Setting up mGRE tunnel
We start by adding mGRE tunnels to our network configuration.
Contents of /etc/networking/interfaces
...
auto gre1
iface gre1 inet static
pre-up ip tunnel add $IFACE mode gre key 42 ttl 64 dev br0 || true
address 192.168.148.2
netmask 255.255.255.255
post-down ip tunnel del $IFACE || true
Note: In conjunction with IPsec VPNs this allows passing of routing information between connected networks.
Note: A standard GRE tunnel will specify its start and endpoint. In case of the mGRE tunnel we do not assign an start/endpoint, it will dynamically be manage by NHRP
Note: A tunnel key is a 32-bit number is assigned to both ends of the tunnel. A key is added with the add gre tunnel command, and can be modified or deleted with the set gre tunnel command. The tunnel key provides a weak form of security because packets injected into the tunnel by an external party are rejected unless they contain the correct tunnel key value. The key also allows packets to travel through specific tunnels in multi-point networks because the key identifies each end of one tunnel.
Setting up IPSec VPN
To encrypt this tunnel, and the traffic in it, we will use strongswan ipsec with its vici plugin.
The vici plugin provides VICI, the Versatile IKE Configuration Interface. As its name indicates, it provides an interface for external applications to not only configure, but also to control and monitor the IKE daemon charon.
for this we also need a modified version of Strongswan which is the default Strongswan in Alpine Linux.
apk add strongswan
Template
Template taken from other wiki docs.
Contents of /etc/swanctl/swanctl.conf
connections {
dmvpn {
version = 2 # enable IKEv2
pull = no # IKEv1 only. Push enabled. IKEv2 does not support pull.
mobike = no # disable support for mobile clients tunnel migration
dpd_delay = 15 # Interval to check the liveness of a peer if not traffic has passed
dpd_timeout = 30 # IKEv1 only
fragmentation = yes # NOTE: has recently been added. docs are outdated.
unique = replace # replace connection if it already exists
rekey_time = 4h # rekey is by default already 4h
reauth_time = 13h # re authenticate ipsec tunnel
proposals = aes256-sha512-ecp384 # docs say default is considered safe and has good interoperability
local {
certs = cert # certificates used for authentication
auth = pubkey # a private key associated to a usable certificate
id = spoke1 # IKE identity which should be included in the certificate. ie fqdn
}
remote {
auth = pubkey # Authentication to expect from remote
}
children { # what is the difference between remote and children? local and remote is only to specify authentication?
dmvpn {
esp_proposals = aes256-sha512-ecp384 # docs say default is considered safe and has good interoperability
local_ts = dynamic[gre] # traffic selectors, dynamic to use outer address of virtual ip. restrict to GRE protocol
remote_ts = dynamic[gre] # traffic selectors, dynamic to use outer address of virtual ip. restrict to GRE protocol
inactivity = 90m # close CHILD_SA after inactivity
rekey_time = 100m # Time to schedule CHILD_SA rekeying
mode = transport # IPsec Mode to establish CHILD_SA with
dpd_action = clear # default is clear
reqid = 1 # why not use dynamic reqids, allocated incrementally?
}
}
}
}
Note: To control the IPSec VPN, NHRP will talk to Strongswan via its vici plugin (Versatile IKE Configuration Interface).
Note: You will need a modified version of Strongswan by fabled which you can find in Alpine Linux Git repository
Spoke 1
Contents of /etc/swanctl/swanctl.conf
connections {
dmvpn {
version = 2
mobike = no
dpd_delay = 15
fragmentation = yes
unique = replace
reauth_time = 13h
proposals = aes256-sha512-ecp384
local {
certs = spoke1.pem
auth = pub.key
id = spoke1.vpn.domain.tld
}
remote {
auth = pub.key
id = hub.vpn.domain.tld
}
children {
dmvpn {
esp_proposals = aes256-sha512-ecp384
local_ts = dynamic[gre]
remote_ts = dynamic[gre]
inactivity = 90m
rekey_time = 100m
mode = transport
}
}
}
}
HUB
Contents of /etc/swanctl/swanctl.conf
connections {
dmvpn {
version = 2
mobike = no
dpd_delay = 15
fragmentation = yes
unique = replace
reauth_time = 13h
proposals = aes256-sha512-ecp384
local {
certs = spoke1.pem
auth = pub.key
id = hub.vpn.domain.tld
}
remote {
auth = pub.key
}
children {
dmvpn {
esp_proposals = aes256-sha512-ecp384
local_ts = dynamic[gre]
remote_ts = dynamic[gre]
inactivity = 90m
rekey_time = 100m
mode = transport
}
}
}
}
Generate PKI certificates
Tip: The ipsec pki command suite allows you to run a simple public key infrastructure. Generate RSA and ECDSA public key pairs, create PKCS#10 certificate requests containing subjectAltNames, create X.509 self-signed end entity and root CA certificates, issue end entity and intermediate CA certificates signed by the private key of a CA and containing subjectAltNames, CRL distribution points and URIs of OCSP servers. You can also extract raw public keys from private keys, certificate requests and certificates and compute two kinds of SHA1-based key IDs.
First, generate a private key, the default generates a 2048 bit RSA key
ipsec pki --gen > caKey.der
Now self-sign a CA certificate using the generated key:
ipsec pki --self --in caKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > caCert.der
Adjust the distinguished name (DN) to your needs, it will be included in all issued certificates.
For each peer, i.e. for all VPN clients and VPN gateways in your network, generate an individual private key and issue a matching certificate using your new CA:
ipsec pki --gen > peerKey.der
ipsec pki --pub --in peerKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --san host.vpn.example.tld --dn "C=CH, O=strongSwan, CN=peer" > peerCert.der
Note: The second command extracts the public key and issues a certificate using your CA.
Note: When using id in local/remote config, you will need to add this id to the certificate with --san host.vpn.example.tld
Certificate Revocation Lists (CRL)
In case end entity certificates have to be revoked, Certificate Revocation Lists (CRLs) may be generated with the ipsec pki --signcrl command:
ipsec pki --signcrl --cacert caCert.der --cakey caKey.der --reason superseded --cert peerCert.der > crl.der
Note: The certificate given with --cacert must be either a CA certificate or a certificate with the crlSign extended key usage (--flag crlSign).
Install certificates
On each peer store the following certificates and keys in the /etc/ipsec.d/ subdirectory tree:
/etc/swanctl/rsa/hubKey.der holds the private key of the given peer.
/etc/swanctl/x509/hubCert.der holds the end entity certificate of the given peer.
/etc/swanctl/x509ca/caCert.der holds the CA certificate which issued and signed all peer certificates.
Tip: Never store the private key caKey.der of the Certification Authority (CA) on a host with constant direct access to the Internet (e.g. a VPN gateway), since a theft of this master signing key will completely compromise your PKI.
Note: Optionally, the CRL may be stored in the following directory (if the certificate contains an URL to a CRL, it will be fetched on demand:
/etc/ipsec.d/crls/crl.der holds the CRL signed by the CA (or a certificate containing the crlSign EKU).
Quagga/NHRP
apk add quagga
Sending Traffic Indication (redirect) notifications
apk add iptables
iptables -A FORWARD -i gre1 -o gre1 \
-m hashlimit --hashlimit-upto 4/minute --hashlimit-burst 1 \
--hashlimit-mode srcip,dstip --hashlimit-srcmask 16 --hashlimit-dstmask 16 \
--hashlimit-name loglimit-0 -j NFLOG --nflog-group 1 --nflog-range 128
Configuring nhrpd