Site-to-Site IPSEC

IPSEC can be used to link two remote locations together over an untrusted medium like the Internet. The implementation itself is a combination of protocols, settings, and encryption standards that have to match on both sides of the tunnel.

Terminology

Devices at both sides of the tunnel are called Peers. Each of the peers uses combinations of encryption and hashing protocols to secure traffic that are specified in a Proposal. Once both peers have negotiated a secure connection using the protocols and standards in the proposals Security Associations (SAs) are installed. These SAs have a finite lifetime before they expire and new SAs are negotiated.

IPSEC Policy vs. Routing

It's very important to note that IPSEC is not routing. Traffic is sent over IPSEC tunnels when it matches Source and Destination addresses in an IPSEC Policy. Traffic that matches the policy is termed "interesting" and sent via the tunnel, not routed like typical network traffic. Some vendors have their own "routed IPSEC" implementations but those are specific to their platforms and outside the scope of this post.

Network Topology

This network scenario in this post has a West Branch office that needs to be connected to the Central Office. This post does not include the additional configuration of the East Office that is pictured in the topology below and covered in the extended IPSEC guide.

Network Addresses

The West Office has a LAN on the 192.168.2.0/24 network, and a WAN address of 172.16.1.2/24. The Central Office has a LAN on the 192.168.1.0/24 network, and a WAN address of 172.16.1.1/24. The WAN port on all routers is eth0, and the LAN gateway port is eth1 in keeping with the typical Ubiquiti defaults.

Configuration Summary

The two sections of configuration commands below will perform the following steps on both routers:

1. Create firewall IP address groups for easier firewalling
2. Allow traffic between IPSEC peers
3. Create ESP groups with secure encryption and hashing protocols
4. Create IKE groups with the same
5. Create IPSEC peers pointing to the opposite router
6. Create IPSEC proposals to define "interesting" traffic
7. Enable the NAT exclusion feature in the firewall for IPSEC traffic

The two blocks of commands can be copy-pasted to routers on a workbench once they've been configured with IP addresses and a basic default configuration.

Central Router Configuration

The following commands on the Central Office router are the first half of the tunnel between Central and West:

configure
set firewall group address-group IPSEC description ”IPSEC peer addresses”
set firewall group address-group IPSEC address 172.16.1.2
set firewall name WAN LOCAL rule 15 description ”IPSEC Peers”
set firewall name WAN LOCAL rule 15 action accept
set firewall name WAN LOCAL rule 15 source group address-group IPSEC
commit

set vpn ipsec esp-group central-west proposal 1 encryption aes256
set vpn ipsec esp-group central-west proposal 1 hash sha1
set vpn ipsec esp-group central-west mode tunnel
set vpn ipsec esp-group central-west lifetime 1800
set vpn ipsec esp-group central-west pfs dh-group2
set vpn ipsec ike-group central-west key-exchange ikev2
set vpn ipsec ike-group central-west proposal 1 encryption aes256
set vpn ipsec ike-group central-west proposal 1 hash sha1
set vpn ipsec ike-group central-west proposal 1 dh-group 2
commit

set vpn ipsec site-to-site peer 172.16.1.2 description ”West office”
set vpn ipsec site-to-site peer 172.16.1.2 local-address 172.16.1.1
set vpn ipsec site-to-site peer 172.16.1.2 tunnel 0 esp-group central-west
set vpn ipsec site-to-site peer 172.16.1.2 ike-group central-west
set vpn ipsec site-to-site peer 172.16.1.2 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 172.16.1.2 authentication pre-shared-secret ”manitowest”
set vpn ipsec site-to-site peer 172.16.1.2 tunnel 0 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 172.16.1.2 tunnel 0 remote prefix 192.168.2.0/24
commit

set vpn ipsec auto-firewall-nat-exclude enable
commit
save

West Router Configuration

The following commands on the West Office router are the second half of the tunnel between Central and West:

configure
set firewall group address-group IPSEC description ”IPSEC peer addresses”
set firewall group address-group IPSEC address 172.16.1.1
set firewall name WAN LOCAL rule 15 description ”IPSEC Peers”
set firewall name WAN LOCAL rule 15 action accept
set firewall name WAN LOCAL rule 15 source group address-group IPSEC
commit

set vpn ipsec esp-group west-central proposal 1 encryption aes256
set vpn ipsec esp-group west-central proposal 1 hash sha1
set vpn ipsec esp-group west-central mode tunnel
set vpn ipsec esp-group west-central lifetime 1800
set vpn ipsec esp-group west-central pfs dh-group2
set vpn ipsec ike-group west-central key-exchange ikev2
set vpn ipsec ike-group west-central proposal 1 encryption aes256
set vpn ipsec ike-group west-central proposal 1 hash sha1
set vpn ipsec ike-group west-central proposal 1 dh-group 2
commit

set vpn ipsec site-to-site peer 172.16.1.1 description ”Central office”
set vpn ipsec site-to-site peer 172.16.1.1 local􀀀address 172.16.1.2
set vpn ipsec site-to-site peer 172.16.1.1 tunnel 0 esp-group west-central
set vpn ipsec site-to-site peer 172.16.1.1 ike-group west-central
set vpn ipsec site-to-site peer 172.16.1.1 authentication mode pre-shared-secret
set vpn ipsec site􀀀to􀀀site peer 172.16.1.1 authentication pre-shared-secret ”manitowest”
set vpn ipsec site-to-site peer 172.16.1.1 tunnel 0 local prefix 192.168.2.0/24
set vpn ipsec site-to-site peer 172.16.1.1 tunnel 0 remote prefix 192.168.1.0/24
set vpn ipsec auto-firewall-nat-exclude enable
commit
save

Testing

To test the IPSEC tunnel send an ICMP Echo (Ping) from a device on one LAN to a device on the other. This will generate the "interesting" traffic and force the IPSEC tunnels to come up. To view how many IPSEC tunnels are currently up use the following command:

show vpn ipsec status

To get more specific information on the current SAs use the following command:

show vpn ipsec sa