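--- a/EdgeOS-GRE-IPsec-Example.md
+++ /dev/null
@@ -1,501 +0,0 @@
-# EdgeOS GRE/IPsec config example
-This is an example configuration derived from the config used on a peering router in AS64746. It was created using EdgeOS version 1.5.0alpha1 on an EdgeRouter Lite.
-
-## Features
-* Zone-based firewall
-* BGP prefix filtering and route summarization
-* GRE/IPsec tunnel in transport mode with "plainrsa" public key authentication
-* TCP MSS clamping to avoid fragmentation
-
-## Setup
-This configuration assumes that both peers have static public IPs.
-
-You'll need to generate a public/private keypair for your router if you intend to use "plainrsa" authentication for your IPsec connections. The local public key listed in the output is what you'll send to your peer.
-
- ryan@edge1:~$ generate vpn rsa-key bits 4096
- ryan@edge1:~$ show vpn ike rsa-keys
-
- Local public key (/config/ipsec.d/rsa-keys/localhost.key):
-
- 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
-If your peer sends you a key in PEM format (starts with `-----BEGIN PUBLIC KEY-----`), you'll need to convert it to the format used by EdgeOS (begins with `0s`) in order to insert it into the configuration. See [this forum post](http://community.ubnt.com/t5/EdgeMAX/ERL-lt-gt-Mikrotik-IPsec-Connections/m-p/534682#M13015) for a script to convert between the two key formats.
-
-## Configuration
-
- firewall {
- all-ping enable
- broadcast-ping disable
- ipv6-receive-redirects disable
- ipv6-src-route disable
- ip-src-route disable
- log-martians enable
- name DN42-to-Local {
- default-action reject
- rule 10 {
- action accept
- description Established/Related
- state {
- established enable
- related enable
- }
- }
- rule 20 {
- action accept
- description ICMP
- protocol icmp
- }
- rule 30 {
- action accept
- description BGP
- destination {
- port bgp
- }
- protocol tcp
- state {
- new enable
- }
- tcp {
- flags SYN,!ACK,!FIN,!RST
- }
- }
- }
- name DN42-to-LAN {
- default-action reject
- rule 10 {
- action accept
- description Established/Related
- state {
- established enable
- related enable
- }
- }
- rule 20 {
- action accept
- description ICMP
- protocol icmp
- }
- }
- name WAN-to-Local {
- default-action drop
- rule 10 {
- action accept
- description Established/Related
- state {
- established enable
- related enable
- }
- }
- rule 20 {
- action accept
- description ICMP
- protocol icmp
- }
- rule 30 {
- action accept
- description "SSH Management"
- destination {
- port 22
- }
- protocol tcp
- state {
- new enable
- }
- tcp {
- flags SYN,!ACK,!FIN,!RST
- }
- }
- rule 40 {
- action accept
- description IKE
- destination {
- port 500,4500
- }
- protocol udp
- }
- rule 50 {
- action accept
- description IPSEC/ESP
- protocol esp
- }
- rule 60 {
- action accept
- description "GRE over IPsec"
- ipsec {
- match-ipsec
- }
- protocol gre
- }
- }
- name established-only {
- default-action drop
- rule 10 {
- action accept
- description Established/Related
- state {
- established enable
- related enable
- }
- }
- }
- name allow-all-v4 {
- default-action accept
- }
- options {
- mss-clamp {
- interface-type tun
- mss 1300
- }
- }
- receive-redirects disable
- send-redirects enable
- source-validation disable
- syn-cookies enable
- }
- interfaces {
- ethernet eth0 {
- address 192.0.2.2/30
- description WAN
- duplex auto
- speed auto
- }
- ethernet eth1 {
- address 172.23.248.33/27
- description LAN
- duplex auto
- speed auto
- }
- ethernet eth2 {
- disable
- duplex auto
- speed auto
- }
- loopback lo {
- address 172.23.248.2/32
- }
- tunnel tun0 {
- address 172.23.248.10/31
- description "CREST-DN42 AS64828"
- encapsulation gre
- local-ip 192.0.2.2
- mtu 1400
- multicast disable
- remote-ip 192.0.2.243
- ttl 255
- }
- }
- policy {
- prefix-list AS64746-IPv4 {
- rule 1 {
- action permit
- le 32
- prefix 172.23.248.0/24
- }
- }
- prefix-list DN42-IPv4 {
- rule 1 {
- action permit
- description "DN42 native"
- ge 23
- le 28
- prefix 172.22.0.0/15
- }
- rule 2 {
- action permit
- description "DN42 anycast"
- ge 32
- prefix 172.22.0.0/24
- }
- rule 3 {
- action permit
- description Freifunk
- ge 16
- prefix 10.0.0.0/8
- }
- rule 4 {
- action permit
- description ChaosVPN
- ge 23
- prefix 172.31.0.0/16
- }
- }
- route-map AS64746 {
- rule 1 {
- action permit
- match {
- ip {
- address {
- prefix-list AS64746-IPv4
- }
- }
- }
- }
- }
- route-map DN42 {
- rule 1 {
- action permit
- match {
- ip {
- address {
- prefix-list DN42-IPv4
- }
- }
- }
- }
- }
- }
- protocols {
- bgp 64746 {
- aggregate-address 172.23.248.0/24 {
- summary-only
- }
- neighbor 172.23.248.11 {
- description CREST-DN42
- peer-group DN42
- remote-as 64828
- update-source 172.23.248.10
- }
- network 172.23.248.0/24 {
- }
- parameters {
- router-id 172.23.248.2
- }
- peer-group DN42 {
- route-map {
- export DN42
- import DN42
- }
- soft-reconfiguration {
- inbound
- }
- }
- redistribute {
- connected {
- route-map AS64746
- }
- }
- }
- static {
- route 0.0.0.0/0 {
- next-hop 192.0.2.1 {
- }
- }
- route 172.23.248.0/24 {
- blackhole {
- distance 255
- }
- }
- }
- }
- service {
- nat {
- rule 6000 {
- outbound-interface eth0
- type masquerade
- }
- }
- ssh {
- disable-password-authentication
- port 22
- protocol-version v2
- }
- ubnt-discover {
- disable
- }
- }
- system {
- config-management {
- commit-revisions 10
- }
- domain-name ryan.dn42
- host-name edge1
- login {
- banner {
- pre-login ""
- }
- user ryan {
- authentication {
- encrypted-password :)
- public-keys ryan {
- key 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
- type ssh-rsa
- }
- }
- level admin
- }
- }
- name-server 4.2.2.2
- name-server 8.8.8.8
- ntp {
- server 0.ubnt.pool.ntp.org {
- }
- server 1.ubnt.pool.ntp.org {
- }
- server 2.ubnt.pool.ntp.org {
- }
- server 3.ubnt.pool.ntp.org {
- }
- }
- offload {
- ipsec enable
- ipv4 {
- forwarding enable
- }
- ipv6 {
- forwarding enable
- }
- }
- options {
- reboot-on-panic true
- }
- package {
- repository squeeze {
- components "main contrib non-free"
- distribution squeeze
- password ""
- url http://http.us.debian.org/debian
- username ""
- }
- repository squeeze-security {
- components main
- distribution squeeze/updates
- password ""
- url http://security.debian.org
- username ""
- }
- repository squeeze-updates {
- components "main contrib non-free"
- distribution squeeze-updates
- password ""
- url http://http.us.debian.org/debian
- username ""
- }
- }
- syslog {
- global {
- facility all {
- level notice
- }
- facility protocols {
- level debug
- }
- }
- }
- }
- vpn {
- ipsec {
- auto-firewall-nat-exclude disable
- esp-group ESP-AES128-SHA1-DH5-TRANSPORT {
- compression disable
- lifetime 3600
- mode transport
- pfs dh-group5
- proposal 1 {
- encryption aes128
- hash sha1
- }
- }
- ike-group IKE-AES128-SHA1-DH5 {
- lifetime 28800
- proposal 1 {
- dh-group 5
- encryption aes128
- hash sha1
- }
- }
- ipsec-interfaces {
- interface eth0
- }
- site-to-site {
- peer 192.0.2.243 {
- authentication {
- mode rsa
- rsa-key-name crest-dn42
- }
- connection-type initiate
- default-esp-group ESP-AES128-SHA1-DH5-TRANSPORT
- ike-group IKE-AES128-SHA1-DH5
- local-ip 192.0.2.2
- tunnel 0 {
- allow-nat-networks disable
- allow-public-networks disable
- esp-group ESP-AES128-SHA1-DH5-TRANSPORT
- protocol gre
- }
- }
- }
- }
- rsa-keys {
- rsa-key-name crest-dn42 {
- rsa-key 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
- }
- }
- }
- zone-policy {
- zone DN42 {
- default-action reject
- description DN42
- from Local {
- firewall {
- name allow-all-v4
- }
- }
- from LAN {
- firewall {
- name allow-all-v4
- }
- }
- interface tun0
- }
- zone LAN {
- default-action reject
- from DN42 {
- firewall {
- name DN42-to-LAN
- }
- }
- from Local {
- firewall {
- name allow-all-v4
- }
- }
- from WAN {
- firewall {
- name established-only
- }
- }
- interface eth1
- }
- zone Local {
- default-action reject
- from DN42 {
- firewall {
- name DN42-to-Local
- }
- }
- from LAN {
- firewall {
- name allow-all-v4
- }
- }
- from WAN {
- firewall {
- name WAN-to-Local
- }
- }
- local-zone
- }
- zone WAN {
- default-action reject
- from LAN {
- firewall {
- name allow-all-v4
- }
- }
- from Local {
- firewall {
- name allow-all-v4
- }
- }
- interface eth0
- }
- }
\ No newline at end of file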
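--- /dev/null
+++ b/howto/EdgeOS-GRE-IPsec-Example.md
@@ -0,0 +1,501 @@
+# EdgeOS GRE/IPsec config example
+This is an example configuration derived from the config used on a peering router in AS64746. It was created using EdgeOS version 1.5.0alpha1 on an EdgeRouter Lite.
+
+## Features
+* Zone-based firewall
+* BGP prefix filtering and route summarization
+* GRE/IPsec tunnel in transport mode with "plainrsa" public key authentication
+* TCP MSS clamping to avoid fragmentation
+
+## Setup
+This configuration assumes that both peers have static public IPs.
+
+You'll need to generate a public/private keypair for your router if you intend to use "plainrsa" authentication for your IPsec connections. The local public key listed in the output is what you'll send to your peer.
+
+ ryan@edge1:~$ generate vpn rsa-key bits 4096
+ ryan@edge1:~$ show vpn ike rsa-keys
+
+ Local public key (/config/ipsec.d/rsa-keys/localhost.key):
+
+ 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
+If your peer sends you a key in PEM format (starts with `-----BEGIN PUBLIC KEY-----`), you'll need to convert it to the format used by EdgeOS (begins with `0s`) in order to insert it into the configuration. See [this forum post](http://community.ubnt.com/t5/EdgeMAX/ERL-lt-gt-Mikrotik-IPsec-Connections/m-p/534682#M13015) for a script to convert between the two key formats.
+
+## Configuration
+
+ firewall {
+ all-ping enable
+ broadcast-ping disable
+ ipv6-receive-redirects disable
+ ipv6-src-route disable
+ ip-src-route disable
+ log-martians enable
+ name DN42-to-Local {
+ default-action reject
+ rule 10 {
+ action accept
+ description Established/Related
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 20 {
+ action accept
+ description ICMP
+ protocol icmp
+ }
+ rule 30 {
+ action accept
+ description BGP
+ destination {
+ port bgp
+ }
+ protocol tcp
+ state {
+ new enable
+ }
+ tcp {
+ flags SYN,!ACK,!FIN,!RST
+ }
+ }
+ }
+ name DN42-to-LAN {
+ default-action reject
+ rule 10 {
+ action accept
+ description Established/Related
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 20 {
+ action accept
+ description ICMP
+ protocol icmp
+ }
+ }
+ name WAN-to-Local {
+ default-action drop
+ rule 10 {
+ action accept
+ description Established/Related
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 20 {
+ action accept
+ description ICMP
+ protocol icmp
+ }
+ rule 30 {
+ action accept
+ description "SSH Management"
+ destination {
+ port 22
+ }
+ protocol tcp
+ state {
+ new enable
+ }
+ tcp {
+ flags SYN,!ACK,!FIN,!RST
+ }
+ }
+ rule 40 {
+ action accept
+ description IKE
+ destination {
+ port 500,4500
+ }
+ protocol udp
+ }
+ rule 50 {
+ action accept
+ description IPSEC/ESP
+ protocol esp
+ }
+ rule 60 {
+ action accept
+ description "GRE over IPsec"
+ ipsec {
+ match-ipsec
+ }
+ protocol gre
+ }
+ }
+ name established-only {
+ default-action drop
+ rule 10 {
+ action accept
+ description Established/Related
+ state {
+ established enable
+ related enable
+ }
+ }
+ }
+ name allow-all-v4 {
+ default-action accept
+ }
+ options {
+ mss-clamp {
+ interface-type tun
+ mss 1300
+ }
+ }
+ receive-redirects disable
+ send-redirects enable
+ source-validation disable
+ syn-cookies enable
+ }
+ interfaces {
+ ethernet eth0 {
+ address 192.0.2.2/30
+ description WAN
+ duplex auto
+ speed auto
+ }
+ ethernet eth1 {
+ address 172.23.248.33/27
+ description LAN
+ duplex auto
+ speed auto
+ }
+ ethernet eth2 {
+ disable
+ duplex auto
+ speed auto
+ }
+ loopback lo {
+ address 172.23.248.2/32
+ }
+ tunnel tun0 {
+ address 172.23.248.10/31
+ description "CREST-DN42 AS64828"
+ encapsulation gre
+ local-ip 192.0.2.2
+ mtu 1400
+ multicast disable
+ remote-ip 192.0.2.243
+ ttl 255
+ }
+ }
+ policy {
+ prefix-list AS64746-IPv4 {
+ rule 1 {
+ action permit
+ le 32
+ prefix 172.23.248.0/24
+ }
+ }
+ prefix-list DN42-IPv4 {
+ rule 1 {
+ action permit
+ description "DN42 native"
+ ge 23
+ le 28
+ prefix 172.22.0.0/15
+ }
+ rule 2 {
+ action permit
+ description "DN42 anycast"
+ ge 32
+ prefix 172.22.0.0/24
+ }
+ rule 3 {
+ action permit
+ description Freifunk
+ ge 16
+ prefix 10.0.0.0/8
+ }
+ rule 4 {
+ action permit
+ description ChaosVPN
+ ge 23
+ prefix 172.31.0.0/16
+ }
+ }
+ route-map AS64746 {
+ rule 1 {
+ action permit
+ match {
+ ip {
+ address {
+ prefix-list AS64746-IPv4
+ }
+ }
+ }
+ }
+ }
+ route-map DN42 {
+ rule 1 {
+ action permit
+ match {
+ ip {
+ address {
+ prefix-list DN42-IPv4
+ }
+ }
+ }
+ }
+ }
+ }
+ protocols {
+ bgp 64746 {
+ aggregate-address 172.23.248.0/24 {
+ summary-only
+ }
+ neighbor 172.23.248.11 {
+ description CREST-DN42
+ peer-group DN42
+ remote-as 64828
+ update-source 172.23.248.10
+ }
+ network 172.23.248.0/24 {
+ }
+ parameters {
+ router-id 172.23.248.2
+ }
+ peer-group DN42 {
+ route-map {
+ export DN42
+ import DN42
+ }
+ soft-reconfiguration {
+ inbound
+ }
+ }
+ redistribute {
+ connected {
+ route-map AS64746
+ }
+ }
+ }
+ static {
+ route 0.0.0.0/0 {
+ next-hop 192.0.2.1 {
+ }
+ }
+ route 172.23.248.0/24 {
+ blackhole {
+ distance 255
+ }
+ }
+ }
+ }
+ service {
+ nat {
+ rule 6000 {
+ outbound-interface eth0
+ type masquerade
+ }
+ }
+ ssh {
+ disable-password-authentication
+ port 22
+ protocol-version v2
+ }
+ ubnt-discover {
+ disable
+ }
+ }
+ system {
+ config-management {
+ commit-revisions 10
+ }
+ domain-name ryan.dn42
+ host-name edge1
+ login {
+ banner {
+ pre-login ""
+ }
+ user ryan {
+ authentication {
+ encrypted-password :)
+ public-keys ryan {
+ key AAAAB3NzaC1yc2EAAAADAQABAAACAQCymzCbuc777hZ8acvK+68tB7WlZl9V8rQjeQCHny2f9Fy2uSnDHXymUzQJSBY8dr4QM07owCFyYciYqhJRBeBRiaP1dj6avzZzlrOC2xuXSWw4aCYVkEaBPWkntCvBjmPhtvA+x5w8qm0X+B41DG1D44qzrQSmL5geheQCHWSf48Za6RUvPxPuQ+xfBMlIaWscRn95NST2102sYwfl3GDJEqV8FqZ5gQeuG3LDRBQmVEZOSMFIN0pOrp6+UYDe6LSw8eD3uBNrkfbbwwEqjHKFNuYaIw/XNdY0nqhHec0KjsuPLHTQMc44h8CPL5ytAtjF1WnPAE4e3aDQFnB05V/3GThJI010bNkLw5zbGkq0QUa7SmFfAsyOg50grByqZWY/J997HXjWdsgK+7d3K4VQXlI1Uak6G2i0Vb5KX0Xv6dmFmsqwuomeGozBJOl3YebvHI/39Y1VcZls2Zkjg4dBWJQGhsZv8wAX8bf7owtLPE+PcWvX5dRmk44r93mk1M1PTz7XAJGXfeii/OV+QRZZkbzhi3h7VItF5Yv5nptMQUx+irUrIX3gaTHOu8cMTxtP52kIOGOEN/LmYbmrdc++QJNGGadopuZBDpCiR2xQhwQL5yKaXH6Rdenn9d0mdNTzdqw5QOUfjY+SqTMDqLk+ETY+YZ6fvJYDIm4yfgi//Q==
+ type ssh-rsa
+ }
+ }
+ level admin
+ }
+ }
+ name-server 4.2.2.2
+ name-server 8.8.8.8
+ ntp {
+ server 0.ubnt.pool.ntp.org {
+ }
+ server 1.ubnt.pool.ntp.org {
+ }
+ server 2.ubnt.pool.ntp.org {
+ }
+ server 3.ubnt.pool.ntp.org {
+ }
+ }
+ offload {
+ ipsec enable
+ ipv4 {
+ forwarding enable
+ }
+ ipv6 {
+ forwarding enable
+ }
+ }
+ options {
+ reboot-on-panic true
+ }
+ package {
+ repository squeeze {
+ components "main contrib non-free"
+ distribution squeeze
+ password ""
+ url http://http.us.debian.org/debian
+ username ""
+ }
+ repository squeeze-security {
+ components main
+ distribution squeeze/updates
+ password ""
+ url http://security.debian.org
+ username ""
+ }
+ repository squeeze-updates {
+ components "main contrib non-free"
+ distribution squeeze-updates
+ password ""
+ url http://http.us.debian.org/debian
+ username ""
+ }
+ }
+ syslog {
+ global {
+ facility all {
+ level notice
+ }
+ facility protocols {
+ level debug
+ }
+ }
+ }
+ }
+ vpn {
+ ipsec {
+ auto-firewall-nat-exclude disable
+ esp-group ESP-AES128-SHA1-DH5-TRANSPORT {
+ compression disable
+ lifetime 3600
+ mode transport
+ pfs dh-group5
+ proposal 1 {
+ encryption aes128
+ hash sha1
+ }
+ }
+ ike-group IKE-AES128-SHA1-DH5 {
+ lifetime 28800
+ proposal 1 {
+ dh-group 5
+ encryption aes128
+ hash sha1
+ }
+ }
+ ipsec-interfaces {
+ interface eth0
+ }
+ site-to-site {
+ peer 192.0.2.243 {
+ authentication {
+ mode rsa
+ rsa-key-name crest-dn42
+ }
+ connection-type initiate
+ default-esp-group ESP-AES128-SHA1-DH5-TRANSPORT
+ ike-group IKE-AES128-SHA1-DH5
+ local-ip 192.0.2.2
+ tunnel 0 {
+ allow-nat-networks disable
+ allow-public-networks disable
+ esp-group ESP-AES128-SHA1-DH5-TRANSPORT
+ protocol gre
+ }
+ }
+ }
+ }
+ rsa-keys {
+ rsa-key-name crest-dn42 {
+ rsa-key 0sAwEAAbsbRoUcgdm4A4Nm+PLxWcW+zFis7pkaJ0MkGVzM7VC8nmngkM+W2zqZyQ4NUTBKKfGOUc4Ogi6gyhlzUnHdag9tDERIX+BwlDO6G4arod9z9KqmJuX4AOYVjH5QlAPz7NDMAezVekGoVLPGdOAMPD6NN54ihLRH6V3if8AGoJRpiajhcgQipjeQnhH4QhsYK4XSjayGT1onQwA8nhy5kt4ofyqSale4Fl4166S9tCn4RKwtlJDjR6VIrg6op6Ip8+ke2vjEHPJHj6qVsxfRgOk2d8pY8oPVt8ayc5F1z+lqJ7R0fADfN+AQSaBqOMmg5dHDFYWwgYkU5egdVKS7Oko6uNuUWsZ0VEnRoPZ4syJEUbiF5wGfaVBaaVLZYUlRLQCffB4JKzp+JesVToCX6JYRfb4JYQWFCDeQfrqRZHM4r13h8MOWPn9cqXcP47RKJjzNp6595biUotmCbMHyy/uveMWxK6vDzPQRkywqMMJE2qOyACmbMnSce9KlYhvma82Vd+z/9/U9NEy0s5MaYNDn+q+KYT5My3NSv52F6sLVGrKxTk79tzUejZcoukJv+gf51Epam4kVHzPIal/khsfjZn6YCU2j5+qcdRmzF+SG5c2WicvEU2Gc4ratfYNEPxU5oArzHIhIz6x2nAF+szcx/x8GEyXPNHnxEboJB7ox
+ }
+ }
+ }
+ zone-policy {
+ zone DN42 {
+ default-action reject
+ description DN42
+ from Local {
+ firewall {
+ name allow-all-v4
+ }
+ }
+ from LAN {
+ firewall {
+ name allow-all-v4
+ }
+ }
+ interface tun0
+ }
+ zone LAN {
+ default-action reject
+ from DN42 {
+ firewall {
+ name DN42-to-LAN
+ }
+ }
+ from Local {
+ firewall {
+ name allow-all-v4
+ }
+ }
+ from WAN {
+ firewall {
+ name established-only
+ }
+ }
+ interface eth1
+ }
+ zone Local {
+ default-action reject
+ from DN42 {
+ firewall {
+ name DN42-to-Local
+ }
+ }
+ from LAN {
+ firewall {
+ name allow-all-v4
+ }
+ }
+ from WAN {
+ firewall {
+ name WAN-to-Local
+ }
+ }
+ local-zone
+ }
+ zone WAN {
+ default-action reject
+ from LAN {
+ firewall {
+ name allow-all-v4
+ }
+ }
+ from Local {
+ firewall {
+ name allow-all-v4
+ }
+ }
+ interface eth0
+ }
+ }
\ No newline at end of file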