port '53'
    set firewall ipv4 input filter rule 25 protocol 'udp'
    set firewall ipv4 input filter rule 25 source group network-group 'LOCAL-NETS'

    # Input traffic: allow icmp
    set firewall ipv4 input filter rule 30 action 'accept'
    set firewall ipv4 input filter rule 30 protocol 'icmp'

And NAT Configuration:

.. code-block:: none

    set nat source rule 10 destination group network-group 'REMOTE-NETS'
    set nat source rule 10 exclude
    set nat source rule 10 outbound-interface name 'eth0'
    set nat source rule 10 source group network-group 'LOCAL-NETS'
    set nat source rule 20 outbound-interface name 'eth0'
    set nat source rule 20 source group network-group 'LOCAL-NETS'
    set nat source rule 20 translation address 'masquerade'
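
The firewall and NAT rulesets above are easiest to validate before committing by
replaying packets against them. The following is an added example, not VyOS code
and not part of this guide: it parses an excerpt of the ``set`` commands shown
above into rulesets and evaluates constructed packets for the requirements listed
at the top of the page. It assumes the documented VyOS behaviour that the first
matching rule wins, that the default action applies when no rule matches, and that
a source NAT rule with ``exclude`` leaves the packet untranslated; the packet field
names (``source``, ``destination``, ``protocol``, ``dport``, ``inbound``,
``outbound``, ``state``) and the ``check`` helper are this example's own.

```python
# Added example, not VyOS code: parse this guide's firewall and SNAT 'set' commands
# and evaluate constructed packets against them offline, before committing.
import ipaddress
import shlex

# Constructed input: an excerpt of the 'set' commands shown above.
CONFIG = """
set firewall group network-group LOCAL-NETS network '10.1.11.0/24'
set firewall group network-group REMOTE-NETS network '10.2.21.0/24'
set firewall group network-group TRUSTED network '203.0.113.0/24'
set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 1 action 'accept'
set firewall ipv4 forward filter rule 1 state established 'enable'
set firewall ipv4 forward filter rule 10 action 'accept'
set firewall ipv4 forward filter rule 10 source group network-group 'LOCAL-NETS'
set firewall ipv4 forward filter rule 20 action 'accept'
set firewall ipv4 forward filter rule 20 destination group network-group 'LOCAL-NETS'
set firewall ipv4 forward filter rule 20 source group network-group 'REMOTE-NETS'
set firewall ipv4 input filter default-action 'drop'
set firewall ipv4 input filter rule 10 action 'accept'
set firewall ipv4 input filter rule 10 destination port '500,4500'
set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth0'
set firewall ipv4 input filter rule 10 protocol 'udp'
set firewall ipv4 input filter rule 20 action 'accept'
set firewall ipv4 input filter rule 20 destination port '22'
set firewall ipv4 input filter rule 20 protocol 'tcp'
set firewall ipv4 input filter rule 20 source group network-group 'TRUSTED'
set firewall ipv4 input filter rule 25 action 'accept'
set firewall ipv4 input filter rule 25 destination port '53'
set firewall ipv4 input filter rule 25 protocol 'udp'
set firewall ipv4 input filter rule 25 source group network-group 'LOCAL-NETS'
set nat source rule 10 destination group network-group 'REMOTE-NETS'
set nat source rule 10 exclude
set nat source rule 10 outbound-interface name 'eth0'
set nat source rule 10 source group network-group 'LOCAL-NETS'
set nat source rule 20 outbound-interface name 'eth0'
set nat source rule 20 source group network-group 'LOCAL-NETS'
set nat source rule 20 translation address 'masquerade'
"""

def _set_match(rule, tok):
    """Store one matcher or action from the tail of a '... rule N' line."""
    if tok[0] in ("action", "protocol"):
        rule[tok[0]] = tok[1]
    elif tok[0] == "state":                       # state established 'enable'
        rule.setdefault("state", set()).add(tok[1])
    elif tok[:2] == ["destination", "port"]:
        rule["dport"] = {int(p) for p in tok[2].split(",")}
    elif tok[1:3] == ["group", "network-group"]:  # source|destination group
        rule[tok[0]] = tok[3]
    elif tok[0].endswith("-interface"):           # inbound-/outbound-interface
        rule[tok[0].split("-")[0]] = tok[2]
    elif tok[0] == "exclude":                     # SNAT: leave untranslated (assumed)
        rule["action"] = "exclude"
    elif tok[:2] == ["translation", "address"]:
        rule["action"] = tok[2]

def parse(text):
    """Return (network groups, firewall rulesets by hook, source-NAT ruleset)."""
    groups, fw, nat = {}, {}, {"default": "none", "rules": {}}
    for line in text.strip().splitlines():
        tok = shlex.split(line)[1:]               # drop the leading 'set'
        if tok[:3] == ["firewall", "group", "network-group"]:
            groups.setdefault(tok[3], []).append(ipaddress.ip_network(tok[5]))
        elif tok[:2] == ["firewall", "ipv4"]:
            rs = fw.setdefault(tok[2], {"default": "drop", "rules": {}})
            if tok[4] == "default-action":
                rs["default"] = tok[5]
            else:
                _set_match(rs["rules"].setdefault(int(tok[5]), {}), tok[6:])
        elif tok[:2] == ["nat", "source"]:
            _set_match(nat["rules"].setdefault(int(tok[3]), {}), tok[4:])
    return groups, fw, nat

def _matches(rule, pkt, groups):
    """Every matcher present on the rule must hold for the packet."""
    for key in ("protocol", "inbound", "outbound"):
        if key in rule and pkt.get(key) != rule[key]:
            return False
    if ("state" in rule and pkt["state"] not in rule["state"]) or (
            "dport" in rule and pkt.get("dport") not in rule["dport"]):
        return False
    for key in ("source", "destination"):          # network-group membership
        if key in rule and not any(ipaddress.ip_address(pkt[key]) in net
                                   for net in groups[rule[key]]):
            return False
    return True

def verdict(ruleset, pkt, groups):   # first match wins, else default-action (assumed)
    for num in sorted(ruleset["rules"]):
        if _matches(ruleset["rules"][num], pkt, groups):
            return ruleset["rules"][num]["action"], num
    return ruleset["default"], "default"

GROUPS, FW, NAT = parse(CONFIG)

def check(hook, **pkt):   # hook: 'input', 'forward' or 'snat'; new flow unless stated
    pkt.setdefault("state", "new")
    return verdict(NAT if hook == "snat" else FW[hook], pkt, GROUPS)
```

``check("snat", source="10.1.11.5", destination="10.2.21.5", outbound="eth0")``
returns ``('exclude', 10)``, so LAN-to-LAN traffic keeps its private source and
still matches the IPSec policy, while the same host bound for an internet address
gets ``('masquerade', 20)``. On the input hook a DNS query arriving from a remote
LAN through the tunnel falls through to ``('drop', 'default')``, and an SSH attempt
from an address outside ``TRUSTED`` does the same; note that ``TRUSTED`` only
affects input, so a new connection from a trusted internet host towards a local
LAN is still dropped on the forward hook.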

Checking through op-mode commands
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

After some testing, we can check the IPSec status and the counters on every tunnel:

.. code-block:: none

    vyos@LEFT:~$ show vpn ipsec sa
    Connection      State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
    --------------  -------  --------  --------------  ----------------  ----------------  -----------  ---------------------------------------
    RIGHT-tunnel-0  up       36m24s    840B/840B       10/10             192.0.2.130       192.0.2.130  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
    RIGHT-tunnel-1  up       36m33s    588B/588B       7/7               192.0.2.130       192.0.2.130  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
    RIGHT-tunnel-2  up       35m50s    1K/1K           15/15             192.0.2.130       192.0.2.130  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
    RIGHT-tunnel-3  up       36m54s    2K/2K           32/32             192.0.2.130       192.0.2.130  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
    vyos@LEFT:~$ 
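
A monitoring job can consume that table directly. The following is an added
example, not VyOS code and not part of this guide: it parses the ``show vpn ipsec
sa`` output above and reports any expected tunnel that is missing, not ``up``,
negotiated with a proposal other than the one the configured IKE and ESP groups
should yield, or that has not carried packets in both directions. The tunnel names
and the proposal string are taken from the output above; the column layout is
assumed to stay as shown, and the ``tunnel_problems`` helper and its reason
strings are this example's own.

```python
# Added example, not VyOS code: parse the table printed by 'show vpn ipsec sa' and
# flag expected tunnels that are missing, down, on an unexpected proposal, or idle.

# Constructed input: the 'show vpn ipsec sa' output shown above.
SA_OUTPUT = """\
Connection      State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
--------------  -------  --------  --------------  ----------------  ----------------  -----------  ---------------------------------------
RIGHT-tunnel-0  up       36m24s    840B/840B       10/10             192.0.2.130       192.0.2.130  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
RIGHT-tunnel-1  up       36m33s    588B/588B       7/7               192.0.2.130       192.0.2.130  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
RIGHT-tunnel-2  up       35m50s    1K/1K           15/15             192.0.2.130       192.0.2.130  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
RIGHT-tunnel-3  up       36m54s    2K/2K           32/32             192.0.2.130       192.0.2.130  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
"""

# The four tunnels configured on LEFT and the proposal IKE-GROUP/ESP-GROUP should yield.
EXPECTED_TUNNELS = [f"RIGHT-tunnel-{i}" for i in range(4)]
EXPECTED_PROPOSAL = "AES_CBC_256/HMAC_SHA2_256_128/MODP_2048"

def parse_sa_table(text):
    """Map connection name -> fields, skipping the header and separator lines."""
    sas = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 8 or cols[0] == "Connection" or cols[0].startswith("-"):
            continue
        pkt_in, pkt_out = (int(n) for n in cols[4].split("/"))   # 'Packets In/Out'
        sas[cols[0]] = {"state": cols[1], "packets_in": pkt_in, "packets_out": pkt_out,
                        "remote": cols[5], "proposal": cols[7]}
    return sas

def tunnel_problems(text, expected=EXPECTED_TUNNELS, proposal=EXPECTED_PROPOSAL):
    """Return {connection: reason} for every expected tunnel that is not healthy."""
    sas = parse_sa_table(text)
    problems = {}
    for name in expected:
        sa = sas.get(name)
        if sa is None:
            problems[name] = "missing"
        elif sa["state"] != "up":
            problems[name] = "state " + sa["state"]
        elif sa["proposal"] != proposal:              # negotiated something weaker?
            problems[name] = "proposal " + sa["proposal"]
        elif min(sa["packets_in"], sa["packets_out"]) == 0:
            problems[name] = "no traffic"
    return problems
```

With the output above ``tunnel_problems(SA_OUTPUT)`` returns an empty dict. The
proposal comparison is the check worth keeping in production: a tunnel that is
``up`` but negotiated a different cipher suite than the configured AES-256,
SHA-256 and DH group 14 is something a counter alone will not reveal.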


Also, we can check firewall counters:

.. code-block:: none

    vyos@LEFT:~$ show firewall
    Rulesets Information

    ---------------------------------
    IPv4 Firewall "forward filter"

    Rule     Action    Protocol      Packets    Bytes  Conditions
    -------  --------  ----------  ---------  -------  ------------------------------------------------------
    1        accept    all               681    96545  ct state { established, related }  accept
    2        drop      all                 0        0  ct state invalid
    10       accept    all               360    27205  ip saddr @N_LOCAL-NETS  accept
    20       accept    all                 8      648  ip daddr @N_LOCAL-NETS ip saddr @N_REMOTE-NETS  accept
    default  drop      all

    ---------------------------------
    IPv4 Firewall "input filter"

    Rule     Action    Protocol      Packets    Bytes  Conditions
    -------  --------  ----------  ---------  -------  ----------------------------------------------
    1        accept    all               901   123709  ct state { established, related }  accept
    2        drop      all                 0        0  ct state invalid
    10       accept    udp                 0        0  udp dport { 500, 4500 } iifname "eth0"  accept
    15       accept    esp                 0        0  meta l4proto esp iifname "eth0"  accept
    20       accept    tcp                 1       60  tcp dport 22 ip saddr @N_TRUSTED  accept
    25       accept    udp                 0        0  udp dport 53 ip saddr @N_LOCAL-NETS  accept
    30       accept    icmp                0        0  meta l4proto icmp  accept
    default  drop      all

    vyos@LEFT:~$ 
    vyos@LEFT:~$ show firewall statistics 
    Rulesets Statistics

    ---------------------------------
    IPv4 Firewall "forward filter"

    Rule     Packets    Bytes    Action    Source       Destination    Inbound-Interface    Outbound-interface
    -------  ---------  -------  --------  -----------  -------------  -------------------  --------------------
    1        681        96545    accept    any          any            any                  any
    2        0          0        drop      any          any            any                  any
    10       360        27205    accept    LOCAL-NETS   any            any                  any
    20       8          648      accept    REMOTE-NETS  LOCAL-NETS     any                  any
    default  N/A        N/A      drop      any          any            any                  any

    ---------------------------------
    IPv4 Firewall "input filter"

    Rule     Packets    Bytes    Action    Source      Destination    Inbound-Interface    Outbound-interface
    -------  ---------  -------  --------  ----------  -------------  -------------------  --------------------
    1        905        124213   accept    any         any            any                  any
    2        0          0        drop      any         any            any                  any
    10       0          0        accept    any         any            eth0                 any
    15       0          0        accept    any         any            eth0                 any
    20       1          60       accept    TRUSTED     any            any                  any
    25       0          0        accept    LOCAL-NETS  any            any                  any
    30       0          0        accept    any         any            any                  any
    default  N/A        N/A      drop      any         any            any                  any

    vyos@LEFT:~$