1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
|
.. _ipsec_general:
#########################
IPsec General Information
#########################
***********************
Information about IPsec
***********************
IPsec is the framework used to secure data.
IPsec accomplishes these goals by providing authentication,
encryption of IP network packets, key exchange, and key management.
VyOS uses Strongswan package to implement IPsec.
**Authentication Header (AH)** is defined in :rfc:`4302`. It creates
a hash using the IP header and data payload, and prepends it to the
packet. This hash is used to validate that the data has not been
changed during transfer over the network.
**Encapsulating Security Payload (ESP)** is defined in :rfc:`4303`.
It provides encryption and authentication of the data.
There are two IPsec modes:
**IPsec Transport Mode**:
In transport mode, an IPSec header (AH or ESP) is inserted
between the IP header and the upper layer protocol header.
**IPsec Tunnel Mode:**
In tunnel mode, the original IP packet is encapsulated in
another IP datagram, and an IPsec header (AH or ESP) is
inserted between the outer and inner headers.
.. figure:: /_static/images/ESP_AH.png
:scale: 80 %
:alt: AH and ESP in Transport Mode and Tunnel Mode
***************************
IKE (Internet Key Exchange)
***************************
The default IPsec method for secure key negotiation is the Internet Key
Exchange (IKE) protocol. IKE is designed to provide mutual authentication
of systems, as well as to establish a shared secret key to create IPsec
security associations. A security association (SA) includes all relevant
attributes of the connection, including the cryptographic algorithm used,
the IPsec mode, the encryption key, and other parameters related to the
transmission of data over the VPN connection.
IKEv1
=====
IKEv1 is the older version and is still used today. Nowadays, most
manufacturers recommend using IKEv2 protocol.
IKEv1 is described in the next RFCs: :rfc:`2409` (IKE), :rfc:`3407`
(IPsec DOI), :rfc:`3947` (NAT-T), :rfc:`3948` (UDP Encapsulation
of ESP Packets), :rfc:`3706` (DPD)
IKEv1 operates in two phases to establish these IKE and IPsec SAs:
* **Phase 1** provides mutual authentication of the IKE peers and
establishment of the session key. This phase creates an IKE SA (a
security association for IKE) using a DH exchange, cookies, and an
ID exchange. Once an IKE SA is established, all IKE communication
between the initiator and responder is protected with encryption
and an integrity check that is authenticated. The purpose of IKE
phase 1 is to facilitate a secure channel between the peers so that
phase 2 negotiations can occur securely. IKE phase 1 offers two modes:
Main and Aggressive.
* **Main Mode** is used for site-to-site VPN connections.
* **Aggressive Mode** is used for remote access VPN connections.
* **Phase 2** provides for the negotiation and establishment of the
IPsec SAs using ESP or AH to protect IP data traffic.
IKEv2
=====
IKEv2 is described in :rfc:`7296`. The biggest difference between IKEv1 and
IKEv2 is that IKEv2 is much simpler and more reliable than IKEv1 because
fewer messages are exchanged during the establishment of the VPN and
additional security capabilities are available.
IKE Authentication
==================
VyOS supports 3 authentication methods.
* **Pre-shared keys**: In this method, both peers of the IPsec
tunnel must have the same preshared keys.
* **Digital certificates**: PKI is used in this method.
* **RSA-keys**: If the RSA-keys method is used in your IKE policy,
you need to make sure each peer has the other peer’s public keys.
*************************
DPD (Dead Peer Detection)
*************************
This is a mechanism used to detect when a VPN peer is no longer active.
This mechanism has different algorithms in IKEv1 and IKEv2 in VyOS.
DPD Requests are sent as ISAKMP R-U-THERE messages and DPD Responses
are sent as ISAKMP R-U-THERE-ACK messages. In IKEv1, DPD sends messages
every configured interval. The remote peer is considered unreachable
if no response to these packets is received within the DPD timeout.
In IKEv2, DPD sends messages every configured interval. If one request
is not responded, Strongswan execute its retransmission algorithm with
its timers. https://docs.strongswan.org/docs/5.9/config/retransmission.html
*****************
Configuration IKE
*****************
IKE (Internet Key Exchange) Attributes
======================================
VyOS IKE group has the next options:
.. cfgcmd:: set vpn ipsec ike-group <name> close-action <action>
Defines the action to take if the remote peer unexpectedly
closes a CHILD_SA:
* **none** - Set action to none (default),
* **trap** - Installs a trap policy (IPsec policy without Security
Association) for the CHILD_SA and traffic matching these policies
will trigger acquire events that cause the daemon to establish the
required IKE/IPsec SAs.
* **start** - Tries to immediately re-create the CHILD_SA.
.. cfgcmd:: set vpn ipsec ike-group <name> ikev2-reauth
Whether rekeying of an IKE_SA should also reauthenticate
the peer. In IKEv1, reauthentication is always done.
Setting this parameter enables remote host re-authentication
during an IKE rekey.
.. cfgcmd:: set vpn ipsec ike-group <name> key-exchange
Which protocol should be used to initialize the connection
If not set both protocols are handled and connections will
use IKEv2 when initiating, but accept any protocol version
when responding:
* **ikev1** - Use IKEv1 for Key Exchange.
* **ikev2** - Use IKEv2 for Key Exchange.
.. cfgcmd:: set vpn ipsec ike-group <name> lifetime
IKE lifetime in seconds <0-86400> (default 28800).
.. cfgcmd:: set vpn ipsec ike-group <name> mode
IKEv1 Phase 1 Mode Selection:
* **main** - Use Main mode for Key Exchanges in the IKEv1 Protocol
(Recommended Default).
* **aggressive** - Use Aggressive mode for Key Exchanges in the IKEv1
protocol aggressive mode is much more insecure compared to Main mode.
.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> dh-group <dh-group number>
Dh-group. Default value is **2**.
.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> encryption <encryption>
Encryption algorithm. Default value is **aes128**.
.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> hash <hash>
Hash algorithm. Default value is **sha1**.
.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> prf <prf>
Pseudo-random function.
DPD (Dead Peer Detection) Configuration
=======================================
.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection action <action>
Action to perform for this CHILD_SA on DPD timeout.
* **trap** - Installs a trap policy (IPsec policy without Security
Association), which will catch matching traffic and tries to
re-negotiate the tunnel on-demand.
* **clear** - Closes the CHILD_SA and does not take further action
(default).
* **restart** - Immediately tries to re-negotiate the CHILD_SA
under a fresh IKE_SA.
.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection interval <interval>
Keep-alive interval in seconds <2-86400> (default 30).
.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection timeout <timeout>
Keep-alive timeout in seconds <2-86400> (default 120) **IKEv1 only**
ESP (Encapsulating Security Payload) Attributes
===============================================
In VyOS, ESP attributes are specified through ESP groups.
Multiple proposals can be specified in a single group.
VyOS ESP group has the next options:
.. cfgcmd:: set vpn ipsec esp-group <name> compression
Enables the IPComp(IP Payload Compression) protocol which allows
compressing the content of IP packets.
.. cfgcmd:: set vpn ipsec esp-group <name> disable-rekey
Do not locally initiate a re-key of the SA, remote peer must
re-key before expiration.
.. cfgcmd:: set vpn ipsec esp-group <name> life-bytes <bytes>
ESP life in bytes <1024-26843545600000>. Number of bytes
transmitted over an IPsec SA before it expires.
.. cfgcmd:: set vpn ipsec esp-group <name> life-packets <packets>
ESP life in packets <1000-26843545600000>.
Number of packets transmitted over an IPsec SA before it expires.
.. cfgcmd:: set vpn ipsec esp-group <name> lifetime <timeout>
ESP lifetime in seconds <30-86400> (default 3600).
How long a particular instance of a connection (a set of
encryption/authentication keys for user packets) should last,
from successful negotiation to expiry.
.. cfgcmd:: set vpn ipsec esp-group <name> mode <mode>
The type of the connection:
* **tunnel** - Tunnel mode (default).
* **transport** - Transport mode.
.. cfgcmd:: set vpn ipsec esp-group <name> pfs < dh-group>
Whether Perfect Forward Secrecy of keys is desired on the
connection's keying channel and defines a Diffie-Hellman group for
PFS:
* **enable** - Inherit Diffie-Hellman group from IKE group (default).
* **disable** - Disable PFS.
* **<dh-group>** - Defines a Diffie-Hellman group for PFS.
.. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> encryption <encryption>
Encryption algorithm. Default value is **aes128**.
.. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> hash <hash>
Hash algorithm. Default value is **sha1**.
Global IPsec Settings
=====================
.. cfgcmd:: set vpn ipsec interface <name>
Interface name to restrict outbound IPsec policies. There is a possibility
to specify multiple interfaces. If an interfaces are not specified, IPsec
policies apply to all interfaces.
.. cfgcmd:: set vpn ipsec log level <number>
Level of logging. Default value is **0**.
.. cfgcmd:: set vpn ipsec log subsystem <name>
Subsystem of the daemon.
Options
=======
.. cfgcmd:: set vpn ipsec options disable-route-autoinstall
Do not automatically install routes to remote
networks.
.. cfgcmd:: set vpn ipsec options flexvpn
Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco
FlexVPN vendor ID payload (IKEv2 only), which is required in order to make
Cisco brand devices allow negotiating a local traffic selector (from
strongSwan's point of view) that is not the assigned virtual IP address if
such an address is requested by strongSwan. Sending the Cisco FlexVPN
vendor ID prevents the peer from narrowing the initiator's local traffic
selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0
instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco
template but should also work for GRE encapsulation.
.. cfgcmd:: set vpn ipsec options interface <name>
Interface Name to use. The name of the interface on which
virtual IP addresses should be installed. If not specified the addresses
will be installed on the outbound interface.
.. cfgcmd:: set vpn ipsec options virtual-ip
Allows the installation of virtual-ip addresses.
|
