Setup of DMVPN on Alpine linux: Difference between revisions
Clandmeter (talk | contribs) |
Clandmeter (talk | contribs) |
||
Line 13: | Line 13: | ||
}} | }} | ||
{{note| In conjunction with IPsec VPNs this allows passing of routing information between connected networks.}} | {{note| In conjunction with IPsec VPNs this allows passing of routing information between connected networks.}} | ||
{{note| A standard GRE tunnel will specify its start and endpoint. In case of the mGRE tunnel we do not assign an endpoint, and we provide it an ip address.}} | {{note| A standard GRE tunnel will specify its start and endpoint. In case of the mGRE tunnel we do not assign an endpoint, and we provide it an ip address.}} | ||
{{note|A tunnel key is a 32-bit number is assigned to both ends of the tunnel. A key is added with the add gre tunnel command, and can be modified or deleted with the set gre tunnel command. The tunnel key provides a weak form of security because packets injected into the tunnel by an external party are rejected unless they contain the correct tunnel key value. The key also allows packets to travel through specific tunnels in multi-point networks because the key identifies each end of one tunnel.}} | |||
== Setting up IPSec VPN == | == Setting up IPSec VPN == |
Revision as of 14:13, 30 October 2015
Setting up mGRE tunnel
We start by adding mGRE tunnels to our network configuration.
Contents of /etc/networking/interfaces
Setting up IPSec VPN
To encrypt the traffic going over this tunnel, we will use ipsec. for ipsec we will use strongswan which has the vici plugin, see: The vici plugin provides VICI, the Versatile IKE Configuration Interface. As its name indicates, it provides an interface for external applications to not only configure, but also to control and monitor the IKE daemon charon. for this we also need a modified version of strongswan, provided by fabled.
apk add strongswan
Contents of /etc/swanctl/swanctl.conf
Generate PKI certificates
First, generate a private key, the default generates a 2048 bit RSA key
ipsec pki --gen > caKey.der
Now self-sign a CA certificate using the generated key:
ipsec pki --self --in caKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > caCert.der
Adjust the distinguished name (DN) to your needs, it will be included in all issued certificates.
For each peer, i.e. for all VPN clients and VPN gateways in your network, generate an individual private key and issue a matching certificate using your new CA:
ipsec pki --gen > peerKey.der ipsec pki --pub --in peerKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der \ --dn "C=CH, O=strongSwan, CN=peer" > peerCert.der
The second command extracts the public key and issues a certificate using your CA.
In case end entity certificates have to be revoked, Certificate Revocation Lists (CRLs) may be generated with the ipsec pki --signcrl command:
ipsec pki --signcrl --cacert caCert.der --cakey caKey.der --reason superseded --cert peerCert.der > crl.der
The certificate given with --cacert must be either a CA certificate or a certificate with the crlSign extended key usage (--flag crlSign).
To talk to the vici interface we use Quagga's new NHRP plugin developed by Timo Teras (fabled). We have to use his modified version, as these changes have not yet been upstreamed.
NHRP will automatically create GRE tunnels over IPsec, and we will use BGP to router the traffic over it.