Setup of DMVPN on Alpine linux: Difference between revisions
Clandmeter (talk | contribs) |
(update cgit link to gitlab) |
||
(13 intermediate revisions by 3 users not shown) | |||
Line 12: | Line 12: | ||
post-down ip tunnel del $IFACE || true</nowiki> | post-down ip tunnel del $IFACE || true</nowiki> | ||
}} | }} | ||
{{TOC right}} | |||
{{note| In conjunction with IPsec VPNs this allows passing of routing information between connected networks.}} | {{note| In conjunction with IPsec VPNs this allows passing of routing information between connected networks.}} | ||
Line 21: | Line 23: | ||
To encrypt this tunnel, and the traffic in it, we will use strongswan ipsec with its vici plugin. | To encrypt this tunnel, and the traffic in it, we will use strongswan ipsec with its vici plugin. | ||
The vici plugin provides VICI, the Versatile IKE Configuration Interface. As its name indicates, it provides an interface for external applications to not only configure, but also to control and monitor the IKE daemon charon. | The vici plugin provides VICI, the Versatile IKE Configuration Interface. As its name indicates, it provides an interface for external applications to not only configure, but also to control and monitor the IKE daemon charon. | ||
for this we also need a modified version of [ | for this we also need a modified version of [https://gitlab.alpinelinux.org/alpine/aports/-/tree/master/main/strongswan Strongswan] which is the default Strongswan in Alpine Linux. | ||
{{cmd|apk add strongswan}} | {{cmd|apk add strongswan}} | ||
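Review bot: the sentence that carries the updated link still starts in lowercase ("for this we also need") and is ambiguous: "a modified version of Strongswan which is the default Strongswan in Alpine Linux" does not say what the modification is or whether apk add strongswan already provides it. Suggest capitalising the sentence and saying plainly that the packaged strongswan is the modified build, if that is what is meant.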
Line 220: | Line 222: | ||
neighbor spokes-ibgp advertisement-interval 1 | neighbor spokes-ibgp advertisement-interval 1 | ||
neighbor spokes-ibgp soft-reconfiguration inbound | neighbor spokes-ibgp soft-reconfiguration inbound | ||
exit | exit | ||
Line 241: | Line 242: | ||
write mem | write mem | ||
==== Adding spokes to hub ==== | |||
{{note|For each spoke you are adding, you need to add the gre ip address to the bgp configuration, simillar like above in the config}} | |||
{{cmd|vtysh}} | {{cmd|vtysh}} | ||
conf | conf terminal | ||
router bgp 65000 | router bgp 65000 | ||
neighbor 172.16.3.1 peer-group spokes-ibgp | |||
exit | exit | ||
write mem | write mem | ||
{{tip|Most of the commands used in the vty shell are similar like in Cisco devices. This means you can also gather information from the Cisco docs}} | |||
= See also = | |||
* [[Dynamic Multipoint VPN (DMVPN)]] | |||
* [[Dynamic Multipoint VPN (DMVPN) Phase 3 with Quagga NHRPd]] | |||
[[category: VPN]] |
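Review bot: the note added under "Adding spokes to hub" reads "simillar like above in the config", which has a spelling error and does not say which lines it refers to. Suggest "similar to the neighbor lines in the BGP config above", and mark 172.16.3.1 as an example spoke GRE address so it is not copied verbatim. The tip has the same "similar like in Cisco devices" phrasing and would read better as "similar to those on Cisco devices".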
Latest revision as of 21:05, 25 August 2023
Setting up mGRE tunnel
We start by adding mGRE tunnels to our network configuration.
Contents of /etc/networking/interfaces
Setting up IPSec VPN
To encrypt this tunnel and the traffic in it, we will use strongswan IPsec with its vici plugin. The vici plugin provides VICI, the Versatile IKE Configuration Interface. As its name indicates, it provides an interface for external applications not only to configure, but also to control and monitor the IKE daemon charon. For this we also need a modified version of Strongswan, which is the default Strongswan in Alpine Linux.
apk add strongswan
Template
Template taken from other wiki docs.
Contents of /etc/swanctl/swanctl.conf
Spoke 1
Contents of /etc/swanctl/swanctl.conf
HUB
Contents of /etc/swanctl/swanctl.conf
Generate PKI certificates
First, generate a private key. By default this generates a 2048-bit RSA key:
ipsec pki --gen > caKey.der
Now self-sign a CA certificate using the generated key:
ipsec pki --self --in caKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > caCert.der
Adjust the distinguished name (DN) to your needs; it will be included in all issued certificates.
For each peer, i.e. for all VPN clients and VPN gateways in your network, generate an individual private key and issue a matching certificate using your new CA:
ipsec pki --gen > peerKey.der
ipsec pki --pub --in peerKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --san host.vpn.example.tld --dn "C=CH, O=strongSwan, CN=peer" > peerCert.der
Certificate Revocation Lists (CRL)
In case end entity certificates have to be revoked, Certificate Revocation Lists (CRLs) may be generated with the ipsec pki --signcrl command:
ipsec pki --signcrl --cacert caCert.der --cakey caKey.der --reason superseded --cert peerCert.der > crl.der
Install certificates
On each peer store the following certificates and keys in the /etc/ipsec.d/ subdirectory tree:
/etc/swanctl/rsa/hubKey.der holds the private key of the given peer.
/etc/swanctl/x509/hubCert.der holds the end entity certificate of the given peer.
/etc/swanctl/x509ca/caCert.der holds the CA certificate which issued and signed all peer certificates.
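A check for the layout above, as an added example that is not part of the original wiki page: it audits a peer's credential tree for the three directories listed, for private keys whose mode is not exactly 600 or 400, and for any copy of the CA private key. The function name audit_swanctl and the caKey* filename pattern (taken from the caKey.der name used earlier) are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page. audit_swanctl is a hypothetical helper.
# Assumed layout (from the list above): rsa/ = private key, x509/ = peer
# certificate, x509ca/ = CA certificate.

audit_swanctl() {
    root=${1:-/etc/swanctl}
    report=$(
        # Every credential directory named on the page should exist.
        for d in rsa x509 x509ca; do
            [ -d "$root/$d" ] || echo "MISSING $root/$d"
        done
        # Private keys must be owner-only: exactly mode 600 or 400.
        if [ -d "$root/rsa" ]; then
            find "$root/rsa" -type f ! -perm 600 ! -perm 400 |
                sed 's/^/LOOSE-MODE /'
        fi
        # The CA key signs every peer certificate and is not in the list of
        # files a peer needs; flag any copy (name pattern is an assumption).
        find "$root" -type f -name 'caKey*' 2>/dev/null |
            sed 's/^/CA-KEY-ON-PEER /'
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Constructed demo tree with empty placeholder files (no real key material).
demo=$(mktemp -d)
mkdir -p "$demo/rsa" "$demo/x509" "$demo/x509ca"
: > "$demo/rsa/hubKey.der"; chmod 644 "$demo/rsa/hubKey.der"   # too permissive
: > "$demo/rsa/caKey.der";  chmod 600 "$demo/rsa/caKey.der"    # stray CA key
: > "$demo/x509/hubCert.der"
: > "$demo/x509ca/caCert.der"
audit_swanctl "$demo" || echo "audit reported findings"
rm -rf "$demo"
```

On a real peer, call audit_swanctl with no argument to check /etc/swanctl; a non-zero exit status means at least one finding was printed.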
Quagga/NHRP
Add the required packages:
apk add iptables quagga-nhrp
Sending Traffic Indication (redirect) notifications
iptables -A FORWARD -i gre1 -o gre1 \
    -m hashlimit --hashlimit-upto 4/minute --hashlimit-burst 1 \
    --hashlimit-mode srcip,dstip --hashlimit-srcmask 16 --hashlimit-dstmask 16 \
    --hashlimit-name loglimit-0 -j NFLOG --nflog-group 1 --nflog-range 128
Configuring Quagga
vtysh
General
configure terminal
log syslog
debug nhrp common
BGP config
router bgp 65000
 bgp router-id 172.16.0.1
 bgp deterministic-med
 network 172.16.0.0/16
 redistribute nhrp
 neighbor spokes-ibgp peer-group
 neighbor spokes-ibgp remote-as 65000
 neighbor spokes-ibgp ebgp-multihop 1
 neighbor spokes-ibgp disable-connected-check
 neighbor spokes-ibgp route-reflector-client
 neighbor spokes-ibgp next-hop-self all
 neighbor spokes-ibgp advertisement-interval 1
 neighbor spokes-ibgp soft-reconfiguration inbound
exit
NHRP config
interface gre1
 tunnel protection vici profile dmvpn
 tunnel source br0
 ip nhrp network-id 1
 ip nhrp shortcut
 ip nhrp registration no-unique
 ip nhrp nhs dynamic nbma hub1.vpn.domain.tld
 ipv6 nd suppress-ra
 no link-detect
exit
Save config
exit
write mem
Adding spokes to hub
vtysh
conf terminal
router bgp 65000
 neighbor 172.16.3.1 peer-group spokes-ibgp
exit
write mem