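--- a/EdgeOS-GRE-IPsec-Example.md
+++ b/EdgeOS-GRE-IPsec-Example.md
@@ -0,0 +1,484 @@
+# EdgeOS GRE/IPsec config example
+This is an example configuration, created on EdgeOS version 1.5.0alpha1, for the Ubiquiti EdgeRouter Lite derived from the config used on a peering router in AS64746.
+
+## Features
+* Zone-based firewall
+* BGP prefix filtering and route summarization
+* GRE/IPsec tunnel in transport mode with "plainrsa" public key authentication
+* TCP MSS clamping to avoid fragmentation
+
+## Setup
+This configuration assumes that both peers have static public IPs.
+
+You'll need to generate a public/private keypair for your router if you intend to use "plainrsa" authentication for your IPsec connections. The local public key listed in the output is what you'll send to your peer.
+
+ ryan@edge1:~$ generate vpn rsa-key bits 4096
+ ryan@edge1:~$ show vpn ike rsa-keys
+
+ Local public key (/config/ipsec.d/rsa-keys/localhost.key):
+
+ 0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw==
+If your peer sends you a key in PEM format (starts with `-----BEGIN PUBLIC KEY-----`), you'll need to convert it to the format used by EdgeOS (begins with `0s`) in order to insert it into the configuration. See [this forum post](http://community.ubnt.com/t5/EdgeMAX/ERL-lt-gt-Mikrotik-IPsec-Connections/m-p/534682#M13015) for a script to convert between the two key formats.
+
+## Configuration
+
+ firewall {
+ all-ping enable
+ broadcast-ping disable
+ ipv6-receive-redirects disable
+ ipv6-src-route disable
+ ip-src-route disable
+ log-martians enable
+ name DN42-to-Local {
+ default-action reject
+ rule 10 {
+ action accept
+ description Established/Related
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 20 {
+ action accept
+ description ICMP
+ protocol icmp
+ }
+ rule 30 {
+ action accept
+ description BGP
+ destination {
+ port bgp
+ }
+ protocol tcp
+ state {
+ new enable
+ }
+ tcp {
+ flags SYN,!ACK,!FIN,!RST
+ }
+ }
+ }
+ name DN42-to-LAN {
+ default-action reject
+ rule 10 {
+ action accept
+ description Established/Related
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 20 {
+ action accept
+ description ICMP
+ protocol icmp
+ }
+ }
+ name WAN-to-Local {
+ default-action drop
+ rule 10 {
+ action accept
+ description Established/Related
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 20 {
+ action accept
+ description ICMP
+ protocol icmp
+ }
+ rule 30 {
+ action accept
+ description "SSH Management"
+ destination {
+ port 22
+ }
+ protocol tcp
+ state {
+ new enable
+ }
+ tcp {
+ flags SYN,!ACK,!FIN,!RST
+ }
+ }
+ rule 40 {
+ action accept
+ description IKE
+ destination {
+ port 500,4500
+ }
+ protocol udp
+ }
+ rule 50 {
+ action accept
+ description IPSEC/ESP
+ protocol esp
+ }
+ rule 60 {
+ action accept
+ description "GRE over IPsec"
+ ipsec {
+ match-ipsec
+ }
+ protocol gre
+ }
+ }
+ name established-only {
+ default-action drop
+ rule 10 {
+ action accept
+ description Established/Related
+ state {
+ established enable
+ related enable
+ }
+ }
+ }
+ name allow-all-v4 {
+ default-action accept
+ }
+ options {
+ mss-clamp {
+ interface-type tun
+ mss 1300
+ }
+ }
+ receive-redirects disable
+ send-redirects enable
+ source-validation disable
+ syn-cookies enable
+ }
+ interfaces {
+ ethernet eth0 {
+ address 192.0.2.2/30
+ description WAN
+ duplex auto
+ speed auto
+ }
+ ethernet eth1 {
+ address 172.23.248.33/27
+ description LAN
+ duplex auto
+ speed auto
+ }
+ ethernet eth2 {
+ disable
+ duplex auto
+ speed auto
+ }
+ loopback lo {
+ address 172.23.248.2/32
+ }
+ tunnel tun0 {
+ address 172.23.248.10/31
+ description "CREST-DN42 AS64828"
+ encapsulation gre
+ local-ip 192.0.2.2
+ mtu 1400
+ multicast disable
+ remote-ip 192.0.2.243
+ ttl 255
+ }
+ }
+ policy {
+ prefix-list DN42-IPv4 {
+ rule 1 {
+ action permit
+ description "DN42 native"
+ ge 23
+ le 28
+ prefix 172.22.0.0/15
+ }
+ rule 2 {
+ action permit
+ description "DN42 anycast"
+ ge 32
+ prefix 172.22.0.0/24
+ }
+ rule 3 {
+ action permit
+ description Freifunk
+ ge 16
+ prefix 10.0.0.0/8
+ }
+ rule 4 {
+ action permit
+ description ChaosVPN
+ ge 23
+ prefix 172.31.0.0/16
+ }
+ rule 65535 {
+ action deny
+ prefix 0.0.0.0/0
+ }
+ }
+ route-map DN42 {
+ rule 1 {
+ action permit
+ match {
+ ip {
+ address {
+ prefix-list DN42-IPv4
+ }
+ }
+ }
+ }
+ rule 65535 {
+ action deny
+ }
+ }
+ }
+ protocols {
+ bgp 64746 {
+ aggregate-address 172.23.248.0/24 {
+ summary-only
+ }
+ neighbor 172.23.248.11 {
+ description CREST-DN42
+ peer-group DN42
+ remote-as 64828
+ update-source 172.23.248.10
+ }
+ network 172.23.248.0/24 {
+ }
+ parameters {
+ router-id 172.23.248.2
+ }
+ peer-group DN42 {
+ route-map {
+ export DN42
+ import DN42
+ }
+ soft-reconfiguration {
+ inbound
+ }
+ }
+ }
+ static {
+ route 0.0.0.0/0 {
+ next-hop 192.0.2.1 {
+ }
+ }
+ route 172.23.248.0/24 {
+ blackhole {
+ distance 255
+ }
+ }
+ }
+ }
+ service {
+ nat {
+ rule 6000 {
+ outbound-interface eth0
+ type masquerade
+ }
+ }
+ ssh {
+ disable-password-authentication
+ port 22
+ protocol-version v2
+ }
+ ubnt-discover {
+ disable
+ }
+ }
+ system {
+ config-management {
+ commit-revisions 10
+ }
+ domain-name ryan.dn42
+ host-name edge1
+ login {
+ banner {
+ pre-login ""
+ }
+ user ryan {
+ authentication {
+ encrypted-password :)
+ public-keys ryan {
+ key 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
+ type ssh-rsa
+ }
+ }
+ level admin
+ }
+ }
+ name-server 4.2.2.2
+ name-server 8.8.8.8
+ ntp {
+ server 0.ubnt.pool.ntp.org {
+ }
+ server 1.ubnt.pool.ntp.org {
+ }
+ server 2.ubnt.pool.ntp.org {
+ }
+ server 3.ubnt.pool.ntp.org {
+ }
+ }
+ offload {
+ ipsec enable
+ ipv4 {
+ forwarding enable
+ }
+ ipv6 {
+ forwarding enable
+ }
+ }
+ options {
+ reboot-on-panic true
+ }
+ package {
+ repository squeeze {
+ components "main contrib non-free"
+ distribution squeeze
+ password ""
+ url http://http.us.debian.org/debian
+ username ""
+ }
+ repository squeeze-security {
+ components main
+ distribution squeeze/updates
+ password ""
+ url http://security.debian.org
+ username ""
+ }
+ repository squeeze-updates {
+ components "main contrib non-free"
+ distribution squeeze-updates
+ password ""
+ url http://http.us.debian.org/debian
+ username ""
+ }
+ }
+ syslog {
+ global {
+ facility all {
+ level notice
+ }
+ facility protocols {
+ level debug
+ }
+ }
+ }
+ }
+ vpn {
+ ipsec {
+ auto-firewall-nat-exclude disable
+ esp-group ESP-AES128-SHA1-DH5-TRANSPORT {
+ compression disable
+ lifetime 3600
+ mode transport
+ pfs dh-group5
+ proposal 1 {
+ encryption aes128
+ hash sha1
+ }
+ }
+ ike-group IKE-AES128-SHA1-DH5 {
+ lifetime 28800
+ proposal 1 {
+ dh-group 5
+ encryption aes128
+ hash sha1
+ }
+ }
+ ipsec-interfaces {
+ interface eth0
+ }
+ site-to-site {
+ peer 192.0.2.243 {
+ authentication {
+ mode rsa
+ rsa-key-name crest-dn42
+ }
+ connection-type initiate
+ default-esp-group ESP-AES128-SHA1-DH5-TRANSPORT
+ ike-group IKE-AES128-SHA1-DH5
+ local-ip 192.0.2.2
+ tunnel 0 {
+ allow-nat-networks disable
+ allow-public-networks disable
+ esp-group ESP-AES128-SHA1-DH5-TRANSPORT
+ protocol gre
+ }
+ }
+ }
+ }
+ rsa-keys {
+ rsa-key-name crest-dn42 {
+ rsa-key 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
+ }
+ }
+ }
+ zone-policy {
+ zone DN42 {
+ default-action reject
+ description DN42
+ from Local {
+ firewall {
+ name allow-all-v4
+ }
+ }
+ from LAN {
+ firewall {
+ name allow-all-v4
+ }
+ }
+ interface tun0
+ }
+ zone LAN {
+ default-action reject
+ from DN42 {
+ firewall {
+ name DN42-to-LAN
+ }
+ }
+ from Local {
+ firewall {
+ name allow-all-v4
+ }
+ }
+ from WAN {
+ firewall {
+ name established-only
+ }
+ }
+ interface eth1
+ }
+ zone Local {
+ default-action reject
+ from DN42 {
+ firewall {
+ name DN42-to-Local
+ }
+ }
+ from LAN {
+ firewall {
+ name allow-all-v4
+ }
+ }
+ from WAN {
+ firewall {
+ name WAN-to-Local
+ }
+ }
+ local-zone
+ }
+ zone WAN {
+ default-action reject
+ from LAN {
+ firewall {
+ name allow-all-v4
+ }
+ }
+ from Local {
+ firewall {
+ name allow-all-v4
+ }
+ }
+ interface eth0
+ }
+ }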
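Review bot: The IKE and ESP accept rules in `WAN-to-Local` (rule 40 on udp 500,4500 and rule 50 on esp) admit those protocols from any source, while the Setup section states that both peers have static public IPs and the only IPsec peer configured is 192.0.2.243. Adding `source { address 192.0.2.243 }` to both rules keeps the IKE responder and ESP input reachable only from the configured peer; if more peers are planned, an address-group referenced from the same `source` block serves the same purpose. Separately, the proposals in `IKE-AES128-SHA1-DH5` and `ESP-AES128-SHA1-DH5-TRANSPORT` use dh-group 5 and sha1; a short note in the Configuration section saying that `dh-group 14` and `hash sha256` are preferred where the peer supports them (renaming the groups to match) would stop readers copying the weaker settings unchanged. A one-line comment above `source-validation disable` explaining why reverse-path filtering is turned off (presumably because return traffic may arrive over tun0 rather than eth0, which should be confirmed) would also help, since the rest of the `firewall` block is otherwise hardened.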
\ No newline at end of file