IPSec VPN (Vyatta)

From vwiki
Jump to navigation Jump to search

Overview

This page covers the three overall steps of Vyatta configuration required to build an IPSec VPN endpoint

  • FIREWALL
    • Create network-group for remote VPN subnets
    • Allow traffic from remote VPN subnets
    • Allow Vyatta to receive ESP protocol
    • Allow Vyatta to receive IKE protocol
  • NETWORK ADDRESS TRANSLATION
    • Exclude traffic destined for remote VPN subnets from NAT
  • VIRTUAL PRIVATE NETWORK
    • Define ESP group
    • Define IKE group
    • Set Vyatta IPSec interface
    • Build tunnel configuration

Procedure

Create a firewall network group containing each of the remote subnets.

set firewall group network-group VPN-SUBNETS network %REMOTE_SUBNETS%			**** Add each remote subnet ****

Add a new rule to allow all traffic from the VPN remote subnets to the Vyatta

set firewall name eth0-in rule %AA% action accept
set firewall name eth0-in rule %AA% source group network-group VPN-SUBNETS

Add a new rule to allow ESP traffic to reach the Vyatta

set firewall name eth0-in rule %BB% action accept
set firewall name eth0-in rule %BB% description ESP
set firewall name eth0-in rule %BB% protocol esp

Add a rule to allow IKE traffic to reach the Vyatta

set firewall name eth0-in rule %CC% action accept
set firewall name eth0-in rule %CC% description IKE
set firewall name eth0-in rule %CC% destination port 500
set firewall name eth0-in rule %CC% protocol udp

Define a NAT exclusion rule so local traffic destined for the VPN remote subnets is not NAT'd and sent out the external interface.

set service nat rule QQ description "VPN EXCLUSION - %REMOTE_SUBNET%"			**** Repeat rule for each remote subnet ****
set service nat rule QQ destination address %REMOTE_SUBNET%				**** Remote subnet ****
set service nat rule QQ exclude 
set service nat rule QQ outbound-interface eth0
set service nat rule QQ source address %LOCAL_SUBNET% 					**** Local subnet ****
set service nat rule QQ type source

If not already defined, create an ESP group. The settings below are typical.
If you need to modify the ESP settings, add additional groups (e.g. ESP2, ESP3 etc) rather than change the default.

set vpn ipsec esp-group ESP1
set vpn ipsec esp-group ESP1 compression disable
set vpn ipsec esp-group ESP1 lifetime 3600
set vpn ipsec esp-group ESP1 mode tunnel
set vpn ipsec esp-group ESP1 pfs dh-group2
set vpn ipsec esp-group ESP1 proposal 1 encryption 3des
set vpn ipsec esp-group ESP1 proposal 1 hash md5

If not already defined, create an IKE group. The settings below are typical.
If you need to modify the IKE settings, add additional groups (e.g. IKE2, IKE3 etc) rather than change the default.

set vpn ipsec ike-group IKE1
set vpn ipsec ike-group IKE1 dead-peer-detection
set vpn ipsec ike-group IKE1 dead-peer-detection action restart
set vpn ipsec ike-group IKE1 dead-peer-detection interval 30
set vpn ipsec ike-group IKE1 dead-peer-detection timeout 120
set vpn ipsec ike-group IKE1 lifetime 28800
set vpn ipsec ike-group IKE1 proposal 1 dh-group 2
set vpn ipsec ike-group IKE1 proposal 1 encryption 3des
set vpn ipsec ike-group IKE1 proposal 1 hash md5

Define the Vyatta interface to use for the IPSec VPN

set vpn ipsec ipsec-interfaces interface eth0

Build the IPSec VPN policy for this particular remote peer. Repeat the tunnel section for each local & remote subnet pairing. Repeat the remote peer section for each distinct IPSec VPN you require.

set vpn ipsec site-to-site peer %REMOTE_PEER_IP% 						**** Add peer for each remote VPN endpoint ***
set vpn ipsec site-to-site peer %REMOTE_PEER_IP% authentication mode pre-shared-secret
set vpn ipsec site-to-site peer %REMOTE_PEER_IP% authentication pre-shared-secret ****************
set vpn ipsec site-to-site peer %REMOTE_PEER_IP% ike-group IKE1
set vpn ipsec site-to-site peer %REMOTE_PEER_IP% local-ip %VYATTA_IPSEC_IP%			**** External eth0 IP Vyatta listens for IPSec on ****
set vpn ipsec site-to-site peer %REMOTE_PEER_IP% tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer %REMOTE_PEER_IP% tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer %REMOTE_PEER_IP% tunnel 1 esp-group ESP1
set vpn ipsec site-to-site peer %REMOTE_PEER_IP% tunnel 1 local-subnet a.b.c.d/n		**** Local subnet ****
set vpn ipsec site-to-site peer %REMOTE_PEER_IP% tunnel 1 remote-subnet a.b.c.d/n		**** Remote subnet ****

Troubleshooting

  • Show Phase 1 status
    • show vpn ike sa peer 213.253.2.10
    • Replace IP with peer address (just tab)
  • Show Phase 2 status
    • show vpn ipsec sa detail
  • Show log
    • show log

Reset VPN

You can't disable and renable a VPN tunnel, you can reset the process, but this isn't always effective

  1. Show the current config
    • show configuration commands
  2. Copy all lines starting set vpn ipsec
  3. Enter config mode
    • configuration
  4. Delete Site 2 Site config
    • delete vpn ipsec
  5. Apply change
    • commit
  6. Re-add site 2 site config - paste in copied lines
  7. Apply change
    • commit