dn42 wiki / EdgeOS GRE/IPsec config example

dn42

EdgeOS GRE/IPsec config example

This is an example configuration derived from the config used on a peering router in AS64746. It was created using EdgeOS version 1.5.0alpha1 on an EdgeRouter Lite.

Features

Setup

This configuration assumes that both peers have static public IPs.

You’ll need to generate a public/private keypair for your router if you intend to use “plainrsa” authentication for your IPsec connections. The local public key listed in the output is what you’ll send to your peer.

ryan@edge1:~$ generate vpn rsa-key bits 4096
ryan@edge1:~$ show vpn ike rsa-keys

Local public key (/config/ipsec.d/rsa-keys/localhost.key):

0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw==

If your peer sends you a key in PEM format (starts with -----BEGIN PUBLIC KEY-----), you’ll need to convert it to the format used by EdgeOS (begins with 0s) in order to insert it into the configuration. See this forum post for a script to convert between the two key formats.

Configuration

    firewall {
        all-ping enable
        broadcast-ping disable
        ipv6-receive-redirects disable
        ipv6-src-route disable
        ip-src-route disable
        log-martians enable
        name DN42-to-Local {
            default-action reject
            rule 10 {
                action accept
                description Established/Related
                state {
                    established enable
                    related enable
                }
            }
            rule 20 {
                action accept
                description ICMP
                protocol icmp
            }
            rule 30 {
                action accept
                description BGP
                destination {
                    port bgp
                }
                protocol tcp
                state {
                    new enable
                }
                tcp {
                    flags SYN,!ACK,!FIN,!RST
                }
            }
        }
        name DN42-to-LAN {
            default-action reject
            rule 10 {
                action accept
                description Established/Related
                state {
                    established enable
                    related enable
                }
            }
            rule 20 {
                action accept
                description ICMP
                protocol icmp
            }
        }
        name WAN-to-Local {
            default-action drop
            rule 10 {
                action accept
                description Established/Related
                state {
                    established enable
                    related enable
                }
            }
            rule 20 {
                action accept
                description ICMP
                protocol icmp
            }
            rule 30 {
                action accept
                description "SSH Management"
                destination {
                    port 22
                }
                protocol tcp
                state {
                    new enable
                }
                tcp {
                    flags SYN,!ACK,!FIN,!RST
                }
            }
            rule 40 {
                action accept
                description IKE
                destination {
                    port 500,4500
                }
                protocol udp
            }
            rule 50 {
                action accept
                description IPSEC/ESP
                protocol esp
            }
            rule 60 {
                action accept
                description "GRE over IPsec"
                ipsec {
                    match-ipsec
                }
                protocol gre
            }
        }
        name established-only {
            default-action drop
            rule 10 {
                action accept
                description Established/Related
                state {
                    established enable
                    related enable
                }
            }
        }
        name allow-all-v4 {
            default-action accept
        }
        options {
            mss-clamp {
                interface-type tun
                mss 1300
            }
        }
        receive-redirects disable
        send-redirects enable
        source-validation disable
        syn-cookies enable
    }
    interfaces {
        ethernet eth0 {
            address 192.0.2.2/30
            description WAN
            duplex auto
            speed auto
        }
        ethernet eth1 {
            address 172.23.248.33/27
            description LAN
            duplex auto
            speed auto
        }
        ethernet eth2 {
            disable
            duplex auto
            speed auto
        }
        loopback lo {
            address 172.23.248.2/32
        }
        tunnel tun0 {
            address 172.23.248.10/31
            description "CREST-DN42 AS64828"
            encapsulation gre
            local-ip 192.0.2.2
            mtu 1400
            multicast disable
            remote-ip 192.0.2.243
            ttl 255
        }
    }
    policy {
        prefix-list AS64746-IPv4 {
            rule 1 {
                action permit
                le 32
                prefix 172.23.248.0/24
            }
        }
        prefix-list DN42-IPv4 {
            rule 1 {
                action permit
                description "DN42 native"
                ge 23
                le 28
                prefix 172.22.0.0/15
            }
            rule 2 {
                action permit
                description "DN42 anycast"
                ge 32
                prefix 172.22.0.0/24
            }
            rule 3 {
                action permit
                description Freifunk
                ge 16
                prefix 10.0.0.0/8
            }
            rule 4 {
                action permit
                description ChaosVPN
                ge 23
                prefix 172.31.0.0/16
            }
        }
        route-map AS64746 {
            rule 1 {
                action permit
                match {
                    ip {
                        address {
                            prefix-list AS64746-IPv4
                        }
                    }
                }
            }
        }
        route-map DN42 {
            rule 1 {
                action permit
                match {
                    ip {
                        address {
                            prefix-list DN42-IPv4
                        }
                    }
                }
            }
        }
    }
    protocols {
        bgp 64746 {
            aggregate-address 172.23.248.0/24 {
                summary-only
            }
            neighbor 172.23.248.11 {
                description CREST-DN42
                peer-group DN42
                remote-as 64828
                update-source 172.23.248.10
            }
            network 172.23.248.0/24 {
            }
            parameters {
                router-id 172.23.248.2
            }
            peer-group DN42 {
                route-map {
                    export DN42
                    import DN42
                }
                soft-reconfiguration {
                    inbound
                }
            }
            redistribute {
                connected {
                    route-map AS64746
                }
            }
        }
        static {
            route 0.0.0.0/0 {
                next-hop 192.0.2.1 {
                }
            }
            route 172.23.248.0/24 {
                blackhole {
                    distance 255
                }
            }
        }
    }
    service {
        nat {
            rule 6000 {
                outbound-interface eth0
                type masquerade
            }
        }
        ssh {
            disable-password-authentication
            port 22
            protocol-version v2
        }
        ubnt-discover {
            disable
        }
    }
    system {
        config-management {
            commit-revisions 10
        }
        domain-name ryan.dn42
        host-name edge1
        login {
            banner {
                pre-login ""
            }
            user ryan {
                authentication {
                    encrypted-password :)
                    public-keys ryan {
                        key AAAAB3NzaC1yc2EAAAADAQABAAACAQCymzCbuc777hZ8acvK+68tB7WlZl9V8rQjeQCHny2f9Fy2uSnDHXymUzQJSBY8dr4QM07owCFyYciYqhJRBeBRiaP1dj6avzZzlrOC2xuXSWw4aCYVkEaBPWkntCvBjmPhtvA+x5w8qm0X+B41DG1D44qzrQSmL5geheQCHWSf48Za6RUvPxPuQ+xfBMlIaWscRn95NST2102sYwfl3GDJEqV8FqZ5gQeuG3LDRBQmVEZOSMFIN0pOrp6+UYDe6LSw8eD3uBNrkfbbwwEqjHKFNuYaIw/XNdY0nqhHec0KjsuPLHTQMc44h8CPL5ytAtjF1WnPAE4e3aDQFnB05V/3GThJI010bNkLw5zbGkq0QUa7SmFfAsyOg50grByqZWY/J997HXjWdsgK+7d3K4VQXlI1Uak6G2i0Vb5KX0Xv6dmFmsqwuomeGozBJOl3YebvHI/39Y1VcZls2Zkjg4dBWJQGhsZv8wAX8bf7owtLPE+PcWvX5dRmk44r93mk1M1PTz7XAJGXfeii/OV+QRZZkbzhi3h7VItF5Yv5nptMQUx+irUrIX3gaTHOu8cMTxtP52kIOGOEN/LmYbmrdc++QJNGGadopuZBDpCiR2xQhwQL5yKaXH6Rdenn9d0mdNTzdqw5QOUfjY+SqTMDqLk+ETY+YZ6fvJYDIm4yfgi//Q==
                        type ssh-rsa
                    }
                }
                level admin
            }
        }
        name-server 4.2.2.2
        name-server 8.8.8.8
        ntp {
            server 0.ubnt.pool.ntp.org {
            }
            server 1.ubnt.pool.ntp.org {
            }
            server 2.ubnt.pool.ntp.org {
            }
            server 3.ubnt.pool.ntp.org {
            }
        }
        offload {
            ipsec enable
            ipv4 {
                forwarding enable
            }
            ipv6 {
                forwarding enable
            }
        }
        options {
            reboot-on-panic true
        }
        package {
            repository squeeze {
                components "main contrib non-free"
                distribution squeeze
                password ""
                url http://http.us.debian.org/debian
                username ""
            }
            repository squeeze-security {
                components main
                distribution squeeze/updates
                password ""
                url http://security.debian.org
                username ""
            }
            repository squeeze-updates {
                components "main contrib non-free"
                distribution squeeze-updates
                password ""
                url http://http.us.debian.org/debian
                username ""
            }
        }
        syslog {
            global {
                facility all {
                    level notice
                }
                facility protocols {
                    level debug
                }
            }
        }
    }
    vpn {
        ipsec {
            auto-firewall-nat-exclude disable
            esp-group ESP-AES128-SHA1-DH5-TRANSPORT {
                compression disable
                lifetime 3600
                mode transport
                pfs dh-group5
                proposal 1 {
                    encryption aes128
                    hash sha1
                }
            }
            ike-group IKE-AES128-SHA1-DH5 {
                lifetime 28800
                proposal 1 {
                    dh-group 5
                    encryption aes128
                    hash sha1
                }
            }
            ipsec-interfaces {
                interface eth0
            }
            site-to-site {
                peer 192.0.2.243 {
                    authentication {
                        mode rsa
                        rsa-key-name crest-dn42
                    }
                    connection-type initiate
                    default-esp-group ESP-AES128-SHA1-DH5-TRANSPORT
                    ike-group IKE-AES128-SHA1-DH5
                    local-ip 192.0.2.2
                    tunnel 0 {
                        allow-nat-networks disable
                        allow-public-networks disable
                        esp-group ESP-AES128-SHA1-DH5-TRANSPORT
                        protocol gre
                    }
                }
            }
        }
        rsa-keys {
            rsa-key-name crest-dn42 {
                rsa-key 0sAwEAAbsbRoUcgdm4A4Nm+PLxWcW+zFis7pkaJ0MkGVzM7VC8nmngkM+W2zqZyQ4NUTBKKfGOUc4Ogi6gyhlzUnHdag9tDERIX+BwlDO6G4arod9z9KqmJuX4AOYVjH5QlAPz7NDMAezVekGoVLPGdOAMPD6NN54ihLRH6V3if8AGoJRpiajhcgQipjeQnhH4QhsYK4XSjayGT1onQwA8nhy5kt4ofyqSale4Fl4166S9tCn4RKwtlJDjR6VIrg6op6Ip8+ke2vjEHPJHj6qVsxfRgOk2d8pY8oPVt8ayc5F1z+lqJ7R0fADfN+AQSaBqOMmg5dHDFYWwgYkU5egdVKS7Oko6uNuUWsZ0VEnRoPZ4syJEUbiF5wGfaVBaaVLZYUlRLQCffB4JKzp+JesVToCX6JYRfb4JYQWFCDeQfrqRZHM4r13h8MOWPn9cqXcP47RKJjzNp6595biUotmCbMHyy/uveMWxK6vDzPQRkywqMMJE2qOyACmbMnSce9KlYhvma82Vd+z/9/U9NEy0s5MaYNDn+q+KYT5My3NSv52F6sLVGrKxTk79tzUejZcoukJv+gf51Epam4kVHzPIal/khsfjZn6YCU2j5+qcdRmzF+SG5c2WicvEU2Gc4ratfYNEPxU5oArzHIhIz6x2nAF+szcx/x8GEyXPNHnxEboJB7ox
            }
        }
    }
    zone-policy {
        zone DN42 {
            default-action reject
            description DN42
            from Local {
                firewall {
                    name allow-all-v4
                }
            }
            from LAN {
                firewall {
                    name allow-all-v4
                }
            }
            interface tun0
        }
        zone LAN {
            default-action reject
            from DN42 {
                firewall {
                    name DN42-to-LAN
                }
            }
            from Local {
                firewall {
                    name allow-all-v4
                }
            }
            from WAN {
                firewall {
                    name established-only
                }
            }
            interface eth1
        }
        zone Local {
            default-action reject
            from DN42 {
                firewall {
                    name DN42-to-Local
                }
            }
            from LAN {
                firewall {
                    name allow-all-v4
                }
            }
            from WAN {
                firewall {
                    name WAN-to-Local
                }
            }
            local-zone
        }
        zone WAN {
            default-action reject
            from LAN {
                firewall {
                    name allow-all-v4
                }
            }
            from Local {
                firewall {
                    name allow-all-v4
                }
            }
            interface eth0
        }
    }