IPSec VPN (Vyatta)
Overview
This page covers the three overall steps of Vyatta configuration required to build an IPSec VPN endpoint.
- FIREWALL
  - Create network-group for remote VPN subnets
  - Allow traffic from remote VPN subnets
  - Allow Vyatta to receive ESP protocol
  - Allow Vyatta to receive IKE protocol
- NETWORK ADDRESS TRANSLATION
  - Exclude traffic destined for remote VPN subnets from NAT
- VIRTUAL PRIVATE NETWORK
  - Define ESP group
  - Define IKE group
  - Set Vyatta IPSec interface
  - Build tunnel configuration
Procedure
Create a firewall network group containing each of the remote subnets.
set firewall group network-group VPN-SUBNETS network %REMOTE_SUBNETS% **** Add each remote subnet ****
Add a new rule to allow all traffic from the VPN remote subnets to the Vyatta.
set firewall name eth0-in rule %AA% action accept
set firewall name eth0-in rule %AA% source group network-group VPN-SUBNETS
Add a new rule to allow ESP traffic to reach the Vyatta.
set firewall name eth0-in rule %BB% action accept
set firewall name eth0-in rule %BB% description ESP
set firewall name eth0-in rule %BB% protocol esp
Add a rule to allow IKE traffic (UDP port 500) to reach the Vyatta.
set firewall name eth0-in rule %CC% action accept
set firewall name eth0-in rule %CC% description IKE
set firewall name eth0-in rule %CC% destination port 500
set firewall name eth0-in rule %CC% protocol udp
Define a NAT exclusion rule so local traffic destined for the VPN remote subnets is not NAT'd and sent out the external interface.
set service nat rule QQ description "VPN EXCLUSION - %REMOTE_SUBNET%" **** Repeat rule for each remote subnet ****
set service nat rule QQ destination address %REMOTE_SUBNET% **** Remote subnet ****
set service nat rule QQ exclude
set service nat rule QQ outbound-interface eth0
set service nat rule QQ source address %LOCAL_SUBNET% **** Local subnet ****
set service nat rule QQ type source
If not already defined, create an ESP group. The settings below are typical.
If you need to modify the ESP settings, add additional groups (e.g. ESP2, ESP3, etc.) rather than changing the default.
set vpn ipsec esp-group ESP1
set vpn ipsec esp-group ESP1 compression disable
set vpn ipsec esp-group ESP1 lifetime 3600
set vpn ipsec esp-group ESP1 mode tunnel
set vpn ipsec esp-group ESP1 pfs dh-group2
set vpn ipsec esp-group ESP1 proposal 1 encryption 3des
set vpn ipsec esp-group ESP1 proposal 1 hash md5
If not already defined, create an IKE group. The settings below are typical.
If you need to modify the IKE settings, add additional groups (e.g. IKE2, IKE3, etc.) rather than changing the default.
set vpn ipsec ike-group IKE1
set vpn ipsec ike-group IKE1 dead-peer-detection
set vpn ipsec ike-group IKE1 dead-peer-detection action restart
set vpn ipsec ike-group IKE1 dead-peer-detection interval 30
set vpn ipsec ike-group IKE1 dead-peer-detection timeout 120
set vpn ipsec ike-group IKE1 lifetime 28800
set vpn ipsec ike-group IKE1 proposal 1 dh-group 2
set vpn ipsec ike-group IKE1 proposal 1 encryption 3des
set vpn ipsec ike-group IKE1 proposal 1 hash md5
Define the Vyatta interface to use for the IPSec VPN.
set vpn ipsec ipsec-interfaces interface eth0
Build the IPSec VPN policy for this particular remote peer. Repeat the tunnel section for each local & remote subnet pairing. Repeat the remote peer section for each distinct IPSec VPN you require.
set vpn ipsec site-to-site peer %REMOTE_PEER_IP% **** Add a peer for each remote VPN endpoint ****
set vpn ipsec site-to-site peer %REMOTE_PEER_IP% authentication mode pre-shared-secret
set vpn ipsec site-to-site peer %REMOTE_PEER_IP% authentication pre-shared-secret ****************
set vpn ipsec site-to-site peer %REMOTE_PEER_IP% ike-group IKE1
set vpn ipsec site-to-site peer %REMOTE_PEER_IP% local-ip %VYATTA_IPSEC_IP% **** External eth0 IP the Vyatta listens for IPSec on ****
set vpn ipsec site-to-site peer %REMOTE_PEER_IP% tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer %REMOTE_PEER_IP% tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer %REMOTE_PEER_IP% tunnel 1 esp-group ESP1
set vpn ipsec site-to-site peer %REMOTE_PEER_IP% tunnel 1 local-subnet a.b.c.d/n **** Local subnet ****
set vpn ipsec site-to-site peer %REMOTE_PEER_IP% tunnel 1 remote-subnet a.b.c.d/n **** Remote subnet ****
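The procedure above repeats the firewall group entry, the NAT exclusion rule and the tunnel block once per remote subnet, so it is easy to miss one or to mistype a prefix. The following Python script is an added example, not code from the original page or from Vyatta: it templates those repeated set commands from a list of remote subnets, validates every prefix with the standard ipaddress module before it is emitted, and leaves the pre-shared secret as a placeholder. The rule numbers (100/110/120 for %AA%/%BB%/%CC%, 10 upward for QQ), the interface name and all addresses are constructed placeholders.

```python
"""Emit the repeated Vyatta 'set' commands for one site-to-site IPSec peer.

Added example, not from the original page or from Vyatta: it templates the
firewall, NAT-exclusion and tunnel commands the procedure repeats per remote
subnet. Rule numbers, interface names and all addresses are constructed
placeholders; the %...% tokens from the page become function parameters.
"""
import ipaddress
from typing import List


def _net(cidr: str) -> str:
    # strict=True rejects host addresses such as 10.1.0.5/24 before they reach the config.
    return str(ipaddress.ip_network(cidr, strict=True))


def firewall_commands(remote_subnets: List[str], fw_name: str = "eth0-in",
                      first_rule: int = 100) -> List[str]:
    """Network group of remote subnets plus the accept rules for VPN traffic, ESP and IKE."""
    cmds = [f"set firewall group network-group VPN-SUBNETS network {_net(s)}"
            for s in remote_subnets]
    aa, bb, cc = first_rule, first_rule + 10, first_rule + 20   # %AA%, %BB%, %CC% on the page
    cmds += [
        f"set firewall name {fw_name} rule {aa} action accept",
        f"set firewall name {fw_name} rule {aa} source group network-group VPN-SUBNETS",
        f"set firewall name {fw_name} rule {bb} action accept",
        f"set firewall name {fw_name} rule {bb} description ESP",
        f"set firewall name {fw_name} rule {bb} protocol esp",
        f"set firewall name {fw_name} rule {cc} action accept",
        f"set firewall name {fw_name} rule {cc} description IKE",
        f"set firewall name {fw_name} rule {cc} destination port 500",
        f"set firewall name {fw_name} rule {cc} protocol udp",
    ]
    return cmds


def nat_exclusion_commands(local_subnet: str, remote_subnets: List[str],
                           first_rule: int = 10, iface: str = "eth0") -> List[str]:
    """One exclusion rule per remote subnet. Vyatta evaluates NAT rules in
    numeric order, so these must be numbered below the general source-NAT rule."""
    local = _net(local_subnet)
    cmds: List[str] = []
    for i, remote in enumerate(remote_subnets):
        qq, r = first_rule + i, _net(remote)              # QQ on the page
        cmds += [
            f'set service nat rule {qq} description "VPN EXCLUSION - {r}"',
            f"set service nat rule {qq} destination address {r}",
            f"set service nat rule {qq} exclude",
            f"set service nat rule {qq} outbound-interface {iface}",
            f"set service nat rule {qq} source address {local}",
            f"set service nat rule {qq} type source",
        ]
    return cmds


def peer_commands(peer_ip: str, local_ip: str, local_subnet: str, remote_subnets: List[str],
                  ike_group: str = "IKE1", esp_group: str = "ESP1") -> List[str]:
    """Peer block with one tunnel per local/remote subnet pairing (one local subnet here)."""
    p = f"set vpn ipsec site-to-site peer {ipaddress.ip_address(peer_ip)}"
    cmds = [
        f"{p} authentication mode pre-shared-secret",
        # Placeholder only: the real secret is typed on the device, never stored in generated files.
        f"{p} authentication pre-shared-secret <PSK>",
        f"{p} ike-group {ike_group}",
        f"{p} local-ip {ipaddress.ip_address(local_ip)}",
    ]
    for n, remote in enumerate(remote_subnets, start=1):
        cmds += [
            f"{p} tunnel {n} allow-nat-networks disable",
            f"{p} tunnel {n} allow-public-networks disable",
            f"{p} tunnel {n} esp-group {esp_group}",
            f"{p} tunnel {n} local-subnet {_net(local_subnet)}",
            f"{p} tunnel {n} remote-subnet {_net(remote)}",
        ]
    return cmds


if __name__ == "__main__":
    # Constructed sample: documentation address ranges, not a real deployment.
    remotes = ["10.1.0.0/24", "10.2.0.0/24"]
    for line in (firewall_commands(remotes)
                 + nat_exclusion_commands("10.0.0.0/24", remotes)
                 + peer_commands("203.0.113.10", "198.51.100.1", "10.0.0.0/24", remotes)):
        print(line)
```

Paste the printed lines into configure mode and commit. Keep the NAT exclusion rules numbered lower than the general masquerade rule, otherwise VPN-bound traffic is NAT'd before the exclusion is ever evaluated, and never replace the `<PSK>` placeholder in a file that is stored or shared; enter the secret on the device.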
Troubleshooting
- Show Phase 1 status
show vpn ike sa peer 213.253.2.10
- Replace IP with peer address (just tab)
- Show Phase 2 status
show vpn ipsec sa detail
- Show log
show log
Reset VPN
You can't disable and re-enable a VPN tunnel; you can reset the process, but this isn't always effective.
- Show the current config
show configuration commands
- Copy all lines starting with
set vpn ipsec
- Enter config mode
configure
- Delete the site-to-site config
delete vpn ipsec
- Apply change
commit
- Re-add the site-to-site config: paste in the copied lines
- Apply change
commit
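The reset procedure depends on copying exactly the lines that start with set vpn ipsec out of the show configuration commands output. The following Python script is an added example, not code from the original page or from Vyatta: it pulls those lines out of a saved copy of the output and, while they are in hand, flags ESP/IKE settings that a current deployment should not be running (3DES, MD5, DH group 2 and similar; the "typical" ESP1/IKE1 groups above use exactly these). The SAMPLE_CONFIG text and the WEAK policy table are constructed for the example.

```python
"""Extract the 'set vpn ipsec' lines from 'show configuration commands' output
and audit the ESP/IKE groups for weak algorithms.

Added example, not part of the original page. SAMPLE_CONFIG is a constructed
sample in the shape Vyatta prints, not output from any real device.
"""
import re
from typing import Dict, List

# Constructed, abridged 'show configuration commands' output.
SAMPLE_CONFIG = """\
set firewall name eth0-in rule 10 action accept
set vpn ipsec esp-group ESP1 lifetime 3600
set vpn ipsec esp-group ESP1 pfs dh-group2
set vpn ipsec esp-group ESP1 proposal 1 encryption 3des
set vpn ipsec esp-group ESP1 proposal 1 hash md5
set vpn ipsec ike-group IKE1 lifetime 28800
set vpn ipsec ike-group IKE1 proposal 1 dh-group 2
set vpn ipsec ike-group IKE1 proposal 1 encryption 3des
set vpn ipsec ike-group IKE1 proposal 1 hash md5
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec site-to-site peer 203.0.113.10 ike-group IKE1
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 esp-group ESP1
set service nat rule 10 type source
"""

# Constructed policy table: values a current deployment should replace.
WEAK = {
    "encryption": {"des", "3des"},
    "hash": {"md5"},
    "dh-group": {"1", "2", "5"},
    "pfs": {"dh-group1", "dh-group2", "dh-group5"},
}

# Matches ESP/IKE group settings, with or without the 'proposal N' segment.
SETTING_RE = re.compile(
    r"^set vpn ipsec (esp|ike)-group (\S+) (?:proposal \d+ )?(encryption|hash|dh-group|pfs) (\S+)$"
)


def extract_ipsec_lines(config_text: str) -> List[str]:
    """Return the lines the reset procedure says to copy: those starting 'set vpn ipsec'."""
    return [ln.strip() for ln in config_text.splitlines()
            if ln.strip().startswith("set vpn ipsec ")]


def audit_weak_algorithms(lines: List[str]) -> Dict[str, List[str]]:
    """Map each ESP/IKE group to the weak settings found in it (empty dict if none)."""
    findings: Dict[str, List[str]] = {}
    for ln in lines:
        m = SETTING_RE.match(ln)
        if not m:
            continue
        kind, group, key, value = m.groups()
        if value in WEAK[key]:
            findings.setdefault(f"{kind}-group {group}", []).append(f"{key} {value}")
    return findings


if __name__ == "__main__":
    ipsec_lines = extract_ipsec_lines(SAMPLE_CONFIG)
    print("\n".join(ipsec_lines))          # these are the lines to paste back after 'delete vpn ipsec'
    for group, weak in audit_weak_algorithms(ipsec_lines).items():
        print(f"WEAK: {group}: {', '.join(weak)}")
```

Save the device output to a file, read it in place of SAMPLE_CONFIG, and keep the extracted lines for the re-add step; anything the audit reports is worth moving to a new ESP/IKE group (ESP2, IKE2, as the page suggests) with current algorithms before the next reset.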