96cccadc74a35d15126cda4263f6c63403fb57d9
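--- a/EdgeOS-GRE-IPsec-Example.md
+++ b/EdgeOS-GRE-IPsec-Example.md
@@ -0,0 +1,484 @@
+# EdgeOS GRE/IPsec config example
+This is an example configuration, created on EdgeOS version 1.5.0alpha1, for the Ubiquiti EdgeRouter Lite derived from the config used on a peering router in AS64746.
+
+## Features
+* Zone-based firewall
+* BGP prefix filtering and route summarization
+* GRE/IPsec tunnel in transport mode with "plainrsa" public key authentication
+* TCP MSS clamping to avoid fragmentation
+
+## Setup
+This configuration assumes that both peers have static public IPs.
+
+You'll need to generate a public/private keypair for your router if you intend to use "plainrsa" authentication for your IPsec connections. The local public key listed in the output is what you'll send to your peer.
+
+ ryan@edge1:~$ generate vpn rsa-key bits 4096
+ ryan@edge1:~$ show vpn ike rsa-keys
+
+ Local public key (/config/ipsec.d/rsa-keys/localhost.key):
+
+ 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
+If your peer sends you a key in PEM format (starts with `-----BEGIN PUBLIC KEY-----`), you'll need to convert it to the format used by EdgeOS (begins with `0s`) in order to insert it into the configuration. See [this forum post](http://community.ubnt.com/t5/EdgeMAX/ERL-lt-gt-Mikrotik-IPsec-Connections/m-p/534682#M13015) for a script to convert between the two key formats.
+
+## Configuration
+
+ firewall {
+ all-ping enable
+ broadcast-ping disable
+ ipv6-receive-redirects disable
+ ipv6-src-route disable
+ ip-src-route disable
+ log-martians enable
+ name DN42-to-Local {
+ default-action reject
+ rule 10 {
+ action accept
+ description Established/Related
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 20 {
+ action accept
+ description ICMP
+ protocol icmp
+ }
+ rule 30 {
+ action accept
+ description BGP
+ destination {
+ port bgp
+ }
+ protocol tcp
+ state {
+ new enable
+ }
+ tcp {
+ flags SYN,!ACK,!FIN,!RST
+ }
+ }
+ }
+ name DN42-to-LAN {
+ default-action reject
+ rule 10 {
+ action accept
+ description Established/Related
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 20 {
+ action accept
+ description ICMP
+ protocol icmp
+ }
+ }
+ name WAN-to-Local {
+ default-action drop
+ rule 10 {
+ action accept
+ description Established/Related
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 20 {
+ action accept
+ description ICMP
+ protocol icmp
+ }
+ rule 30 {
+ action accept
+ description "SSH Management"
+ destination {
+ port 22
+ }
+ protocol tcp
+ state {
+ new enable
+ }
+ tcp {
+ flags SYN,!ACK,!FIN,!RST
+ }
+ }
+ rule 40 {
+ action accept
+ description IKE
+ destination {
+ port 500,4500
+ }
+ protocol udp
+ }
+ rule 50 {
+ action accept
+ description IPSEC/ESP
+ protocol esp
+ }
+ rule 60 {
+ action accept
+ description "GRE over IPsec"
+ ipsec {
+ match-ipsec
+ }
+ protocol gre
+ }
+ }
+ name established-only {
+ default-action drop
+ rule 10 {
+ action accept
+ description Established/Related
+ state {
+ established enable
+ related enable
+ }
+ }
+ }
+ name allow-all-v4 {
+ default-action accept
+ }
+ options {
+ mss-clamp {
+ interface-type tun
+ mss 1300
+ }
+ }
+ receive-redirects disable
+ send-redirects enable
+ source-validation disable
+ syn-cookies enable
+ }
+ interfaces {
+ ethernet eth0 {
+ address 192.0.2.2/30
+ description WAN
+ duplex auto
+ speed auto
+ }
+ ethernet eth1 {
+ address 172.23.248.33/27
+ description LAN
+ duplex auto
+ speed auto
+ }
+ ethernet eth2 {
+ disable
+ duplex auto
+ speed auto
+ }
+ loopback lo {
+ address 172.23.248.2/32
+ }
+ tunnel tun0 {
+ address 172.23.248.10/31
+ description "CREST-DN42 AS64828"
+ encapsulation gre
+ local-ip 192.0.2.2
+ mtu 1400
+ multicast disable
+ remote-ip 192.0.2.243
+ ttl 255
+ }
+ }
+ policy {
+ prefix-list DN42-IPv4 {
+ rule 1 {
+ action permit
+ description "DN42 native"
+ ge 23
+ le 28
+ prefix 172.22.0.0/15
+ }
+ rule 2 {
+ action permit
+ description "DN42 anycast"
+ ge 32
+ prefix 172.22.0.0/24
+ }
+ rule 3 {
+ action permit
+ description Freifunk
+ ge 16
+ prefix 10.0.0.0/8
+ }
+ rule 4 {
+ action permit
+ description ChaosVPN
+ ge 23
+ prefix 172.31.0.0/16
+ }
+ rule 65535 {
+ action deny
+ prefix 0.0.0.0/0
+ }
+ }
+ route-map DN42 {
+ rule 1 {
+ action permit
+ match {
+ ip {
+ address {
+ prefix-list DN42-IPv4
+ }
+ }
+ }
+ }
+ rule 65535 {
+ action deny
+ }
+ }
+ }
+ protocols {
+ bgp 64746 {
+ aggregate-address 172.23.248.0/24 {
+ summary-only
+ }
+ neighbor 172.23.248.11 {
+ description CREST-DN42
+ peer-group DN42
+ remote-as 64828
+ update-source 172.23.248.10
+ }
+ network 172.23.248.0/24 {
+ }
+ parameters {
+ router-id 172.23.248.2
+ }
+ peer-group DN42 {
+ route-map {
+ export DN42
+ import DN42
+ }
+ soft-reconfiguration {
+ inbound
+ }
+ }
+ }
+ static {
+ route 0.0.0.0/0 {
+ next-hop 192.0.2.1 {
+ }
+ }
+ route 172.23.248.0/24 {
+ blackhole {
+ distance 255
+ }
+ }
+ }
+ }
+ service {
+ nat {
+ rule 6000 {
+ outbound-interface eth0
+ type masquerade
+ }
+ }
+ ssh {
+ disable-password-authentication
+ port 22
+ protocol-version v2
+ }
+ ubnt-discover {
+ disable
+ }
+ }
+ system {
+ config-management {
+ commit-revisions 10
+ }
+ domain-name ryan.dn42
+ host-name edge1
+ login {
+ banner {
+ pre-login ""
+ }
+ user ryan {
+ authentication {
+ encrypted-password :)
+ public-keys ryan {
+ key AAAAB3NzaC1yc2EAAAADAQABAAACAQCymzCbuc777hZ8acvK+68tB7WlZl9V8rQjeQCHny2f9Fy2uSnDHXymUzQJSBY8dr4QM07owCFyYciYqhJRBeBRiaP1dj6avzZzlrOC2xuXSWw4aCYVkEaBPWkntCvBjmPhtvA+x5w8qm0X+B41DG1D44qzrQSmL5geheQCHWSf48Za6RUvPxPuQ+xfBMlIaWscRn95NST2102sYwfl3GDJEqV8FqZ5gQeuG3LDRBQmVEZOSMFIN0pOrp6+UYDe6LSw8eD3uBNrkfbbwwEqjHKFNuYaIw/XNdY0nqhHec0KjsuPLHTQMc44h8CPL5ytAtjF1WnPAE4e3aDQFnB05V/3GThJI010bNkLw5zbGkq0QUa7SmFfAsyOg50grByqZWY/J997HXjWdsgK+7d3K4VQXlI1Uak6G2i0Vb5KX0Xv6dmFmsqwuomeGozBJOl3YebvHI/39Y1VcZls2Zkjg4dBWJQGhsZv8wAX8bf7owtLPE+PcWvX5dRmk44r93mk1M1PTz7XAJGXfeii/OV+QRZZkbzhi3h7VItF5Yv5nptMQUx+irUrIX3gaTHOu8cMTxtP52kIOGOEN/LmYbmrdc++QJNGGadopuZBDpCiR2xQhwQL5yKaXH6Rdenn9d0mdNTzdqw5QOUfjY+SqTMDqLk+ETY+YZ6fvJYDIm4yfgi//Q==
+ type ssh-rsa
+ }
+ }
+ level admin
+ }
+ }
+ name-server 4.2.2.2
+ name-server 8.8.8.8
+ ntp {
+ server 0.ubnt.pool.ntp.org {
+ }
+ server 1.ubnt.pool.ntp.org {
+ }
+ server 2.ubnt.pool.ntp.org {
+ }
+ server 3.ubnt.pool.ntp.org {
+ }
+ }
+ offload {
+ ipsec enable
+ ipv4 {
+ forwarding enable
+ }
+ ipv6 {
+ forwarding enable
+ }
+ }
+ options {
+ reboot-on-panic true
+ }
+ package {
+ repository squeeze {
+ components "main contrib non-free"
+ distribution squeeze
+ password ""
+ url http://http.us.debian.org/debian
+ username ""
+ }
+ repository squeeze-security {
+ components main
+ distribution squeeze/updates
+ password ""
+ url http://security.debian.org
+ username ""
+ }
+ repository squeeze-updates {
+ components "main contrib non-free"
+ distribution squeeze-updates
+ password ""
+ url http://http.us.debian.org/debian
+ username ""
+ }
+ }
+ syslog {
+ global {
+ facility all {
+ level notice
+ }
+ facility protocols {
+ level debug
+ }
+ }
+ }
+ }
+ vpn {
+ ipsec {
+ auto-firewall-nat-exclude disable
+ esp-group ESP-AES128-SHA1-DH5-TRANSPORT {
+ compression disable
+ lifetime 3600
+ mode transport
+ pfs dh-group5
+ proposal 1 {
+ encryption aes128
+ hash sha1
+ }
+ }
+ ike-group IKE-AES128-SHA1-DH5 {
+ lifetime 28800
+ proposal 1 {
+ dh-group 5
+ encryption aes128
+ hash sha1
+ }
+ }
+ ipsec-interfaces {
+ interface eth0
+ }
+ site-to-site {
+ peer 192.0.2.243 {
+ authentication {
+ mode rsa
+ rsa-key-name crest-dn42
+ }
+ connection-type initiate
+ default-esp-group ESP-AES128-SHA1-DH5-TRANSPORT
+ ike-group IKE-AES128-SHA1-DH5
+ local-ip 192.0.2.2
+ tunnel 0 {
+ allow-nat-networks disable
+ allow-public-networks disable
+ esp-group ESP-AES128-SHA1-DH5-TRANSPORT
+ protocol gre
+ }
+ }
+ }
+ }
+ rsa-keys {
+ rsa-key-name crest-dn42 {
+ rsa-key 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
+ }
+ }
+ }
+ zone-policy {
+ zone DN42 {
+ default-action reject
+ description DN42
+ from Local {
+ firewall {
+ name allow-all-v4
+ }
+ }
+ from LAN {
+ firewall {
+ name allow-all-v4
+ }
+ }
+ interface tun0
+ }
+ zone LAN {
+ default-action reject
+ from DN42 {
+ firewall {
+ name DN42-to-LAN
+ }
+ }
+ from Local {
+ firewall {
+ name allow-all-v4
+ }
+ }
+ from WAN {
+ firewall {
+ name established-only
+ }
+ }
+ interface eth1
+ }
+ zone Local {
+ default-action reject
+ from DN42 {
+ firewall {
+ name DN42-to-Local
+ }
+ }
+ from LAN {
+ firewall {
+ name allow-all-v4
+ }
+ }
+ from WAN {
+ firewall {
+ name WAN-to-Local
+ }
+ }
+ local-zone
+ }
+ zone WAN {
+ default-action reject
+ from LAN {
+ firewall {
+ name allow-all-v4
+ }
+ }
+ from Local {
+ firewall {
+ name allow-all-v4
+ }
+ }
+ interface eth0
+ }
+ }
\ No newline at end of file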
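Review bot: The `esp-group` and `ike-group` definitions at file lines 370–387 pin `hash sha1` together with `dh-group 5` / `pfs dh-group5`, which is below what current IPsec guidance recommends and is what every reader of this example will copy; if this firmware offers them, both `proposal 1` blocks should use `hash sha256` with `dh-group 14` (and the matching `pfs dh-group14`), and the Setup section should say that the group names encode the suite so readers rename them when they change it. Rule 30 of `WAN-to-Local` (file lines 93–106) accepts new SSH connections from any WAN source; password login is already off under `service ssh`, but adding `source { address <MGMT-PREFIX> }` to that rule (placeholder for the operator's management network) would confine the exposed service to the hosts that need it. `encrypted-password :)` at file line 300 is a placeholder rather than a valid hash, and the Configuration heading should carry a one-line note telling readers to replace it and the `rsa-key` value at file line 412 with their own before committing. The `source-validation disable` setting at file line 151 turns off reverse-path checks on the WAN; if it was chosen for the tunnel's asymmetric paths that reason is worth stating inline, since otherwise `loose` would be the safer default for an internet-facing router.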