Leo's Blog About knowledge which needs to be conserved somewhere

Configuring IPSec IKEv2 IPv6 tunnel with RSA keys on EdgeOS 2.0.9 and Ubuntu 20.04

6 min read edgeos ikev2 ipsec ipv6 linux strongswan

Goal

We want to create the following:

  • IPSec IKEv2 tunnel between an EdgeOS router and Ubuntu Linux (with strongSwan)
  • we only use IPv6 (we invest our energy in the future)
  • authentication via RSA keys should be used (PSK is too insecure regarding man-in-the-middle-attacks)
  • build setup incrementally for better debugging
    • in the first steps PSK setup is shown because it is easier to debug
    • PSK authentication will then be replaces with RSA keys

Assumptions for this test:

  • EdgeOS 2 is used (I tested with 2.0.9)
  • strongSwan 5.8 on Ubuntu Linux (or any Debian Linux with same strongSwan version)
  • use swanctl on Ubuntu Linux (because ipsec command is legacy)

Setup overview

LAN networks:

  • LAN1: 2001:DB8:1111:2222::/64
  • LAN2: 2001:DB8:3333:4444::/64

Devices:

  • C1: client device in office network
    • LAN1: 2001:DB8:1111:2222::123
  • R1: (name: sun) Edgerouter-X in office network
    • LAN1: 2001:DB8:1111:2222::1
    • WAN: 2001:DB8:9:9:9:9:9:9
  • R2: (name: moon) strongSwan Ubuntu VM in cloud virtual network
    • WAN: 2001:DB8:7:7:7:7:7:7
    • LAN2: 2001:DB8:3333:4444::1
  • C2: client in cloud virtual network
    • LAN2: 2001:DB8:3333:4444::456

Setup 1 (with PSK)

We want to begin with the easiest setup. Therefore we use a preshared key (PSK) for authentication. When this setups is working then we will improve the security and change to RSA keys. This will be explained later on.

EdgeOS IPSec config

Below we will only see IPSec relevant parts of the config.

First we define some secure settings for phase 1 and phase 2.

set vpn ipsec esp-group ESP_Phase1 compression 'disable'
set vpn ipsec esp-group ESP_Phase1 lifetime '5400'
set vpn ipsec esp-group ESP_Phase1 mode 'tunnel'
set vpn ipsec esp-group ESP_Phase1 pfs 'enable'
set vpn ipsec esp-group ESP_Phase1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP_Phase1 proposal 1 hash 'sha256'
set vpn ipsec ike-group ESP_Phase2 ikev2-reauth 'yes'
set vpn ipsec ike-group ESP_Phase2 key-exchange 'ikev2'
set vpn ipsec ike-group ESP_Phase2 lifetime '3600'
set vpn ipsec ike-group ESP_Phase2 proposal 1 dh-group '16'
set vpn ipsec ike-group ESP_Phase2 proposal 1 encryption 'aes256'
set vpn ipsec ike-group ESP_Phase2 proposal 1 hash 'sha256'

We use eth0 as Internet facing interface.

set vpn ipsec ipsec-interfaces interface 'eth0'

We create a new IPSec peer with several settings:

set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 authentication id 'sun'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 authentication remote-id 'moon'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 authentication pre-shared-secret 'THISMUSTBEASECURPASSWORD'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 connection-type 'initiate'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 default-esp-group 'ESP_Phase1'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 ike-group 'ESP_Phase2'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 local-address '2001:DB8:1111:2222::1'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 tunnel 2 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 tunnel 2 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 tunnel 2 esp-group 'ESP_Phase1'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 tunnel 2 local prefix '2001:DB8:1111:2222::/64'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 tunnel 2 remote prefix '2001:DB8:3333:4444::/64'

Let me explain some of the settings:

  • authentication id 'sun' - is needed because we use RSA authentication and both peers need to have an identity
  • mode 'pre-shared-secret' - see below for steps to create keys
  • local-address- for IPv6 we need to configure a source IP here. Please use an IP address of R1, e.g. the internal LAN IP.
  • local prefix - IPv6 network in office
  • remote prefix - IPv6 network in cloud environment

Note: we do not need to activate any NAT tranversal because we use IPv6.

strongSwan IPSec config

On the Linux host all configuration can be found in swanctl.conf:

connections {

    site-2-dynamic-ip {
        remote_addrs = %any
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        keyingtries = 0
        local {
            auth = psk
            id = moon
        }
        remote {
            auth = psk
            id = sun
        }
        children {
            site-2-dynamic-ip6 {
                local_ts  = 2001:DB8:3333:4444::/64
                remote_ts = 2001:DB8:1111:2222::/64
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
                dpd_action = restart
                start_action = trap
            }
        }
    }
}
secrets {
   ike-3 {
      id-3a = moon
      id-3b = sun
      secret = THISMUSTBEASECURPASSWORD
   }
}

Testing and Debugging

Having EdgeOS and strongSwan config in place we can test the connection. We should be able to ping from C1 to C2. Therefore execute on C1 the following command:

ping 2001:DB8:3333:4444::456

If you get an answer everything is fine. You can continue with switching PSK to RSA authentation (see below).

If the ping is not successful then use the following commands for debugging.

On EdgeOS:

  • in configure mode:
show vpn debug peer 2001:DB8:7:7:7:7:7:7
show vpn ikpsec status
show vpn ikpsec sa
show vpn ike sa
  • in normal mode:
ipsec statusall
tcpdump host 2001:DB8:7:7:7:7:7:7

On Ubuntu Linux (strongSwan):

journalctl -u strongswan.service -f
ipsec status

Setup 2 (with RSA keys)

When we want to use RSA keys it is getting more complicated in our specific case because EdgeOs 2.x.y and stongSwan 5.8 use different key formats.

RSA key format

We have to convert between two file formats:

Converting can be done with rsa-converter tool.

Generate RSA keys

EdgeOS:

  • we want to have a custom key name
set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/sun.key
  • generate RSA key on Edgerouter
run generate vpn rsa-key bits 4096
  • manually save displayed public key for later use to file sun.pub.rfc3110.
  • convert public key to PEM format by using rsa-converter tool
./rsa-converter -p  < sun.pub.rfc3110 > sun.pub.pem

strongSwan:

  • generate key by using OpenSSL
  openssl genrsa -out moon.key 4096
  openssl rsa -in moon.key -pubout > moon.pub.pem
  • we also need the public key in Base64 RFC3110 format
./rsa-converter -r < moon.pub.pem > moon.pub.rfc3110

Let us summarize the files we have now:

  • sun.key - private key saved in EdgeOS
  • sun.pub.rfc3110 - public key extracted from EdgeOS key generation process (Base64 RFC3110 format)
  • sun.pub.pem - public key (PEM format)
  • moon.key - private key of strongSwan server
  • moon.pub.pem - public key of moon (PEM format)
  • moon.pub.rfc3110 - public key of moon (BASE64 RFC3110 format)

Next steps are:

  • import public key (Base64 RFC3110 format) of moon into EdgeOS
set vpn rsa-keys rsa-key-name moon rsa-key 0sAwEAAaw0flNdvMgZner.......
  • copy private key of moon to strongSwan directory
cp moon.key /etc/swanctl/rsa/
  • copy public keys to stronSwan directory
cp sun.pub.pem /etc/swanctl/pubkey/sun.pub
cp moon.pub.pem /etc/swanctl/pubkey/moon.pub

Use RSA keys for authentication

To activate usage of RSA keys instead of PSK, execute the following lines in EdgeOS:

set vpn ipsec site-to-site peer 2a05:d014:950:9500:8c53:a5f4:1577:b911 authentication mode 'rsa'
set vpn ipsec site-to-site peer 2a05:d014:950:9500:8c53:a5f4:1577:b911 authentication rsa-key-name 'moon'
commit ; save

On strongSwan configure /etc/swanctl.conf:

connections {

    site-2-dynamic-ip {
        remote_addrs = %any
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        keyingtries = 0
        local {
            pubkeys = moon.pub
            id = moon
        }
        remote {
            pubkeys = sun.pub
            id = sun
        }
        children {
            site-2-dynamic-ip6 {
                local_ts  = 2001:DB8:3333:4444::/64
                remote_ts = 2001:DB8:1111:2222::/64
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
                dpd_action = restart
                start_action = trap
            }
        }
    }
}
secrets {
   rsa-3 {
      id-3a = moon
      id-3b = sun
      file = moon.key
   }
}

Then restart strongSwan, e.g. via systemctl strongswan restart.

If all settings are correct C1 can now again ping to C2.

Congratulations!

History: EdgeOS vs. Vyatta vs. VyOS

The commands in the configuration interface of EdgeOS & Vyatta & VyOS share many thing because they have the same basis.

Vyatta was devloped by Brocade. Vyatta 6.5 was released in 2012. This was the last open source release.

EdgeOS was forked from Vyatta 6.3.

VyOS was forked from Vyatta in 2013.

This is the reason for many similar configuration commands.

Comments: