Configuring IPSec IKEv2 IPv6 tunnel with RSA keys on EdgeOS 2.0.9 and Ubuntu 20.04
Goal
We want to create the following:
- IPSec IKEv2 tunnel between an EdgeOS router and Ubuntu Linux (with strongSwan)
- we only use IPv6 (we invest our energy in the future)
- authentication via RSA keys should be used (PSK is too insecure regarding man-in-the-middle attacks)
- the setup is built incrementally for easier debugging
- in the first step a PSK setup is shown because it is easier to debug
- PSK authentication is then replaced with RSA keys
Assumptions for this test:
- EdgeOS 2 is used (I tested with 2.0.9)
- strongSwan 5.8 on Ubuntu Linux (or any Debian Linux with the same strongSwan version)
- use swanctl on Ubuntu Linux (because the ipsec command is legacy)
Setup overview
LAN networks:
- LAN1: 2001:DB8:1111:2222::/64
- LAN2: 2001:DB8:3333:4444::/64
Devices:
- C1: client device in office network
  - LAN1: 2001:DB8:1111:2222::123
- R1 (name: sun): Edgerouter-X in office network
  - LAN1: 2001:DB8:1111:2222::1
  - WAN: 2001:DB8:9:9:9:9:9:9
- R2 (name: moon): strongSwan Ubuntu VM in cloud virtual network
  - WAN: 2001:DB8:7:7:7:7:7:7
  - LAN2: 2001:DB8:3333:4444::1
- C2: client in cloud virtual network
  - LAN2: 2001:DB8:3333:4444::456
Setup 1 (with PSK)
We want to begin with the easiest setup. Therefore we use a preshared key (PSK) for authentication. Once this setup is working we will improve the security and change to RSA keys. This is explained later on.
EdgeOS IPSec config
Below we only show the IPSec-relevant parts of the config.
First we define some secure settings for phase 1 and phase 2.
set vpn ipsec esp-group ESP_Phase1 compression 'disable'
set vpn ipsec esp-group ESP_Phase1 lifetime '5400'
set vpn ipsec esp-group ESP_Phase1 mode 'tunnel'
set vpn ipsec esp-group ESP_Phase1 pfs 'enable'
set vpn ipsec esp-group ESP_Phase1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP_Phase1 proposal 1 hash 'sha256'
set vpn ipsec ike-group ESP_Phase2 ikev2-reauth 'yes'
set vpn ipsec ike-group ESP_Phase2 key-exchange 'ikev2'
set vpn ipsec ike-group ESP_Phase2 lifetime '3600'
set vpn ipsec ike-group ESP_Phase2 proposal 1 dh-group '16'
set vpn ipsec ike-group ESP_Phase2 proposal 1 encryption 'aes256'
set vpn ipsec ike-group ESP_Phase2 proposal 1 hash 'sha256'
We use eth0 as the Internet facing interface.
set vpn ipsec ipsec-interfaces interface 'eth0'
We create a new IPSec peer with several settings:
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 authentication id 'sun'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 authentication remote-id 'moon'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 authentication pre-shared-secret 'THISMUSTBEASECURPASSWORD'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 connection-type 'initiate'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 default-esp-group 'ESP_Phase1'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 ike-group 'ESP_Phase2'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 local-address '2001:DB8:1111:2222::1'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 tunnel 2 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 tunnel 2 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 tunnel 2 esp-group 'ESP_Phase1'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 tunnel 2 local prefix '2001:DB8:1111:2222::/64'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 tunnel 2 remote prefix '2001:DB8:3333:4444::/64'
Let me explain some of the settings:
- authentication id 'sun': is needed because we use RSA authentication and both peers need to have an identity
- mode 'pre-shared-secret': see below for steps to create keys
- local-address: for IPv6 we need to configure a source IP here. Please use an IP address of R1, e.g. the internal LAN IP.
- local prefix: IPv6 network in office
- remote prefix: IPv6 network in cloud environment
Note: we do not need to activate any NAT traversal because we use IPv6.
strongSwan IPSec config
On the Linux host all configuration can be found in /etc/swanctl/swanctl.conf:
connections {
    site-2-dynamic-ip {
        remote_addrs = %any
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        keyingtries = 0
        local {
            auth = psk
            id = moon
        }
        remote {
            auth = psk
            id = sun
        }
        children {
            site-2-dynamic-ip6 {
                local_ts = 2001:DB8:3333:4444::/64
                remote_ts = 2001:DB8:1111:2222::/64
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
                dpd_action = restart
                start_action = trap
            }
        }
    }
}
secrets {
    ike-3 {
        id-3a = moon
        id-3b = sun
        secret = THISMUSTBEASECURPASSWORD
    }
}
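One thing worth checking before debugging a failed IKE_SA_INIT is whether the two sides share a proposal at all. The EdgeOS ike-group above offers aes256 with sha256 and dh-group 16 (4096-bit MODP), while the explicitly listed strongSwan proposals only contain aes192/aes128gcm16 and modp3072/ecp groups, so in this post the negotiation must be relying on the trailing `default` keyword. The following Python script is an added example, not part of the original post and not strongSwan code: a simplified model of IKEv2 proposal selection that renders the EdgeOS settings in strongSwan's proposal notation and intersects them with the swanctl.conf proposals. It assumes that `pfs enable` reuses the ike-group dh-group for ESP, compares algorithms by name only, and leaves `default` unexpanded because the daemon, not this script, knows its contents. The practical lesson it demonstrates: if you later remove `default` to pin the cipher suite, you must add the EdgeOS proposal explicitly.

```python
# Added example, not from the original post and not strongSwan code: a simplified
# model of IKEv2 proposal selection, used to check whether the EdgeOS groups and the
# swanctl.conf proposals above actually share a proposal. Assumptions: EdgeOS renders
# its ike-group/esp-group as one strongSwan-style proposal string, "pfs enable" reuses
# the ike-group dh-group for ESP, algorithms are compared by name only, and the
# "default" keyword is skipped because the daemon expands it, not this script.
from typing import Dict, List, Optional, Set

# EdgeOS dh-group numbers -> strongSwan names (RFC 3526 MODP groups, RFC 5903 ECP groups)
DH_GROUPS = {"2": "modp1024", "5": "modp1536", "14": "modp2048", "15": "modp3072",
             "16": "modp4096", "17": "modp6144", "18": "modp8192",
             "19": "ecp256", "20": "ecp384", "21": "ecp521"}
FAMILIES = ("enc", "integ", "prf", "dh")
Proposal = Dict[str, Set[str]]


def parse_proposal(text: str) -> Proposal:
    """Split 'aes192-sha256-modp3072' into transform families. An integrity algorithm
    implies the matching PRF when none is spelled out, as strongSwan does."""
    p: Proposal = {fam: set() for fam in FAMILIES}
    for tok in text.strip().lower().split("-"):
        if tok.startswith("prf"):
            p["prf"].add(tok)
        elif tok.startswith(("aesxcbc", "aescmac", "sha", "md5")):
            p["integ"].add(tok)
        elif tok.startswith(("aes", "chacha20", "3des", "null")):
            p["enc"].add(tok)
        elif tok.startswith(("modp", "ecp", "curve", "x25519", "x448")):
            p["dh"].add(tok)
        else:
            raise ValueError(f"unknown transform {tok!r} in {text!r}")
    if not p["prf"]:
        p["prf"] = {"prf" + a for a in p["integ"]}
    return p


def parse_proposals(text: str) -> List[Proposal]:
    """Parse a comma-separated swanctl proposals value, dropping the 'default' keyword."""
    return [parse_proposal(t) for t in text.split(",") if t.strip() != "default"]


def is_aead(p: Proposal) -> bool:
    """GCM/CCM/ChaCha proposals carry no separate integrity transform."""
    return not p["integ"]


def select(local: List[Proposal], remote: List[Proposal]) -> Optional[Proposal]:
    """Return the first local proposal (highest preference) that shares an algorithm
    in every family with some remote proposal, reduced to the common algorithms."""
    for l in local:
        for r in remote:
            if is_aead(l) != is_aead(r):
                continue
            common = {fam: l[fam] & r[fam] for fam in FAMILIES}
            if all(common[fam] for fam in ("enc", "prf", "dh")) and (is_aead(l) or common["integ"]):
                return common
    return None


def edgeos_proposal(encryption: str, hash_: str, dh_group: str) -> str:
    """Render EdgeOS 'encryption'/'hash'/'dh-group' values as a strongSwan proposal string."""
    return f"{encryption}-{hash_}-{DH_GROUPS[dh_group]}"


def negotiate(edgeos: str, swan: str) -> Optional[str]:
    """Proposal both sides agree on, or None when only 'default' could still match."""
    chosen = select([parse_proposal(edgeos)], parse_proposals(swan))
    if chosen is None:
        return None
    return "-".join(a for fam in FAMILIES for a in sorted(chosen[fam]))


# The post's settings: ike-group ESP_Phase2, and esp-group ESP_Phase1 with pfs enable (group 16)
EDGEOS_IKE = edgeos_proposal("aes256", "sha256", "16")
EDGEOS_ESP = edgeos_proposal("aes256", "sha256", "16")
SWAN_IKE = "aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default"
SWAN_ESP = "aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default"

if __name__ == "__main__":
    print("IKE without 'default':", negotiate(EDGEOS_IKE, SWAN_IKE))
    print("IKE with explicit match:", negotiate(EDGEOS_IKE, SWAN_IKE + ",aes256-sha256-modp4096"))
    print("ESP without 'default':", negotiate(EDGEOS_ESP, SWAN_ESP))
```

Run as is, the script reports no explicit match for either the IKE or the ESP proposals of this setup, and a match as soon as `aes256-sha256-modp4096` is appended to the strongSwan list.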
Testing and Debugging
With the EdgeOS and strongSwan configuration in place we can test the connection. We should be able to ping from C1 to C2, so execute the following command on C1:
ping 2001:DB8:3333:4444::456
If you get an answer everything is fine. You can continue with switching from PSK to RSA authentication (see below).
If the ping is not successful then use the following commands for debugging.
On EdgeOS:
- in configure mode:
show vpn debug peer 2001:DB8:7:7:7:7:7:7
show vpn ipsec status
show vpn ipsec sa
show vpn ike sa
- in normal mode:
ipsec statusall
tcpdump host 2001:DB8:7:7:7:7:7:7
On Ubuntu Linux (strongSwan):
journalctl -u strongswan.service -f
ipsec status
Setup 2 (with RSA keys)
When we want to use RSA keys things get more complicated in our specific case, because EdgeOS 2.x.y and strongSwan 5.8 use different key formats.
RSA key format
We have to convert between two file formats:
- EdgeOS 2.0.9 needs the public key in Base64 RFC 3110 format
- strongSwan uses PEM format
Converting can be done with the rsa-converter tool.
Generate RSA keys
EdgeOS:
- we want to have a custom key name
set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/sun.key
- generate RSA key on Edgerouter
run generate vpn rsa-key bits 4096
- manually save the displayed public key to the file sun.pub.rfc3110 for later use
- convert the public key to PEM format by using the rsa-converter tool
./rsa-converter -p < sun.pub.rfc3110 > sun.pub.pem
strongSwan:
- generate key by using OpenSSL
openssl genrsa -out moon.key 4096
openssl rsa -in moon.key -pubout > moon.pub.pem
- we also need the public key in Base64 RFC3110 format
./rsa-converter -r < moon.pub.pem > moon.pub.rfc3110
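The two encodings can be checked against each other without the rsa-converter binary. The following Python script is an added example, not part of the original post and not the rsa-converter tool's code. It implements the RFC 3110 layout (exponent length, exponent, modulus, Base64 with strongSwan's `0s` prefix) and a minimal DER/PEM reader and writer for RSA public keys, so that the `0s...` string imported into EdgeOS with `set vpn rsa-keys rsa-key-name moon rsa-key ...` can be compared with the moon.pub PEM file strongSwan loads. The modulus `TOY_N` is a constructed value used only for the self-test, not a real key; for real use, read moon.pub.pem and sun.pub.rfc3110 from disk.

```python
# Added example, not from the original post and not the rsa-converter tool:
# a pure-Python converter between the two public key encodings the post uses.
# RFC 3110 section 2 lays an RSA public key out as <exponent length><exponent><modulus>,
# where the length is one byte, or 0x00 followed by a two-byte length when the exponent
# is longer than 255 bytes. strongSwan and EdgeOS prefix the Base64 of that with "0s",
# which is why the key imported in the post starts with "0sAwEAAa" (exponent 65537).
import base64
import re

# Constructed 256-bit modulus for the self-test only; NOT a real key (real keys are 4096-bit).
TOY_N = int("a5d3c9e1f7b2a48c6e1d0f3b5a7c9e2d4f6a8b0c1d3e5f7a9b2c4d6e8f0a1b3c", 16)
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)


def rfc3110_encode(n: int, e: int) -> str:
    """Encode (n, e) as a '0s'-prefixed RFC 3110 Base64 string."""
    exp = e.to_bytes((e.bit_length() + 7) // 8, "big")
    mod = n.to_bytes((n.bit_length() + 7) // 8, "big")
    header = bytes([len(exp)]) if len(exp) < 256 else b"\x00" + len(exp).to_bytes(2, "big")
    return "0s" + base64.b64encode(header + exp + mod).decode("ascii")


def rfc3110_decode(text: str) -> tuple[int, int]:
    """Parse a '0s...' RFC 3110 string into (n, e); rejects unprefixed or truncated input."""
    text = text.strip()
    if not text.startswith("0s"):
        raise ValueError("expected strongSwan '0s' Base64 prefix")
    raw = base64.b64decode(text[2:], validate=True)
    if len(raw) >= 3 and raw[0] == 0:          # long form: 0x00 + two-byte exponent length
        exp_len, pos = int.from_bytes(raw[1:3], "big"), 3
    elif raw and raw[0] != 0:
        exp_len, pos = raw[0], 1
    else:
        raise ValueError("truncated key")
    exp, mod = raw[pos:pos + exp_len], raw[pos + exp_len:]
    if len(exp) != exp_len or not mod:
        raise ValueError("truncated key material")
    return int.from_bytes(mod, "big"), int.from_bytes(exp, "big")


# Minimal DER helpers: enough for SubjectPublicKeyInfo / PKCS#1 RSAPublicKey.
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v: int) -> bytes:
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:            # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def _der_seq(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def key_to_pem(n: int, e: int) -> str:
    """Write (n, e) as the 'BEGIN PUBLIC KEY' (SubjectPublicKeyInfo) PEM that openssl -pubout emits."""
    pkcs1 = _der_seq(_der_int(n), _der_int(e))
    bitstr = b"\x03" + _der_len(len(pkcs1) + 1) + b"\x00" + pkcs1   # leading 0x00: no unused bits
    spki = _der_seq(_der_seq(RSA_OID, b"\x05\x00"), bitstr)
    b64 = base64.b64encode(spki).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def pem_to_key(pem: str) -> tuple[int, int]:
    """Read (n, e) from a 'BEGIN PUBLIC KEY' or 'BEGIN RSA PUBLIC KEY' PEM block."""
    m = re.search(r"-----BEGIN (RSA )?PUBLIC KEY-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("no PEM public key block found")
    der = base64.b64decode("".join(m.group(2).split()))
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    if not m.group(1):          # SubjectPublicKeyInfo: skip AlgorithmIdentifier, unwrap BIT STRING
        _, _alg, pos = _tlv(body, 0)
        tag, bits, _ = _tlv(body, pos)
        if tag != 0x03 or bits[0] != 0:
            raise ValueError("expected BIT STRING without unused bits")
        tag, body, _ = _tlv(bits, 1)
    tag_n, n_bytes, pos = _tlv(body, 0)
    tag_e, e_bytes, _ = _tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def pem_to_rfc3110(pem: str) -> str:          # same direction as "rsa-converter -r" in the post
    return rfc3110_encode(*pem_to_key(pem))


def rfc3110_to_pem(text: str) -> str:         # same direction as "rsa-converter -p" in the post
    return key_to_pem(*rfc3110_decode(text))


def same_key(pem: str, rfc3110: str) -> bool:
    """True when the PEM file and the '0s...' string describe the same public key,
    e.g. moon.pub on the strongSwan host versus the rsa-key imported into EdgeOS."""
    return pem_to_key(pem) == rfc3110_decode(rfc3110)
```

The `same_key` check is the one to run after the import step: if the string pasted into EdgeOS was truncated or mistyped, it will not decode to the modulus in moon.pub and authentication fails with a signature error rather than a useful message.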
Let us summarize the files we have now:
- sun.key: private key saved in EdgeOS
- sun.pub.rfc3110: public key extracted from the EdgeOS key generation process (Base64 RFC3110 format)
- sun.pub.pem: public key of sun (PEM format)
- moon.key: private key of the strongSwan server
- moon.pub.pem: public key of moon (PEM format)
- moon.pub.rfc3110: public key of moon (Base64 RFC3110 format)
Next steps are:
- import public key (Base64 RFC3110 format) of moon into EdgeOS
set vpn rsa-keys rsa-key-name moon rsa-key 0sAwEAAaw0flNdvMgZner.......
- copy private key of moon to strongSwan directory
cp moon.key /etc/swanctl/rsa/
- copy public keys to strongSwan directory
cp sun.pub.pem /etc/swanctl/pubkey/sun.pub
cp moon.pub.pem /etc/swanctl/pubkey/moon.pub
Use RSA keys for authentication
To activate the usage of RSA keys instead of PSK, execute the following lines in EdgeOS (the peer address must be the one the peer was created with above):
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 authentication mode 'rsa'
set vpn ipsec site-to-site peer 2001:DB8:7:7:7:7:7:7 authentication rsa-key-name 'moon'
commit ; save
On strongSwan configure /etc/swanctl/swanctl.conf:
connections {
    site-2-dynamic-ip {
        remote_addrs = %any
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        keyingtries = 0
        local {
            pubkeys = moon.pub
            id = moon
        }
        remote {
            pubkeys = sun.pub
            id = sun
        }
        children {
            site-2-dynamic-ip6 {
                local_ts = 2001:DB8:3333:4444::/64
                remote_ts = 2001:DB8:1111:2222::/64
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
                dpd_action = restart
                start_action = trap
            }
        }
    }
}
secrets {
    rsa-3 {
        id-3a = moon
        id-3b = sun
        file = moon.key
    }
}
Then restart strongSwan, e.g. via systemctl restart strongswan.
If all settings are correct C1 can now again ping to C2.
Congratulations!
History: EdgeOS vs. Vyatta vs. VyOS
The commands in the configuration interface of EdgeOS, Vyatta and VyOS share many things because they have the same basis.
Vyatta was developed by Brocade. Vyatta 6.5 was released in 2012. This was the last open source release.
EdgeOS was forked from Vyatta 6.3.
VyOS was forked from Vyatta in 2013.
This is the reason for many similar configuration commands.