EdgeRouter 4: IPSec, S2S vpn
-
@gtech I'm on a call, but I will have a config for oyu in a bit.
-
@JaredBusch Any good news?
-
@FATeknollogee said in EdgeRouter 4: IPSec, S2S vpn:
@JaredBusch Any good news?
These are the same on all routers.
# Set up the firewall to allow the traffic needed for IPSEC. set firewall name WAN_LOCAL rule 50 action accept set firewall name WAN_LOCAL rule 50 description 'Allow IKE' set firewall name WAN_LOCAL rule 50 destination port 500 set firewall name WAN_LOCAL rule 50 log disable set firewall name WAN_LOCAL rule 50 protocol udp set firewall name WAN_LOCAL rule 60 action accept set firewall name WAN_LOCAL rule 60 description 'Allow ESP' set firewall name WAN_LOCAL rule 60 log disable set firewall name WAN_LOCAL rule 60 protocol esp set firewall name WAN_LOCAL rule 70 action accept set firewall name WAN_LOCAL rule 70 description 'Allow NAT-T' set firewall name WAN_LOCAL rule 70 destination port 4500 set firewall name WAN_LOCAL rule 70 log disable set firewall name WAN_LOCAL rule 70 protocol udp set firewall name WAN_LOCAL rule 80 action accept set firewall name WAN_LOCAL rule 80 description 'Allow new IPSEC connections' set firewall name WAN_LOCAL rule 80 ipsec match-ipsec set firewall name WAN_LOCAL rule 80 log disable set firewall name WAN_LOCAL rule 80 protocol all set firewall name WAN_LOCAL rule 80 state established disable set firewall name WAN_LOCAL rule 80 state invalid disable set firewall name WAN_LOCAL rule 80 state new enable set firewall name WAN_LOCAL rule 80 state related disable
# Don't NAT IPSEC traffic. set service nat rule 5000 description 'Exclude IPSEC from NAT' set service nat rule 5000 destination group network-group IPSEC_Remote_Subnets set service nat rule 5000 exclude set service nat rule 5000 log disable set service nat rule 5000 outbound-interface eth0 set service nat rule 5000 protocol all set service nat rule 5000 type masquerade # Don't let the router make magic firewall exceptions set vpn ipsec auto-firewall-nat-exclude disable # Setup the ESP and IKE rules you need.These have to match on all devices. # So you will likely need to make something that matches the Meraki. set vpn ipsec esp-group myesp compression disable set vpn ipsec esp-group myesp lifetime 3600 set vpn ipsec esp-group myesp mode tunnel set vpn ipsec esp-group myesp pfs enable set vpn ipsec esp-group myesp proposal 1 encryption aes256 set vpn ipsec esp-group myesp proposal 1 hash sha1 set vpn ipsec ike-group myike ikev2-reauth no set vpn ipsec ike-group myike key-exchange ikev1 set vpn ipsec ike-group myike lifetime 28800 set vpn ipsec ike-group myike proposal 1 dh-group 19 set vpn ipsec ike-group myike proposal 1 encryption aes256 set vpn ipsec ike-group myike proposal 1 hash sha1 # Add the RSA keys set vpn rsa-keys rsa-key-name brancha rsa-key >>>>>>snip big long keytext<<<<<<< set vpn rsa-keys rsa-key-name hqoffice rsa-key >>>>>>snip big long keytext<<<<<<< set vpn rsa-keys rsa-key-name branchb rsa-key >>>>>>snip big long keytext<<<<<<<
This is only on the HQ side.
# Using RSA keys and not pre-shared key. If the remote end needs a PSK, the config is different. # Firewall group for reomte subnets, used by NAT rule set firewall group network-group IPSEC_Remote_Subnets description 'Remote IPSEC Networks' set firewall group network-group IPSEC_Remote_Subnets network 10.202.30.0/24 set firewall group network-group IPSEC_Remote_Subnets network 10.202.32.0/24 set firewall group network-group IPSEC_Remote_Subnets network 10.254.103.0/24
# Branch A has a static IP set to a FQDN. # Initiate connection to Branch A if the tunnel is not up and traffic needs to move. set vpn ipsec site-to-site peer brancha.domain.com authentication id @hqoffice set vpn ipsec site-to-site peer brancha.domain.com authentication mode rsa set vpn ipsec site-to-site peer brancha.domain.com authentication remote-id @brancha set vpn ipsec site-to-site peer brancha.domain.com authentication rsa-key-name brancha set vpn ipsec site-to-site peer brancha.domain.com connection-type initiate set vpn ipsec site-to-site peer brancha.domain.com description 'HQ to Branch A' set vpn ipsec site-to-site peer brancha.domain.com ike-group myike set vpn ipsec site-to-site peer brancha.domain.com ikev2-reauth inherit set vpn ipsec site-to-site peer brancha.domain.com local-address 123.123.123.123 # Branch A has two subnets that you want routed each is its own tunnel set vpn ipsec site-to-site peer brancha.domain.com tunnel 1 allow-nat-networks disable set vpn ipsec site-to-site peer brancha.domain.com tunnel 1 allow-public-networks disable set vpn ipsec site-to-site peer brancha.domain.com tunnel 1 esp-group myesp set vpn ipsec site-to-site peer brancha.domain.com tunnel 1 local prefix 10.202.0.0/21 set vpn ipsec site-to-site peer brancha.domain.com tunnel 1 remote prefix 10.202.30.0/24 set vpn ipsec site-to-site peer brancha.domain.com tunnel 2 allow-nat-networks disable set vpn ipsec site-to-site peer brancha.domain.com tunnel 2 allow-public-networks disable set vpn ipsec site-to-site peer brancha.domain.com tunnel 2 esp-group myesp set vpn ipsec site-to-site peer brancha.domain.com tunnel 2 local prefix 10.202.0.0/21 set vpn ipsec site-to-site peer brancha.domain.com tunnel 2 remote prefix 10.202.32.0/24
# Branch B has a constantly changing IP, so only respond. Don't initiate. # Also match the peer on the RSA key instead of an IP. set vpn ipsec site-to-site peer @branchb authentication id @hqoffice set vpn ipsec site-to-site peer @branchb authentication mode rsa set vpn ipsec site-to-site peer @branchb authentication remote-id @branchb set vpn ipsec site-to-site peer @branchb authentication rsa-key-name branchb set vpn ipsec site-to-site peer @branchb connection-type respond set vpn ipsec site-to-site peer @branchb description 'Branch B to HQ' set vpn ipsec site-to-site peer @branchb ike-group myike set vpn ipsec site-to-site peer @branchb ikev2-reauth inherit set vpn ipsec site-to-site peer @branchb local-address 123.123.123.123 set vpn ipsec site-to-site peer @branchb tunnel 1 allow-nat-networks disable set vpn ipsec site-to-site peer @branchb tunnel 1 allow-public-networks disable set vpn ipsec site-to-site peer @branchb tunnel 1 esp-group myesp set vpn ipsec site-to-site peer @branchb tunnel 1 local prefix 10.202.0.0/21 set vpn ipsec site-to-site peer @branchb tunnel 1 remote prefix 10.254.103.0/24
This is only on the Branch A side.
# Firewall group for reomte subnets, used by NAT rule set firewall group network-group IPSEC_Remote_Subnets description 'Remote IPSEC Networks' set firewall group network-group IPSEC_Remote_Subnets network 10.202.0.0/21 # Initiate connection to HQ if the tunnel is not up and traffic needs to move. set vpn ipsec site-to-site peer vpn.domain.com authentication id @brancha set vpn ipsec site-to-site peer vpn.domain.com authentication mode rsa set vpn ipsec site-to-site peer vpn.domain.com authentication remote-id @hqoffice set vpn ipsec site-to-site peer vpn.domain.com authentication rsa-key-name hqoffice set vpn ipsec site-to-site peer vpn.domain.com connection-type initiate set vpn ipsec site-to-site peer vpn.domain.com description 'Branch A to HQ' set vpn ipsec site-to-site peer vpn.domain.com ike-group myike set vpn ipsec site-to-site peer vpn.domain.com ikev2-reauth inherit set vpn ipsec site-to-site peer vpn.domain.com local-address 124.124.124.124 set vpn ipsec site-to-site peer vpn.domain.com tunnel 1 allow-nat-networks disable set vpn ipsec site-to-site peer vpn.domain.com tunnel 1 allow-public-networks disable set vpn ipsec site-to-site peer vpn.domain.com tunnel 1 esp-group myesp set vpn ipsec site-to-site peer vpn.domain.com tunnel 1 local prefix 10.202.30.0/24 set vpn ipsec site-to-site peer vpn.domain.com tunnel 1 remote prefix 10.202.0.0/21 set vpn ipsec site-to-site peer vpn.domain.com tunnel 2 allow-nat-networks disable set vpn ipsec site-to-site peer vpn.domain.com tunnel 2 allow-public-networks disable set vpn ipsec site-to-site peer vpn.domain.com tunnel 2 esp-group myesp set vpn ipsec site-to-site peer vpn.domain.com tunnel 2 local prefix 10.202.32.0/24 set vpn ipsec site-to-site peer vpn.domain.com tunnel 2 remote prefix 10.202.0.0/21
This is only on the Branch B side.
# Firewall group for reomte subnets, used by NAT rule set firewall group network-group IPSEC_Remote_Subnets description 'Remote IPSEC Networks' set firewall group network-group IPSEC_Remote_Subnets network 10.202.0.0/21 # Initiate connection to HQ if the tunnel is not up and traffic needs to move. set vpn ipsec site-to-site peer vpn.domain.com authentication id @branchb set vpn ipsec site-to-site peer vpn.domain.com authentication mode rsa set vpn ipsec site-to-site peer vpn.domain.com authentication remote-id @hqoffice set vpn ipsec site-to-site peer vpn.domain.com authentication rsa-key-name hqoffice set vpn ipsec site-to-site peer vpn.domain.com connection-type initiate set vpn ipsec site-to-site peer vpn.domain.com description 'Branch B to HQ' set vpn ipsec site-to-site peer vpn.domain.com ike-group myike set vpn ipsec site-to-site peer vpn.domain.com ikev2-reauth inherit set vpn ipsec site-to-site peer vpn.domain.com local-address any set vpn ipsec site-to-site peer vpn.domain.com tunnel 1 allow-nat-networks disable set vpn ipsec site-to-site peer vpn.domain.com tunnel 1 allow-public-networks disable set vpn ipsec site-to-site peer vpn.domain.com tunnel 1 esp-group myesp set vpn ipsec site-to-site peer vpn.domain.com tunnel 1 local prefix 10.254.103.0/24 set vpn ipsec site-to-site peer vpn.domain.com tunnel 1 remote prefix 10.202.0.0/21
-
You generate the RSA key on each unit with this command.
generate vpn rsa-key bits 4096
It will output the
>>>>>>snip big long keytext<<<<<<<
that you need for each location. -
@JaredBusch This is very detailed. I am going through it, thanks. Should have mentioned my needs, VPN for a few stuff as needed. I will be setting up few vlans namely default, phones, camera, guest, staff(internet only), IT etc. I know the meraki has a VLAN for VPN clients so wondering if I should have the same on the ER4?
-
@gtech said in EdgeRouter 4: IPSec, S2S vpn:
I know the meraki has a VLAN for VPN clients so wondering if I should have the same on the ER4?
So the question is... is the VLAN useful to you? Having a VLAN for VPN clients is perfectly fine, it gives you a chance to limit access to the entire VPN connected group of machines no a network level (basically makes three tiers... internet, VPN, and LAN.) Do you have limits that you will set, or will you simple route the VLAN to the LAN defeating its purpose?
If you are just going to route, then the VLAN serves no purpose. If you are going to treat it like a DMZ and limit the access to only a few services on the LAN, then it can be very useful.
-
@gtech said in EdgeRouter 4: IPSec, S2S vpn:
@JaredBusch This is very detailed. I am going through it, thanks. Should have mentioned my needs, VPN for a few stuff as needed. I will be setting up few vlans namely default, phones, camera, guest, staff(internet only), IT etc. I know the meraki has a VLAN for VPN clients so wondering if I should have the same on the ER4?
That was for site to site connections.
If you need roaming staff, then you want L2TP.
set vpn l2tp remote-access authentication local-users username usera password PasswordUserA set vpn l2tp remote-access authentication local-users username userb password PasswordUserB set vpn l2tp remote-access authentication local-users username userc password 'PasswordU$erC' set vpn l2tp remote-access authentication mode local set vpn l2tp remote-access authentication require mschap-v2 set vpn l2tp remote-access client-ip-pool start 10.254.203.2 set vpn l2tp remote-access client-ip-pool stop 10.254.203.10 set vpn l2tp remote-access dhcp-interface eth0 set vpn l2tp remote-access dns-servers server-1 8.8.8.8 set vpn l2tp remote-access dns-servers server-2 8.8.4.4 set vpn l2tp remote-access idle 1800 set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret SomeLongPSKGoesHere set vpn l2tp remote-access ipsec-settings ike-lifetime 3600 set vpn l2tp remote-access ipsec-settings lifetime 3600 set vpn l2tp remote-access mtu 1492
-
This post is deleted! -
@scottalanmiller good point
-
@JaredBusch I saw that, sure the info will come in useful for future projects . This weekend hopefully I can move to the ER4 with no major issues. All I am left to do is move firewall rules across/ port forwards to the ER4 and setup VPN.
-
I appreciate the config @JaredBusch this'll come in handy when I deploy ER's on both sides.
For now I'm still searching for a solution: ER (on one side) <--> Meraki MX (on the other side).
-
@FATeknollogee said in EdgeRouter 4: IPSec, S2S vpn:
For now I'm still searching for a solution: ER (on one side) <--> Meraki MX (on the other side).
Ugh, that won't be any fun.
-
@FATeknollogee said in EdgeRouter 4: IPSec, S2S vpn:
I appreciate the config @JaredBusch this'll come in handy when I deploy ER's on both sides.
For now I'm still searching for a solution: ER (on one side) <--> Meraki MX (on the other side).
Change the authentication in ER to PSK.
set vpn ipsec site-to-site peer site.domain.com authentication mode pre-shared-secret set vpn ipsec site-to-site peer site.domain.com authentication pre-shared-secret ex3VRe3FAGv769sGwrpLPhqQ set vpn ipsec site-to-site peer site.domain.com connection-type initiate set vpn ipsec site-to-site peer site.domain.com description 'HQ to PSK Site A' set vpn ipsec site-to-site peer site.domain.com ike-group myike set vpn ipsec site-to-site peer site.domain.com ikev2-reauth inherit set vpn ipsec site-to-site peer site.domain.com local-address 123.123.123.123 set vpn ipsec site-to-site peer site.domain.com tunnel 1 allow-nat-networks disable set vpn ipsec site-to-site peer site.domain.com tunnel 1 allow-public-networks disable set vpn ipsec site-to-site peer site.domain.com tunnel 1 esp-group myesp set vpn ipsec site-to-site peer site.domain.com tunnel 1 local prefix 10.254.103.0/24 set vpn ipsec site-to-site peer site.domain.com tunnel 1 remote prefix 10.254.0.0/24
And then change the IKE and ESP sections from the last post to match WTF ever the Meraki uses.
-
@JaredBusch :thumbs_up: :thumbs_up_medium_skin_tone: :thumbs_up_medium-dark_skin_tone:
I'll give that a try. -
This post is deleted! -
That previous error was due to copy/paste issues.
Here is the error I'm getting:
[ service nat ] NAT configuration error: rule type not specified/valid
-
@FATeknollogee said in EdgeRouter 4: IPSec, S2S vpn:
That previous error was due to copy/paste issues.
Here is the error I'm getting:
[ service nat ] NAT configuration error: rule type not specified/valid
The NAT above was exported from a live router using
show configuration command service | grep nat
Are you running 2.0? maybe something changed?
Edit: Nope
-
Never mind. I read the error closer.. I missed a line when I copy/pasted
fixed above also.set service nat rule 5000 type masquerade
-
@JaredBusch said in EdgeRouter 4: IPSec, S2S vpn:
Never mind. I read the error closer.. I missed a line when I copy/pasted
fixed above also.set service nat rule 5000 type masquerade
Haha, just added that line like 2 mins ago!!
Thanks for fixing!! -
ER4 <--> Meraki MX S2S is "up"
Many thanks to @JaredBusch for all the help.