edc1f9f84de6b342334237a9a04fe2dffe07705b
howto/IPsecWithPublicKeys/VyOSExample.md
| ... | ... | @@ -0,0 +1,135 @@ |
| 1 | +# IPsec with public key authentication on VyOS/EdgeOS |
|
| 2 | +## Setup |
|
| 3 | +### Generate an RSA keypair |
|
| 4 | + |
|
| 5 | + ubnt@ubnt:~$ generate vpn rsa-key bits 4096 random /dev/urandom |
|
| 6 | + Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key |
|
| 7 | + |
|
| 8 | + Your new local RSA key has been generated |
|
| 9 | + The public portion of the key is: |
|
| 10 | + |
|
| 11 | + 0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw== |
|
| 12 | + |
|
| 13 | +### Exchange public keys with your peer |
|
| 14 | +1. Display the public key. Send the key data portion to your peer. |
|
| 15 | + |
|
| 16 | + ubnt@ubnt:~$ show vpn ike rsa-keys |
|
| 17 | + |
|
| 18 | + Local public key (/config/ipsec.d/rsa-keys/localhost.key): |
|
| 19 | + |
|
| 20 | + 0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw== |
|
| 21 | + |
|
| 22 | +2. Convert your peer's public key to the Base64 RFC 3110 format using the [pubkey-converter][pubkey-converter] script, if necessary. |
|
| 23 | + |
|
| 24 | +[pubkey-converter]: https://github.com/ryanriske/pubkey-converter "Public key conversion script" |
|
| 25 | + |
|
| 26 | +## Configuration |
|
| 27 | +### Configure the phase 1 IKE parameters |
|
| 28 | +In this example, we'll use the following settings: |
|
| 29 | + |
|
| 30 | +| Key | Value | |
|
| 31 | +| :------------ | :------------ | |
|
| 32 | +| Encryption | AES-128 | |
|
| 33 | +| Hash | HMAC-SHA1 | |
|
| 34 | +| DH Group | 5 (modp1536) | |
|
| 35 | +| Lifetime | 28800 seconds | |
|
| 36 | +| Peer address | 192.0.2.2 | |
|
| 37 | +| Local address | 192.0.2.1 | |
|
| 38 | + |
|
| 39 | +1. Add your peer's public key |
|
| 40 | + |
|
| 41 | + vyos@vyos:~$ configure |
|
| 42 | + [edit] |
|
| 43 | + vyos@vyos# set vpn rsa-keys rsa-key-name my-peer rsa-key 0sAwEAAb4ETtKRLxcFNty56regsR61pq7hQl3NnjwABL16wZXGynKxZlj11VbdqcNwaTaqHZLV4Xfy867nImSs0DD9Cko5LzWwyM1Ih4SB+rIjfmBt7nRUrilnYvfWAONG1CLTI2tXnM/miNqiY+PxlCiMPr1KrTJWBWOknqqhhL2dOBfp3Ryx1yRxDACFG4wgpwmndJOnmefnV6qZXWiOdoIsBsBqQKiDY0g2uI+S3KxK27JL3KZWcA2ehhvtxmq4vwcMXplYeedei3EEmWxtddAZCApXor9bkVoVp2io+a0D1ALevYMD5SIygu55Q888n5puYNry/cUjX20/F/YK+J9u2UExWewN4AIt/jMNm7nJNWpuFHfLX1V/igHrdGzoEM0E/i+nGz9CWTVTLoFUmkTjpt31FPmomSVEI7MbNXG7cpa+X55PWd1apheR52XJZPZfCnMf1DjilYbLMRG05RK8zI3QlX3UXHira0dq4OBZ+Aow+dGp+jLmwjgdBDnkQdVu0iP6bp+5/oz6mWvDQ65EVECAIXKR5zIsiKn9ZU18H+lp4xWMjiSw3Y+87Y5KeQPmX73Ygolow6VvtCBvX8CS4Plszn3i0Qp8184eLEWIY314Z8Z+HwBAjUv3MkqI93leokAjMbt23ttaJbWlWgG47BAJOEcWlMFkDNcZtOngUrzF |
|
| 44 | + |
|
| 45 | +2. Configure an ISAKMP policy |
|
| 46 | + |
|
| 47 | + [edit] |
|
| 48 | + vyos@vyos# edit vpn ipsec ike-group FOO |
|
| 49 | + [edit vpn ipsec ike-group FOO] |
|
| 50 | + vyos@vyos# set lifetime 28800 |
|
| 51 | + [edit vpn ipsec ike-group FOO] |
|
| 52 | + vyos@vyos# set proposal 1 encryption aes128 |
|
| 53 | + [edit vpn ipsec ike-group FOO] |
|
| 54 | + vyos@vyos# set proposal 1 hash sha1 |
|
| 55 | + [edit vpn ipsec ike-group FOO] |
|
| 56 | + vyos@vyos# set proposal 1 dh-group 5 |
|
| 57 | + [edit vpn ipsec ike-group FOO] |
|
| 58 | + vyos@vyos# commit |
|
| 59 | + |
|
| 60 | +3. Set your peer definition to use the public key |
|
| 61 | + |
|
| 62 | + [edit vpn ipsec ike-group FOO] |
|
| 63 | + vyos@vyos# up |
|
| 64 | + [edit vpn ipsec] |
|
| 65 | + vyos@vyos# edit site-to-site peer 192.0.2.2 |
|
| 66 | + [edit vpn ipsec site-to-site peer 192.0.2.2] |
|
| 67 | + vyos@vyos# set authentication mode rsa |
|
| 68 | + [edit vpn ipsec site-to-site peer 192.0.2.2] |
|
| 69 | + vyos@vyos# set authentication rsa-key-name my-peer |
|
| 70 | + |
|
| 71 | +4. All done! Configure the phase 2 parameters as you otherwise would. |
|
| 72 | + |
|
| 73 | +## Full GRE/IPsec example |
|
| 74 | + interfaces { |
|
| 75 | + ethernet eth0 { |
|
| 76 | + address 192.0.2.2/30 |
|
| 77 | + description WAN |
|
| 78 | + duplex auto |
|
| 79 | + speed auto |
|
| 80 | + } |
|
| 81 | + tunnel tun0 { |
|
| 82 | + address 10.1.2.0/31 |
|
| 83 | + encapsulation gre |
|
| 84 | + local-ip 192.0.2.1 |
|
| 85 | + mtu 1400 |
|
| 86 | + multicast disable |
|
| 87 | + remote-ip 192.0.2.2 |
|
| 88 | + ttl 255 |
|
| 89 | + } |
|
| 90 | + } |
|
| 91 | + vpn { |
|
| 92 | + ipsec { |
|
| 93 | + esp-group BAR { |
|
| 94 | + compression disable |
|
| 95 | + lifetime 3600 |
|
| 96 | + mode transport |
|
| 97 | + pfs dh-group5 |
|
| 98 | + proposal 1 { |
|
| 99 | + encryption aes128 |
|
| 100 | + hash sha1 |
|
| 101 | + } |
|
| 102 | + } |
|
| 103 | + ike-group FOO { |
|
| 104 | + lifetime 28800 |
|
| 105 | + proposal 1 { |
|
| 106 | + dh-group 5 |
|
| 107 | + encryption aes128 |
|
| 108 | + hash sha1 |
|
| 109 | + } |
|
| 110 | + } |
|
| 111 | + ipsec-interfaces { |
|
| 112 | + interface eth0 |
|
| 113 | + } |
|
| 114 | + site-to-site { |
|
| 115 | + peer 192.0.2.2 { |
|
| 116 | + authentication { |
|
| 117 | + mode rsa |
|
| 118 | + rsa-key-name my-peer |
|
| 119 | + } |
|
| 120 | + connection-type initiate |
|
| 121 | + default-esp-group BAR |
|
| 122 | + ike-group FOO |
|
| 123 | + local-ip 192.0.2.1 |
|
| 124 | + tunnel 0 { |
|
| 125 | + protocol gre |
|
| 126 | + } |
|
| 127 | + } |
|
| 128 | + } |
|
| 129 | + } |
|
| 130 | + rsa-keys { |
|
| 131 | + rsa-key-name my-peer { |
|
| 132 | + rsa-key 0sAwEAAbsbRoUcgdm4A4Nm+PLxWcW+zFis7pkaJ0MkGVzM7VC8nmngkM+W2zqZyQ4NUTBKKfGOUc4Ogi6gyhlzUnHdag9tDERIX+BwlDO6G4arod9z9KqmJuX4AOYVjH5QlAPz7NDMAezVekGoVLPGdOAMPD6NN54ihLRH6V3if8AGoJRpiajhcgQipjeQnhH4QhsYK4XSjayGT1onQwA8nhy5kt4ofyqSale4Fl4166S9tCn4RKwtlJDjR6VIrg6op6Ip8+ke2vjEHPJHj6qVsxfRgOk2d8pY8oPVt8ayc5F1z+lqJ7R0fADfN+AQSaBqOMmg5dHDFYWwgYkU5egdVKS7Oko6uNuUWsZ0VEnRoPZ4syJEUbiF5wGfaVBaaVLZYUlRLQCffB4JKzp+JesVToCX6JYRfb4JYQWFCDeQfrqRZHM4r13h8MOWPn9cqXcP47RKJjzNp6595biUotmCbMHyy/uveMWxK6vDzPQRkywqMMJE2qOyACmbMnSce9KlYhvma82Vd+z/9/U9NEy0s5MaYNDn+q+KYT5My3NSv52F6sLVGrKxTk79tzUejZcoukJv+gf51Epam4kVHzPIal/khsfjZn6YCU2j5+qcdRmzF+SG5c2WicvEU2Gc4ratfYNEPxU5oArzHIhIz6x2nAF+szcx/x8GEyXPNHnxEboJB7ox |
|
| 133 | + } |
|
| 134 | + } |
|
| 135 | + } |
|
| ... | ... | \ No newline at end of file |