Updated site-to-site IPsec VPN documentation (#1660)

* Updated site-to-site IPsec VPN documentation

Added general theoretical IPsec documentation.
Changed site-to-site IPsec VPN documentation.
Added steps for configuration.
Added documentation for troubleshooting site-to-site IPsec VPN.
Backported from https://github.com/vyos/vyos-documentation/pull/1653

---------

Co-authored-by: aapostoliuk <aapostoliuk@vyos.io>
Co-authored-by: Daniil Baturin <daniil@baturin.org>
aapostoliuk 2025-07-28 15:51:55 +03:00 committed by GitHub
parent 2ff18f0cb9
commit 6ec864e8d3
GPG Key ID: B5690EEEBB952194
11 changed files with 1383 additions and 1087 deletions

BIN
docs/_static/images/ESP_AH.png vendored Normal file


View File

@ -40,7 +40,7 @@ Configuration
* Please refer to the :ref:`tunnel-interface` documentation for the individual
tunnel related options.
* Please refer to the :ref:`ipsec` documentation for the individual IPSec
* Please refer to the :ref:`ipsec_general` documentation for individual IPSec
related options.
.. cfgcmd:: set protocols nhrp tunnel <tunnel> cisco-authentication <secret>

View File

@ -7,7 +7,7 @@ VPN
:maxdepth: 1
:includehidden:
ipsec
ipsec/index
l2tp
openconnect
pptp
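Review bot: with `ipsec` replaced by `ipsec/index` here and the `.. _ipsec:` label disappearing together with the deleted ipsec.rst, any `:ref:`ipsec`` left elsewhere in the tree will no longer resolve at build time; the dmvpn page is updated in this commit, but please grep the rest of docs/ for the old label before merging.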
@ -22,4 +22,4 @@ pages to sort
:includehidden:
dmvpn
site2site_ipsec
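Review bot: `site2site_ipsec` is also listed in the new ipsec/index.rst toctree in this commit, so it must not stay in this "pages to sort" toctree as well, otherwise Sphinx warns that the document appears in multiple toctrees; the rendered hunk does not show which side this line is on, so please confirm it is the removed one.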

View File

@ -1,657 +0,0 @@
.. _ipsec:
#####
IPsec
#####
:abbr:`GRE (Generic Routing Encapsulation)`, GRE/IPsec (or IPIP/IPsec,
SIT/IPsec, or any other stateless tunnel protocol over IPsec) is the usual way
to protect the traffic inside a tunnel.
An advantage of this scheme is that you get a real interface with its own
address, which makes it easier to setup static routes or use dynamic routing
protocols without having to modify IPsec policies. The other advantage is that
it greatly simplifies router to router communication, which can be tricky with
plain IPsec because the external outgoing address of the router usually doesn't
match the IPsec policy of a typical site-to-site setup and you would need to
add special configuration for it, or adjust the source address of the outgoing
traffic of your applications. GRE/IPsec has no such problem and is completely
transparent for applications.
GRE/IPIP/SIT and IPsec are widely accepted standards, which make this scheme
easy to implement between VyOS and virtually any other router.
For simplicity we'll assume that the protocol is GRE, it's not hard to guess
what needs to be changed to make it work with a different protocol. We assume
that IPsec will use pre-shared secret authentication and will use AES128/SHA1
for the cipher and hash. Adjust this as necessary.
.. NOTE:: VMware users should ensure that a VMXNET3 adapter is used. E1000
adapters have known issues with GRE processing.
**************************************
IKE (Internet Key Exchange) Attributes
**************************************
IKE performs mutual authentication between two parties and establishes
an IKE security association (SA) that includes shared secret information
that can be used to efficiently establish SAs for Encapsulating Security
Payload (ESP) or Authentication Header (AH) and a set of cryptographic
algorithms to be used by the SAs to protect the traffic that they carry.
https://datatracker.ietf.org/doc/html/rfc5996
In VyOS, IKE attributes are specified through IKE groups.
Multiple proposals can be specified in a single group.
VyOS IKE group has the next options:
* ``close-action`` defines the action to take if the remote peer unexpectedly
closes a CHILD_SA:
* ``none`` set action to none (default);
* ``trap`` installs a trap policy for the CHILD_SA;
* ``start`` tries to immediately re-create the CHILD_SA;
* ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol
(DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty
INFORMATIONAL messages (IKEv2) are periodically sent in order to check the
liveliness of the IPsec peer:
* ``action`` keep-alive failure action:
* ``trap`` installs a trap policy, which will catch matching traffic
and tries to re-negotiate the tunnel on-demand;
* ``clear`` closes the CHILD_SA and does not take further action (default);
* ``restart`` immediately tries to re-negotiate the CHILD_SA
under a fresh IKE_SA;
* ``interval`` keep-alive interval in seconds <2-86400> (default 30);
* ``timeout`` keep-alive timeout in seconds <2-86400> (default 120) IKEv1 only
* ``ikev2-reauth`` whether rekeying of an IKE_SA should also reauthenticate
the peer. In IKEv1, reauthentication is always done.
Setting this parameter enables remote host re-authentication during an IKE
rekey.
* ``key-exchange`` which protocol should be used to initialize the connection
If not set both protocols are handled and connections will use IKEv2 when
initiating, but accept any protocol version when responding:
* ``ikev1`` use IKEv1 for Key Exchange;
* ``ikev2`` use IKEv2 for Key Exchange;
* ``lifetime`` IKE lifetime in seconds <0-86400> (default 28800);
* ``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2
and enabled by default.
* ``mode`` IKEv1 Phase 1 Mode Selection:
* ``main`` use Main mode for Key Exchanges in the IKEv1 Protocol
(Recommended Default);
* ``aggressive`` use Aggressive mode for Key Exchanges in the IKEv1 protocol
aggressive mode is much more insecure compared to Main mode;
* ``proposal`` the list of proposals and their parameters:
* ``dh-group`` dh-group;
* ``encryption`` encryption algorithm;
* ``hash`` hash algorithm.
* ``prf`` pseudo-random function.
***********************************************
ESP (Encapsulating Security Payload) Attributes
***********************************************
ESP is used to provide confidentiality, data origin authentication,
connectionless integrity, an anti-replay service (a form of partial sequence
integrity), and limited traffic flow confidentiality.
https://datatracker.ietf.org/doc/html/rfc4303
In VyOS, ESP attributes are specified through ESP groups.
Multiple proposals can be specified in a single group.
VyOS ESP group has the next options:
* ``compression`` Enables the IPComp(IP Payload Compression) protocol which
allows compressing the content of IP packets.
* ``life-bytes`` ESP life in bytes <1024-26843545600000>.
Number of bytes transmitted over an IPsec SA before it expires;
* ``life-packets`` ESP life in packets <1000-26843545600000>.
Number of packets transmitted over an IPsec SA before it expires;
* ``lifetime`` ESP lifetime in seconds <30-86400> (default 3600).
How long a particular instance of a connection (a set of
encryption/authentication keys for user packets) should last,
from successful negotiation to expiry;
* ``mode`` the type of the connection:
* ``tunnel`` tunnel mode (default);
* ``transport`` transport mode;
* ``pfs`` whether Perfect Forward Secrecy of keys is desired on the
connection's keying channel and defines a Diffie-Hellman group for PFS:
* ``enable`` Inherit Diffie-Hellman group from IKE group (default);
* ``disable`` Disable PFS;
* ``< dh-group >`` defines a Diffie-Hellman group for PFS;
* ``proposal`` ESP-group proposal with number <1-65535>:
* ``encryption`` encryption algorithm (default 128 bit AES-CBC);
* ``hash`` hash algorithm (default sha1).
* ``disable-rekey`` Do not locally initiate a re-key of the SA, remote
peer must re-key before expiration.
***********************************************
Options (Global IPsec settings) Attributes
***********************************************
* ``options``
* ``disable-route-autoinstall`` Do not automatically install routes to remote
networks;
* ``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco
FlexVPN vendor ID payload (IKEv2 only), which is required in order to make
Cisco brand devices allow negotiating a local traffic selector (from
strongSwan's point of view) that is not the assigned virtual IP address if
such an address is requested by strongSwan. Sending the Cisco FlexVPN
vendor ID prevents the peer from narrowing the initiator's local traffic
selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0
instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco
template but should also work for GRE encapsulation;
* ``interface`` Interface Name to use. The name of the interface on which
virtual IP addresses should be installed. If not specified the addresses
will be installed on the outbound interface;
* ``virtual-ip`` Allows the installation of virtual-ip addresses. A comma
separated list of virtual IPs to request in IKEv2 configuration payloads or
IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an
arbitrary address, specific addresses may be defined. The responder may
return a different address, or none at all. Define the ``virtual-address``
option to configure the IP address in a site-to-site hierarchy.
*************************
IPsec policy matching GRE
*************************
The first and arguably cleaner option is to make your IPsec policy match GRE
packets between external addresses of your routers. This is the best option if
both routers have static external addresses.
Suppose the LEFT router has external address 192.0.2.10 on its eth0 interface,
and the RIGHT router is 203.0.113.45
On the LEFT:
.. code-block:: none
# GRE tunnel
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 192.0.2.10
set interfaces tunnel tun0 remote 203.0.113.45
set interfaces tunnel tun0 address 10.10.10.1/30
## IPsec
set vpn ipsec interface eth0
# Pre-shared-secret
set vpn ipsec authentication psk vyos id 192.0.2.10
set vpn ipsec authentication psk vyos id 203.0.113.45
set vpn ipsec authentication psk vyos secret MYSECRETKEY
# IKE group
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
# ESP group
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
# IPsec tunnel
set vpn ipsec site-to-site peer right authentication mode pre-shared-secret
set vpn ipsec site-to-site peer right authentication remote-id 203.0.113.45
set vpn ipsec site-to-site peer right ike-group MyIKEGroup
set vpn ipsec site-to-site peer right default-esp-group MyESPGroup
set vpn ipsec site-to-site peer right local-address 192.0.2.10
set vpn ipsec site-to-site peer right remote-address 203.0.113.45
# This will match all GRE traffic to the peer
set vpn ipsec site-to-site peer right tunnel 1 protocol gre
On the RIGHT, setup by analogy and swap local and remote addresses.
Source tunnel from dummy interface
==================================
The scheme above doesn't work when one of the routers has a dynamic external
address though. The classic workaround for this is to setup an address on a
loopback interface and use it as a source address for the GRE tunnel, then setup
an IPsec policy to match those loopback addresses.
We assume that the LEFT router has static 192.0.2.10 address on eth0, and the
RIGHT router has a dynamic address on eth0.
The peer names RIGHT and LEFT are used as informational text.
**Setting up the GRE tunnel**
On the LEFT:
.. code-block:: none
set interfaces dummy dum0 address 192.168.99.1/32
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 address 10.10.10.1/30
set interfaces tunnel tun0 source-address 192.168.99.1
set interfaces tunnel tun0 remote 192.168.99.2
On the RIGHT:
.. code-block:: none
set interfaces dummy dum0 address 192.168.99.2/32
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 address 10.10.10.2/30
set interfaces tunnel tun0 source-address 192.168.99.2
set interfaces tunnel tun0 remote 192.168.99.1
**Setting up IPSec**
However, now you need to make IPsec work with dynamic address on one side. The
tricky part is that pre-shared secret authentication doesn't work with dynamic
address, so we'll have to use RSA keys.
First, on both routers run the operational command "generate pki key-pair
install <key-pair name>". You may choose different length than 2048 of course.
.. code-block:: none
vyos@left# run generate pki key-pair install ipsec-LEFT
Enter private key type: [rsa, dsa, ec] (Default: rsa)
Enter private key bits: (Default: 2048)
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] N
Configure mode commands to install key pair:
Do you want to install the public key? [Y/n] Y
set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'
Do you want to install the private key? [Y/n] Y
set pki key-pair ipsec-LEFT private key 'MIIEvgIBADAN...'
[edit]
Configuration commands for the private and public key will be displayed on the
screen which needs to be set on the router first.
Note the command with the public key
(set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...').
Then do the same on the opposite router:
.. code-block:: none
vyos@left# run generate pki key-pair install ipsec-RIGHT
Note the command with the public key
(set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...').
Now the noted public keys should be entered on the opposite routers.
On the LEFT:
.. code-block:: none
set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...'
On the RIGHT:
.. code-block:: none
set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'
Now you are ready to setup IPsec. You'll need to use an ID instead of address
for the peer.
On the LEFT (static address):
.. code-block:: none
set vpn ipsec interface eth0
set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1
set vpn ipsec site-to-site peer RIGHT authentication local-id LEFT
set vpn ipsec site-to-site peer RIGHT authentication mode rsa
set vpn ipsec site-to-site peer RIGHT authentication rsa local-key ipsec-LEFT
set vpn ipsec site-to-site peer RIGHT authentication rsa remote-key ipsec-RIGHT
set vpn ipsec site-to-site peer RIGHT authentication remote-id RIGHT
set vpn ipsec site-to-site peer RIGHT default-esp-group MyESPGroup
set vpn ipsec site-to-site peer RIGHT ike-group MyIKEGroup
set vpn ipsec site-to-site peer RIGHT local-address 192.0.2.10
set vpn ipsec site-to-site peer RIGHT connection-type respond
set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local
set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote
On the RIGHT (dynamic address):
.. code-block:: none
set vpn ipsec interface eth0
set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1
set vpn ipsec site-to-site peer LEFT authentication local-id RIGHT
set vpn ipsec site-to-site peer LEFT authentication mode rsa
set vpn ipsec site-to-site peer LEFT authentication rsa local-key ipsec-RIGHT
set vpn ipsec site-to-site peer LEFT authentication rsa remote-key ipsec-LEFT
set vpn ipsec site-to-site peer LEFT authentication remote-id LEFT
set vpn ipsec site-to-site peer LEFT connection-type initiate
set vpn ipsec site-to-site peer LEFT default-esp-group MyESPGroup
set vpn ipsec site-to-site peer LEFT ike-group MyIKEGroup
set vpn ipsec site-to-site peer LEFT local-address any
set vpn ipsec site-to-site peer LEFT remote-address 192.0.2.10
set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local
set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote
*******************************************
IKEv2 IPSec road-warriors remote-access VPN
*******************************************
Internet Key Exchange version 2, IKEv2 for short, is a request/response
protocol developed by both Cisco and Microsoft. It is used to establish and
secure IPv4/IPv6 connections, be it a site-to-site VPN or from a
road-warrior connecting to a hub site. IKEv2, when run in point-to-multipoint,
or remote-access/road-warrior mode, secures the server-side with another layer
by using an x509 signed server certificate.
Key exchange and payload encryption is still done using IKE and ESP proposals
as known from IKEv1 but the connections are faster to establish, more reliable,
and also support roaming from IP to IP (called MOBIKE which makes sure your
connection does not drop when changing networks from e.g. WIFI to LTE and back).
This feature closely works together with :ref:`pki` subsystem as you required
a x509 certificate.
Example
=======
This example uses CACert as certificate authority.
.. code-block::
set pki ca CAcert_Class_3_Root certificate 'MIIGPTCCBCWgAwIBAgIDFOIoMA0GCSqGSIb3DQEBDQUAMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnMB4XDTIxMDQxOTEyMTgzMFoXDTMxMDQxNzEyMTgzMFowVDEUMBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57aiX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6CjQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgiapNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPtXapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luLoFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGprmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVABfvpAgMBAAGjgfIwge8wDwYDVR0TAQH/BAUwAwEB/zBhBggrBgEFBQcBAQRVMFMwIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLkNBY2VydC5vcmcvMCwGCCsGAQUFBzAChiBodHRwOi8vd3d3LkNBY2VydC5vcmcvY2xhc3MzLmNydDBFBgNVHSAEPjA8MDoGCysGAQQBgZBKAgMBMCswKQYIKwYBBQUHAgEWHWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZy9jcHMucGhwMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHBzOi8vd3d3LmNhY2VydC5vcmcvY2xhc3MzLmNybDANBgkqhkiG9w0BAQ0FAAOCAgEAxh6td1y0KJvRyI1EEsC9dnYEgyEH+BGCf2vBlULAOBG1JXCNiwzB1Wz9HBoDfIv4BjGlnd5BKdSLm4TXPcE3hnGjH1thKR5dd3278K25FRkTFOY1gP+mGbQ3hZRB6IjDX+CyBqS7+ECpHTms7eo/mARN+Yz5R3lzUvXs3zSX+z534NzRg4i6iHNHWqakFcQNcA0PnksTB37vGD75pQGqeSmx51L6UzrIpn+274mhsaFNL85jhX+lKuk71MGjzwoThbuZ15xmkITnZtRQs6HhLSIqJWjDILIrxLqYHehK71xYwrRNhFb3TrsWaEJskrhveM0Os/vvoLNkh/L3iEQ5/LnmLMCYJNRALF7I7gsduAJNJrgKGMYvHkt1bo8uIXO8wgNV7qoU4JoaB1ML30QUqGcFr0TI06FFdgK2fwy5hulPxm6wuxW0v+iAtXYx/mRkwQpYbcVQtrIDvx1CT1k50cQxi+jIKjkcFWHw3kBoDnCos0/ukegPT7aQ
nk2AbL4c7nCkuAcEKw1BAlSETkfqi5btdlhh58MhewZv1LcL5zQyg8w1puclT3wXQvy8VwPGn0J/mGD4gLLZ9rGcHDUECokxFoWk+u5MCcVqmGbsyG4q5suS3CNslsHURfM8bQK4oLvHR8LCHEBMRcdFBn87cSvOK6eB1kdGKLA8ymXxZp8='
set pki ca CAcert_Signing_Authority certificate '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'
After you obtain your server certificate you can import it from a file on the
local filesystem, or paste it into the CLI. Please note that when entering the
certificate manually you need to strip the ``-----BEGIN KEY-----`` and
``-----END KEY-----`` tags. Also, the certificate or key needs to be presented
in a single line without line breaks (``\n``).
To import it from the filesystem use:
.. code-block::
import pki certificate <name> file /path/to/cert.pem
In our example the certificate name is called vyos:
.. code-block::
set pki certificate vyos certificate 'MIIE45s...'
set pki certificate vyos private key 'MIIEvgI...'
After the PKI certs are all set up we can start configuring our IPSec/IKE
proposals used for key-exchange end data encryption. The used encryption
ciphers and integrity algorithms vary from operating system to operating
system. The ones used in this post are validated to work on both Windows 10
and iOS/iPadOS 14 to 17.
.. code-block::
set vpn ipsec esp-group ESP-RW compression 'disable'
set vpn ipsec esp-group ESP-RW lifetime '3600'
set vpn ipsec esp-group ESP-RW pfs 'disable'
set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes128gcm128'
set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE-RW key-exchange 'ikev2'
set vpn ipsec ike-group IKE-RW lifetime '7200'
set vpn ipsec ike-group IKE-RW mobike 'enable'
set vpn ipsec ike-group IKE-RW proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes128gcm128'
set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha256'
Every connection/remote-access pool we configure also needs a pool where
we can draw our client IP addresses from. We provide one IPv4 and IPv6 pool.
Authorized clients will receive an IPv4 address from the 192.0.2.128/25 prefix
and an IPv6 address from the 2001:db8:2000::/64 prefix. We can also send some
DNS nameservers down for our clients to use with their connection.
.. code-block::
set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.1'
set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.0.2.128/25'
set vpn ipsec remote-access pool ra-rw-ipv6 name-server '2001:db8:1000::1'
set vpn ipsec remote-access pool ra-rw-ipv6 prefix '2001:db8:2000::/64'
VyOS supports multiple IKEv2 remote-access connections. Every connection can
have its own dedicated IKE/ESP ciphers, certificates or local listen address
for e.g. inbound load balancing.
We configure a new connection named ``rw`` for road-warrior, that identifies
itself as ``192.0.2.1`` to the clients and uses the ``vyos`` certificate
signed by the `CAcert_Class3_Root`` intermediate CA. We select our previously
specified IKE/ESP groups and also link the IP address pool to draw addresses
from.
.. code-block::
set vpn ipsec remote-access connection rw authentication id '192.0.2.1'
set vpn ipsec remote-access connection rw authentication server-mode 'x509'
set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'CAcert_Class_3_Root'
set vpn ipsec remote-access connection rw authentication x509 certificate 'vyos'
set vpn ipsec remote-access connection rw esp-group 'ESP-RW'
set vpn ipsec remote-access connection rw ike-group 'IKE-RW'
set vpn ipsec remote-access connection rw local-address '192.0.2.1'
set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4'
set vpn ipsec remote-access connection rw pool 'ra-rw-ipv6'
VyOS also supports (currently) two different modes of authentication, local and
RADIUS. To create a new local user named ``vyos`` with password ``vyos`` use the
following commands.
.. code-block::
set vpn ipsec remote-access connection rw authentication client-mode 'eap-mschapv2'
set vpn ipsec remote-access connection rw authentication local-users username vyos password 'vyos'
If you feel better forwarding all authentication requests to your enterprises
RADIUS server, use the commands below.
.. code-block::
set vpn ipsec remote-access connection rw authentication client-mode 'eap-radius'
set vpn ipsec remote-access radius server 192.0.2.2 key 'secret'
Client Configuration
====================
Configuring VyOS to act as your IPSec access concentrator is one thing, but
you probably need to setup your client connecting to the server so they can
talk to the IPSec gateway.
Microsoft Windows (10+)
-----------------------
Windows 10 does not allow a user to choose the integrity and encryption ciphers
using the GUI and it uses some older proposals by default. A user can only
change the proposals on the client side by configuring the IPSec connection
profile via PowerShell.
We generate a connection profile used by Windows clients that will connect to
the "rw" connection on our VyOS server on the VPN servers IP address/fqdn
`vpn.vyos.net`.
.. note:: Microsoft Windows expects the server name to be also used in the
server's certificate common name, so it's best to use this DNS name for
your VPN connection.
.. code-block::
vyos@vyos:~$ generate ipsec profile windows-remote-access rw remote vpn.vyos.net
==== <snip> ====
Add-VpnConnection -Name "VyOS IKEv2 VPN" -ServerAddress "vpn.vyos.net" -TunnelType "Ikev2"
Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256128 -PfsGroup None -DHGroup "Group14" -PassThru -Force
==== </snip> ====
As both Microsoft Windows and Apple iOS/iPadOS only support a certain set of
encryption ciphers and integrity algorithms we will validate the configured
IKE/ESP proposals and only list the compatible ones to the user — if multiple
are defined. If there are no matching proposals found — we can not generate a
profile for you.
When first connecting to the new VPN the user is prompted to enter proper
credentials.
Apple iOS/iPadOS (14.2+)
------------------------
Like on Microsoft Windows, Apple iOS/iPadOS out of the box does not expose
all available VPN options via the device GUI.
If you want, need, and should use more advanced encryption ciphers (default
is still 3DES) you need to provision your device using a so-called "Device
Profile". A profile is a simple text file containing XML nodes with a
``.mobileconfig`` file extension that can be sent and opened on any device
from an E-Mail.
Profile generation happens from the operational level and is as simple as
issuing the following command to create a profile to connect to the IKEv2
access server at ``vpn.vyos.net`` with the configuration for the ``rw``
remote-access connection group.
.. note:: Apple iOS/iPadOS expects the server name to be also used in the
server's certificate common name, so it's best to use this DNS name for
your VPN connection.
.. code-block::
vyos@vyos:~$ generate ipsec profile ios-remote-access rw remote vpn.vyos.net
==== <snip> ====
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
...
</plist>
==== </snip> ====
In the end, an XML structure is generated which can be saved as
``vyos.mobileconfig`` and sent to the device by E-Mail where it later can
be imported.
During profile import, the user is asked to enter its IPSec credentials
(username and password) which is stored on the mobile.
Operation Mode
==============
.. opcmd:: show vpn ike sa
Show all currently active IKE Security Associations.
.. opcmd:: show vpn ike sa nat-traversal
Show all currently active IKE Security Associations (SA) that are using
NAT Traversal.
.. opcmd:: show vpn ike sa peer <peer_name>
Show all currently active IKE Security Associations (SA) for a specific
peer.
.. opcmd:: show vpn ike secrets
Show all the configured pre-shared secret keys.
.. opcmd:: show vpn ike status
Show the detailed status information of IKE charon process.
.. opcmd:: show vpn ipsec connections
Show details of all available VPN connections
.. opcmd:: show vpn ipsec policy
Print out the list of existing crypto policies
.. opcmd:: show vpn ipsec sa
Show all active IPsec Security Associations (SA)
.. opcmd:: show vpn ipsec sa detail
Show a detailed information of all active IPsec Security Associations (SA)
in verbose format.
.. opcmd:: show vpn ipsec state
Print out the list of existing in-kernel crypto state
.. opcmd:: show vpn ipsec status
Show the status of running IPsec process and process ID.
.. opcmd:: restart ipsec
Restart the IPsec VPN process and re-establishes the connection.
.. opcmd:: reset vpn ipsec site-to-site all
Reset all site-to-site IPSec VPN sessions. It terminates all active
child_sa and reinitiates the connection.
.. opcmd:: reset vpn ipsec site-to-site peer <name>
Reset all tunnels for a given peer, can specify tunnel or vti interface.
It terminates a specific child_sa and reinitiates the connection.
.. opcmd:: show log ipsec
Show logs for IPsec
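Review bot: this deletion takes out the IKEv2 road-warrior remote-access section (x509 server certificate, the `remote-access pool` and `remote-access connection` commands, local and RADIUS client authentication, and the Windows and iOS profile generation) as well as the "Operation Mode" command reference, but the new ipsec/index.rst toctree added in this commit lists only `ipsec_general`, `site2site_ipsec` and `troubleshooting_ipsec`, and the commit message only mentions site-to-site changes; please confirm the remote-access content and the `show`/`reset`/`restart` command reference are relocated to one of those pages or to a new page added to the toctree rather than dropped. The GRE/IPsec and dummy-interface source examples should likewise be checked for in site2site_ipsec.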

View File

@ -0,0 +1,20 @@
#####
IPsec
#####
.. toctree::
:maxdepth: 1
:includehidden:
ipsec_general
site2site_ipsec
troubleshooting_ipsec
pages to sort
.. toctree::
:maxdepth: 1
:includehidden:
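Review bot: the second toctree under "pages to sort" has no entries, and "pages to sort" carries no section underline, so it renders as a stray paragraph followed by an empty toctree; either drop the block or give it a proper heading and the pages that belong under it.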

View File

@ -0,0 +1,308 @@
.. _ipsec_general:
#########################
IPsec General Information
#########################
***********************
Information about IPsec
***********************
IPsec is the framework used to secure data.
IPsec accomplishes these goals by providing authentication,
encryption of IP network packets, key exchange, and key management.
VyOS uses strongSwan for its IPsec implementation.
**Authentication Header (AH)** is defined in :rfc:`4302`. It creates
a hash using the IP header and data payload, and prepends it to the
packet. This hash is used to validate that the data has not been
changed during transfer over the network.
**Encapsulating Security Payload (ESP)** is defined in :rfc:`4303`.
It provides encryption and authentication of the data.
There are two IPsec modes:
**IPsec Transport Mode**:
In transport mode, an IPSec header (AH or ESP) is inserted
between the IP header and the upper layer protocol header.
**IPsec Tunnel Mode:**
In tunnel mode, the original IP packet is encapsulated in
another IP datagram, and an IPsec header (AH or ESP) is
inserted between the outer and inner headers.
.. figure:: /_static/images/ESP_AH.png
:scale: 80 %
:alt: AH and ESP in Transport Mode and Tunnel Mode
***************************
IKE (Internet Key Exchange)
***************************
The default IPsec method for secure key negotiation is the Internet Key
Exchange (IKE) protocol. IKE is designed to provide mutual authentication
of systems, as well as to establish a shared secret key to create IPsec
security associations. A security association (SA) includes all relevant
attributes of the connection, including the cryptographic algorithm used,
the IPsec mode, the encryption key, and other parameters related to the
transmission of data over the VPN connection.
IKEv1
=====
IKEv1 is the older version and is still used today. Nowadays, most
manufacturers recommend using IKEv2 protocol.
IKEv1 is described in the next RFCs: :rfc:`2409` (IKE), :rfc:`3407`
(IPsec DOI), :rfc:`3947` (NAT-T), :rfc:`3948` (UDP Encapsulation
of ESP Packets), :rfc:`3706` (DPD)
IKEv1 operates in two phases to establish these IKE and IPsec SAs:
* **Phase 1** provides mutual authentication of the IKE peers and
establishment of the session key. This phase creates an IKE SA (a
security association for IKE) using a DH exchange, cookies, and an
ID exchange. Once an IKE SA is established, all IKE communication
between the initiator and responder is protected with encryption
and an integrity check that is authenticated. The purpose of IKE
phase 1 is to facilitate a secure channel between the peers so that
phase 2 negotiations can occur securely. IKE phase 1 offers two modes:
Main and Aggressive.
* **Main Mode** is used for site-to-site VPN connections.
* **Aggressive Mode** is used for remote access VPN connections.
* **Phase 2** provides for the negotiation and establishment of the
IPsec SAs using ESP or AH to protect IP data traffic.
IKEv2
=====
IKEv2 is described in :rfc:`7296`. The biggest difference between IKEv1 and
IKEv2 is that IKEv2 is much simpler and more reliable than IKEv1 because
fewer messages are exchanged during the establishment of the VPN and
additional security capabilities are available.
IKE Authentication
==================
VyOS supports 3 authentication methods.
* **Pre-shared keys**: In this method, both peers of the IPsec
tunnel must have the same preshared keys.
* **Digital certificates**: PKI is used in this method.
* **RSA-keys**: If the RSA-keys method is used in your IKE policy,
you need to make sure each peer has the other peers public keys.
*************************
DPD (Dead Peer Detection)
*************************
This is a mechanism used to detect when a VPN peer is no longer active.
This mechanism has different algorithms in IKEv1 and IKEv2 in VyOS.
DPD Requests are sent as ISAKMP R-U-THERE messages and DPD Responses
are sent as ISAKMP R-U-THERE-ACK messages. In IKEv1, DPD sends messages
every configured interval. The remote peer is considered unreachable
if no response to these packets is received within the DPD timeout.
In IKEv2, DPD sends messages every configured interval. If one request
does not receive a response, strongSwan executes its retransmission algorithm with
its timers. https://docs.strongswan.org/docs/5.9/config/retransmission.html
*****************
Configuration IKE
*****************
IKE (Internet Key Exchange) Attributes
======================================
VyOS IKE group has the next options:
.. cfgcmd:: set vpn ipsec ike-group <name> close-action <action>
Defines the action to take if the remote peer unexpectedly
closes a CHILD_SA:
* **none** - Set action to none (default),
* **trap** - Installs a trap policy (IPsec policy without Security
Association) for the CHILD_SA and traffic matching these policies
will trigger acquire events that cause the daemon to establish the
required IKE/IPsec SAs.
* **start** - Tries to immediately re-create the CHILD_SA.
.. cfgcmd:: set vpn ipsec ike-group <name> ikev2-reauth
Whether rekeying of an IKE_SA should also reauthenticate
the peer. In IKEv1, reauthentication is always done.
Setting this parameter enables remote host re-authentication
during an IKE rekey.
.. cfgcmd:: set vpn ipsec ike-group <name> key-exchange
Which protocol should be used to initialize the connection
If not set both protocols are handled and connections will
use IKEv2 when initiating, but accept any protocol version
when responding:
* **ikev1** - Use IKEv1 for Key Exchange.
* **ikev2** - Use IKEv2 for Key Exchange.
.. cfgcmd:: set vpn ipsec ike-group <name> lifetime
IKE lifetime in seconds <0-86400> (default 28800).
.. cfgcmd:: set vpn ipsec ike-group <name> mode
IKEv1 Phase 1 Mode Selection:
* **main** - Use Main mode for Key Exchanges in the IKEv1 Protocol
(Recommended Default).
* **aggressive** - Use Aggressive mode for Key Exchanges in the IKEv1
protocol aggressive mode is much more insecure compared to Main mode.
.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> dh-group <dh-group number>
Diffie-Hellman algorithm group. Default value is **2**.
.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> encryption <encryption>
Encryption algorithm. Default value is **aes128**.
.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> hash <hash>
Hash algorithm. Default value is **sha1**.
.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> prf <prf>
Pseudo-random function.
DPD (Dead Peer Detection) Configuration
=======================================
.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection action <action>
Action to perform for this CHILD_SA on DPD timeout.
* **trap** - Installs a trap policy (IPsec policy without Security
Association), which will catch matching traffic and tries to
re-negotiate the tunnel on-demand.
* **clear** - Closes the CHILD_SA and does not take further action
(default).
* **restart** - Immediately tries to re-negotiate the CHILD_SA
under a fresh IKE_SA.
.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection interval <interval>
Keep-alive interval in seconds <2-86400> (default 30).
.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection timeout <timeout>
Keep-alive timeout in seconds <2-86400> (default 120) **IKEv1 only**
ESP (Encapsulating Security Payload) Attributes
===============================================
In VyOS, ESP attributes are specified through ESP groups.
Multiple proposals can be specified in a single group.
VyOS ESP group has the next options:
.. cfgcmd:: set vpn ipsec esp-group <name> compression
Enables the IPComp(IP Payload Compression) protocol which allows
compressing the content of IP packets.
.. cfgcmd:: set vpn ipsec esp-group <name> disable-rekey
Do not locally initiate a re-key of the SA, remote peer must
re-key before expiration.
.. cfgcmd:: set vpn ipsec esp-group <name> life-bytes <bytes>
ESP life in bytes <1024-26843545600000>. Number of bytes
transmitted over an IPsec SA before it expires.
.. cfgcmd:: set vpn ipsec esp-group <name> life-packets <packets>
ESP life in packets <1000-26843545600000>.
Number of packets transmitted over an IPsec SA before it expires.
.. cfgcmd:: set vpn ipsec esp-group <name> lifetime <timeout>
ESP lifetime in seconds <30-86400> (default 3600).
How long a particular instance of a connection (a set of
encryption/authentication keys for user packets) should last,
from successful negotiation to expiry.
.. cfgcmd:: set vpn ipsec esp-group <name> mode <mode>
The type of the connection:
* **tunnel** - Tunnel mode (default).
* **transport** - Transport mode.
.. cfgcmd:: set vpn ipsec esp-group <name> pfs < dh-group>
Whether Perfect Forward Secrecy of keys is desired on the
connection's keying channel and defines a Diffie-Hellman group for
PFS:
* **enable** - Inherit Diffie-Hellman group from IKE group (default).
* **disable** - Disable PFS.
* **<dh-group>** - Defines a Diffie-Hellman group for PFS.
.. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> encryption <encryption>
Encryption algorithm. Default value is **aes128**.
.. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> hash <hash>
Hash algorithm. Default value is **sha1**.
Global IPsec Settings
=====================
.. cfgcmd:: set vpn ipsec interface <name>
Interface name to restrict outbound IPsec policies. There is a possibility
to specify multiple interfaces. If an interfaces are not specified, IPsec
policies apply to all interfaces.
.. cfgcmd:: set vpn ipsec log level <number>
Level of logging. Default value is **0**.
.. cfgcmd:: set vpn ipsec log subsystem <name>
Subsystem of the daemon.
Options
=======
.. cfgcmd:: set vpn ipsec options disable-route-autoinstall
Do not automatically install routes to remote
networks.
.. cfgcmd:: set vpn ipsec options flexvpn
Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco
FlexVPN vendor ID payload (IKEv2 only), which is required in order to make
Cisco brand devices allow negotiating a local traffic selector (from
strongSwan's point of view) that is not the assigned virtual IP address if
such an address is requested by strongSwan. Sending the Cisco FlexVPN
vendor ID prevents the peer from narrowing the initiator's local traffic
selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0
instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco
template but should also work for GRE encapsulation.
.. cfgcmd:: set vpn ipsec options interface <name>
Interface Name to use. The name of the interface on which
virtual IP addresses should be installed. If not specified the addresses
will be installed on the outbound interface.
.. cfgcmd:: set vpn ipsec options virtual-ip
Allows the installation of virtual-ip addresses.
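Review bot: this removal drops reference content whose replacement is not visible in this commit: the deleted section documents `set vpn ipsec ike-group <name> ikev2-reauth`, the ESP-group `compression`, `disable-rekey`, `life-bytes` and `life-packets` options, the global `set vpn ipsec log level <number>` / `log subsystem <name>` commands and the `set vpn ipsec options flexvpn` / `options interface <name>` / `options virtual-ip` commands, none of which appear in the new site-to-site page added below. Please confirm they are carried over into the replacement general IPsec page; otherwise readers lose the only description of these settings. The DPD explanation being deleted (IKEv1 declares the peer dead after the DPD timeout, IKEv2 falls back to strongSwan's retransmission timers) is also worth keeping wherever the DPD commands land, since `dead-peer-detection timeout` is documented as IKEv1 only.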


@ -0,0 +1,729 @@
.. _size2site_ipsec:
######################
IPsec Site-to-Site VPN
######################
****************************
IPsec Site-to-Site VPN Types
****************************
VyOS supports two types of IPsec VPN: Policy-based IPsec VPN and Route-based
IPsec VPN.
Policy-based VPN
================
Policy-based VPN is based on static configured policies. Each policy creates
individual IPSec SA. Traffic matches these SAs encrypted and directed to the
remote peer.
Route-Based VPN
===============
Route-based VPN is based on secure traffic passing over Virtual Tunnel
Interfaces (VTIs). This type of IPsec VPNs allows using routing protocols.
******************************
Configuration Site-to-Site VPN
******************************
Requirements and Prerequisites for Site-to-Site VPN
===================================================
**Negotiated parameters that need to match**
Phase 1
* IKE version
* Authentication
* Encryption
* Hashing
* PRF
* Lifetime
.. note:: Strongswan recommends to use the same lifetime value on both peers
Phase 2
* Encryption
* Hashing
* PFS
* Mode (tunnel or transport)
* Lifetime
.. note:: Strongswan recommends to use the same lifetime value on both peers
* Remote and Local networks in SA must be compatible on both peers
Configuration Steps for Site-to-Site VPN
========================================
The next example shows the configuration one of the router participating in
IPsec VPN.
Tunnel information:
* Phase 1:
* encryption: AES256
* hash: SHA256
* PRF: SHA256
* DH: 14
* lifetime: 28800
* Phase 2:
* IPsec mode: tunnel
* encryption: AES256
* hash: SHA256
* PFS: inherited from DH Phase 1
* lifetime: 3600
* If Policy based VPN is used
* Remote network is 192.168.50.0/24. Local network is 192.168.10.0/24
* If Route based VPN is used
* IP of the VTI interface is 10.0.0.1/30
.. note:: We do not recommend using policy-based vpn and route-based vpn configurations to the same peer.
**1. Configure ike-group (IKE Phase 1)**
.. code-block:: none
set vpn ipsec ike-group IKE close-action 'start'
set vpn ipsec ike-group IKE key-exchange 'ikev1'
set vpn ipsec ike-group IKE lifetime '28800'
set vpn ipsec ike-group IKE proposal 10 dh-group '14'
set vpn ipsec ike-group IKE proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE proposal 10 prf 'prfsha256'
**2. Configure ESP-group (IKE Phase 2)**
.. code-block:: none
set vpn ipsec esp-group ESP lifetime '3600'
set vpn ipsec esp-group ESP mode 'tunnel'
set vpn ipsec esp-group ESP pfs 'enable'
set vpn ipsec esp-group ESP proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 10 hash 'sha256'
**3. Specify interface facing to the protected destination.**
.. code-block:: none
set vpn ipsec interface eth0
**4. Configure PSK keys and authentication ids for this key if authentication type is PSK**
.. code-block:: none
set vpn ipsec authentication psk PSK-KEY id '192.168.0.2'
set vpn ipsec authentication psk PSK-KEY id '192.168.5.2'
set vpn ipsec authentication psk PSK-KEY secret 'vyos'
To set base64 secret encode plaintext password to base64 and set secret-type
.. code-block:: none
echo -n "vyos" | base64
dnlvcw==
.. code-block:: none
set vpn ipsec authentication psk PSK-KEY secret 'dnlvcw=='
set vpn ipsec authentication psk PSK-KEY secret-type base64
**5. Configure peer and apply IKE-group and esp-group to peer.**
.. code-block:: none
set vpn ipsec site-to-site peer PEER1 authentication local-id '192.168.0.2'
set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer PEER1 authentication remote-id '192.168.5.2'
set vpn ipsec site-to-site peer PEER1 connection-type 'initiate'
set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP'
set vpn ipsec site-to-site peer PEER1 ike-group 'IKE'
set vpn ipsec site-to-site peer PEER1 local-address '192.168.0.2'
set vpn ipsec site-to-site peer PEER1 remote-address '192.168.5.2'
Peer selects the key from step 4 according to local-id/remote-id pair.
**6. Depends to vpn type (route-based vpn or policy-based vpn).**
**6.1 For Policy-based VPN configure SAs using tunnel command specifying remote and local networks.**
.. code-block:: none
set vpn ipsec site-to-site peer PEER1 tunnel 1 local prefix '192.168.10.0/24'
set vpn ipsec site-to-site peer PEER1 tunnel 1 remote prefix '192.168.50.0/24'
**6.2 For Route-based VPN create VTI interface, set IP address to this interface and bind this interface to the vpn peer.**
.. code-block:: none
set interfaces vti vti1 address 10.0.0.1/30
set vpn ipsec site-to-site peer PEER1 vti bind vti1
set vpn ipsec options disable-route-autoinstall
Create routing between local networks via VTI interface using dynamic or
static routing.
.. code-block:: none
set protocol static route 192.168.50.0/24 next-hop 10.0.0.2
Initiator and Responder Connection Types
========================================
In Site-to-Site IPsec VPN it is recommended that one peer should be an
initiator and the other - the responder. The initiator actively establishes
the VPN tunnel. The responder passively waits for the remote peer to
establish the VPN tunnel. Depends on selected role it is recommended
select proper values for close-action and DPD action.
The result of wrong value selection can be unstable work of the VPN.
* Duplicate CHILD SA creation.
* None of the VPN sides initiates the tunnel establishment.
Below flow-chart could be a quick reference for the close-action
combination depending on how the peer is configured.
.. figure:: /_static/images/IPSec_close_action_settings.png
Similar combinations are applicable for the dead-peer-detection.
Detailed Configuration Commands
===============================
PSK Key Authentication
----------------------
.. cfgcmd:: set vpn ipsec authentication psk <name> dhcp-interface
ID for authentication generated from DHCP address
dynamically.
.. cfgcmd:: set vpn ipsec authentication psk id <id>
static ID's for authentication. In general local and remote
address ``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``.
.. cfgcmd:: set vpn ipsec authentication psk secret <secret>
A predefined shared secret used in configured mode
``pre-shared-secret``. Base64-encoded secrets are allowed if
`secret-type base64` is configured.
.. cfgcmd:: set vpn ipsec authentication psk secret-type <type>
Specifies the secret type:
* **plaintext** - Plain text type (default value).
* **base64** - Base64 type.
Peer Configuration
------------------
Peer Authentication Commands
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication mode <mode>
Mode for authentication between VyOS and remote peer:
* **pre-shared-secret** - Use predefined shared secret phrase.
* **rsa** - Use simple shared RSA key.
* **x509** - Use certificates infrastructure for authentication.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication local-id <id>
ID for the local VyOS router. If defined, during the authentication
it will be send to remote peer.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication remote-id <id>
ID for remote peer, instead of using peer name or
address. Useful in case if the remote peer is behind NAT
or if ``mode x509`` is used.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication rsa local-key <key>
Name of PKI key-pair with local private key.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication rsa remote-key <key>
Name of PKI key-pair with remote public key.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication rsa passphrase <passphrase>
Local private key passphrase.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication use-x509-id <id>
Use local ID from x509 certificate. Cannot be used when
``id`` is defined.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication x509 ca-certificate <name>
Name of CA certificate in PKI configuration. Using for authenticating
remote peer in x509 mode.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication x509 certificate <name>
Name of certificate in PKI configuration, which will be used
for authenticating local router on remote peer.
.. cfgcmd:: set vpn ipsec authentication x509 passphrase <passphrase>
Private key passphrase, if needed.
Global Peer Configuration Commands
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. cfgcmd:: set vpn ipsec site-to-site peer <name> connection-type <type>
Operational mode defines how to handle this connection process.
* **initiate** - does initial connection to remote peer immediately
after configuring and after boot. In this mode the connection will
not be restarted in case of disconnection, therefore should be used
only together with DPD or another session tracking methods.
* **respond** - does not try to initiate a connection to a remote
peer. In this mode, the IPsec session will be established only
after initiation from a remote peer. Could be useful when there
is no direct connectivity to the peer due to firewall or NAT in
the middle of the local and remote side.
* **none** - loads the connection only, which then can be manually
initiated or used as a responder configuration.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> default-esp-group <name>
Name of ESP group to use by default for traffic encryption.
Might be overwritten by individual settings for tunnel or VTI
interface binding.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> description <description>
Description for this peer.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> dhcp-interface <interface>
Specify the interface which IP address, received from DHCP for IPSec
connection with this peer, will be used as ``local-address``.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> force-udp-encapsulation
Force encapsulation of ESP into UDP datagrams. Useful in case if
between local and remote side is firewall or NAT, which not
allows passing plain ESP packets between them.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> ike-group <name>
Name of IKE group to use for key exchanges.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> local-address <address>
Local IP address for IPsec connection with this peer.
If defined ``any``, then an IP address which configured on interface with
default route will be used.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> remote-address <address>
Remote IP address or hostname for IPsec connection. IPv4 or IPv6
address is used when a peer has a public static IP address. Hostname
is a DNS name which could be used when a peer has a public IP
address and DNS name, but an IP address could be changed from time
to time.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> replay-window <size>
IPsec replay window to configure for CHILD_SAs
(default: 32), a value of 0 disables IPsec replay protection.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> virtual-address <address>
Defines a virtual IP address which is requested by the initiator and
one or several IPv4 and/or IPv6 addresses are assigned from multiple
pools by the responder. The wildcard addresses 0.0.0.0 and ::
request an arbitrary address, specific addresses may be defined.
CHILD SAs Configuration Commands
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Policy-Based CHILD SAs Configuration Commands
"""""""""""""""""""""""""""""""""""""""""""""
Every configured tunnel under peer configuration is a new CHILD SA.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> disable
Disable this tunnel.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> esp-group <name>
Specify ESP group for this CHILD SA.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> priority <number>
Priority for policy-based IPsec VPN tunnels (lowest value more
preferable).
.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> protocol <name>
Define the protocol for match traffic, which should be encrypted and
send to this peer.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> local prefix <network>
IP network at the local side.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> local port <number>
Local port number. Have effect only when used together with
``prefix``.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> remote prefix <network>
IP network at the remote side.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> remote port <number>
Remote port number. Have effect only when used together with
``prefix``.
Route-Based CHILD SAs Configuration Commands
"""""""""""""""""""""""""""""""""""""""""""""
To configure route-based VPN it is enough to create vti interface and
bind it to the peer. Any traffic, which will be send to VTI interface
will be encrypted and send to this peer. Using VTI makes IPsec
configuration much flexible and easier in complex situation, and
allows to dynamically add/delete remote networks, reachable via a
peer, as in this mode router don't need to create additional SA/policy
for each remote network.
.. warning:: When using site-to-site IPsec with VTI interfaces,
be sure to disable route autoinstall.
.. code-block:: none
set vpn ipsec options disable-route-autoinstall
.. cfgcmd:: set vpn ipsec site-to-site peer <name> vti bind <interface>
VTI interface to bind to this peer.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> vti esp-group <name>
ESP group for encrypt traffic, passed this VTI interface.
Traffic-selectors parameters for traffic that should pass via vti
interface.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> vti traffic-selector local prefix <network>
Local prefix for interesting traffic.
.. cfgcmd:: set vpn ipsec site-to-site peer <name> vti traffic-selector remote prefix <network>
Remote prefix for interesting traffic.
IPsec Op-mode Commands
======================
.. opcmd:: show vpn ike sa
Shows active IKE SAs information.
.. opcmd:: show vpn ike secrets
Shows configured authentication keys.
.. opcmd:: show vpn ike status
Shows Strongswan daemon status.
.. opcmd:: show vpn ipsec connections
Shows summary status of all configured IKE and IPsec SAs.
.. opcmd:: show vpn ipsec sa [detail]
Shows active IPsec SAs information.
.. opcmd:: show vpn ipsec status
Shows status of IPsec process.
.. opcmd:: show vpn ipsec policy
Shows the in-kernel crypto policies.
.. opcmd:: show vpn ipsec state
Shows the in-kernel crypto state.
.. opcmd:: show log ipsec
Shows IPsec logs.
.. opcmd:: reset vpn ipsec site-to-site all
Clear all ipsec connection and reinitiate them if VyOS is configured
as initiator.
.. opcmd:: reset vpn ipsec site-to-site peer <name>
Clear all peer IKE SAs with IPsec SAs and reinitiate them if VyOS is
configured as initiator.
.. opcmd:: reset vpn ipsec site-to-site peer <name> tunnel <number>
Clear scpecific IPsec SA and reinitiate it if VyOS is configured as
initiator.
.. opcmd:: reset vpn ipsec site-to-site peer <name> vti <number>
Clear IPsec SA which is map to vti interface of this peer and
reinitiate it if VyOS is configured as initiator.
.. opcmd:: restart ipsec
Restart Strongswan daemon.
*********
Examples:
*********
Policy-Based VPN Example
========================
**PEER1:**
* WAN interface on `eth0`
* `eth0` interface IP: `10.0.1.2/30`
* `dum0` interface IP: `192.168.0.1/24` (for testing purposes)
* Initiator
**PEER2:**
* WAN interface on `eth0`
* `eth0` interface IP: `10.0.2.2/30`
* `dum0` interface IP: `192.168.1.0/24` (for testing purposes)
* Responder
.. code-block:: none
# PEER1
set interfaces dummy dum0 address '192.168.0.1/32'
set interfaces ethernet eth0 address '10.0.1.2/30'
set protocols static route 0.0.0.0/0 next-hop 10.0.1.1
set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2'
set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2'
set vpn ipsec authentication psk AUTH-PSK secret 'test'
set vpn ipsec esp-group ESP-GRPOUP lifetime '3600'
set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1'
set vpn ipsec ike-group IKE-GROUP close-action 'start'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '120'
set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GROUP lifetime '28800'
set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer PEER2 authentication local-id '10.0.1.2'
set vpn ipsec site-to-site peer PEER2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer PEER2 authentication remote-id '10.0.2.2'
set vpn ipsec site-to-site peer PEER2 connection-type 'initiate'
set vpn ipsec site-to-site peer PEER2 default-esp-group 'ESP-GRPOUP'
set vpn ipsec site-to-site peer PEER2 ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer PEER2 local-address '10.0.1.2'
set vpn ipsec site-to-site peer PEER2 remote-address '10.0.2.2'
set vpn ipsec site-to-site peer PEER2 tunnel 0 local prefix '192.168.0.0/24'
set vpn ipsec site-to-site peer PEER2 tunnel 0 remote prefix '192.168.1.0/24'
# PEER2
set interfaces dummy dum0 address '192.168.1.1/32'
set interfaces ethernet eth0 address '10.0.2.2/30'
set protocols static route 0.0.0.0/0 next-hop 10.0.2.1
set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2'
set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2'
set vpn ipsec authentication psk AUTH-PSK secret 'test'
set vpn ipsec esp-group ESP-GRPOUP lifetime '3600'
set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1'
set vpn ipsec ike-group IKE-GROUP close-action 'none'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'clear'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '120'
set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GROUP lifetime '28800'
set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer PEER1 authentication local-id '10.0.2.2'
set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer PEER1 authentication remote-id '10.0.1.2'
set vpn ipsec site-to-site peer PEER1 connection-type 'respond'
set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP-GRPOUP'
set vpn ipsec site-to-site peer PEER1 ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer PEER1 local-address '10.0.2.2'
set vpn ipsec site-to-site peer PEER1 remote-address '10.0.1.2'
set vpn ipsec site-to-site peer PEER1 tunnel 0 local prefix '192.168.1.0/24'
set vpn ipsec site-to-site peer PEER1 tunnel 0 remote prefix '192.168.0.0/24'
Show status of policy-based IPsec VPN setup:
.. code-block:: none
vyos@PEER2:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
10.0.1.2 10.0.1.2 10.0.2.2 10.0.2.2
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv1 AES_CBC_256 HMAC_SHA1_96 MODP_2048 no 1254 25633
vyos@srv-gw0:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
-------------- ------- -------- -------------- ---------------- ---------------- ----------- ----------------------------------
PEER1-tunnel-0 up 20m42s 0B/0B 0/0 10.0.1.2 10.0.1.2 AES_CBC_256/HMAC_SHA1_96/MODP_2048
vyos@PEER2:~$ show vpn ipsec connections
Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal
-------------- ------- ------ ---------------- -------------- -------------- ---------- ----------- ----------------------------------
PEER1 up IKEv1 10.0.1.2 - - 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048
PEER1-tunnel-0 up IPsec 10.0.1.2 192.168.1.0/24 192.168.0.0/24 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048
If there is SNAT rules on eth0, need to add exclude rule
.. code-block:: none
# PEER1 side
set nat source rule 10 destination address '192.168.1.0/24'
set nat source rule 10 'exclude'
set nat source rule 10 outbound-interface name 'eth0'
set nat source rule 10 source address '192.168.0.0/24'
# PEER2 side
set nat source rule 10 destination address '192.168.0.0/24'
set nat source rule 10 'exclude'
set nat source rule 10 outbound-interface name 'eth0'
set nat source rule 10 source address '192.168.1.0/24'
Route-Based VPN Example
=======================
**PEER1:**
* WAN interface on `eth0`
* `eth0` interface IP: `10.0.1.2/30`
* 'vti0' interface IP: `10.100.100.1/30`
* `dum0` interface IP: `192.168.0.1/24` (for testing purposes)
* Role: Initiator
**PEER2:**
* WAN interface on `eth0`
* `eth0` interface IP: `10.0.2.2/30`
* 'vti0' interface IP: `10.100.100.2/30`
* `dum0` interface IP: `192.168.1.0/24` (for testing purposes)
* Role: Responder
.. code-block:: none
# PEER1
set interfaces dummy dum0 address '192.168.0.1/32'
set interfaces ethernet eth0 address '10.0.1.2/30'
set interfaces vti vti0 address '10.100.100.1/30'
set protocols static route 0.0.0.0/0 next-hop 10.0.1.1
set protocols static route 192.168.1.0/24 next-hop 10.100.100.2
set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2'
set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2'
set vpn ipsec authentication psk AUTH-PSK secret 'test'
set vpn ipsec esp-group ESP-GRPOUP lifetime '3600'
set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1'
set vpn ipsec ike-group IKE-GROUP close-action 'start'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
set vpn ipsec ike-group IKE-GROUP lifetime '28800'
set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer PEER2 authentication local-id '10.0.1.2'
set vpn ipsec site-to-site peer PEER2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer PEER2 authentication remote-id '10.0.2.2'
set vpn ipsec site-to-site peer PEER2 connection-type 'initiate'
set vpn ipsec site-to-site peer PEER2 default-esp-group 'ESP-GRPOUP'
set vpn ipsec site-to-site peer PEER2 ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer PEER2 local-address '10.0.1.2'
set vpn ipsec site-to-site peer PEER2 remote-address '10.0.2.2'
set vpn ipsec site-to-site peer PEER2 vti bind 'vti0'
# PEER2
set interfaces dummy dum0 address '192.168.1.1/32'
set interfaces ethernet eth0 address '10.0.2.2/30'
set interfaces vti vti0 address '10.100.100.2/30'
set protocols static route 0.0.0.0/0 next-hop 10.0.2.1
set protocols static route 192.168.0.0/24 next-hop 10.100.100.1
set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2'
set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2'
set vpn ipsec authentication psk AUTH-PSK secret 'test'
set vpn ipsec esp-group ESP-GRPOUP lifetime '3600'
set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1'
set vpn ipsec ike-group IKE-GROUP close-action 'none'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'clear'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
set vpn ipsec ike-group IKE-GROUP lifetime '28800'
set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer PEER1 authentication local-id '10.0.2.2'
set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer PEER1 authentication remote-id '10.0.1.2'
set vpn ipsec site-to-site peer PEER1 connection-type 'respond'
set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP-GRPOUP'
set vpn ipsec site-to-site peer PEER1 ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer PEER1 local-address '10.0.2.2'
set vpn ipsec site-to-site peer PEER1 remote-address '10.0.1.2'
set vpn ipsec site-to-site peer PEER1 vti bind 'vti0'
Show status of route-based IPsec VPN setup:
.. code-block:: none
vyos@PEER2:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
10.0.1.2 10.0.1.2 10.0.2.2 10.0.2.2
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv2 AES_CBC_256 HMAC_SHA1_96 MODP_2048 no 404 27650
vyos@PEER2:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
------------ ------- -------- -------------- ---------------- ---------------- ----------- ----------------------------------
PEER1-vti up 3m28s 0B/0B 0/0 10.0.1.2 10.0.1.2 AES_CBC_256/HMAC_SHA1_96/MODP_2048
vyos@PEER2:~$ show vpn ipsec connections
Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal
------------ ------- ------ ---------------- ---------- ----------- ---------- ----------- ----------------------------------
PEER1 up IKEv2 10.0.1.2 - - 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048
PEER1-vti up IPsec 10.0.1.2 0.0.0.0/0 0.0.0.0/0 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048
::/0 ::/0
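Review bot: the ESP group in this route-based example is misspelled `ESP-GRPOUP` everywhere it appears (the `esp-group ESP-GRPOUP ...` definitions and the `default-esp-group 'ESP-GRPOUP'` references on both PEER1 and PEER2); it is consistent, so the config commits, but readers copy reference configs verbatim, so rename it to `ESP-GROUP` throughout. Two smaller points on the same lines: the pre-shared secret `'test'` and the `sha1` hash in both the IKE and ESP proposals will also be copied into real deployments, so use an obvious placeholder such as `'<strong-random-psk>'` and `sha256` in the example; and the `show vpn ipsec sa` output shows `0B/0B` and `0/0` for a tunnel that is `up`, so either capture it after sending traffic over `vti0` or say that zero counters are expected right after establishment, otherwise a reader checking their own setup may think the tunnel is broken.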

View File

@ -0,0 +1,323 @@
.. _troubleshooting_ipsec:
######################################
Troubleshooting Site-to-Site VPN IPsec
######################################
************
Introduction
************
This document describes the methodology to monitor and troubleshoot
Site-to-Site VPN IPsec.
Steps for troubleshooting problems with Site-to-Site VPN IPsec:
1. Ping the remote site through the tunnel using the source and
destination IPs included in the policy.
2. Check connectivity between the routers using the ping command
(if ICMP traffic is allowed).
3. Check the IKE SAs' statuses.
4. Check the IPsec SAs' statuses.
5. Check logs to view debug messages.
**********************
Checking IKE SA Status
**********************
The next command shows IKE SAs' statuses.
.. code-block:: none
vyos@vyos:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
192.168.1.2 192.168.1.2 192.168.0.1 192.168.0.1
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv2 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 162 27023
This command shows the next information:
- IKE SA status.
- Selected IKE version.
- Selected Encryption, Hash and Diffie-Hellman Group.
- NAT-T.
- ID and IP of both peers.
- A-Time: established time, L-Time: time for next rekeying.
**************************
IPsec SA (CHILD SA) Status
**************************
The next commands show IPsec SAs' statuses.
.. code-block:: none
vyos@vyos:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
------------- ------- -------- -------------- ---------------- ---------------- ----------- ----------------------------------
PEER-tunnel-1 up 16m30s 168B/168B 2/2 192.168.1.2 192.168.1.2 AES_CBC_128/HMAC_SHA1_96/MODP_2048
.. code-block:: none
vyos@vyos:~$ show vpn ipsec sa detail
PEER: #1, ESTABLISHED, IKEv2, 101275ac719d5a1b_i* 68ea4ec3bed3bf0c_r
local '192.168.0.1' @ 192.168.0.1[4500]
remote '192.168.1.2' @ 192.168.1.2[4500]
AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
established 4054s ago, rekeying in 23131s
PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
installed 1065s ago, rekeying in 1998s, expires in 2535s
in c5821882, 168 bytes, 2 packets, 81s ago
out c433406a, 168 bytes, 2 packets, 81s ago
local 10.0.0.0/24
remote 10.0.1.0/24
These commands show the next information:
- IPsec SA status.
- Uptime and time for the next rekeing.
- Amount of transferred data.
- Remote and local ID and IP.
- Selected Encryption, Hash and Diffie-Hellman Group.
- Mode (tunnel or transport).
- Remote and local prefixes which are use for policy.
There is a possibility to view the summarized information of SAs' status
.. code-block:: none
vyos@vyos:~$ show vpn ipsec connections
Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal
------------- ------- ------ ---------------- ----------- ----------- ----------- ----------- ----------------------------------
PEER up IKEv2 192.168.1.2 - - 192.168.0.1 192.168.1.2 AES_CBC/128/HMAC_SHA1_96/MODP_2048
PEER-tunnel-1 up IPsec 192.168.1.2 10.0.0.0/24 10.0.1.0/24 192.168.0.1 192.168.1.2 AES_CBC/128/HMAC_SHA1_96/MODP_2048
**************************
Viewing Logs for Debugging
**************************
If IKE SAs or IPsec SAs are down, need to debug IPsec connectivity
using logs ``show log ipsec``
The next example of the successful IPsec connection initialization.
.. code-block:: none
vyos@vyos:~$ show log ipsec
Jun 20 14:29:47 charon[2428]: 02[NET] <PEER|1> received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes)
Jun 20 14:29:47 charon[2428]: 02[ENC] <PEER|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun 20 14:29:47 charon-systemd[2428]: received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes)
Jun 20 14:29:47 charon[2428]: 02[CFG] <PEER|1> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Jun 20 14:29:47 charon-systemd[2428]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun 20 14:29:47 charon-systemd[2428]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Jun 20 14:29:47 charon[2428]: 02[IKE] <PEER|1> authentication of '192.168.0.1' (myself) with pre-shared key
Jun 20 14:29:47 charon-systemd[2428]: authentication of '192.168.0.1' (myself) with pre-shared key
Jun 20 14:29:47 charon[2428]: 02[IKE] <PEER|1> establishing CHILD_SA PEER-tunnel-1{1}
Jun 20 14:29:47 charon-systemd[2428]: establishing CHILD_SA PEER-tunnel-1{1}
Jun 20 14:29:47 charon[2428]: 02[ENC] <PEER|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jun 20 14:29:47 charon-systemd[2428]: generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jun 20 14:29:47 charon[2428]: 02[NET] <PEER|1> sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes)
Jun 20 14:29:47 charon-systemd[2428]: sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes)
Jun 20 14:29:47 charon[2428]: 13[NET] <PEER|1> received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (220 bytes)
Jun 20 14:29:47 charon[2428]: 13[ENC] <PEER|1> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Jun 20 14:29:47 charon-systemd[2428]: received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (220 bytes)
Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> authentication of '192.168.1.2' with pre-shared key successful
Jun 20 14:29:47 charon-systemd[2428]: parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> peer supports MOBIKE
Jun 20 14:29:47 charon-systemd[2428]: authentication of '192.168.1.2' with pre-shared key successful
Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2]
Jun 20 14:29:47 charon-systemd[2428]: peer supports MOBIKE
Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> scheduling rekeying in 27703s
Jun 20 14:29:47 charon-systemd[2428]: IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2]
Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> maximum IKE_SA lifetime 30583s
Jun 20 14:29:47 charon-systemd[2428]: scheduling rekeying in 27703s
Jun 20 14:29:47 charon[2428]: 13[CFG] <PEER|1> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Jun 20 14:29:47 charon-systemd[2428]: maximum IKE_SA lifetime 30583s
Jun 20 14:29:47 charon-systemd[2428]: selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> CHILD_SA PEER-tunnel-1{1} established with SPIs cb94fb3f_i ca99c8a9_o and TS 10.0.0.0/24 === 10.0.1.0/24
Jun 20 14:29:47 charon-systemd[2428]: CHILD_SA PEER-tunnel-1{1} established with SPIs cb94fb3f_i ca99c8a9_o and TS 10.0.0.0/24 === 10.0.1.0/24
************************
Troubleshooting Examples
************************
IKE PROPOSAL are Different
==========================
In this situation, IKE SAs can be down or not active.
.. code-block:: none
vyos@vyos:~$ show vpn ike sa
The problem is in IKE phase (Phase 1). The next step is checking debug logs.
Responder Side:
.. code-block:: none
Jun 23 07:36:33 charon[2440]: 01[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Jun 23 07:36:33 charon-systemd[2440]: received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Jun 23 07:36:33 charon[2440]: 01[CFG] <1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Jun 23 07:36:33 charon-systemd[2440]: configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Jun 23 07:36:33 charon[2440]: 01[IKE] <1> received proposals unacceptable
Jun 23 07:36:33 charon-systemd[2440]: received proposals unacceptable
Jun 23 07:36:33 charon[2440]: 01[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Initiator side:
.. code-block:: none
Jun 23 07:36:32 charon-systemd[2444]: parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jun 23 07:36:32 charon[2444]: 14[IKE] <PEER|1> received NO_PROPOSAL_CHOSEN notify error
Jun 23 07:36:32 charon-systemd[2444]: received NO_PROPOSAL_CHOSEN notify error
The notification **NO_PROPOSAL_CHOSEN** means that the proposal mismatch.
On the Responder side there is concrete information where is mismatch.
Encryption **AES_CBC_128** is configured in IKE policy on the responder
but **AES_CBC_256** is configured on the initiator side.
PSK Secret Mismatch
===================
In this situation, IKE SAs can be down or not active.
.. code-block:: none
vyos@vyos:~$ show vpn ike sa
The problem is in IKE phase (Phase 1). The next step is checking debug logs.
Responder:
.. code-block:: none
Jun 23 08:07:26 charon-systemd[2440]: tried 1 shared key for '192.168.1.2' - '192.168.0.1', but MAC mismatched
Jun 23 08:07:26 charon[2440]: 13[ENC] <PEER|3> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Initiator side:
.. code-block:: none
Jun 23 08:07:24 charon[2436]: 12[ENC] <PEER|1> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jun 23 08:07:24 charon-systemd[2436]: parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jun 23 08:07:24 charon[2436]: 12[IKE] <PEER|1> received AUTHENTICATION_FAILED notify error
Jun 23 08:07:24 charon-systemd[2436]: received AUTHENTICATION_FAILED notify error
The notification **AUTHENTICATION_FAILED** means that the authentication
is failed. There is a reason to check PSK on both side.
ESP Proposal Mismatch
=====================
The output of **show** commands shows us that IKE SA is established but
IPSec SA is not.
.. code-block:: none
vyos@vyos:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
192.168.1.2 192.168.1.2 192.168.0.1 192.168.0.1
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv2 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 158 26817
.. code-block:: none
vyos@vyos:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
------------ ------- -------- -------------- ---------------- ---------------- ----------- ----------
The next step is checking debug logs.
Initiator side:
.. code-block:: none
Jun 23 08:16:10 charon[3789]: 13[NET] <PEER|1> received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes)
Jun 23 08:16:10 charon[3789]: 13[ENC] <PEER|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun 23 08:16:10 charon-systemd[3789]: received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes)
Jun 23 08:16:10 charon[3789]: 13[CFG] <PEER|1> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Jun 23 08:16:10 charon-systemd[3789]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun 23 08:16:10 charon-systemd[3789]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Jun 23 08:16:10 charon[3789]: 13[IKE] <PEER|1> authentication of '192.168.0.1' (myself) with pre-shared key
Jun 23 08:16:10 charon-systemd[3789]: authentication of '192.168.0.1' (myself) with pre-shared key
Jun 23 08:16:10 charon[3789]: 13[IKE] <PEER|1> establishing CHILD_SA PEER-tunnel-1{1}
Jun 23 08:16:10 charon-systemd[3789]: establishing CHILD_SA PEER-tunnel-1{1}
Jun 23 08:16:10 charon[3789]: 13[ENC] <PEER|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jun 23 08:16:10 charon-systemd[3789]: generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jun 23 08:16:10 charon[3789]: 13[NET] <PEER|1> sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes)
Jun 23 08:16:10 charon-systemd[3789]: sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes)
Jun 23 08:16:10 charon[3789]: 09[NET] <PEER|1> received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (140 bytes)
Jun 23 08:16:10 charon-systemd[3789]: received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (140 bytes)
Jun 23 08:16:10 charon[3789]: 09[ENC] <PEER|1> parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]
Jun 23 08:16:10 charon-systemd[3789]: parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]
Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> authentication of '192.168.1.2' with pre-shared key successful
Jun 23 08:16:10 charon-systemd[3789]: authentication of '192.168.1.2' with pre-shared key successful
Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> peer supports MOBIKE
Jun 23 08:16:10 charon-systemd[3789]: peer supports MOBIKE
Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2]
Jun 23 08:16:10 charon-systemd[3789]: IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2]
Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> scheduling rekeying in 26975s
Jun 23 08:16:10 charon-systemd[3789]: scheduling rekeying in 26975s
Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> maximum IKE_SA lifetime 29855s
Jun 23 08:16:10 charon-systemd[3789]: maximum IKE_SA lifetime 29855s
Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jun 23 08:16:10 charon-systemd[3789]: received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> failed to establish CHILD_SA, keeping IKE_SA
Jun 23 08:16:10 charon-systemd[3789]: failed to establish CHILD_SA, keeping IKE_SA
There are messages: **NO_PROPOSAL_CHOSEN** and
**failed to establish CHILD_SA** which refers that the problem is in
the IPsec(ESP) proposal mismatch.
The reason of this problem is showed on the responder side.
.. code-block:: none
Jun 23 08:16:12 charon[2440]: 01[CFG] <PEER|5> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 23 08:16:12 charon-systemd[2440]: received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 23 08:16:12 charon[2440]: 01[CFG] <PEER|5> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
Jun 23 08:16:12 charon-systemd[2440]: configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
Jun 23 08:16:12 charon[2440]: 01[IKE] <PEER|5> no acceptable proposal found
Jun 23 08:16:12 charon-systemd[2440]: no acceptable proposal found
Jun 23 08:16:12 charon[2440]: 01[IKE] <PEER|5> failed to establish CHILD_SA, keeping IKE_SA
Encryption **AES_CBC_128** is configured in IKE policy on the responder but **AES_CBC_256**
is configured on the initiator side.
Prefixes in Policies Mismatch
=============================
As in previous situation, IKE SA is in up state but IPsec SA is not up.
According to logs we can see **TS_UNACCEPTABLE** notification. It means
that prefixes (traffic selectors) mismatch on both sides
Initiator:
.. code-block:: none
Jun 23 14:13:17 charon[4996]: 11[IKE] <PEER|1> received TS_UNACCEPTABLE notify, no CHILD_SA built
Jun 23 14:13:17 charon-systemd[4996]: maximum IKE_SA lifetime 29437s
Jun 23 14:13:17 charon[4996]: 11[IKE] <PEER|1> failed to establish CHILD_SA, keeping IKE_SA
Jun 23 14:13:17 charon-systemd[4996]: received TS_UNACCEPTABLE notify, no CHILD_SA built
Jun 23 14:13:17 charon-systemd[4996]: failed to establish CHILD_SA, keeping IKE_SA
The reason of this problem is showed on the responder side.
.. code-block:: none
Jun 23 14:13:19 charon[2440]: 01[IKE] <PEER|7> traffic selectors 10.0.2.0/24 === 10.0.0.0/24 unacceptable
Jun 23 14:13:19 charon-systemd[2440]: traffic selectors 10.0.2.0/24 === 10.0.0.0/24 unacceptable
Jun 23 14:13:19 charon[2440]: 01[IKE] <PEER|7> failed to establish CHILD_SA, keeping IKE_SA
Jun 23 14:13:19 charon-systemd[2440]: failed to establish CHILD_SA, keeping IKE_SA
Jun 23 14:13:19 charon[2440]: 01[ENC] <PEER|7> generating IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ]
Jun 23 14:13:19 charon-systemd[2440]: generating IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ]
Traffic selectors **10.0.2.0/24 === 10.0.0.0/24** are unacceptable on the
responder side.
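Review bot: the conclusion of the "ESP Proposal Mismatch" section ("Encryption **AES_CBC_128** is configured in IKE policy on the responder but **AES_CBC_256** is configured on the initiator side") contradicts the logs it follows, which show `received proposals: ESP:AES_CBC_256/...` against `configured proposals: ESP:AES_CBC_128/...` while the IKE SA is already up; the sentence should point at the ESP group (`set vpn ipsec esp-group <name> proposal <n> encryption`) on each side, not the IKE policy. Language fixes while you are here: "rekeing" should be "rekeying"; "which are use for policy" should be "which are used for the policy"; the heading "IKE PROPOSAL are Different" should match its siblings, e.g. "IKE Proposal Mismatch"; "means that the proposal mismatch" should be "means that the proposals mismatch"; "the authentication is failed. There is a reason to check PSK on both side" should be "authentication failed; check the PSK on both sides"; "The reason of this problem is showed on the responder side" (used twice) should be "The reason for this problem is shown on the responder side"; and "IPSec SA" should be "IPsec SA" for consistency with the rest of the page. The two `show vpn ike sa` blocks in the IKE-proposal and PSK sections contain only the command, so state explicitly that empty output (no IKE SA listed) is the symptom, otherwise they read as truncated. Finally, every log excerpt carries each message twice (`charon[...]` and `charon-systemd[...]`); keeping one of the two streams would halve the blocks and make the lines that matter (`N(NO_PROP)`, `N(AUTH_FAILED)`, `N(TS_UNACCEPT)`) easier to spot.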

View File

@ -1,427 +0,0 @@
.. _size2site_ipsec:
Site-to-Site
============
Site-to-site mode provides a way to add remote peers, which could be configured
to exchange encrypted information between them and VyOS itself or
connected/routed networks.
To configure site-to-site connection you need to add peers with the
``set vpn ipsec site-to-site peer <name>`` command.
The peer name must be an alphanumeric and can have hypen or underscore as
special characters. It is purely informational.
Each site-to-site peer has the next options:
* ``authentication`` - configure authentication between VyOS and a remote peer.
Suboptions:
* ``psk`` - Preshared secret key name:
* ``dhcp-interface`` - ID for authentication generated from DHCP address
dynamically;
* ``id`` - static ID's for authentication. In general local and remote
address ``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``;
* ``secret`` - predefined shared secret. Used if configured mode
``pre-shared-secret``;
* ``local-id`` - ID for the local VyOS router. If defined, during the
authentication
it will be send to remote peer;
* ``mode`` - mode for authentication between VyOS and remote peer:
* ``pre-shared-secret`` - use predefined shared secret phrase;
* ``rsa`` - use simple shared RSA key. The key must be defined in the
``set vpn rsa-keys`` section;
* ``x509`` - use certificates infrastructure for authentication.
* ``remote-id`` - define an ID for remote peer, instead of using peer name or
address. Useful in case if the remote peer is behind NAT or if ``mode x509``
is used;
* ``rsa-key-name`` - shared RSA key for authentication. The key must be defined
in the ``set vpn rsa-keys`` section;
* ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when
``id`` is defined;
* ``x509`` - options for x509 authentication mode:
* ``ca-cert-file`` - CA certificate file. Using for authenticating
remote peer;
* ``cert-file`` - certificate file, which will be used for authenticating
local router on remote peer;
* ``crl-file`` - file with the Certificate Revocation List. Using to check if
a certificate for the remote peer is valid or revoked;
* ``key`` - a private key, which will be used for authenticating local router
on remote peer:
* ``file`` - path to the key file;
* ``password`` - passphrase private key, if needed.
* ``connection-type`` - how to handle this connection process. Possible
variants:
* ``initiate`` - does initial connection to remote peer immediately after
configuring and after boot. In this mode the connection will not be restarted
in case of disconnection, therefore should be used only together with DPD or
another session tracking methods;
* ``respond`` - does not try to initiate a connection to a remote peer. In this
mode, the IPSec session will be established only after initiation from a
remote peer. Could be useful when there is no direct connectivity to the
peer due to firewall or NAT in the middle of the local and remote side.
* ``none`` - loads the connection only, which then can be manually initiated or
used as a responder configuration.
* ``default-esp-group`` - ESP group to use by default for traffic encryption.
Might be overwritten by individual settings for tunnel or VTI interface
binding;
* ``description`` - description for this peer;
* ``dhcp-interface`` - use an IP address, received from DHCP for IPSec
connection with this peer, instead of ``local-address``;
* ``force-udp-encapsulation`` - force encapsulation of ESP into UDP datagrams.
Useful in case if between local and remote side is firewall or NAT, which not
allows passing plain ESP packets between them;
* ``ike-group`` - IKE group to use for key exchanges;
* ``ikev2-reauth`` - reauthenticate remote peer during the rekeying process.
Can be used only with IKEv2.
Create a new IKE_SA from the scratch and try to recreate all IPsec SAs;
* ``local-address`` - local IP address for IPSec connection with this peer.
If defined ``any``, then an IP address which configured on interface with
default route will be used;
* ``remote-address`` - remote IP address or hostname for IPSec connection.
IPv4 or IPv6 address is used when a peer has a public static IP address.
Hostname is a DNS name which could be used when a peer has a public IP
address and DNS name, but an IP address could be changed from time to time.
* ``tunnel`` - define criteria for traffic to be matched for encrypting and send
it to a peer:
* ``disable`` - disable this tunnel;
* ``esp-group`` - define ESP group for encrypt traffic, defined by this tunnel;
* ``local`` - define a local source for match traffic, which should be
encrypted and send to this peer:
* ``port`` - define port. Have effect only when used together with ``prefix``;
* ``prefix`` - IP network at local side.
* ``protocol`` - define the protocol for match traffic, which should be
encrypted and send to this peer;
* ``remote`` - define the remote destination for match traffic, which should be
encrypted and send to this peer:
* ``port`` - define port. Have effect only when used together with ``prefix``;
* ``prefix`` - IP network at remote side.
* ``vti`` - use a VTI interface for traffic encryption. Any traffic, which will
be send to VTI interface will be encrypted and send to this peer. Using VTI
makes IPSec configuration much flexible and easier in complex situation, and
allows to dynamically add/delete remote networks, reachable via a peer, as in
this mode router don't need to create additional SA/policy for each remote
network:
* ``bind`` - select a VTI interface to bind to this peer;
* ``esp-group`` - define ESP group for encrypt traffic, passed this VTI
interface.
* ``virtual-address`` - Defines a virtual IP address which is requested by the
initiator and one or several IPv4 and/or IPv6 addresses are assigned from
multiple pools by the responder.
Examples:
------------------
IKEv1
^^^^^
Example:
* WAN interface on `eth1`
* left subnet: `192.168.0.0/24` site1, server side (i.e. locality, actually
there is no client or server roles)
* left local_ip: `198.51.100.3` # server side WAN IP
* right subnet: `10.0.0.0/24` site2,remote office side
* right local_ip: `203.0.113.2` # remote office side WAN IP
.. code-block:: none
# server config
set vpn ipsec authentication psk OFFICE-B id '198.51.100.3'
set vpn ipsec authentication psk OFFICE-B id '203.0.113.2'
set vpn ipsec authentication psk OFFICE-B secret 'SomePreSharedKey'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer OFFICE-B authentication local-id '198.51.100.3'
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '203.0.113.2'
set vpn ipsec site-to-site peer OFFICE-B ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer OFFICE-B local-address '198.51.100.3'
set vpn ipsec site-to-site peer OFFICE-B remote-address '203.0.113.2'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 local prefix '192.168.0.0/24'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '10.0.0.0/21'
# remote office config
set vpn ipsec authentication psk OFFICE-A id '198.51.100.3'
set vpn ipsec authentication psk OFFICE-A id '203.0.113.2'
set vpn ipsec authentication psk OFFICE-A secret 'SomePreSharedKey'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer OFFICE-A authentication local-id '203.0.113.2'
set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '198.51.100.3'
set vpn ipsec site-to-site peer OFFICE-A ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer OFFICE-A local-address '203.0.113.2'
set vpn ipsec site-to-site peer OFFICE-A remote-address '198.51.100.3'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 local prefix '10.0.0.0/21'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 remote prefix '192.168.0.0/24'
Show status of new setup:
.. code-block:: none
vyos@srv-gw0:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
203.0.113.2 198.51.100.3
State Encrypt Hash D-H Grp NAT-T A-Time L-Time
----- ------- ---- ------- ----- ------ ------
up aes256 sha1 5 no 734 3600
vyos@srv-gw0:~$ show vpn ipsec sa
Peer ID / IP Local ID / IP
------------ -------------
203.0.113.2 198.51.100.3
Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
------ ----- ------------- ------- ---- ----- ------ ------ -----
0 up 7.5M/230.6K aes256 sha1 no 567 1800 all
If there is SNAT rules on eth1, need to add exclude rule
.. code-block:: none
# server side
set nat source rule 10 destination address '10.0.0.0/24'
set nat source rule 10 'exclude'
set nat source rule 10 outbound-interface name 'eth1'
set nat source rule 10 source address '192.168.0.0/24'
# remote office side
set nat source rule 10 destination address '192.168.0.0/24'
set nat source rule 10 'exclude'
set nat source rule 10 outbound-interface name 'eth1'
set nat source rule 10 source address '10.0.0.0/24'
To allow traffic to pass through to clients, you need to add the following
rules. (if you used the default configuration at the top of this page)
.. code-block:: none
# server side
set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
set firewall name OUTSIDE-LOCAL rule 32 source address '10.0.0.0/24'
# remote office side
set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
set firewall name OUTSIDE-LOCAL rule 32 source address '192.168.0.0/24'
IKEv2
^^^^^
Example:
* left local_ip: 192.168.0.10 # VPN Gateway, behind NAT device
* left public_ip:172.18.201.10
* right local_ip: 172.18.202.10 # right side WAN IP
Imagine the following topology
.. figure:: /_static/images/vpn_s2s_ikev2_c.png
:scale: 50 %
:alt: IPSec IKEv2 site2site VPN
IPSec IKEv2 site2site VPN (source ./draw.io/vpn_s2s_ikev2.drawio)
**LEFT:**
* WAN interface on `eth0.201`
* `eth0.201` interface IP: `172.18.201.10/24`
* `vti10` interface IP: `10.0.0.2/31`
* `dum0` interface IP: `10.0.11.1/24` (for testing purposes)
**RIGHT:**
* WAN interface on `eth0.202`
* `eth0.201` interface IP: `172.18.202.10/24`
* `vti10` interface IP: `10.0.0.3/31`
* `dum0` interface IP: `10.0.12.1/24` (for testing purposes)
.. note:: Don't get confused about the used /31 tunnel subnet. :rfc:`3021`
gives you additional information for using /31 subnets on point-to-point
links.
**LEFT**
.. code-block:: none
set interfaces ethernet eth0 vif 201 address '172.18.201.10/24'
set interfaces dummy dum0 address '10.0.11.1/24'
set interfaces vti vti10 address '10.0.0.2/31'
set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.201.10'
set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.202.10'
set vpn ipsec authentication psk peer_172-18-202-10 secret 'secretkey'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec interface 'eth0.201'
set vpn ipsec site-to-site peer peer_172-18-202-10 authentication local-id '172.18.201.10'
set vpn ipsec site-to-site peer peer_172-18-202-10 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_172-18-202-10 authentication remote-id '172.18.202.10'
set vpn ipsec site-to-site peer peer_172-18-202-10 connection-type 'initiate'
set vpn ipsec site-to-site peer peer_172-18-202-10 ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer peer_172-18-202-10 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_172-18-202-10 local-address '172.18.201.10'
set vpn ipsec site-to-site peer peer_172-18-202-10 remote-address '172.18.202.10'
set vpn ipsec site-to-site peer peer_172-18-202-10 vti bind 'vti10'
set vpn ipsec site-to-site peer peer_172-18-202-10 vti esp-group 'ESP_DEFAULT'
set protocols static interface-route 10.0.12.0/24 next-hop-interface vti10
**RIGHT**
.. code-block:: none
set interfaces ethernet eth0 vif 202 address '172.18.202.10/24'
set interfaces dummy dum0 address '10.0.12.1/24'
set interfaces vti vti10 address '10.0.0.3/31'
set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.202.10'
set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.201.10'
set vpn ipsec authentication psk peer_172-18-201-10 secret 'secretkey'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec interface 'eth0.202'
set vpn ipsec site-to-site peer peer_172-18-201-10 authentication local-id '172.18.202.10'
set vpn ipsec site-to-site peer peer_172-18-201-10 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_172-18-201-10 authentication remote-id '172.18.201.10'
set vpn ipsec site-to-site peer peer_172-18-201-10 connection-type 'initiate'
set vpn ipsec site-to-site peer peer_172-18-201-10 ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer peer_172-18-201-10 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_172-18-201-10 local-address '172.18.202.10'
set vpn ipsec site-to-site peer peer_172-18-201-10 remote-address '172.18.201.10'
set vpn ipsec site-to-site peer peer_172-18-201-10 vti bind 'vti10'
set vpn ipsec site-to-site peer peer_172-18-201-10 vti esp-group 'ESP_DEFAULT'
set protocols static interface-route 10.0.11.0/24 next-hop-interface vti10
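Review bot: two things in the LEFT/RIGHT configuration blocks need a sentence of explanation in the text that follows. The ``authentication psk peer_172-18-201-10`` entry lists both ``id '172.18.202.10'`` and ``id '172.18.201.10'`` (the LEFT block mirrors this), but nothing in Key Parameters says why both the local and the remote IKE identity appear under the PSK entry, or that they are the same values given as ``authentication local-id`` / ``remote-id`` on the peer; a one-line note would prevent the most common PSK mismatch. Next, ``encryption 'aes256gcm128'`` is an AEAD cipher that carries its own integrity check, so ``hash 'sha256'`` in the ``ESP_DEFAULT`` proposal is not a separate ESP integrity algorithm; say what the hash field means in that combination (the PRF for the IKE proposal) so readers do not assume ESP traffic is protected with HMAC-SHA256 as well. Finally, ``secret 'secretkey'`` should be an obvious placeholder with a reminder to use a long random value.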
Key Parameters:
* ``authentication local-id/remote-id`` - IKE identification is used for
validation of VPN peer devices during IKE negotiation. If you do not configure
local/remote-identity, the device uses the IPv4 or IPv6 address that
corresponds to the local/remote peer by default.
In certain network setups (like ipsec interface with dynamic address, or
behind the NAT ), the IKE ID received from the peer does not match the IKE
gateway configured on the device. This can lead to a Phase 1 validation
failure.
So, make sure to configure the local/remote id explicitly and ensure that the
IKE ID is the same as the remote-identity configured on the peer device.
* ``disable-route-autoinstall`` - This option when configured disables the
routes installed in the default table 220 for site-to-site ipsec.
It is mostly used with VTI configuration.
* ``dead-peer-detection action = clear | trap | restart`` - R_U_THERE
notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2)
are periodically sent in order to check the liveliness of the IPsec peer. The
values clear, trap, and restart all activate DPD and determine the action to
perform on a timeout.
With ``clear`` the connection is closed with no further actions taken.
``trap`` installs a trap policy, which will catch matching traffic and tries
to re-negotiate the connection on demand.
``restart`` will immediately trigger an attempt to re-negotiate the
connection.
* ``close-action = none | clear | trap | start`` - defines the action to take
if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of
values). A closeaction should not be used if the peer uses reauthentication or
uniqueids.
When the close-action option is set on the peers, the connection-type
of each peer has to considered carefully. For example, if the option is set
on both peers, then both would attempt to initiate and hold open multiple
copies of each child SA. This might lead to instability of the device or
cpu/memory utilization.
Below flow-chart could be a quick reference for the close-action
combination depending on how the peer is configured.
.. figure:: /_static/images/IPSec_close_action_settings.jpg
Similar combinations are applicable for the dead-peer-detection.
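Review bot: the ``close-action`` item says "see above for meaning of values", but its list is ``none | clear | trap | start`` while the ``dead-peer-detection`` item above only defines ``clear``, ``trap`` and ``restart``; ``none`` and ``start`` are never explained, so either define them here or align the two lists. The ``disable-route-autoinstall`` item says it "is mostly used with VTI configuration", yet the VTI-based LEFT/RIGHT examples above do not set it; either add it to the examples or state why it is not needed there, and give its full configuration path as the other items do. Wording fixes: "local/remote-identity" should use the real option names ``local-id`` / ``remote-id``; "like ipsec interface with dynamic address, or behind the NAT )" needs an article, "IPsec", and the stray space removed; "messages(IKEv1)" needs a space; "closeaction" and "uniqueids" are strongSwan option names and should be marked as code or written as "close-action" and "unique IDs"; "has to considered" should be "has to be considered"; "instability of the device or cpu/memory utilization" should read "... or high CPU/memory utilization"; "Below flow-chart could be a quick reference" should read "The flow chart below is a quick reference". Also, if the blank lines are not just lost in rendering, the ``.. figure::`` directive (and the ``.. code-block:: none`` above the RIGHT block) needs a blank line before and after it to render in RST, and the figure should carry a caption or alt text describing the close-action matrix.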