===== IPsec ===== .. sidebar:: Contents .. contents:: :depth: 2 :local: IPsec is a secure network protocol suite that authenticates and encrypts data packets to provide secure encrypted communication. It can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec relies on different protocols to perform various functions: * **Authentication Header (AH)**: provides connectionless data integrity and data origin authentication for IP datagrams. * **Encapsulating Security Payload (ESP)**: provides confidentiality, connectionless data integrity, data origin authentication and traffic-flow confidentiality. * **Internet Key Exchange (IKE and IKEv2)**: its purpose is to generate security associations (SA) between the bundle of algorithms and parameters necessary for AH and/or ESP operations. OSDx supports both transport and tunnel modes, IKE and IKEv2, many encryption and hashing algorithms and multiple ways to perform authentication. Configuration ============= IPsec can be configured via the following command :osdx:cfg:`vpn ipsec`. There are two different ways to set up VPN IPsec tunnels: * Using :doc:`Site-to-Site ` configuration. * Using Dynamic Multipoint VPN (DMVP) configuration. DMVPN and Site-to-Site instances need three different configuration profiles or groups: * **IKE profile** (or :osdx:cfg:`vpn ipsec ike-group *`). * **Authentication profile** (or :osdx:cfg:`vpn ipsec auth-profile *`). * **Encapsulating profile** (or :osdx:cfg:`vpn ipsec esp-group *`). .. raw:: html
----------- IKE profile ----------- As previously mentioned, IKE performs mutual authentication between two parties and establishes an IKE security association (SA) that includes shared secret information that can be used to efficiently establish SAs for ESP, AH and a set of cryptographic algorithms to be used by SAs to protect the traffic. In OSDx, IKE attributes are specified through ``ike-groups`` and multiple proposals can be specified in a single group. The IKE version can be configured using command :osdx:cfg:`vpn ipsec ike-group * key-exchange *`. If not specified, ``ikev1`` is used by default. The ``dead-peer-detection`` (DPD) mechanism can be enabled and customized using command :osdx:cfg:`vpn ipsec ike-group * dead-peer-detection`. This allows the device to send periodic notification messages to check the activity of the IPsec connection. **Configuration examples:** .. note:: Example using IKEv2, DPD enabled with a 1-minute interval and a lifetime of 1 day. A single proposal was defined, using ``aes256gcm128`` for encryption, ``sha256`` for hashing, and Diffie-Hellman group 19 (``ecp256``). .. code-block:: none set vpn ipsec ike-group IKE_SPOKE dead-peer-detection interval 60 set vpn ipsec ike-group IKE_SPOKE key-exchange ikev2 set vpn ipsec ike-group IKE_SPOKE lifetime 86400 set vpn ipsec ike-group IKE_SPOKE proposal 1 dh-group 19 set vpn ipsec ike-group IKE_SPOKE proposal 1 encryption aes256gcm128 set vpn ipsec ike-group IKE_SPOKE proposal 1 hash sha256 .. dropdown:: Click here to see the available configuration commands: .. osdx:cmdtree:: cfg :maxdepth: 3 vpn ipsec ike-group ---------------------- Authentication profile ---------------------- In order to configure an authentication profile, both network sides (i.e., ``remote`` and ``local``) can be specified. If the parameters are the same, command :osdx:cfg:`vpn ipsec auth-profile * mirror-config *` can be used. Currently, OSDx supports the following authentication mechanisms: * Pre-Shared Key (PSK). * Certificate-based authentication (X.509). * Extensible Authentication Protocol (EAP). * Remote Authentication Dial-In User Service (RADIUS). Additionally, OSDx supports some advanced authentication mechanisms to provide more security to the VPN connection: * **Extended Authentication** (XAuth, `RFC2026 `_): increases security by requiring remote client users to authenticate with additional credentials in a separate exchange. This mechanism is only available for **IKEv1** exchange methods. * **Post-Quantum Pre-Shared Key (PPK)** is also an enhanced security mechanism to make the connection resistant to quantum computers. In this case, it must be used with a **IKEv2** exchange method. This mechanism is based on `RFC8784 `_. Basically, both peers separately exchange (out-of-band) a pre-shared key, which is used in the peering process. However, this key will not be transmitted in any way during the IKE exchange and its ID will be used instead. In most cases, except for X.509 and RADIUS, the secrets and IDs are defined in separate commands, so that they can be referenced as needed in the authentication profile by using some regular expressions or magic values. The secrets are stored in the ``global-secrets`` section, meanwhile the IDs are specified in the ``local`` and ``remote`` sections. **Configuration examples:** .. note:: Example using IKE IDs and Pre-Shared Key: .. code-block:: none set vpn ipsec auth-profile PSK_AUTH global-secrets ike-psk my_psk_id secret mypassword set vpn ipsec auth-profile PSK_AUTH global-secrets ike-psk other_psk_id secret otherpassword set vpn ipsec auth-profile PSK_AUTH local auth ike-psk id my_psk_id set vpn ipsec auth-profile PSK_AUTH remote auth ike-psk id other_psk_id .. note:: Example using SCEP to automatically retrieve X.509 credentials: .. code-block:: none set vpn ipsec auth-profile SCEP_AUTH mode x509 set vpn ipsec auth-profile SCEP_AUTH x509 csr SCEP_CSR .. note:: XAuth adds per-user authentication at the end of the IKE exchange, where each user connecting to the VPN provides a unique username and password. The server is responsible for verifying this information, ensuring that the user is authorized to access the VPN. Example configuration using XAuth with PSK: .. code-block:: none set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk my_psk_id secret my_psk_secret set vpn ipsec auth-profile AUTH-SA global-secrets xauth my_xauth_id secret my_xauth_secret set vpn ipsec auth-profile AUTH-SA local auth ike-psk id my_psk_id set vpn ipsec auth-profile AUTH-SA local xauth id my_xauth_id set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id my_psk_id or XAuth with X.509 authentication: .. code-block:: none set vpn ipsec auth-profile AUTH-SA global-secrets xauth client secret password set vpn ipsec auth-profile AUTH-SA local cert-file 'running://client.crt' set vpn ipsec auth-profile AUTH-SA local key file 'running://client.priv.pem' set vpn ipsec auth-profile AUTH-SA local ca-cert-file 'running://ca.crt' set vpn ipsec auth-profile AUTH-SA local xauth id client set vpn ipsec auth-profile AUTH-SA local id client.teldat.org set vpn ipsec auth-profile AUTH-SA remote id server.teldat.org .. note:: The Post-Quantum Pre-Shared Key (PPK) defines the identifier and secret pairs under the `global-secrets` section and, to make use of them, the corresponding `id` must be referenced in the auth-profile configuration. The identifier has to be unique for each PPK defined in the configuration, even if they are in different auth-profiles. The secret must have a minimum entropy of 256 bits, which is equivalent to (around) 32 ascii characters. Example configuration using PPK with PSK: * Initiator side: .. code-block:: none set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk my_psk_id secret my_psk_secret set vpn ipsec auth-profile AUTH-SA global-secrets ppk my_ppk_id secret 0x966d898b7bb09ce6b2b0a8bc2b5fc0236d89cae5987c9c40f29b34dadd2a8487 set vpn ipsec auth-profile AUTH-SA local auth ike-psk id my_psk_id set vpn ipsec auth-profile AUTH-SA local ppk id my_ppk_id set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id my_psk_id * Responder side: .. code-block:: none set vpn ipsec auth-profile AUTH-SA global-secrets ike-psk my_psk_id secret my_psk_secret set vpn ipsec auth-profile AUTH-SA global-secrets ppk my_ppk_id secret 0x966d898b7bb09ce6b2b0a8bc2b5fc0236d89cae5987c9c40f29b34dadd2a8487 set vpn ipsec auth-profile AUTH-SA local auth ike-psk id my_psk_id set vpn ipsec auth-profile AUTH-SA mirror-config false set vpn ipsec auth-profile AUTH-SA remote ppk id my_ppk_id set vpn ipsec auth-profile AUTH-SA remote auth ike-psk id my_psk_id The use of PPK could be set as a mandatory requirement for the connection by means of the following command: .. code-block:: none set vpn ipsec auth-profile AUTH-SA local ppk required set vpn ipsec auth-profile AUTH-SA remote ppk required The mandatory requirement will behave as follows: +--------------------+--------------------+---------------------+----------------+ | Required Initiator | Required responder | Both shared the PPK | Action | +====================+====================+=====================+================+ | * | * | Yes | Use PPK | +--------------------+--------------------+---------------------+----------------+ | Yes | * | No | Abort | +--------------------+--------------------+---------------------+----------------+ | * | Yes | No | Abort | +--------------------+--------------------+---------------------+----------------+ | No | No | No | Standard IKEv2 | +--------------------+--------------------+---------------------+----------------+ Check for more examples and use cases in :doc:`PPK examples `. .. dropdown:: Click here to see the available configuration commands: .. osdx:cmdtree:: cfg :maxdepth: 3 vpn ipsec auth-profile --------------------- Encapsulating profile --------------------- Finally, the ``esp-group`` must be defined in order to allow the encryption of IP packets on the network layer. Two modes are supported: * **Tunnel mode**: the whole IP packet is encapsulated via ESP and an outer IP header is added. Unless otherwise specified, this mode is used by default. * **Transport mode**: the original IP header is preserved and only the Layer 4 payload carried by the IP packet is encrypted. The ESP header is inserted between the original IP header and the encrypted payload. Tunnel mode is most commonly used for configurations that need a secure connection between two different networks, separated by an intermediate untrusted network. Transport mode is commonly used when fast and secure end-to-end communications are required, such as client-server communications. In OSDx, the mode can be configured using command :osdx:cfg:`vpn ipsec esp-group * mode *`. **Configuration examples:** .. note:: Example using transport mode, a child lifetime of 12 hours and disabled IPsec replay protection. A single proposal was defined, using ``aes256gcm128`` for encryption and Diffie-Hellman group 19 (``ecp256``). .. code-block:: none set vpn ipsec esp-group ESP_SPOKE lifetime 43200 set vpn ipsec esp-group ESP_SPOKE mode transport set vpn ipsec esp-group ESP_SPOKE replay-window 0 set vpn ipsec esp-group ESP_SPOKE proposal 1 encryption aes256gcm128 set vpn ipsec esp-group ESP_SPOKE proposal 1 pfs dh-group19 .. dropdown:: Click here to see the available configuration commands: .. osdx:cmdtree:: cfg :maxdepth: 3 vpn ipsec esp-group Administration ============== There are multiple operational commands available to manage, administrate and debug VPN IPsec connections. Operational command :osdx:op:`vpn ipsec show sa` can be used to list currently active SAs: .. code-block:: none vpn-peer-PEER_SA: #4, ESTABLISHED, IKEv2, 20f196be4f2a0858_i 9356cffbef06683f_r* local 'M2' @ 10.0.0.2[500] remote 'RS' @ 10.0.0.1[500] AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256 established 1s ago, rekeying in 18861s peer-PEER_SA-tunnel-1: #6, reqid 4, INSTALLED, TUNNEL, ESP:AES_GCM_16-256 installed 1s ago, rekeying in 3263s, expires in 3959s in cb6ac9cb, 0 bytes, 0 packets out caf347c3, 0 bytes, 0 packets local 192.168.100.0/24 remote 192.168.200.0/24 admin@M2$ :osdx:op:`vpn ipsec clear sa` can be used to close previously established SAs: .. code-block:: none admin@M2$ vpn ipsec clear sa Deleting IPSec SAs... 100% Closed tunnels: 1 admin@M2$ Additionally, we can manually initiate SAs via the following command: :osdx:op:`vpn ipsec initiate peer *` .. code-block:: none admin@RS420$ vpn ipsec initiate peer PEER_SA Initiating IPSec SAs... 0% Initiated tunnels: 1 admin@RS420$ Operational command :osdx:op:`vpn ipsec show policy` can prove very useful, since it displays the content of the security policy database. Enabling login information is also possible with the following configuration command: :osdx:cfg:`vpn ipsec logging`. Command summary =============== .. osdx:cmdtree:: cfg :maxdepth: 3 vpn ipsec .. osdx:cmdtree:: op vpn ipsec See also ======== You can find more information on how to configure VPN IPsec instances in the articles below: .. toctree:: :titlesonly: :glob: */index