IPSEC (with ISAKMP), Firewall and dialup VPN client

This config is for linking two sites with a pair of AR320S routers running in NAT firewall mode, each site having a permanent Internet connection.

A dialup client may have a dynamic IP address, but there are restrictions.

This example is derived from Allied's helpful scripts, section 6, example 3.

Each site has a private network; there are no IP address clashes between the sites. Each firewall has a valid public IP address for access to the Internet.

Roaming users have a laptop with a dialup connection.

There are no restrictions placed on access from the private network to the Internet.

There is no access from the Internet to the private network except for traffic that has been tunneled from the other site.

Config used for Eval and notes

The setup is a private network -> Firewall -> DMZ -> ISP router type of config.

In both cases eth0 is the private network, and eth1 the public network.

Site specific info for first site {Roadtech}

  • Private network :- 192.168.124.0/24
  • Private Firewall IP :- 192.168.124.202
  • Private Host for testing :- 192.168.124.122
  • Public Network :- 193.133.123.128/26
  • Public Firewall IP :- 193.133.123.140
  • Public Gateway for default route :- 193.133.123.129
  • Public Host for testing :- 193.133.123.131

Site specific info for second site {hitech-logistics}

  • Private network :- 172.28.3.16/28
  • Private Firewall IP :- 172.28.3.22
  • Public Network :- 193.133.123.192/27
  • Public Firewall IP :- 193.133.123.213
  • Public Gateway for default route :- 193.133.123.195

The base configuration should already have been set and saved. eth0 is the private interface, and eth1 the public interface. Both have been configured as per the notes.

It is worth checking the free space in the Flash memory and compacting if necessary.

Show Flash

Activate Flash compaction

Private Network interface

If you have not already done so, configure the IP address and settings for the private interface eth0.

Public Network interface

If you have not already done so, configure the IP address and settings for the public interface eth1.

Create Security officer

If you have not already created a Security Officer login you need to do so now. Please remember to keep a note of the name and password.

While logged in as manager:

add user=Arther password=qlbp priv=securityofficer

Create IPsec Keys

We are going to use preshared keys for authentication. The key will be created on the first firewall and then installed on the second. Each firewall can store a list of 65,535 keys.

show enco key
will show the keys currently in use.

Create keys on both firewalls.

Create tunnel conditions and rules

Basically, what we set up here tells the router that packets from our private network {identified as an address and network mask} to a remote network {identified as an address and network mask} are to be encrypted and tunneled to the public address of the remote firewall.

First Firewall

Before continuing any further it is worth checking that your routing table looks sensible and that you can at least ping something on both your private network and the Internet while logged on as manager to the firewall.

show ip route
ping 193.133.123.131
ping 192.168.124.122

If the above shows any problem fix before proceeding further.

Nemiss Firewall Module Config

We need to designate a minimum of one policy, with both a public and a private network.

An interface may only be defined as private in one policy; an interface may be defined as public in two policies. A policy may have multiple private and public interfaces.

Default rules are :-

  • All flows originating from inside (i.e., private interfaces) are allowed. When a session is initiated from a private interface to an outside IP host and has been allowed by the firewall, traffic for that session can flow in both directions. When the session completes, no further traffic is accepted to that private IP host on that port.
  • All flows originating from the outside (i.e., public interfaces) are blocked.
  • All traffic from an interface not specifically covered by policy to an interface specified in a policy as private will be dropped.
  • All traffic between interfaces not specifically covered by a policy will be passed as normal.

Note the default rules block ICMP traffic such as pings. This stops certain abuses, but makes diagnosing and testing VPN tunnels a pain, so the rules here re-enable them.

enable fire
create fire poli=main
#
# Assign public and private interfaces
add fire poli=main int=eth0 type=private
add fire poli=main int=eth1 type=public
#
# Enable ICMP pings.....
enable firewall policy=main icmp_forwarding=all
#
# Enable the firewall modules NAT functions
add fire poli=main nat=enhanced int=eth0 gblint=eth1
#
# Permit ISAKMP traffic originating at the firewall
add fire poli=main rule=1 int=eth1 action=allow ip=193.133.123.140 prot=udp port=500 gblip=193.133.123.140 gblpo=500
#
# Disable NAT for intersite traffic that is encapsulated in IPsec
add fire poli=main rule=2 int=eth1 action=nonat prot=all ip=192.168.124.1-192.168.124.254 encap=ipsec
#
# Rule 3 for internally initiated VPN traffic to the remote office.
add fire poli=main ru=3 ac=nonat int=eth0 prot=all ip=192.168.124.1-192.168.124.254
set fire poli=main ru=3 remoteip=172.28.3.17-172.28.3.30
#

Note this command is pushing the maximum line length of a command; you will probably have to either abbreviate the options to their minimum length, or leave the target out, do a show gre, note the entry number, and then use the set gre=1 entry=n ..... form to finish configuring the entry.

IPsec Module Config

We now need to create the specifications for the Security Associations to be negotiated on the VPN to connect this LAN to the remote LAN, so that traffic between the LANs is encrypted.

This example will specify AH using SHA, and ESP using DES+MD5, and key management via ISAKMP.

The firewall supports 256 Security Association specifications. The defined SA specifications are combined into up to 256 bundles; when negotiating with a potential peer, it is the SA specs within the bundle selected for use with that peer that are checked.

Start by defining Security Association Specifications and Bundles. See IPsec

For our current purposes we want traffic between our firewalls over the public interfaces encrypted, but traffic out to the web in general passed as is.

Note this command is pushing the maximum line length of a command; you will probably have to either abbreviate the options to their minimum length, or leave the target out, do a show IPSec, note the entry number, and then use multiple set IPSec policy=Fire2Fire ..... commands to finish configuring the entry.

# ISAKMP traffic permitted, port 500-500, anywhere.
create IPSec policy=isakmp int=eth1 action=permit
set IPsec policy=isakmp lad=193.133.123.140 RPOrt=500 LPOrt=500 TRANsportprotocol=UDP

# IPsec to remote site, from our private network {LADD,LMASk} to their network {RADD,RMASK}
create IPSec policy=Fire2Fire int=eth1 action=IPSec KEYManagement=isakmp BUNDlespecification=1 PEERaddress=193.133.123.213
set IPSec policy=Fire2Fire isa=Fire2Fire
set IPSec policy=Fire2Fire RADDress=172.28.3.16 RMASk=255.255.255.240 LADDress=192.168.124.0 LMASk=255.255.255.0

# policy for our roaming user.
create IPSec policy=roaming1 int=eth1 ACTion=ipsec key=isakmp bund=1 peer=dynamic isa=roaming1
set IPSec policy=roaming1 lad=192.168.124.0 LMAsk=255.255.255.0 rname=roaming1

# Internet access
create IPSec policy=the_rest int=eth1 action=permit

enable IPSec

User authentication

You have a choice here: either create the users on the firewall or configure a RADIUS server.

add user=mikey pass=ratspass login=false

If not already done, add a default routing entry.

add ip route=0.0.0.0 int=eth1 next=193.133.123.129 mask=0.0.0.0

Second Firewall

Before continuing any further it is worth checking that your routing table looks sensible and that you can at least ping something on both your private network and the Internet while logged on as manager to the firewall.

show ip route
ping 193.133.123.194
ping 172.28.3.19

If the above shows any problem fix before proceeding further.

Nemiss Firewall Module Config

enable fire
create fire poli=main
# Assign public and private interfaces
add fire poli=main int=eth0 type=private
add fire poli=main int=eth1 type=public
#
# Enable the firewall modules NAT functions
add fire poli=main nat=enhanced int=eth0 gblint=eth1
#
# Permit ISAKMP traffic originating at the firewall
add fire poli=main rule=1 int=eth1 action=allow ip=193.133.123.213 prot=udp port=500 gblip=193.133.123.213 gblpo=500
#
# Disable NAT for intersite traffic that is encapsulated in IPsec
add fire poli=main rule=2 int=eth1 action=nonat prot=all ip=172.28.3.17-172.28.3.30 encap=ipsec
#
# Rule 3 for internally initiated VPN traffic to the remote office.
add fire poli=main ru=3 ac=nonat int=eth0 prot=all ip=172.28.3.17-172.28.3.30
set fire poli=main ru=3 remoteip=192.168.124.1-192.168.124.254

Note this command is pushing the maximum line length of a command; you will probably have to either abbreviate the options to their minimum length, or leave the target out, do a show gre, note the entry number, and then use the set gre=1 entry=n ..... form to finish configuring the entry.

IPsec Module Config

We now need to create the specifications for the Security Associations to be negotiated on the VPN to connect this LAN to the remote LAN, so that traffic between the LANs is encrypted.

This example will specify AH using SHA, and ESP using DES+MD5, and key management via ISAKMP.

The firewall supports 256 Security Association specifications. The defined SA specifications are combined into up to 256 bundles; when negotiating with a potential peer, it is the SA specs within the bundle selected for use with that peer that are checked.

show IPSec SAspec
will list already defined specs.

show IPSec bundles
will list existing bundles.

create IPSec SASpec=1 prot=esp hasha=null encalg=des keyman=isakmp

create IPSec SASpec=2 prot=ah mode=TUNNel hasha=sha keyman=isakmp

create IPSec bundlespec=1 keym=isakmp string="1 and 2"

For our current purposes we want traffic between our firewalls over the public interfaces encrypted, but traffic out to the web in general passed as is.

Note this command is pushing the maximum line length of a command; you will probably have to either abbreviate the options to their minimum length, or leave the target out, do a show IPSec, note the entry number, and then use multiple set IPSec policy=Fire2Fire ..... commands to finish configuring the entry.

# ISAKMP traffic permitted, port 500-500, anywhere.
create IPSec policy=isakmp int=eth1 action=permit RPOrt=500 LPOrt=500
set IPSec policy=isakmp TRANsportprotocol=UDP

# IPsec to remote site
create IPSec policy=Fire2Fire int=eth1 action=IPSec KEYManagement=isakmp BUNDlespecification=1 PEERaddress=193.133.123.140
set IPSec policy=Fire2Fire isa=Fire2Fire
set IPSec policy=Fire2Fire RADDress=192.168.124.0 RMASk=255.255.255.0 LADDress=172.28.3.16 LMASk=255.255.255.240

# Internet access
create IPSec policy=the_rest int=eth1 action=permit

enable IPSec
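As an added check (example code, not part of the original notes or of Allied's scripts), the following parses the Fire2Fire policy lines of both firewalls and confirms that the two ends mirror each other: each end peers with the other's public address, and one end's local selector equals the other's remote selector. The policy text and public addresses are taken from this page; FIRST_BAD is a constructed faulty variant with a /24 remote mask for the 172.28.3.16/28 network.

```python
import ipaddress
import re

# Constructed sample input: the Fire2Fire policy lines of each firewall as on this page.
FIRST = """
create IPSec policy=Fire2Fire int=eth1 action=IPSec KEYManagement=isakmp BUNDlespecification=1 PEERaddress=193.133.123.213
set IPSec policy=Fire2Fire RADDress=172.28.3.16 RMASk=255.255.255.240 LADDress=192.168.124.0 LMASk=255.255.255.0
"""
SECOND = """
create IPSec policy=Fire2Fire int=eth1 action=IPSec KEYManagement=isakmp BUNDlespecification=1 PEERaddress=193.133.123.140
set IPSec policy=Fire2Fire RADDress=192.168.124.0 RMASk=255.255.255.0 LADDress=172.28.3.16 LMASk=255.255.255.240
"""
# Constructed faulty variant: a /24 remote mask for the /28 network 172.28.3.16.
FIRST_BAD = FIRST.replace("RMASk=255.255.255.240", "RMASk=255.255.255.0")
FIRST_PUBLIC, SECOND_PUBLIC = "193.133.123.140", "193.133.123.213"

# Options we compare; the CLI accepts any unambiguous prefix, so match keys by prefix.
OPTIONS = {"peeraddress": "peer", "raddress": "radd", "rmask": "rmask",
           "laddress": "ladd", "lmask": "lmask"}

def parse_policy(text):
    """Collect the selector options of the create/set IPSec policy lines into a dict."""
    opts = {}
    for key, val in re.findall(r"(\w+)=(\S+)", text):
        for full, short in OPTIONS.items():
            if len(key) >= 3 and full.startswith(key.lower()):
                opts[short] = val
    return opts

def selector(addr, mask):
    """The network an address/mask pair really selects (host bits under the mask are dropped)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_pair(a_text, a_public, b_text, b_public):
    """Return the mismatches between the two ends of one site-to-site policy."""
    a, b = parse_policy(a_text), parse_policy(b_text)
    a_local, a_remote = selector(a["ladd"], a["lmask"]), selector(a["radd"], a["rmask"])
    b_local, b_remote = selector(b["ladd"], b["lmask"]), selector(b["radd"], b["rmask"])
    problems = []
    if a["peer"] != b_public:
        problems.append(f"A peers with {a['peer']}, but B's public address is {b_public}")
    if b["peer"] != a_public:
        problems.append(f"B peers with {b['peer']}, but A's public address is {a_public}")
    if a_local != b_remote:
        problems.append(f"A local {a_local} differs from B remote {b_remote}")
    if a_remote != b_local:
        problems.append(f"A remote {a_remote} differs from B local {b_local}")
    return problems
```

check_pair(FIRST, FIRST_PUBLIC, SECOND, SECOND_PUBLIC) returns an empty list, while the FIRST_BAD variant reports that A's remote 172.28.3.0/24 differs from B's local 172.28.3.16/28.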

isakmp config

Note this example is using the same key for both sites and the roaming user; this is probably a very bad idea.

# Remote site
create isakmp policy=Fire2Fire peer=193.133.123.140 hashalg=sha key=1
set ISAkmp pol=Fire2Fire senddeletes=on setcommitbit=on sendnotify=on
#
enable isakmp

add user=mikey pass=ratspass login=false

Roaming Client

Create key

ISAKMP

create isakmp policy=roaming1 peer=193.133.123.140 hashalg=sha key=1
set isakmp policy=roaming1 senddeletes=on setcommitbit=on sendnotify=on
# User authentication
set isakmp policy=roaming1 xauth=client xauthname=mikey xauthpass=ratspass

IPSEC

create IPSec SASpec=1 prot=esp hasha=null encalg=des keyman=isakmp

create IPSec SASpec=2 prot=ah mode=TUNNel hasha=sha keyman=isakmp

create IPSec bundlespec=1 keym=isakmp string="1 and 2"

How it works

Site to web

A packet from a host on the private network arrives at the router. It is compared with the GRE filters for the receiving interface eth0. It does not match, the destination address is not local, and a check with the routing tables indicates it should be sent on eth1.

As it is outbound on eth1, the source address is checked against the NAT filters. The address matches, so NAT processing is triggered and the source address rewritten.

The packet is sent, and a reply received.

The received packet passes through eth1; the destination is local.

Local packet processing routes the packet to the inbound NAT module that has been listening for replies.

The NAT module rewrites the destination address from its saved values, and the packet is passed for routing.

The packet is sent over eth0 to the host that started the session.

Site to Site

A packet from a host on the private network arrives at the router.

A check of the destination address with the routing tables indicates it should be sent on eth1.

The packet is compared with the IPSEC filters; a match is found for policy Fire2Fire, so the packet is queued awaiting tunnel initialization.

ISAKMP negotiation starts by sending a UDP packet to port 500 on the unit handling the remote end of the tunnel and awaits a reply.

The ISAKMP packet is routed outbound on interface eth1.

The ISAKMP packet is compared against the NAT filters. As the source is local, NAT processing is skipped.

The ISAKMP packet is compared to the IPSEC filters; a match is found for policy isakmp, with an action of permit, so the packet is sent.

A reply is received from the remote unit {UDP port 500}. This passes inbound on eth1, to the local ISAKMP agent.

Negotiation continues through phases 1 and 2 with a number of further packets being exchanged.

The tunnel is established.

The queued packets are encrypted according to the agreed security associations and the resulting packets are sent outbound on eth1.

Oddly, it would appear that tunnel packets skip the outbound filters.

NAT on outbound IPsec packets is suppressed.

The returning ESP tunnel packets are received on eth1, and sent for local processing.

The payload is unpacked and decrypted.

The packet is not local, and routing indicates that it should be delivered via eth0.

The packet is sent over eth0 to the host that started the session.
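To illustrate the first-match lookup the walkthrough above relies on, here is an added model (example code, not part of the original notes) of the first firewall's outbound IPsec policy selection. It assumes, as a simplification, that policies are tried in creation order and the first one whose selectors all match decides; the dynamic-peer roaming1 policy is left out because its remote selector is only fixed once a client has negotiated. It also shows what the catch-all the_rest permit policy does to the site-to-site flow if it is created before Fire2Fire.

```python
import ipaddress

# Model assumption for this example (not documented AR320S behaviour): outbound packets
# on eth1 are tried against the IPsec policies in creation order and the first match
# decides. Constructed from the first firewall's static policies on this page.
POLICIES = [
    # name, action, local selector, remote selector, transport, local port, remote port
    ("isakmp",    "permit", "193.133.123.140/32", None,             "udp", 500,  500),
    ("Fire2Fire", "ipsec",  "192.168.124.0/24",   "172.28.3.16/28", None,  None, None),
    ("the_rest",  "permit", None,                 None,             None,  None, None),
]

def classify(src, dst, proto=None, sport=None, dport=None, policies=POLICIES):
    """Return (policy name, action) of the first policy whose selectors all match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, action, lnet, rnet, tproto, lport, rport in policies:
        if lnet is not None and s not in ipaddress.ip_network(lnet):
            continue
        if rnet is not None and d not in ipaddress.ip_network(rnet):
            continue
        if tproto is not None and tproto != proto:
            continue
        if lport is not None and lport != sport:
            continue
        if rport is not None and rport != dport:
            continue
        return name, action
    return None, "nomatch"  # no policy matched; this page never reaches this case

def cleartext_leaks(policies, flows):
    """Flows that were meant to be tunnelled but would not be under this policy order."""
    return [(src, dst) for src, dst, want in flows
            if want == "ipsec" and classify(src, dst, policies=policies)[1] != "ipsec"]

# Constructed flows: private host to the remote private network (must be tunnelled),
# and private host to the public test host (plain Internet access).
FLOWS = [("192.168.124.122", "172.28.3.19", "ipsec"),
         ("192.168.124.122", "193.133.123.131", "permit")]

if __name__ == "__main__":
    print(classify("192.168.124.122", "172.28.3.19"))
    print(classify("193.133.123.140", "193.133.123.213", "udp", 500, 500))
    # With the catch-all created first, the site-to-site flow would leave in the clear.
    print(cleartext_leaks(POLICIES[::-1], FLOWS))
```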

Testing

You should still be able to ping addresses on the public internet, from the router.

And the same from the local private networks.

However, you should now be able to ping or traceroute from devices on one of the private networks to the other, or to the Internet.

Note that if the tunnel is working properly you should not see any intermediate routers appearing in the traceroute listing when tracing between the sites' private networks.

If you suspect a problem on the network between the two routers, you must trace to the remote router's public interface, so that your trace packets do not use the tunnel but follow the route of the tunnel's transport layer.