Merge pull request #1082 from nicolas-fort/blueprint-fwall-ipsec

Config blueprints: Add new example in configuration blueprints
2025-10-26 08:41:46 +01:00 · 2023-09-13 20:40:26 +02:00 · 2023-09-13 20:40:26 +02:00 · ed13fc4624
commit ed13fc4624
parent 55b1909b03 ee209ead6d
3 changed files with 282 additions and 0 deletions
--- a/docs/_static/images/policy-based-ipsec-and-firewall.png
+++ b/docs/_static/images/policy-based-ipsec-and-firewall.png
--- a/docs/configexamples/index.rst
+++ b/docs/configexamples/index.rst
@ -21,6 +21,7 @@ This chapter contains various configuration examples:
   qos
   segment-routing-isis
   nmp
+   policy-based-ipsec-and-firewall


 Configuration Blueprints (autotest)
--- a/docs/configexamples/policy-based-ipsec-and-firewall.rst
+++ b/docs/configexamples/policy-based-ipsec-and-firewall.rst
@ -0,0 +1,281 @@
+.. _examples-policy-based-ipsec-and-firewall:
+
+
+Policy-Based Site-to-Site VPN and Firewall Configuration
+--------------------------------------------------------
+
+This guide shows an example policy-based IKEv2 site-to-site VPN between two
+VyOS routers, and firewall configiuration.
+
+For simplicity, configuration and tests are done only using ipv4, and firewall
+configuration in done only on one router.
+
+Network Topology and requirements
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+This configuration example and the requirments consists on:
+
+- Two VyOS routers with public IP address.
+
+- 2 private subnets on each site.
+
+- Local subnets should be able to reach internet using source nat.
+
+- Communication between private subnets should be done through ipsec tunnel
+  without nat.
+
+- Configuration of basic firewall in one site, in order to:
+
+    - Protect the router on 'WAN' interface, allowing only ipsec connections
+      and ssh access from trusted ips.
+
+    - Allow access to the router only from trusted networks.
+    
+    - Allow dns requests only only for local networks.
+
+    - Allow icmp on all interfaces.
+
+    - Allow all new connections from local subnets.
+
+    - Allow connections from LANs to LANs throught the tunnel.
+
+
+.. image:: /_static/images/policy-based-ipsec-and-firewall.png
+
+
+Configuration
+^^^^^^^^^^^^^
+
+Interface and routing configuration:
+
+.. code-block:: none
+
+    # LEFT router:
+    set interfaces ethernet eth0 address '198.51.100.14/30'
+    set interfaces ethernet eth1 vif 111 address '10.1.11.1/24'
+    set interfaces ethernet eth2 vif 112 address '10.1.12.1/24'
+    set protocols static route 0.0.0.0/0 next-hop 198.51.100.13
+
+    # RIGHT router:
+    set interfaces ethernet eth0 address '192.0.2.130/30'
+    set interfaces ethernet eth1 vif 221 address '10.2.21.1/24'
+    set interfaces ethernet eth2 vif 222 address '10.2.22.1/24'
+
+
+IPSec configuration:
+
+.. code-block:: none
+
+    # LEFT router:
+    set vpn ipsec authentication psk RIGHT id '198.51.100.14'
+    set vpn ipsec authentication psk RIGHT id '192.0.2.130'
+    set vpn ipsec authentication psk RIGHT secret 'p4ssw0rd'
+    set vpn ipsec esp-group ESP-GROUP mode 'tunnel'
+    set vpn ipsec esp-group ESP-GROUP proposal 1 encryption 'aes256'
+    set vpn ipsec esp-group ESP-GROUP proposal 1 hash 'sha256'
+    set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
+    set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group '14'
+    set vpn ipsec ike-group IKE-GROUP proposal 1 encryption 'aes256'
+    set vpn ipsec ike-group IKE-GROUP proposal 1 hash 'sha256'
+    set vpn ipsec interface 'eth0'
+    set vpn ipsec site-to-site peer RIGHT authentication mode 'pre-shared-secret'
+    set vpn ipsec site-to-site peer RIGHT connection-type 'initiate'
+    set vpn ipsec site-to-site peer RIGHT default-esp-group 'ESP-GROUP'
+    set vpn ipsec site-to-site peer RIGHT ike-group 'IKE-GROUP'
+    set vpn ipsec site-to-site peer RIGHT local-address '198.51.100.14'
+    set vpn ipsec site-to-site peer RIGHT remote-address '192.0.2.130'
+    set vpn ipsec site-to-site peer RIGHT tunnel 0 local prefix '10.1.11.0/24'
+    set vpn ipsec site-to-site peer RIGHT tunnel 0 remote prefix '10.2.21.0/24'
+    set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix '10.1.11.0/24'
+    set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix '10.2.22.0/24'
+    set vpn ipsec site-to-site peer RIGHT tunnel 2 local prefix '10.1.12.0/24'
+    set vpn ipsec site-to-site peer RIGHT tunnel 2 remote prefix '10.2.21.0/24'
+    set vpn ipsec site-to-site peer RIGHT tunnel 3 local prefix '10.1.12.0/24'
+    set vpn ipsec site-to-site peer RIGHT tunnel 3 remote prefix '10.2.22.0/24'
+
+    # RIGHT router:
+    set vpn ipsec authentication psk LEFT id '192.0.2.130'
+    set vpn ipsec authentication psk LEFT id '198.51.100.14'
+    set vpn ipsec authentication psk LEFT secret 'p4ssw0rd'
+    set vpn ipsec esp-group ESP-GROUP mode 'tunnel'
+    set vpn ipsec esp-group ESP-GROUP proposal 1 encryption 'aes256'
+    set vpn ipsec esp-group ESP-GROUP proposal 1 hash 'sha256'
+    set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
+    set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group '14'
+    set vpn ipsec ike-group IKE-GROUP proposal 1 encryption 'aes256'
+    set vpn ipsec ike-group IKE-GROUP proposal 1 hash 'sha256'
+    set vpn ipsec interface 'eth0'
+    set vpn ipsec site-to-site peer LEFT authentication mode 'pre-shared-secret'
+    set vpn ipsec site-to-site peer LEFT connection-type 'respond'
+    set vpn ipsec site-to-site peer LEFT default-esp-group 'ESP-GROUP'
+    set vpn ipsec site-to-site peer LEFT ike-group 'IKE-GROUP'
+    set vpn ipsec site-to-site peer LEFT local-address '192.0.2.130'
+    set vpn ipsec site-to-site peer LEFT remote-address '198.51.100.14'
+    set vpn ipsec site-to-site peer LEFT tunnel 0 local prefix '10.2.21.0/24'
+    set vpn ipsec site-to-site peer LEFT tunnel 0 remote prefix '10.1.11.0/24'
+    set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix '10.2.22.0/24'
+    set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix '10.1.11.0/24'
+    set vpn ipsec site-to-site peer LEFT tunnel 2 local prefix '10.2.21.0/24'
+    set vpn ipsec site-to-site peer LEFT tunnel 2 remote prefix '10.1.12.0/24'
+    set vpn ipsec site-to-site peer LEFT tunnel 3 local prefix '10.2.22.0/24'
+    set vpn ipsec site-to-site peer LEFT tunnel 3 remote prefix '10.1.12.0/24'
+
+Firewall Configuration:
+
+.. code-block:: none
+
+    # Firewall Groups:
+    set firewall group network-group LOCAL-NETS network '10.1.11.0/24'
+    set firewall group network-group LOCAL-NETS network '10.1.12.0/24'
+    set firewall group network-group REMOTE-NETS network '10.2.21.0/24'
+    set firewall group network-group REMOTE-NETS network '10.2.22.0/24'
+    set firewall group network-group TRUSTED network '198.51.100.125/32'
+    set firewall group network-group TRUSTED network '203.0.113.0/24'
+    set firewall group network-group TRUSTED network '10.1.11.0/24'
+    set firewall group network-group TRUSTED network '192.168.70.0/24'
+
+    # Forward traffic: default drop and only allow what is needed
+    set firewall ipv4 forward filter default-action 'drop'
+    
+    # Forward traffic: global state policies
+    set firewall ipv4 forward filter rule 1 action 'accept'
+    set firewall ipv4 forward filter rule 1 state established 'enable'
+    set firewall ipv4 forward filter rule 1 state related 'enable'
+    set firewall ipv4 forward filter rule 2 action 'drop'
+    set firewall ipv4 forward filter rule 2 state invalid 'enable'
+    
+    # Forward traffic: Accept all connections from local networks
+    set firewall ipv4 forward filter rule 10 action 'accept'
+    set firewall ipv4 forward filter rule 10 source group network-group 'LOCAL-NETS'
+    
+    # Forward traffic: accept connections from remote LANs to local LANs
+    set firewall ipv4 forward filter rule 20 action 'accept'
+    set firewall ipv4 forward filter rule 20 destination group network-group 'LOCAL-NETS'
+    set firewall ipv4 forward filter rule 20 source group network-group 'REMOTE-NETS'
+
+    # Input traffic: default drop and only allow what is needed
+    set firewall ipv4 input filter default-action 'drop'
+
+    # Input traffic: global state policies
+    set firewall ipv4 input filter rule 1 action 'accept'
+    set firewall ipv4 input filter rule 1 state established 'enable'
+    set firewall ipv4 input filter rule 1 state related 'enable'
+    set firewall ipv4 input filter rule 2 action 'drop'
+    set firewall ipv4 input filter rule 2 state invalid 'enable'
+
+    # Input traffic: add rules needed for ipsec connection
+    set firewall ipv4 input filter rule 10 action 'accept'
+    set firewall ipv4 input filter rule 10 destination port '500,4500'
+    set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth0'
+    set firewall ipv4 input filter rule 10 protocol 'udp'
+    set firewall ipv4 input filter rule 15 action 'accept'
+    set firewall ipv4 input filter rule 15 inbound-interface interface-name 'eth0'
+    set firewall ipv4 input filter rule 15 protocol 'esp'
+
+    # Input traffic: accept ssh connection from trusted ips
+    set firewall ipv4 input filter rule 20 action 'accept'
+    set firewall ipv4 input filter rule 20 destination port '22'
+    set firewall ipv4 input filter rule 20 protocol 'tcp'
+    set firewall ipv4 input filter rule 20 source group network-group 'TRUSTED'
+
+    # Input traffic: accepd dns requests only from local networks.
+    set firewall ipv4 input filter rule 25 action 'accept'
+    set firewall ipv4 input filter rule 25 destination port '53'
+    set firewall ipv4 input filter rule 25 protocol 'udp'
+    set firewall ipv4 input filter rule 25 source group network-group 'LOCAL-NETS'
+
+    # Input traffic: allow icmp
+    set firewall ipv4 input filter rule 30 action 'accept'
+    set firewall ipv4 input filter rule 30 protocol 'icmp'
+
+And NAT Configuration:
+
+.. code-block:: none
+
+    set nat source rule 10 destination group network-group 'REMOTE-NETS'
+    set nat source rule 10 exclude
+    set nat source rule 10 outbound-interface 'eth0'
+    set nat source rule 10 source group network-group 'LOCAL-NETS'
+    set nat source rule 20 outbound-interface 'eth0'
+    set nat source rule 20 source group network-group 'LOCAL-NETS'
+    set nat source rule 20 translation address 'masquerade'
+
+Checking through op-mode commands
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+After some testing, we can check ipsec status, and counter on every tunnel:
+
+.. code-block:: none
+
+    vyos@LEFT:~$ show vpn ipsec sa
+    Connection      State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
+    --------------  -------  --------  --------------  ----------------  ----------------  -----------  ---------------------------------------
+    RIGHT-tunnel-0  up       36m24s    840B/840B       10/10             192.0.2.130       192.0.2.130  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
+    RIGHT-tunnel-1  up       36m33s    588B/588B       7/7               192.0.2.130       192.0.2.130  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
+    RIGHT-tunnel-2  up       35m50s    1K/1K           15/15             192.0.2.130       192.0.2.130  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
+    RIGHT-tunnel-3  up       36m54s    2K/2K           32/32             192.0.2.130       192.0.2.130  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
+    vyos@LEFT:~$ 
+
+
+Also, we can check firewall counters:
+
+.. code-block:: none
+
+    vyos@LEFT:~$ show firewall
+    Rulesets Information
+
+    ---------------------------------
+    IPv4 Firewall "forward filter"
+
+    Rule     Action    Protocol      Packets    Bytes  Conditions
+    -------  --------  ----------  ---------  -------  ------------------------------------------------------
+    1        accept    all               681    96545  ct state { established, related }  accept
+    2        drop      all                 0        0  ct state invalid
+    10       accept    all               360    27205  ip saddr @N_LOCAL-NETS  accept
+    20       accept    all                 8      648  ip daddr @N_LOCAL-NETS ip saddr @N_REMOTE-NETS  accept
+    default  drop      all
+
+    ---------------------------------
+    IPv4 Firewall "input filter"
+
+    Rule     Action    Protocol      Packets    Bytes  Conditions
+    -------  --------  ----------  ---------  -------  ----------------------------------------------
+    1        accept    all               901   123709  ct state { established, related }  accept
+    2        drop      all                 0        0  ct state invalid
+    10       accept    udp                 0        0  udp dport { 500, 4500 } iifname "eth0"  accept
+    15       accept    esp                 0        0  meta l4proto esp iifname "eth0"  accept
+    20       accept    tcp                 1       60  tcp dport 22 ip saddr @N_TRUSTED  accept
+    25       accept    udp                 0        0  udp dport 53 ip saddr @N_LOCAL-NETS  accept
+    30       accept    icmp                0        0  meta l4proto icmp  accept
+    default  drop      all
+
+    vyos@LEFT:~$ 
+    vyos@LEFT:~$ show firewall statistics 
+    Rulesets Statistics
+
+    ---------------------------------
+    IPv4 Firewall "forward filter"
+
+    Rule     Packets    Bytes    Action    Source       Destination    Inbound-Interface    Outbound-interface
+    -------  ---------  -------  --------  -----------  -------------  -------------------  --------------------
+    1        681        96545    accept    any          any            any                  any
+    2        0          0        drop      any          any            any                  any
+    10       360        27205    accept    LOCAL-NETS   any            any                  any
+    20       8          648      accept    REMOTE-NETS  LOCAL-NETS     any                  any
+    default  N/A        N/A      drop      any          any            any                  any
+
+    ---------------------------------
+    IPv4 Firewall "input filter"
+
+    Rule     Packets    Bytes    Action    Source      Destination    Inbound-Interface    Outbound-interface
+    -------  ---------  -------  --------  ----------  -------------  -------------------  --------------------
+    1        905        124213   accept    any         any            any                  any
+    2        0          0        drop      any         any            any                  any
+    10       0          0        accept    any         any            eth0                 any
+    15       0          0        accept    any         any            eth0                 any
+    20       1          60       accept    TRUSTED     any            any                  any
+    25       0          0        accept    LOCAL-NETS  any            any                  any
+    30       0          0        accept    any         any            any                  any
+    default  N/A        N/A      drop      any         any            any                  any
+
+    vyos@LEFT:~$