NAT Before VPN

From VyOS Wiki
Revision as of 12:19, 12 November 2018 by Max1e6 (talk | contribs)

Overview

Some application service providers (ASPs) operate a VPN gateway to provide access to their internal resources, and require that a connecting organisation translate all traffic to the service provider network to a source address provided by the ASP. An example in Australia is Ebix, an ASP connecting insurance organisations (brokers, insurers etc.) to a common network for information exchange.

Example Network

Here's one example of a network environment for an ASP. The ASP requests that all connections from this company should come from 172.29.41.89 - an address that is assigned by the ASP and not in use at the customer site.

[Image: NAT-VPN-01.png, the example network diagram]

Configuration Steps

The required configuration can be broken down into 4 major pieces:

  • A dummy interface for the provider-assigned IP;
  • NAT (specifically, Source NAT);
  • IPSec IKE and ESP Groups;
  • IPSec VPN tunnels.

Dummy Interface

The dummy interface allows us to have an equivalent of the Cisco IOS Loopback interface - a router-internal interface we can use for IP addresses the router must know about, but which are not actually assigned to a real network.

We only need a single step for this interface:

set interfaces dummy dum0 address '172.29.41.89/32'

This looks like this in the indented form:

interfaces {
    dummy dum0 {
        address 172.29.41.89/32
    }
}

NAT Configuration

The ASP requires that we source NAT all connections from our local subnet to their assigned address, which we configured above on the dum0 dummy interface. Each rule matches on the destination as well as the source, so only traffic bound for the ASP's two subnets is translated. This is pretty basic source NAT configuration, and you should choose rule numbers that suit your particular configuration rather than simply assuming 110 and 120 are right for you.

Configuration commands are fairly simple:

set nat source rule 110 description 'Internal to ASP'
set nat source rule 110 destination address '172.27.1.0/24'
set nat source rule 110 outbound-interface 'any'
set nat source rule 110 source address '192.168.43.0/24'
set nat source rule 110 translation address '172.29.41.89'
set nat source rule 120 description 'Internal to ASP'
set nat source rule 120 destination address '10.125.0.0/16'
set nat source rule 120 outbound-interface 'any'
set nat source rule 120 source address '192.168.43.0/24'
set nat source rule 120 translation address '172.29.41.89'

The resulting configuration:

nat {
    source {
        rule 110 {
            description "Internal to ASP"
            destination {
                address 172.27.1.0/24
            }
            outbound-interface any
            source {
                address 192.168.43.0/24
            }
            translation {
                address 172.29.41.89
            }
        }
        rule 120 {
            description "Internal to ASP"
            destination {
                address 10.125.0.0/16
            }
            outbound-interface any
            source {
                address 192.168.43.0/24
            }
            translation {
                address 172.29.41.89
            }
        }
    }
}

IPSec IKE and ESP

The ASP has documented their IPSec requirements. These are legacy algorithms (3DES, MD5 and a 1024-bit DH group) and are used here only because the ASP mandates them:

  • IKE Phase
    • 3DES Encryption
    • MD5 Hashes
  • ESP Phase
    • 3DES Encryption
    • MD5 Hashes
    • DH Group 2 (Diffie-Hellman group 2, 1024 bit modulus)

Additionally, we want to use VPNs only on our eth1 interface (the external interface in the image above). Note that in the commands below DH group 2 is set on the IKE proposal, while PFS is disabled on the ESP group.

Configuration Commands:

set vpn ipsec ike-group ebix-sunrise-ike ikev2-reauth 'no'
set vpn ipsec ike-group ebix-sunrise-ike key-exchange 'ikev1'
set vpn ipsec ike-group ebix-sunrise-ike lifetime '7800'
set vpn ipsec ike-group ebix-sunrise-ike proposal 1 dh-group '2'
set vpn ipsec ike-group ebix-sunrise-ike proposal 1 encryption '3des'
set vpn ipsec ike-group ebix-sunrise-ike proposal 1 hash 'md5'

set vpn ipsec esp-group ebix-sunrise-esp compression 'disable'
set vpn ipsec esp-group ebix-sunrise-esp lifetime '3600'
set vpn ipsec esp-group ebix-sunrise-esp mode 'tunnel'
set vpn ipsec esp-group ebix-sunrise-esp pfs 'disable'
set vpn ipsec esp-group ebix-sunrise-esp proposal 1 encryption '3des'
set vpn ipsec esp-group ebix-sunrise-esp proposal 1 hash 'md5'

set vpn ipsec ipsec-interfaces interface 'eth1'

The resulting configuration:

vpn {
    ipsec {
        esp-group ebix-sunrise-esp {
            compression disable
            lifetime 3600
            mode tunnel
            pfs disable
            proposal 1 {
                encryption 3des
                hash md5
            }
        }
        ike-group ebix-sunrise-ike {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 7800
            proposal 1 {
                dh-group 2
                encryption 3des
                hash md5
            }
        }
        ipsec-interfaces {
            interface eth1
        }
    }
}

IPSec VPN Tunnels

We'll use the IKE and ESP groups created above for this VPN. Because we need access to two different subnets on the far side, we will need two different tunnels. If you changed the names of the ESP group and IKE group in the previous step, make sure you use the correct names here too.

Configuration commands:

set vpn ipsec site-to-site peer 198.51.100.243 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 198.51.100.243 authentication pre-shared-secret 'PASSWORD IS HERE'
set vpn ipsec site-to-site peer 198.51.100.243 connection-type 'initiate'
set vpn ipsec site-to-site peer 198.51.100.243 default-esp-group 'ebix-sunrise-esp'
set vpn ipsec site-to-site peer 198.51.100.243 ike-group 'ebix-sunrise-ike'
set vpn ipsec site-to-site peer 198.51.100.243 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 198.51.100.243 local-address '203.0.113.46'
set vpn ipsec site-to-site peer 198.51.100.243 tunnel 0 local prefix '172.29.41.89/32'
set vpn ipsec site-to-site peer 198.51.100.243 tunnel 0 remote prefix '172.27.1.0/24'
set vpn ipsec site-to-site peer 198.51.100.243 tunnel 1 local prefix '172.29.41.89/32'
set vpn ipsec site-to-site peer 198.51.100.243 tunnel 1 remote prefix '10.125.0.0/16'

And the result:

vpn {
    ipsec {
        site-to-site {
            peer 198.51.100.243 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                default-esp-group ebix-sunrise-esp
                ike-group ebix-sunrise-ike
                ikev2-reauth inherit
                local-address 203.0.113.46
                tunnel 0 {
                    local {
                        prefix 172.29.41.89/32
                    }
                    remote {
                        prefix 172.27.1.0/24
                    }
                }
                tunnel 1 {
                    local {
                        prefix 172.29.41.89/32
                    }
                    remote {
                        prefix 10.125.0.0/16
                    }
                }
            }
        }
    }
}
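In this setup the IPsec selectors see the already-translated source, which is why every tunnel's local prefix is 172.29.41.89/32 rather than the LAN subnet, and each NAT destination is one tunnel's remote prefix. The following is an added consistency check written for this article (not part of VyOS): it parses the article's own set commands, embedded below as a constructed sample with one extra, deliberately mismatched SNAT rule 130, and reports any rule whose translated source and destination no tunnel selector carries, or whose translation address is not on a dummy interface.

```python
import ipaddress

# Constructed sample: the set commands from this article, plus an extra SNAT
# rule (130) whose destination has no matching tunnel, to show what is caught.
SAMPLE_CONFIG = """
set interfaces dummy dum0 address '172.29.41.89/32'
set nat source rule 110 destination address '172.27.1.0/24'
set nat source rule 110 source address '192.168.43.0/24'
set nat source rule 110 translation address '172.29.41.89'
set nat source rule 120 destination address '10.125.0.0/16'
set nat source rule 120 source address '192.168.43.0/24'
set nat source rule 120 translation address '172.29.41.89'
set nat source rule 130 destination address '10.200.0.0/16'
set nat source rule 130 source address '192.168.43.0/24'
set nat source rule 130 translation address '172.29.41.89'
set vpn ipsec site-to-site peer 198.51.100.243 tunnel 0 local prefix '172.29.41.89/32'
set vpn ipsec site-to-site peer 198.51.100.243 tunnel 0 remote prefix '172.27.1.0/24'
set vpn ipsec site-to-site peer 198.51.100.243 tunnel 1 local prefix '172.29.41.89/32'
set vpn ipsec site-to-site peer 198.51.100.243 tunnel 1 remote prefix '10.125.0.0/16'
"""

def parse_config(config):
    """Collect dummy addresses, SNAT rules and IPsec tunnel selectors from set lines."""
    dummy, nat, tunnels = set(), {}, {}
    for line in config.splitlines():
        w = [x.strip("'") for x in line.split()]
        if w[:3] == ["set", "interfaces", "dummy"] and w[4] == "address":
            dummy.add(ipaddress.ip_interface(w[5]).ip)
        elif w[:4] == ["set", "nat", "source", "rule"] and len(w) > 7 and w[6] == "address":
            nat.setdefault(w[4], {})[w[5]] = w[7]  # destination / source / translation
        elif w[:5] == ["set", "vpn", "ipsec", "site-to-site", "peer"] and w[6] == "tunnel":
            tunnels.setdefault((w[5], w[7]), {})[w[8]] = w[10]  # local / remote prefix
    return dummy, nat, tunnels

def check_nat_vs_tunnels(config):
    """Return findings; empty means every SNAT rule lands inside a tunnel selector."""
    dummy, nat, tunnels = parse_config(config)
    findings = []
    for rule, r in sorted(nat.items()):
        xlate = ipaddress.ip_address(r["translation"])
        dest = ipaddress.ip_network(r["destination"])
        if xlate not in dummy:  # the router must own the ASP-assigned address
            findings.append(f"rule {rule}: {xlate} is not on a dummy interface")
        # NAT runs first, so the selector must match the translated source, not the LAN
        if not any(xlate in ipaddress.ip_network(t["local"])
                   and dest.subnet_of(ipaddress.ip_network(t["remote"]))
                   for t in tunnels.values()):
            findings.append(f"rule {rule}: no tunnel selector matches {xlate} -> {dest}")
    return findings
```

Feed it the output of `show configuration commands` from a real box to check a live configuration the same way.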

Testing and Validation

If you've completed all the above steps, you no doubt want to see if it's all working.

Start by checking for IPSec SAs (Security Associations) with:

$ show vpn ipsec sa

Peer ID / IP                            Local ID / IP
------------                            -------------
198.51.100.243                          203.0.113.46

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    0       up     0.0/0.0        3des     md5     no     1647    3600    all
    1       up     0.0/0.0        3des     md5     no     865     3600    all

That looks good - we defined 2 tunnels and they're both up and running.

Try a ping from an internal PC to the far-side networks:

C:\>ping 172.27.1.91

Pinging 172.27.1.91 with 32 bytes of data:
Reply from 172.27.1.91: bytes=32 time=6ms TTL=125
Reply from 172.27.1.91: bytes=32 time=2ms TTL=125
Reply from 172.27.1.91: bytes=32 time=2ms TTL=125
Reply from 172.27.1.91: bytes=32 time=2ms TTL=125

Ping statistics for 172.27.1.91:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 6ms, Average = 3ms

And check the IPSec SAs again to see data transferred over the tunnels. Since 172.27.1.91 lies in tunnel 0's remote prefix, only that tunnel's byte counters should have moved:

$ show vpn ipsec sa

Peer ID / IP                            Local ID / IP
------------                            -------------
198.51.100.243                          203.0.113.46

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    0       up     240.0/240.0    3des     md5     no     1864    3600    all
    1       up     0.0/0.0        3des     md5     no     1082    3600    all
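As an added aid for this validation step (example code written for this page, not a VyOS tool), here is a small parser for the `show vpn ipsec sa` table, run over the two outputs the article shows; it flags tunnels that are not up, whose negotiated algorithms differ from what the ESP group asked for, or whose byte counters did not move between the two checks, distinguishing "nothing sent" from "sent but no reply". The table layout is assumed to be exactly the one shown above.

```python
import re
# Copied from the article's two 'show vpn ipsec sa' runs, before and after the ping.
SA_BEFORE = """\
Peer ID / IP                            Local ID / IP
------------                            -------------
198.51.100.243                          203.0.113.46

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    0       up     0.0/0.0        3des     md5     no     1647    3600    all
    1       up     0.0/0.0        3des     md5     no     865     3600    all
"""
SA_AFTER = """\
Peer ID / IP                            Local ID / IP
------------                            -------------
198.51.100.243                          203.0.113.46

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    0       up     240.0/240.0    3des     md5     no     1864    3600    all
    1       up     0.0/0.0        3des     md5     no     1082    3600    all
"""

def parse_sa(text):
    """Map (peer, tunnel) -> fields of each SA row in 'show vpn ipsec sa' output."""
    sas, peer = {}, None
    for line in text.splitlines():
        f = line.split()
        if len(f) == 2 and re.fullmatch(r"\d+(\.\d+){3}", f[0]):
            peer = f[0]                               # "peer_ip   local_ip" row
        elif len(f) == 9 and f[0].isdigit():          # tunnel row (header has no digit)
            out_b, in_b = (float(x) for x in f[2].split("/"))
            sas[(peer, f[0])] = {"state": f[1], "out": out_b, "in": in_b,
                                 "encrypt": f[3], "hash": f[4]}
    return sas

def validate(before, after, encrypt="3des", hash_="md5"):
    """Findings from two snapshots: SA state, negotiated algorithms and traffic flow."""
    findings, prev_sas = [], parse_sa(before)
    for (peer, tun), sa in sorted(parse_sa(after).items()):
        if sa["state"] != "up":
            findings.append(f"{peer} tunnel {tun}: state is {sa['state']}")
        if (sa["encrypt"], sa["hash"]) != (encrypt, hash_):
            findings.append(f"{peer} tunnel {tun}: negotiated {sa['encrypt']}/{sa['hash']}")
        prev = prev_sas.get((peer, tun), {"out": 0.0, "in": 0.0})
        if sa["out"] <= prev["out"]:                  # our side sent nothing into the SA
            findings.append(f"{peer} tunnel {tun}: nothing sent since last check")
        elif sa["in"] <= prev["in"]:                  # sent, but the far side never answered
            findings.append(f"{peer} tunnel {tun}: sent but no reply traffic")
    return findings
```

On the article's data the only finding is that tunnel 1 carried nothing, which is expected because the ping only exercised tunnel 0.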