A site-to-site Virtual Private Network (VPN) connects two or more remote locations. Thanks to it, computers located inside those locations can communicate securely over the public Internet as if they were located on the same private network. This is accomplished by tunnels that interconnect the remote locations. Tunnels add an extra layer of security by encrypting the user traffic carried inside them. Therefore, traffic flowing between locations is not readable even if it is intercepted by an attacker.
In a typical site-to-site VPN scenario, there is no need for VPN client software to be installed on computers, as there is in the case of remote access VPNs. Typically, tunnels are terminated on a network device (router) that acts as a VPN gateway. The gateway is responsible for tunnel management, e.g. encapsulation of user traffic and encryption/decryption. As a result, a computer has no idea that its counterpart is located in a remote location that is part of the VPN. It just sends raw IP traffic to its VPN gateway, and it is the task of the gateway to ensure secure packet transport. However, what if your home router does not support site-to-site VPN configuration and a remote-access VPN is not an option either? In this case, we can install a VPN client directly on a computer, and the VPN tunnel will be terminated there. The VPN client settings then store the configuration required to build the tunnel.
This tutorial discusses the configuration of an IPsec tunnel on the VyOS network OS and the TheGreenBow VPN client on Windows 7. TheGreenBow VPN client is a VPN client application that makes it possible for a host device to configure a secure connection for a site-to-site IPsec tunnel. As a result, a PC with the configured VPN client can access a corporate network securely through the underlying public Internet as if it were located on the same corporate network (Picture 1).
Picture 1 - Network Topology
The IPsec site-to-site tunnel between the VPN client and the corporate network is terminated on the device VyOS, which is configured as an IPsec gateway. The router VyOS is running PAT and firewall services as well. The VyOS connects the corporate network to the public Internet. The corporate network also consists of the router Corporate and the Server running Linux OS. The router Corporate is running the VyOS network OS.
The Windows machine with TheGreenBow VPN client is connected to the router SOHO. It is a Cisco router, configured for NAT (PAT) translation of the subnet 10.0.0.0/24 to the public IP address 11.0.2.1.
1. Cisco SOHO Router Configuration
1.1 Interfaces and Default Static Routes
interface GigabitEthernet0/0
ip address 11.0.2.1 255.255.255.0
ip nat outside
interface GigabitEthernet0/1
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip route 0.0.0.0 0.0.0.0 11.0.2.2
1.2 Port Address Translation (PAT)
Typically, a SOHO router is configured for PAT service so a private address subnet is translated to a single public IP address. In our case, the subnet 10.0.0.0/24 is translated to a public address 11.0.2.1.
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 10.0.0.0 0.0.0.255
2. Corporate Router Configuration
2.1 Hostname, Interfaces and Static Default Route
vyos@vyos:~$ configure
vyos@vyos# set system host-name 'Corporate'
vyos@vyos# commit
vyos@Corporate# set interfaces ethernet eth1 address '192.168.20.1/24'
vyos@Corporate# set interfaces ethernet eth2 address '192.168.10.2/24'
vyos@Corporate# set protocols static route 0.0.0.0/0 next-hop 192.168.10.1
vyos@Corporate# commit
vyos@Corporate# save
3. The router VyOS Configuration
3.1 Hostname, Interfaces and Static Default Route
vyos@vyos:~$ configure
vyos@vyos# set system host-name 'VyOS'
vyos@vyos# commit
vyos@VyOS# set interfaces ethernet eth0 address '11.0.2.2/24'
vyos@VyOS# set interfaces ethernet eth2 address '192.168.10.1/24'
vyos@VyOS# set protocols static route 0.0.0.0/0 next-hop 11.0.2.1
3.2 Internet Key Exchange (IKE) and Encapsulating Security Payloads (ESP) Groups
vyos@VyOS# set vpn ipsec ike-group ike-d lifetime 3600
vyos@VyOS# set vpn ipsec ike-group ike-d proposal 1 dh-group 18
vyos@VyOS# set vpn ipsec ike-group ike-d proposal 1 encryption aes256
vyos@VyOS# set vpn ipsec ike-group ike-d proposal 1 hash sha256
vyos@VyOS# set vpn ipsec nat-traversal enable
vyos@VyOS# set vpn ipsec esp-group esp-d compression disable
vyos@VyOS# set vpn ipsec esp-group esp-d lifetime 3600
vyos@VyOS# set vpn ipsec esp-group esp-d mode tunnel
vyos@VyOS# set vpn ipsec esp-group esp-d pfs dh-group18
vyos@VyOS# set vpn ipsec esp-group esp-d proposal 1 encryption aes256
vyos@VyOS# set vpn ipsec esp-group esp-d proposal 1 hash sha512
vyos@VyOS# set vpn ipsec ipsec-interfaces interface eth0
3.3 Peer Configuration
vyos@VyOS# set vpn ipsec site-to-site peer 0.0.0.0 authentication mode 'pre-shared-secret'
vyos@VyOS# set vpn ipsec site-to-site peer 0.0.0.0 authentication pre-shared-secret 'secretpassword'
vyos@VyOS# set vpn ipsec site-to-site peer 0.0.0.0 ike-group 'ike-d'
vyos@VyOS# set vpn ipsec site-to-site peer 0.0.0.0 local-address '11.0.2.2'
vyos@VyOS# set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 esp-group 'esp-d'
vyos@VyOS# set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 local prefix '192.168.20.0/24'
vyos@VyOS# set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 remote prefix '0.0.0.0/0'
3.4 PAT
We must exclude traffic from the subnet 192.168.20.0/24 (corporate private addresses) to the subnet 192.168.50.0/24 from NAT (rule 10). The IP addresses 192.168.50.0/24 are reserved for VPN clients. Therefore, the packets destined for VPN clients must be excluded from NAT in order to avoid translating the subnet 192.168.20.0/24 to 11.0.2.2 (the IP address of the router VyOS interface). If NAT were performed before encryption, the translated IP address 11.0.2.2 would not match the local prefix setting in the IPsec configuration. In that case, the packets destined for the subnet 192.168.50.0/24 would be sent outside the tunnel and thus unencrypted.
However, when traffic is sent from 192.168.20.0/24 to any other IP addresses (outside the tunnel), we have to translate the subnet 192.168.20.0/24 into the public address 11.0.2.2 (rule 20); otherwise, the ISP would filter traffic from the corporate private subnet 192.168.20.0/24.
vyos@VyOS# set nat source rule 10 description 'exclude_192.168.20.0/24_from_nat'
vyos@VyOS# set nat source rule 10 destination address '192.168.50.0/24'
vyos@VyOS# set nat source rule 10 exclude
vyos@VyOS# set nat source rule 10 outbound-interface 'eth0'
vyos@VyOS# set nat source rule 20 description 'include_192.168.20.0/24_to_nat'
vyos@VyOS# set nat source rule 20 outbound-interface 'eth0'
vyos@VyOS# set nat source rule 20 source address '192.168.20.0/24'
vyos@VyOS# set nat source rule 20 translation address 'masquerade'
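To make the ordering problem above concrete, here is an added Python model of the egress path on the router VyOS; it is not VyOS code or part of this tutorial. It assumes, as the text describes, that source NAT is evaluated before the IPsec policy check, and it uses the NAT rules from this section and the local/remote prefixes from section 3.3. Sample flows are constructed.

```python
import ipaddress

Net = ipaddress.ip_network

# Source NAT rules of the router VyOS (section 3.4), in evaluation order:
# rule 10 excludes traffic to the VPN client subnet, rule 20 masquerades the rest.
NAT_RULES = [
    {"rule": 10, "dst": Net("192.168.50.0/24"), "exclude": True},
    {"rule": 20, "src": Net("192.168.20.0/24"), "translate": "11.0.2.2"},
]

# IPsec selectors from section 3.3: local prefix 192.168.20.0/24, remote prefix 0.0.0.0/0.
IPSEC_LOCAL = Net("192.168.20.0/24")
IPSEC_REMOTE = Net("0.0.0.0/0")


def apply_snat(src, dst, rules):
    """Return the source address after source NAT; the first matching rule wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if "src" in r and s not in r["src"]:
            continue
        if "dst" in r and d not in r["dst"]:
            continue
        if r.get("exclude"):
            return src  # exclude rule matched: leave the address untranslated
        return r["translate"]
    return src


def outbound(src, dst, rules=NAT_RULES):
    """Egress model (assumption: NAT runs before the IPsec policy check, as the
    tutorial describes). Returns (source address on the wire, encrypted?)."""
    nat_src = apply_snat(src, dst, rules)
    encrypted = (ipaddress.ip_address(nat_src) in IPSEC_LOCAL
                 and ipaddress.ip_address(dst) in IPSEC_REMOTE)
    return nat_src, encrypted


if __name__ == "__main__":
    # Constructed sample flows: ping to a VPN client, and ping to the SOHO router.
    print(outbound("192.168.20.10", "192.168.50.1"))   # ('192.168.20.10', True)
    print(outbound("192.168.20.10", "11.0.2.1"))       # ('11.0.2.2', False)
    # The same ping to a VPN client with rule 10 missing: NAT runs and no tunnel is used.
    print(outbound("192.168.20.10", "192.168.50.1", NAT_RULES[1:]))  # ('11.0.2.2', False)
```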
3.5 Firewall
Change the default action from accept to drop for incoming traffic. Rule 10 allows established and related incoming traffic. Rule 20 allows ISAKMP and rule 30 allows the ESP protocol. Rule 40 allows de-encapsulated traffic from the subnet 192.168.50.0/24 to reach the private subnet 192.168.20.0/24.
vyos@VyOS# set firewall name incoming_traffic default-action drop
vyos@VyOS# set firewall name incoming_traffic enable-default-log
vyos@VyOS# set firewall name incoming_traffic rule 10 description 'incoming_established'
vyos@VyOS# set firewall name incoming_traffic rule 10 action 'accept'
vyos@VyOS# set firewall name incoming_traffic rule 10 state established 'enable'
vyos@VyOS# set firewall name incoming_traffic rule 10 state related 'enable'
vyos@VyOS# set firewall name incoming_traffic rule 20 description 'allow_isakmp'
vyos@VyOS# set firewall name incoming_traffic rule 20 action 'accept'
vyos@VyOS# set firewall name incoming_traffic rule 20 source address '0.0.0.0/0'
vyos@VyOS# set firewall name incoming_traffic rule 20 source port '500,4500'
vyos@VyOS# set firewall name incoming_traffic rule 20 destination address '11.0.2.2'
vyos@VyOS# set firewall name incoming_traffic rule 20 destination port '500,4500'
vyos@VyOS# set firewall name incoming_traffic rule 20 protocol 'udp'
vyos@VyOS# set firewall name incoming_traffic rule 30 description 'allow_ipsec'
vyos@VyOS# set firewall name incoming_traffic rule 30 action 'accept'
vyos@VyOS# set firewall name incoming_traffic rule 30 source address '0.0.0.0/0'
vyos@VyOS# set firewall name incoming_traffic rule 30 destination address '11.0.2.2'
vyos@VyOS# set firewall name incoming_traffic rule 30 protocol 'esp'
vyos@VyOS# set firewall name incoming_traffic rule 40 description 'allow_remote_private_nets'
vyos@VyOS# set firewall name incoming_traffic rule 40 action 'accept'
vyos@VyOS# set firewall name incoming_traffic rule 40 source address '192.168.50.0/24'
vyos@VyOS# set firewall name incoming_traffic rule 40 destination address '192.168.20.0/24'
Assign the firewall policy incoming_traffic to the interface eth0 in incoming direction and for the traffic destined for the router VyOS.
vyos@VyOS# set interfaces ethernet eth0 firewall in name incoming_traffic
vyos@VyOS# set interfaces ethernet eth0 firewall local name incoming_traffic
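The following is an added Python model of the incoming_traffic ruleset above, written for this page and not taken from VyOS; it evaluates the rules in order with first-match semantics and a default drop, and runs a few constructed packets through them (the peer address 11.0.2.1 is the SOHO router from the topology; 203.0.113.7 is a made-up Internet host).

```python
import ipaddress

Net = ipaddress.ip_network

# The incoming_traffic ruleset from section 3.5, in evaluation order; fields a rule
# does not list match anything, and the first matching rule decides.
FIREWALL_RULES = [
    {"rule": 10, "state": {"established", "related"}},
    {"rule": 20, "proto": "udp", "src": Net("0.0.0.0/0"), "dst": Net("11.0.2.2/32"),
     "sport": {500, 4500}, "dport": {500, 4500}},
    {"rule": 30, "proto": "esp", "src": Net("0.0.0.0/0"), "dst": Net("11.0.2.2/32")},
    {"rule": 40, "src": Net("192.168.50.0/24"), "dst": Net("192.168.20.0/24")},
]
DEFAULT_ACTION = "drop"   # default-action drop, logged by enable-default-log


def matches(rule, pkt):
    """True if every field the rule lists matches the packet (a dict of header fields)."""
    if "state" in rule and pkt.get("state", "new") not in rule["state"]:
        return False
    if "proto" in rule and pkt.get("proto") != rule["proto"]:
        return False
    for field in ("src", "dst"):
        if field in rule and ipaddress.ip_address(pkt[field]) not in rule[field]:
            return False
    for field in ("sport", "dport"):
        if field in rule and pkt.get(field) not in rule[field]:
            return False
    return True


def filter_incoming(pkt, rules=FIREWALL_RULES):
    """Return (action, matching rule number); (DEFAULT_ACTION, None) when nothing matched."""
    for r in rules:
        if matches(r, pkt):
            return "accept", r["rule"]
    return DEFAULT_ACTION, None


# Constructed sample packets as they would arrive on eth0 of the router VyOS.
SAMPLES = {
    "ike_init": {"proto": "udp", "src": "11.0.2.1", "dst": "11.0.2.2", "sport": 500, "dport": 500},
    "nat_t": {"proto": "udp", "src": "11.0.2.1", "dst": "11.0.2.2", "sport": 4500, "dport": 4500},
    "esp": {"proto": "esp", "src": "11.0.2.1", "dst": "11.0.2.2"},
    "decap_ping": {"proto": "icmp", "src": "192.168.50.1", "dst": "192.168.20.10"},
    "ssh_probe": {"proto": "tcp", "src": "203.0.113.7", "dst": "11.0.2.2", "sport": 40000, "dport": 22},
    # IKE whose source port was rewritten by an upstream PAT device: rule 20 no longer matches.
    "ike_rewritten": {"proto": "udp", "src": "11.0.2.1", "dst": "11.0.2.2", "sport": 60000, "dport": 500},
}
```

The ike_rewritten case shows the cost of matching on source port in rule 20: an IKE packet whose source port was changed by a PAT device in front of the client falls through to the default drop, which is worth checking in the firewall log if a tunnel fails to come up.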
4. TheGreenBow VPN Client Configuration
Install the TheGreenBow VPN client. You can test it for free for a 30-day trial period. Configure the IKE (Phase 1) and ESP (Phase 2) settings to match the configuration we have done on the VyOS router (Pictures 2 and 3).
Picture 2 - TheGreenBow VPN Client IKE Settings
Picture 3 - TheGreenBow VPN Client ESP Settings
Once you have configured the VPN client, you can connect to the VPN network by right-clicking the VyOS_ESP settings entry (or pressing Ctrl-O) (Picture 3). When the VPN connection is successful, the color of the ESP settings icon changes from grey to green (Picture 4).
Picture 4 - IPsec Tunnel Established
5. Tunnel Verification
Issue the ping command from the Windows 7 machine (IP address 10.0.0.10/24, tunnel IP 192.168.50.1/24) to the host 192.168.20.10. Use the Wireshark sniffer to capture network traffic on the link between the SOHO and VyOS routers (ipsec.pcapng) and between the VyOS and Corporate routers (raw_traffic_win.pcapng). As you can see, ICMP traffic is encrypted when the tunnel is up (Picture 5).
Picture 5 - Encrypted ICMP Traffic Captured Between SOHO and VyOS Routers
Picture 6 depicts the traffic captured between the VyOS and Corporate routers.
Picture 6 - Decrypted ICMP Traffic Between VyOS and Corporate Routers
Now, start pinging the IP address 11.0.2.1 (SOHO router) from the Linux server located in the corporate network and capture traffic on the link between the VyOS and SOHO routers (raw_traffic_linux.pcapng). NAT is applied on the router VyOS for the subnet 192.168.20.0/24, so the subnet is masked as the public IP address 11.0.2.2. The traffic is not encrypted (Picture 7). The only traffic that is encrypted is the traffic destined for the subnet 192.168.50.0/24.
Picture 7 - ICMP Traffic Captured Between VyOS and SOHO Routers
Verification of the tunnel status on the VyOS router is depicted in Picture 8.
vyos@VyOS:~$ show vpn ipsec status
Picture 8 - IPsec Tunnel Status Verification
End.