Setup of DMVPN on Alpine linux: Difference between revisions

From Alpine Linux
No edit summary
No edit summary
Line 9: Line 9:
         netmask 255.255.255.255
         netmask 255.255.255.255
         post-down ip tunnel del $IFACE || true
         post-down ip tunnel del $IFACE || true
== Setting up IPSec VPN ==


To encrypt the traffic going over this tunnel, we will use ipsec. for ipsec we will use strongswan which has the vici plugin, see:
To encrypt the traffic going over this tunnel, we will use ipsec. for ipsec we will use strongswan which has the vici plugin, see:
Line 14: Line 16:
for this we also need a modified version of strongswan, provided by fabled.
for this we also need a modified version of strongswan, provided by fabled.


  thisshouldbetheipsecconfig
  connections {
        dmvpn {
                version = 2
                pull = no
                mobike = no
                dpd_delay = 15
                dpd_timeout = 30
                fragmentation = yes
                unique = replace
                rekey_time = 4h
                reauth_time = 13h
                proposals = aes256-sha512-ecp384
                local {
                        auth = psk
                        id = spoke1
                }
                remote {
                        auth = psk
                }
                children {
                        dmvpn {
                                esp_proposals = aes256-sha512-ecp384
                                local_ts = dynamic[gre]
                                remote_ts = dynamic[gre]
                                inactivity = 90m
                                rekey_time = 100m
                                mode = transport
                                dpd_action = clear
                                reqid = 1
                        }
                }
        }
}





Revision as of 13:39, 30 October 2015

Setting up mGRE tunnel

We start by adding mGRE tunnels to our network configuration. In conjunction with IPsec VPNs this allows passing of routing information between connected networks.

auto gre1
iface gre1 inet static
       pre-up ip tunnel add $IFACE mode gre key 42 ttl 64 dev br0 || true
       address 192.168.148.2
       netmask 255.255.255.255
       post-down ip tunnel del $IFACE || true

Setting up IPSec VPN

To encrypt the traffic going over this tunnel, we will use ipsec. for ipsec we will use strongswan which has the vici plugin, see: The vici plugin provides VICI, the Versatile IKE Configuration Interface. As its name indicates, it provides an interface for external applications to not only configure, but also to control and monitor the IKE daemon charon. for this we also need a modified version of strongswan, provided by fabled.

connections {
        dmvpn {
                version = 2
                pull = no
                mobike = no
                dpd_delay = 15
                dpd_timeout = 30
                fragmentation = yes
                unique = replace
                rekey_time = 4h
                reauth_time = 13h
                proposals = aes256-sha512-ecp384
                local {
                        auth = psk
                        id = spoke1
                }
                remote {
                        auth = psk
                }
                children {
                        dmvpn {
                                esp_proposals = aes256-sha512-ecp384
                                local_ts = dynamic[gre]
                                remote_ts = dynamic[gre]
                                inactivity = 90m
                                rekey_time = 100m
                                mode = transport
                                dpd_action = clear
                                reqid = 1
                        }
                }
        }
}


Generate PKI certificates

First, generate a private key, the default generates a 2048 bit RSA key

ipsec pki --gen > caKey.der

Now self-sign a CA certificate using the generated key:

ipsec pki --self --in caKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > caCert.der

Adjust the distinguished name (DN) to your needs, it will be included in all issued certificates.

For each peer, i.e. for all VPN clients and VPN gateways in your network, generate an individual private key and issue a matching certificate using your new CA:

ipsec pki --gen > peerKey.der
ipsec pki --pub --in peerKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der \
                                            --dn "C=CH, O=strongSwan, CN=peer" > peerCert.der

The second command extracts the public key and issues a certificate using your CA.

In case end entity certificates have to be revoked, Certificate Revocation Lists (CRLs) may be generated with the ipsec pki --signcrl command:

ipsec pki --signcrl --cacert caCert.der --cakey caKey.der --reason superseded --cert peerCert.der > crl.der

The certificate given with --cacert must be either a CA certificate or a certificate with the crlSign extended key usage (--flag crlSign).


To talk to the vici interface we use Quagga's new NHRP plugin developed by Timo Teras (fabled). We have to use his modified version, as these changes have not yet been upstreamed.

NHRP will automatically create GRE tunnels over IPsec, and we will use BGP to router the traffic over it.