Changes in 81a12e7: Created EdgeOS GRE IPsec Example (markdown)

EdgeOS-GRE-IPsec-Example.md

@@ -0,0 +1,484 @@

+# EdgeOS GRE/IPsec config example

+This is an example configuration, created on EdgeOS version 1.5.0alpha1, for the Ubiquiti EdgeRouter Lite derived from the config used on a peering router in AS64746.

+

+## Features

+* Zone-based firewall

+* BGP prefix filtering and route summarization

+* GRE/IPsec tunnel in transport mode with "plainrsa" public key authentication

+* TCP MSS clamping to avoid fragmentation

+

+## Setup

+This configuration assumes that both peers have static public IPs.

+

+You'll need to generate a public/private keypair for your router if you intend to use "plainrsa" authentication for your IPsec connections. The local public key listed in the output is what you'll send to your peer.

+

+ ryan@edge1:~$ generate vpn rsa-key bits 4096

+ ryan@edge1:~$ show vpn ike rsa-keys

+

+ Local public key (/config/ipsec.d/rsa-keys/localhost.key):

+

+ 0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw==

+If your peer sends you a key in PEM format (starts with `-----BEGIN PUBLIC KEY-----`), you'll need to convert it to the format used by EdgeOS (begins with `0s`) in order to insert it into the configuration. See [this forum post](http://community.ubnt.com/t5/EdgeMAX/ERL-lt-gt-Mikrotik-IPsec-Connections/m-p/534682#M13015) for a script to convert between the two key formats.

+

+## Configuration

+

+ firewall {

+ all-ping enable

+ broadcast-ping disable

+ ipv6-receive-redirects disable

+ ipv6-src-route disable

+ ip-src-route disable

+ log-martians enable

+ name DN42-to-Local {

+ default-action reject

+ rule 10 {

+ action accept

+ description Established/Related

+ state {

+ established enable

+ related enable

+ }

+ }

+ rule 20 {

+ action accept

+ description ICMP

+ protocol icmp

+ }

+ rule 30 {

+ action accept

+ description BGP

+ destination {

+ port bgp

+ }

+ protocol tcp

+ state {

+ new enable

+ }

+ tcp {

+ flags SYN,!ACK,!FIN,!RST

+ }

+ }

+ }

+ name DN42-to-LAN {

+ default-action reject

+ rule 10 {

+ action accept

+ description Established/Related

+ state {

+ established enable

+ related enable

+ }

+ }

+ rule 20 {

+ action accept

+ description ICMP

+ protocol icmp

+ }

+ }

+ name WAN-to-Local {

+ default-action drop

+ rule 10 {

+ action accept

+ description Established/Related

+ state {

+ established enable

+ related enable

+ }

+ }

+ rule 20 {

+ action accept

+ description ICMP

+ protocol icmp

+ }

+ rule 30 {

+ action accept

+ description "SSH Management"

+ destination {

+ port 22

+ }

+ protocol tcp

+ state {

+ new enable

+ }

+ tcp {

+ flags SYN,!ACK,!FIN,!RST

+ }

+ }

+ rule 40 {

+ action accept

+ description IKE

+ destination {

+ port 500,4500

+ }

+ protocol udp

+ }

+ rule 50 {

+ action accept

+ description IPSEC/ESP

+ protocol esp

+ }

+ rule 60 {

+ action accept

+ description "GRE over IPsec"

+ ipsec {

+ match-ipsec

+ }

+ protocol gre

+ }

+ }

+ name established-only {

+ default-action drop

+ rule 10 {

+ action accept

+ description Established/Related

+ state {

+ established enable

+ related enable

+ }

+ }

+ }

+ name allow-all-v4 {

+ default-action accept

+ }

+ options {

+ mss-clamp {

+ interface-type tun

+ mss 1300

+ }

+ }

+ receive-redirects disable

+ send-redirects enable

+ source-validation disable

+ syn-cookies enable

+ }

+ interfaces {

+ ethernet eth0 {

+ address 192.0.2.2/30

+ description WAN

+ duplex auto

+ speed auto

+ }

+ ethernet eth1 {

+ address 172.23.248.33/27

+ description LAN

+ duplex auto

+ speed auto

+ }

+ ethernet eth2 {

+ disable

+ duplex auto

+ speed auto

+ }

+ loopback lo {

+ address 172.23.248.2/32

+ }

+ tunnel tun0 {

+ address 172.23.248.10/31

+ description "CREST-DN42 AS64828"

+ encapsulation gre

+ local-ip 192.0.2.2

+ mtu 1400

+ multicast disable

+ remote-ip 192.0.2.243

+ ttl 255

+ }

+ }

+ policy {

+ prefix-list DN42-IPv4 {

+ rule 1 {

+ action permit

+ description "DN42 native"

+ ge 23

+ le 28

+ prefix 172.22.0.0/15

+ }

+ rule 2 {

+ action permit

+ description "DN42 anycast"

+ ge 32

+ prefix 172.22.0.0/24

+ }

+ rule 3 {

+ action permit

+ description Freifunk

+ ge 16

+ prefix 10.0.0.0/8

+ }

+ rule 4 {

+ action permit

+ description ChaosVPN

+ ge 23

+ prefix 172.31.0.0/16

+ }

+ rule 65535 {

+ action deny

+ prefix 0.0.0.0/0

+ }

+ }

+ route-map DN42 {

+ rule 1 {

+ action permit

+ match {

+ ip {

+ address {

+ prefix-list DN42-IPv4

+ }

+ }

+ }

+ }

+ rule 65535 {

+ action deny

+ }

+ }

+ }

+ protocols {

+ bgp 64746 {

+ aggregate-address 172.23.248.0/24 {

+ summary-only

+ }

+ neighbor 172.23.248.11 {

+ description CREST-DN42

+ peer-group DN42

+ remote-as 64828

+ update-source 172.23.248.10

+ }

+ network 172.23.248.0/24 {

+ }

+ parameters {

+ router-id 172.23.248.2

+ }

+ peer-group DN42 {

+ route-map {

+ export DN42

+ import DN42

+ }

+ soft-reconfiguration {

+ inbound

+ }

+ }

+ }

+ static {

+ route 0.0.0.0/0 {

+ next-hop 192.0.2.1 {

+ }

+ }

+ route 172.23.248.0/24 {

+ blackhole {

+ distance 255

+ }

+ }

+ }

+ }

+ service {

+ nat {

+ rule 6000 {

+ outbound-interface eth0

+ type masquerade

+ }

+ }

+ ssh {

+ disable-password-authentication

+ port 22

+ protocol-version v2

+ }

+ ubnt-discover {

+ disable

+ }

+ }

+ system {

+ config-management {

+ commit-revisions 10

+ }

+ domain-name ryan.dn42

+ host-name edge1

+ login {

+ banner {

+ pre-login ""

+ }

+ user ryan {

+ authentication {

+ encrypted-password :)

+ public-keys ryan {

+ key AAAAB3NzaC1yc2EAAAADAQABAAACAQCymzCbuc777hZ8acvK+68tB7WlZl9V8rQjeQCHny2f9Fy2uSnDHXymUzQJSBY8dr4QM07owCFyYciYqhJRBeBRiaP1dj6avzZzlrOC2xuXSWw4aCYVkEaBPWkntCvBjmPhtvA+x5w8qm0X+B41DG1D44qzrQSmL5geheQCHWSf48Za6RUvPxPuQ+xfBMlIaWscRn95NST2102sYwfl3GDJEqV8FqZ5gQeuG3LDRBQmVEZOSMFIN0pOrp6+UYDe6LSw8eD3uBNrkfbbwwEqjHKFNuYaIw/XNdY0nqhHec0KjsuPLHTQMc44h8CPL5ytAtjF1WnPAE4e3aDQFnB05V/3GThJI010bNkLw5zbGkq0QUa7SmFfAsyOg50grByqZWY/J997HXjWdsgK+7d3K4VQXlI1Uak6G2i0Vb5KX0Xv6dmFmsqwuomeGozBJOl3YebvHI/39Y1VcZls2Zkjg4dBWJQGhsZv8wAX8bf7owtLPE+PcWvX5dRmk44r93mk1M1PTz7XAJGXfeii/OV+QRZZkbzhi3h7VItF5Yv5nptMQUx+irUrIX3gaTHOu8cMTxtP52kIOGOEN/LmYbmrdc++QJNGGadopuZBDpCiR2xQhwQL5yKaXH6Rdenn9d0mdNTzdqw5QOUfjY+SqTMDqLk+ETY+YZ6fvJYDIm4yfgi//Q==

+ type ssh-rsa

+ }

+ }

+ level admin

+ }

+ }

+ name-server 4.2.2.2

+ name-server 8.8.8.8

+ ntp {

+ server 0.ubnt.pool.ntp.org {

+ }

+ server 1.ubnt.pool.ntp.org {

+ }

+ server 2.ubnt.pool.ntp.org {

+ }

+ server 3.ubnt.pool.ntp.org {

+ }

+ }

+ offload {

+ ipsec enable

+ ipv4 {

+ forwarding enable

+ }

+ ipv6 {

+ forwarding enable

+ }

+ }

+ options {

+ reboot-on-panic true

+ }

+ package {

+ repository squeeze {

+ components "main contrib non-free"

+ distribution squeeze

+ password ""

+ url http://http.us.debian.org/debian

+ username ""

+ }

+ repository squeeze-security {

+ components main

+ distribution squeeze/updates

+ password ""

+ url http://security.debian.org

+ username ""

+ }

+ repository squeeze-updates {

+ components "main contrib non-free"

+ distribution squeeze-updates

+ password ""

+ url http://http.us.debian.org/debian

+ username ""

+ }

+ }

+ syslog {

+ global {

+ facility all {

+ level notice

+ }

+ facility protocols {

+ level debug

+ }

+ }

+ }

+ }

+ vpn {

+ ipsec {

+ auto-firewall-nat-exclude disable

+ esp-group ESP-AES128-SHA1-DH5-TRANSPORT {

+ compression disable

+ lifetime 3600

+ mode transport

+ pfs dh-group5

+ proposal 1 {

+ encryption aes128

+ hash sha1

+ }

+ }

+ ike-group IKE-AES128-SHA1-DH5 {

+ lifetime 28800

+ proposal 1 {

+ dh-group 5

+ encryption aes128

+ hash sha1

+ }

+ }

+ ipsec-interfaces {

+ interface eth0

+ }

+ site-to-site {

+ peer 192.0.2.243 {

+ authentication {

+ mode rsa

+ rsa-key-name crest-dn42

+ }

+ connection-type initiate

+ default-esp-group ESP-AES128-SHA1-DH5-TRANSPORT

+ ike-group IKE-AES128-SHA1-DH5

+ local-ip 192.0.2.2

+ tunnel 0 {

+ allow-nat-networks disable

+ allow-public-networks disable

+ esp-group ESP-AES128-SHA1-DH5-TRANSPORT

+ protocol gre

+ }

+ }

+ }

+ }

+ rsa-keys {

+ rsa-key-name crest-dn42 {

+ rsa-key 0sAwEAAbsbRoUcgdm4A4Nm+PLxWcW+zFis7pkaJ0MkGVzM7VC8nmngkM+W2zqZyQ4NUTBKKfGOUc4Ogi6gyhlzUnHdag9tDERIX+BwlDO6G4arod9z9KqmJuX4AOYVjH5QlAPz7NDMAezVekGoVLPGdOAMPD6NN54ihLRH6V3if8AGoJRpiajhcgQipjeQnhH4QhsYK4XSjayGT1onQwA8nhy5kt4ofyqSale4Fl4166S9tCn4RKwtlJDjR6VIrg6op6Ip8+ke2vjEHPJHj6qVsxfRgOk2d8pY8oPVt8ayc5F1z+lqJ7R0fADfN+AQSaBqOMmg5dHDFYWwgYkU5egdVKS7Oko6uNuUWsZ0VEnRoPZ4syJEUbiF5wGfaVBaaVLZYUlRLQCffB4JKzp+JesVToCX6JYRfb4JYQWFCDeQfrqRZHM4r13h8MOWPn9cqXcP47RKJjzNp6595biUotmCbMHyy/uveMWxK6vDzPQRkywqMMJE2qOyACmbMnSce9KlYhvma82Vd+z/9/U9NEy0s5MaYNDn+q+KYT5My3NSv52F6sLVGrKxTk79tzUejZcoukJv+gf51Epam4kVHzPIal/khsfjZn6YCU2j5+qcdRmzF+SG5c2WicvEU2Gc4ratfYNEPxU5oArzHIhIz6x2nAF+szcx/x8GEyXPNHnxEboJB7ox

+ }

+ }

+ }

+ zone-policy {

+ zone DN42 {

+ default-action reject

+ description DN42

+ from Local {

+ firewall {

+ name allow-all-v4

+ }

+ }

+ from LAN {

+ firewall {

+ name allow-all-v4

+ }

+ }

+ interface tun0

+ }

+ zone LAN {

+ default-action reject

+ from DN42 {

+ firewall {

+ name DN42-to-LAN

+ }

+ }

+ from Local {

+ firewall {

+ name allow-all-v4

+ }

+ }

+ from WAN {

+ firewall {

+ name established-only

+ }

+ }

+ interface eth1

+ }

+ zone Local {

+ default-action reject

+ from DN42 {

+ firewall {

+ name DN42-to-Local

+ }

+ }

+ from LAN {

+ firewall {

+ name allow-all-v4

+ }

+ }

+ from WAN {

+ firewall {

+ name WAN-to-Local

+ }

+ }

+ local-zone

+ }

+ zone WAN {

+ default-action reject

+ from LAN {

+ firewall {

+ name allow-all-v4

+ }

+ }

+ from Local {

+ firewall {

+ name allow-all-v4

+ }

+ }

+ interface eth0

+ }

+ }

\ No newline at end of file

...	...	@@ -0,0 +1,484 @@
	1	+# EdgeOS GRE/IPsec config example
	2	+This is an example configuration, created on EdgeOS version 1.5.0alpha1, for the Ubiquiti EdgeRouter Lite derived from the config used on a peering router in AS64746.
	3	+
	4	+## Features
	5	+* Zone-based firewall
	6	+* BGP prefix filtering and route summarization
	7	+* GRE/IPsec tunnel in transport mode with "plainrsa" public key authentication
	8	+* TCP MSS clamping to avoid fragmentation
	9	+
	10	+## Setup
	11	+This configuration assumes that both peers have static public IPs.
	12	+
	13	+You'll need to generate a public/private keypair for your router if you intend to use "plainrsa" authentication for your IPsec connections. The local public key listed in the output is what you'll send to your peer.
	14	+
	15	+ ryan@edge1:~$ generate vpn rsa-key bits 4096
	16	+ ryan@edge1:~$ show vpn ike rsa-keys
	17	+
	18	+ Local public key (/config/ipsec.d/rsa-keys/localhost.key):
	19	+
	20	+ 0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw==
	21	+If your peer sends you a key in PEM format (starts with `-----BEGIN PUBLIC KEY-----`), you'll need to convert it to the format used by EdgeOS (begins with `0s`) in order to insert it into the configuration. See [this forum post](http://community.ubnt.com/t5/EdgeMAX/ERL-lt-gt-Mikrotik-IPsec-Connections/m-p/534682#M13015) for a script to convert between the two key formats.
	22	+
	23	+## Configuration
	24	+
	25	+ firewall {
	26	+ all-ping enable
	27	+ broadcast-ping disable
	28	+ ipv6-receive-redirects disable
	29	+ ipv6-src-route disable
	30	+ ip-src-route disable
	31	+ log-martians enable
	32	+ name DN42-to-Local {
	33	+ default-action reject
	34	+ rule 10 {
	35	+ action accept
	36	+ description Established/Related
	37	+ state {
	38	+ established enable
	39	+ related enable
	40	+ }
	41	+ }
	42	+ rule 20 {
	43	+ action accept
	44	+ description ICMP
	45	+ protocol icmp
	46	+ }
	47	+ rule 30 {
	48	+ action accept
	49	+ description BGP
	50	+ destination {
	51	+ port bgp
	52	+ }
	53	+ protocol tcp
	54	+ state {
	55	+ new enable
	56	+ }
	57	+ tcp {
	58	+ flags SYN,!ACK,!FIN,!RST
	59	+ }
	60	+ }
	61	+ }
	62	+ name DN42-to-LAN {
	63	+ default-action reject
	64	+ rule 10 {
	65	+ action accept
	66	+ description Established/Related
	67	+ state {
	68	+ established enable
	69	+ related enable
	70	+ }
	71	+ }
	72	+ rule 20 {
	73	+ action accept
	74	+ description ICMP
	75	+ protocol icmp
	76	+ }
	77	+ }
	78	+ name WAN-to-Local {
	79	+ default-action drop
	80	+ rule 10 {
	81	+ action accept
	82	+ description Established/Related
	83	+ state {
	84	+ established enable
	85	+ related enable
	86	+ }
	87	+ }
	88	+ rule 20 {
	89	+ action accept
	90	+ description ICMP
	91	+ protocol icmp
	92	+ }
	93	+ rule 30 {
	94	+ action accept
	95	+ description "SSH Management"
	96	+ destination {
	97	+ port 22
	98	+ }
	99	+ protocol tcp
	100	+ state {
	101	+ new enable
	102	+ }
	103	+ tcp {
	104	+ flags SYN,!ACK,!FIN,!RST
	105	+ }
	106	+ }
	107	+ rule 40 {
	108	+ action accept
	109	+ description IKE
	110	+ destination {
	111	+ port 500,4500
	112	+ }
	113	+ protocol udp
	114	+ }
	115	+ rule 50 {
	116	+ action accept
	117	+ description IPSEC/ESP
	118	+ protocol esp
	119	+ }
	120	+ rule 60 {
	121	+ action accept
	122	+ description "GRE over IPsec"
	123	+ ipsec {
	124	+ match-ipsec
	125	+ }
	126	+ protocol gre
	127	+ }
	128	+ }
	129	+ name established-only {
	130	+ default-action drop
	131	+ rule 10 {
	132	+ action accept
	133	+ description Established/Related
	134	+ state {
	135	+ established enable
	136	+ related enable
	137	+ }
	138	+ }
	139	+ }
	140	+ name allow-all-v4 {
	141	+ default-action accept
	142	+ }
	143	+ options {
	144	+ mss-clamp {
	145	+ interface-type tun
	146	+ mss 1300
	147	+ }
	148	+ }
	149	+ receive-redirects disable
	150	+ send-redirects enable
	151	+ source-validation disable
	152	+ syn-cookies enable
	153	+ }
	154	+ interfaces {
	155	+ ethernet eth0 {
	156	+ address 192.0.2.2/30
	157	+ description WAN
	158	+ duplex auto
	159	+ speed auto
	160	+ }
	161	+ ethernet eth1 {
	162	+ address 172.23.248.33/27
	163	+ description LAN
	164	+ duplex auto
	165	+ speed auto
	166	+ }
	167	+ ethernet eth2 {
	168	+ disable
	169	+ duplex auto
	170	+ speed auto
	171	+ }
	172	+ loopback lo {
	173	+ address 172.23.248.2/32
	174	+ }
	175	+ tunnel tun0 {
	176	+ address 172.23.248.10/31
	177	+ description "CREST-DN42 AS64828"
	178	+ encapsulation gre
	179	+ local-ip 192.0.2.2
	180	+ mtu 1400
	181	+ multicast disable
	182	+ remote-ip 192.0.2.243
	183	+ ttl 255
	184	+ }
	185	+ }
	186	+ policy {
	187	+ prefix-list DN42-IPv4 {
	188	+ rule 1 {
	189	+ action permit
	190	+ description "DN42 native"
	191	+ ge 23
	192	+ le 28
	193	+ prefix 172.22.0.0/15
	194	+ }
	195	+ rule 2 {
	196	+ action permit
	197	+ description "DN42 anycast"
	198	+ ge 32
	199	+ prefix 172.22.0.0/24
	200	+ }
	201	+ rule 3 {
	202	+ action permit
	203	+ description Freifunk
	204	+ ge 16
	205	+ prefix 10.0.0.0/8
	206	+ }
	207	+ rule 4 {
	208	+ action permit
	209	+ description ChaosVPN
	210	+ ge 23
	211	+ prefix 172.31.0.0/16
	212	+ }
	213	+ rule 65535 {
	214	+ action deny
	215	+ prefix 0.0.0.0/0
	216	+ }
	217	+ }
	218	+ route-map DN42 {
	219	+ rule 1 {
	220	+ action permit
	221	+ match {
	222	+ ip {
	223	+ address {
	224	+ prefix-list DN42-IPv4
	225	+ }
	226	+ }
	227	+ }
	228	+ }
	229	+ rule 65535 {
	230	+ action deny
	231	+ }
	232	+ }
	233	+ }
	234	+ protocols {
	235	+ bgp 64746 {
	236	+ aggregate-address 172.23.248.0/24 {
	237	+ summary-only
	238	+ }
	239	+ neighbor 172.23.248.11 {
	240	+ description CREST-DN42
	241	+ peer-group DN42
	242	+ remote-as 64828
	243	+ update-source 172.23.248.10
	244	+ }
	245	+ network 172.23.248.0/24 {
	246	+ }
	247	+ parameters {
	248	+ router-id 172.23.248.2
	249	+ }
	250	+ peer-group DN42 {
	251	+ route-map {
	252	+ export DN42
	253	+ import DN42
	254	+ }
	255	+ soft-reconfiguration {
	256	+ inbound
	257	+ }
	258	+ }
	259	+ }
	260	+ static {
	261	+ route 0.0.0.0/0 {
	262	+ next-hop 192.0.2.1 {
	263	+ }
	264	+ }
	265	+ route 172.23.248.0/24 {
	266	+ blackhole {
	267	+ distance 255
	268	+ }
	269	+ }
	270	+ }
	271	+ }
	272	+ service {
	273	+ nat {
	274	+ rule 6000 {
	275	+ outbound-interface eth0
	276	+ type masquerade
	277	+ }
	278	+ }
	279	+ ssh {
	280	+ disable-password-authentication
	281	+ port 22
	282	+ protocol-version v2
	283	+ }
	284	+ ubnt-discover {
	285	+ disable
	286	+ }
	287	+ }
	288	+ system {
	289	+ config-management {
	290	+ commit-revisions 10
	291	+ }
	292	+ domain-name ryan.dn42
	293	+ host-name edge1
	294	+ login {
	295	+ banner {
	296	+ pre-login ""
	297	+ }
	298	+ user ryan {
	299	+ authentication {
	300	+ encrypted-password :)
	301	+ public-keys ryan {
	302	+ key AAAAB3NzaC1yc2EAAAADAQABAAACAQCymzCbuc777hZ8acvK+68tB7WlZl9V8rQjeQCHny2f9Fy2uSnDHXymUzQJSBY8dr4QM07owCFyYciYqhJRBeBRiaP1dj6avzZzlrOC2xuXSWw4aCYVkEaBPWkntCvBjmPhtvA+x5w8qm0X+B41DG1D44qzrQSmL5geheQCHWSf48Za6RUvPxPuQ+xfBMlIaWscRn95NST2102sYwfl3GDJEqV8FqZ5gQeuG3LDRBQmVEZOSMFIN0pOrp6+UYDe6LSw8eD3uBNrkfbbwwEqjHKFNuYaIw/XNdY0nqhHec0KjsuPLHTQMc44h8CPL5ytAtjF1WnPAE4e3aDQFnB05V/3GThJI010bNkLw5zbGkq0QUa7SmFfAsyOg50grByqZWY/J997HXjWdsgK+7d3K4VQXlI1Uak6G2i0Vb5KX0Xv6dmFmsqwuomeGozBJOl3YebvHI/39Y1VcZls2Zkjg4dBWJQGhsZv8wAX8bf7owtLPE+PcWvX5dRmk44r93mk1M1PTz7XAJGXfeii/OV+QRZZkbzhi3h7VItF5Yv5nptMQUx+irUrIX3gaTHOu8cMTxtP52kIOGOEN/LmYbmrdc++QJNGGadopuZBDpCiR2xQhwQL5yKaXH6Rdenn9d0mdNTzdqw5QOUfjY+SqTMDqLk+ETY+YZ6fvJYDIm4yfgi//Q==
	303	+ type ssh-rsa
	304	+ }
	305	+ }
	306	+ level admin
	307	+ }
	308	+ }
	309	+ name-server 4.2.2.2
	310	+ name-server 8.8.8.8
	311	+ ntp {
	312	+ server 0.ubnt.pool.ntp.org {
	313	+ }
	314	+ server 1.ubnt.pool.ntp.org {
	315	+ }
	316	+ server 2.ubnt.pool.ntp.org {
	317	+ }
	318	+ server 3.ubnt.pool.ntp.org {
	319	+ }
	320	+ }
	321	+ offload {
	322	+ ipsec enable
	323	+ ipv4 {
	324	+ forwarding enable
	325	+ }
	326	+ ipv6 {
	327	+ forwarding enable
	328	+ }
	329	+ }
	330	+ options {
	331	+ reboot-on-panic true
	332	+ }
	333	+ package {
	334	+ repository squeeze {
	335	+ components "main contrib non-free"
	336	+ distribution squeeze
	337	+ password ""
	338	+ url http://http.us.debian.org/debian
	339	+ username ""
	340	+ }
	341	+ repository squeeze-security {
	342	+ components main
	343	+ distribution squeeze/updates
	344	+ password ""
	345	+ url http://security.debian.org
	346	+ username ""
	347	+ }
	348	+ repository squeeze-updates {
	349	+ components "main contrib non-free"
	350	+ distribution squeeze-updates
	351	+ password ""
	352	+ url http://http.us.debian.org/debian
	353	+ username ""
	354	+ }
	355	+ }
	356	+ syslog {
	357	+ global {
	358	+ facility all {
	359	+ level notice
	360	+ }
	361	+ facility protocols {
	362	+ level debug
	363	+ }
	364	+ }
	365	+ }
	366	+ }
	367	+ vpn {
	368	+ ipsec {
	369	+ auto-firewall-nat-exclude disable
	370	+ esp-group ESP-AES128-SHA1-DH5-TRANSPORT {
	371	+ compression disable
	372	+ lifetime 3600
	373	+ mode transport
	374	+ pfs dh-group5
	375	+ proposal 1 {
	376	+ encryption aes128
	377	+ hash sha1
	378	+ }
	379	+ }
	380	+ ike-group IKE-AES128-SHA1-DH5 {
	381	+ lifetime 28800
	382	+ proposal 1 {
	383	+ dh-group 5
	384	+ encryption aes128
	385	+ hash sha1
	386	+ }
	387	+ }
	388	+ ipsec-interfaces {
	389	+ interface eth0
	390	+ }
	391	+ site-to-site {
	392	+ peer 192.0.2.243 {
	393	+ authentication {
	394	+ mode rsa
	395	+ rsa-key-name crest-dn42
	396	+ }
	397	+ connection-type initiate
	398	+ default-esp-group ESP-AES128-SHA1-DH5-TRANSPORT
	399	+ ike-group IKE-AES128-SHA1-DH5
	400	+ local-ip 192.0.2.2
	401	+ tunnel 0 {
	402	+ allow-nat-networks disable
	403	+ allow-public-networks disable
	404	+ esp-group ESP-AES128-SHA1-DH5-TRANSPORT
	405	+ protocol gre
	406	+ }
	407	+ }
	408	+ }
	409	+ }
	410	+ rsa-keys {
	411	+ rsa-key-name crest-dn42 {
	412	+ rsa-key 0sAwEAAbsbRoUcgdm4A4Nm+PLxWcW+zFis7pkaJ0MkGVzM7VC8nmngkM+W2zqZyQ4NUTBKKfGOUc4Ogi6gyhlzUnHdag9tDERIX+BwlDO6G4arod9z9KqmJuX4AOYVjH5QlAPz7NDMAezVekGoVLPGdOAMPD6NN54ihLRH6V3if8AGoJRpiajhcgQipjeQnhH4QhsYK4XSjayGT1onQwA8nhy5kt4ofyqSale4Fl4166S9tCn4RKwtlJDjR6VIrg6op6Ip8+ke2vjEHPJHj6qVsxfRgOk2d8pY8oPVt8ayc5F1z+lqJ7R0fADfN+AQSaBqOMmg5dHDFYWwgYkU5egdVKS7Oko6uNuUWsZ0VEnRoPZ4syJEUbiF5wGfaVBaaVLZYUlRLQCffB4JKzp+JesVToCX6JYRfb4JYQWFCDeQfrqRZHM4r13h8MOWPn9cqXcP47RKJjzNp6595biUotmCbMHyy/uveMWxK6vDzPQRkywqMMJE2qOyACmbMnSce9KlYhvma82Vd+z/9/U9NEy0s5MaYNDn+q+KYT5My3NSv52F6sLVGrKxTk79tzUejZcoukJv+gf51Epam4kVHzPIal/khsfjZn6YCU2j5+qcdRmzF+SG5c2WicvEU2Gc4ratfYNEPxU5oArzHIhIz6x2nAF+szcx/x8GEyXPNHnxEboJB7ox
	413	+ }
	414	+ }
	415	+ }
	416	+ zone-policy {
	417	+ zone DN42 {
	418	+ default-action reject
	419	+ description DN42
	420	+ from Local {
	421	+ firewall {
	422	+ name allow-all-v4
	423	+ }
	424	+ }
	425	+ from LAN {
	426	+ firewall {
	427	+ name allow-all-v4
	428	+ }
	429	+ }
	430	+ interface tun0
	431	+ }
	432	+ zone LAN {
	433	+ default-action reject
	434	+ from DN42 {
	435	+ firewall {
	436	+ name DN42-to-LAN
	437	+ }
	438	+ }
	439	+ from Local {
	440	+ firewall {
	441	+ name allow-all-v4
	442	+ }
	443	+ }
	444	+ from WAN {
	445	+ firewall {
	446	+ name established-only
	447	+ }
	448	+ }
	449	+ interface eth1
	450	+ }
	451	+ zone Local {
	452	+ default-action reject
	453	+ from DN42 {
	454	+ firewall {
	455	+ name DN42-to-Local
	456	+ }
	457	+ }
	458	+ from LAN {
	459	+ firewall {
	460	+ name allow-all-v4
	461	+ }
	462	+ }
	463	+ from WAN {
	464	+ firewall {
	465	+ name WAN-to-Local
	466	+ }
	467	+ }
	468	+ local-zone
	469	+ }
	470	+ zone WAN {
	471	+ default-action reject
	472	+ from LAN {
	473	+ firewall {
	474	+ name allow-all-v4
	475	+ }
	476	+ }
	477	+ from Local {
	478	+ firewall {
	479	+ name allow-all-v4
	480	+ }
	481	+ }
	482	+ interface eth0
	483	+ }
	484	+ }
...	...	\ No newline at end of file