backport (cosmetic) changes from wiki-ng
This commit is contained in:
parent
4c127e7c98
commit
37d7831fd4
2
Other.md
2
Other.md
@ -19,7 +19,7 @@
|
||||
- **RetroShare** can be run as a darknet (friend-to-friend) by default to perform anonymous file transfers if DHT and Discovery features are disabled.
|
||||
- **GNUnet** is a darknet if the "F2F (network) topology" option is enabled.
|
||||
- **Syndie** is software used to publish distributed forums over the anonymous networks of I2P, Tor and Freenet.
|
||||
OneSwarm can be run as a darknet for friend-to-friend file-sharing.
|
||||
- OneSwarm can be run as a darknet for friend-to-friend file-sharing.
|
||||
- **Tribler** can be run as a darknet for file-sharing.
|
||||
|
||||
## BGP Routed IP
|
||||
|
@ -26,7 +26,7 @@ Note: This file covers the configuration of Bird 1.x. For an example configurati
|
||||
|
||||
## IPv6
|
||||
|
||||
```
|
||||
```conf
|
||||
#/etc/bird/bird6.conf
|
||||
protocol device {
|
||||
scan time 10;
|
||||
@ -96,7 +96,7 @@ template bgp dnpeers {
|
||||
include "/etc/bird/peers6/*";
|
||||
```
|
||||
|
||||
```
|
||||
```conf
|
||||
# /etc/bird/local6.conf
|
||||
# should be a unique identifier, use same id as for ipv4
|
||||
router id <GATEWAY_IP>;
|
||||
@ -115,7 +115,7 @@ function is_valid_network() {
|
||||
}
|
||||
```
|
||||
|
||||
```
|
||||
```conf
|
||||
# /etc/bird/peers6/<PEER_NAME>
|
||||
protocol bgp <PEER_NAME> from dnpeers {
|
||||
neighbor <PEERING_IP> as <PEER_AS>;
|
||||
@ -126,7 +126,7 @@ protocol bgp <PEER_NAME> from dnpeers {
|
||||
|
||||
### IPv4
|
||||
|
||||
```
|
||||
```conf
|
||||
# /etc/bird/bird.conf
|
||||
# Device status
|
||||
protocol device {
|
||||
@ -205,7 +205,7 @@ template bgp dnpeers {
|
||||
include "/etc/bird/peers4/*";
|
||||
```
|
||||
|
||||
```
|
||||
```conf
|
||||
#/etc/bird/local4.conf
|
||||
# should be a unique identifier, <GATEWAY_IP> is what most people use.
|
||||
router id <GATEWAY_IP>;
|
||||
@ -232,7 +232,7 @@ function is_valid_network() {
|
||||
}
|
||||
```
|
||||
|
||||
```
|
||||
```conf
|
||||
# /etc/bird/peers4/<PEER_NAME>
|
||||
protocol bgp <PEER_NAME> from dnpeers {
|
||||
neighbor <PEERING_IP> as <PEER_AS>;
|
||||
@ -276,27 +276,27 @@ ROA files generated by [roa_wizard](https://git.dn42.dev/Kioubit/roa_wizard) are
|
||||
|
||||
You can add cron entries to periodically update the tables:
|
||||
|
||||
```
|
||||
```conf
|
||||
*/15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && chronic birdc6 configure
|
||||
*/15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && chronic birdc configure
|
||||
```
|
||||
|
||||
Debian version:
|
||||
|
||||
```
|
||||
```conf
|
||||
*/15 * * * * curl -sfSLR -o/var/lib/bird/bird6_roa_dn42.conf -z/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && /usr/sbin/birdc6 configure
|
||||
*/15 * * * * curl -sfSLR -o/var/lib/bird/bird_roa_dn42.conf -z/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && /usr/sbin/birdc configure
|
||||
```
|
||||
|
||||
then create the directory to make sure curls can save the files:
|
||||
|
||||
```
|
||||
```sh
|
||||
mkdir -p /var/lib/bird/
|
||||
```
|
||||
|
||||
Or use a systemd timer: (check the commands before copy-pasting)
|
||||
|
||||
```
|
||||
```conf
|
||||
# /etc/systemd/system/dn42-roa.service
|
||||
[Unit]
|
||||
Description=Update DN42 ROA
|
||||
@ -308,7 +308,7 @@ ExecStart=curl -sfSLR -o /etc/bird/roa_dn42_v6.conf -z /etc/bird/roa_dn42_v6.con
|
||||
ExecStart=birdc configure
|
||||
```
|
||||
|
||||
```
|
||||
```conf
|
||||
# /etc/systemd/system/dn42-roa.timer
|
||||
[Unit]
|
||||
Description=Update DN42 ROA periodically
|
||||
@ -328,26 +328,28 @@ then enable and start the timer with `systemctl enable --now dn42-roa.timer`.
|
||||
|
||||
* Download gortr
|
||||
|
||||
`https://github.com/cloudflare/gortr/releases`
|
||||
<https://github.com/cloudflare/gortr/releases>
|
||||
|
||||
* Run gortr.
|
||||
|
||||
```
|
||||
```sh
|
||||
./gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json
|
||||
```
|
||||
|
||||
|
||||
* Run with docker
|
||||
|
||||
`docker pull cloudflare/gortr`
|
||||
|
||||
```sh
|
||||
docker pull cloudflare/gortr
|
||||
```
|
||||
|
||||
```sh
|
||||
docker run --name dn42rpki -p 8282:8282 --restart=always -d cloudflare/gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json
|
||||
```
|
||||
|
||||
* Add this to your bird configure file,other ROA protocol must removed.
|
||||
|
||||
```
|
||||
```conf
|
||||
protocol rpki rpki_dn42{
|
||||
roa4 { table dn42_roa; };
|
||||
roa6 { table dn42_roa_v6; };
|
||||
@ -364,7 +366,7 @@ protocol rpki rpki_dn42{
|
||||
|
||||
In your import filter add the following to reject invalid routes:
|
||||
|
||||
```
|
||||
```conf
|
||||
if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
|
||||
print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
|
||||
reject;
|
||||
@ -373,7 +375,7 @@ if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
|
||||
|
||||
Also, define your ROA table with:
|
||||
|
||||
```
|
||||
```conf
|
||||
roa table dn42_roa {
|
||||
include "/var/lib/bird/bird_roa_dn42.conf";
|
||||
};
|
||||
@ -386,7 +388,7 @@ roa table dn42_roa {
|
||||
|
||||
bird can be remote controlled via the `birdc` command. Here is a list of useful bird commands:
|
||||
|
||||
```
|
||||
```sh
|
||||
$ birdc
|
||||
BIRD 1.4.5 ready.
|
||||
bird> configure # reload configuration
|
||||
|
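Review bot: The gortr examples in the `-328,26 +328,28` hunk start the RTR server with `-verify=false -checktime=false`, which disables signature and freshness checking of the downloaded ROA cache (presumably because the dn42 feed is not signed), so the only thing authenticating the ROA data is the TLS connection to dn42.burble.com, and the page never says so. The docker variant additionally publishes RTR with `-p 8282:8282`, i.e. on every interface; unless bird runs on another host, `-p 127.0.0.1:8282:8282` limits who can feed ROA data to the router. The cron and systemd fetchers have a similar trust assumption, since the downloaded file is `include`d straight into the bird configuration rather than parsed as data, so whoever controls that URL controls bird's config, not only the ROA table. I'd add one line above the gortr command: `# -verify=false disables signature checking: you are trusting TLS to dn42.burble.com for the ROA data`.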
@ -26,7 +26,7 @@ When copying the configuration below onto your system, you will have to enter th
|
||||
* The same goes for `<OWNNETv6>`, but it takes an IPv6 subnet (Who'd have thought).
|
||||
* Keep in mind that you'll have to enter both networks in the OWNNET{,v6} and OWNNETSET{,v6}, the two variables are required due to set parsing difficulties with variables.
|
||||
|
||||
```
|
||||
```conf
|
||||
################################################
|
||||
# Variable header #
|
||||
################################################
|
||||
@ -182,7 +182,7 @@ The example config above relies on ROA configuration files in `/etc/bird/roa_dn4
|
||||
|
||||
To use an RTR server for ROA information, replace this config in your bird2 configuration file:
|
||||
|
||||
```
|
||||
```conf
|
||||
protocol static {
|
||||
roa4 { table dn42_roa; };
|
||||
include "/etc/bird/roa_dn42.conf";
|
||||
@ -196,7 +196,7 @@ protocol static {
|
||||
|
||||
... with this one (by changing address and port so it points to your RTR server)
|
||||
|
||||
```
|
||||
```conf
|
||||
protocol rpki roa_dn42 {
|
||||
roa4 { table dn42_roa; };
|
||||
roa6 { table dn42_roa_v6; };
|
||||
@ -228,7 +228,7 @@ Please note: This section assumes that you've already got a tunnel to your peeri
|
||||
|
||||
First, make sure the /etc/bird/peers directory exists:
|
||||
|
||||
```
|
||||
```sh
|
||||
# mkdir -p /etc/bird/peers
|
||||
```
|
||||
|
||||
@ -246,4 +246,4 @@ protocol bgp <NEIGHBOR_NAME>_v6 from dnpeers {
|
||||
}
|
||||
```
|
||||
|
||||
Due to the special link local addresses of IPv6, an interface has to be specified using the %<if> syntax if a link local address is used (Which is recommended)
|
||||
Due to the special link local addresses of IPv6, an interface has to be specified using the `%<if>` syntax if a link local address is used (Which is recommended)
|
||||
|
@ -11,14 +11,14 @@ Running email in dn42 is not very complicated. Your SMTP daemon probably alread
|
||||
|
||||
| Handle | Alias | Redirection |
|
||||
|:------------ |:-------------- |:--------------------- |
|
||||
| `STV0G-DN42` | stv0g@dn42.org | post@steffenvogel.de` |
|
||||
| `STV0G-DN42` | stv0g@dn42.org | `post@steffenvogel.de` |
|
||||
|
||||
## Test email
|
||||
|
||||
~~Send an email to `test@evenet.dn42` to check if your mail setup is correct.~~ This host will reply using the following
|
||||
sieve filter:
|
||||
|
||||
```
|
||||
```conf
|
||||
require ["regex", "variables", "vacation-seconds"];
|
||||
if header :contains "To" ["test@evenet.dn42"] {
|
||||
if header :matches "Subject" "*" {
|
||||
@ -41,31 +41,35 @@ This is controlled by the `ignore_target_hosts` variable in the configuration fi
|
||||
### Receiving emails
|
||||
|
||||
Don't forget to add your dn42 domains to the list of local domains, so that you accept incoming emails. On Debian, it is controlled by `dc_other_hostnames` in `update-exim4.conf.conf`. For instance:
|
||||
|
||||
dc_other_hostnames='myself.org;myself.dn42;myserver.myself.dn42'
|
||||
|
||||
```conf
|
||||
dc_other_hostnames='myself.org;myself.dn42;myserver.myself.dn42'
|
||||
```
|
||||
|
||||
## Postfix
|
||||
|
||||
### Sending Mails
|
||||
If your machine sends/receives Mails in "clearnet" with specific bound IP's you need to create an additional transport in master.cf
|
||||
|
||||
out_dn42 unix - - n - - smtp
|
||||
-o smtp_bind_address=172.23.67.1
|
||||
-o smtp_bind_address6=fd70:96c9:ef25::1
|
||||
-o smtp_helo_name=ns1.mhm.dn42
|
||||
-o syslog_name=postfix-dn42
|
||||
```conf
|
||||
out_dn42 unix - - n - - smtp
|
||||
-o smtp_bind_address=172.23.67.1
|
||||
-o smtp_bind_address6=fd70:96c9:ef25::1
|
||||
-o smtp_helo_name=ns1.mhm.dn42
|
||||
-o syslog_name=postfix-dn42
|
||||
```
|
||||
|
||||
and add this transport to /etc/postfix/transport for dn42 (and dont forget to postmap)
|
||||
|
||||
.dn42 out_dn42:
|
||||
```
|
||||
.dn42 out_dn42:
|
||||
```
|
||||
|
||||
This should to the trick for sending mails via your DN42-IP
|
||||
|
||||
If you use `smtpd_recipient_restrictions` you can use the following rule to white-list dn42 as sender.
|
||||
This can circumvent certain rdns configuration failure or in case you use rbl lists:
|
||||
|
||||
```
|
||||
```conf
|
||||
smtpd_recipient_restrictions = permit_mynetworks,
|
||||
permit_sasl_authenticated,
|
||||
check_client_access cidr:/etc/postfix/dn42.cidr,
|
||||
@ -74,14 +78,14 @@ smtpd_recipient_restrictions = permit_mynetworks,
|
||||
permit
|
||||
```
|
||||
|
||||
```
|
||||
```conf
|
||||
#/etc/postfix/dn42.cidr
|
||||
172.16.0.0/12 OK
|
||||
10.0.0.0/8 OK
|
||||
fc00::/7 OK
|
||||
```
|
||||
|
||||
```
|
||||
```sh
|
||||
$ postmap /etc/postfix/dn42.cidr
|
||||
```
|
||||
|
||||
|
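Review bot: In the `smtpd_recipient_restrictions` example (hunk `-41,31 +41,35` together with the `dn42.cidr` map), `check_client_access cidr:/etc/postfix/dn42.cidr` returns `OK` for 172.16.0.0/12, 10.0.0.0/8 and fc00::/7, and `OK` in a recipient restriction short-circuits every restriction after it; if `reject_unauth_destination` sits later in the list (the middle of the list is elided in the hunk), every host in those ranges can relay mail to arbitrary destinations through this server. Since the stated intent is only to bypass rDNS and RBL rejections, `reject_unauth_destination` should be placed before the `check_client_access` line, and the page should say that the order matters. The ranges are also the whole of RFC 1918 and ULA space, which is wider than the DN42 allocations, so any private-address host that can reach the server is trusted as well. I'd add under the example: `Note: OK permits the client for everything that follows — keep reject_unauth_destination above this line or the server relays for all of these ranges.`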
@ -20,7 +20,7 @@ Ask me if you want to know if I have implemented those items already.
|
||||
|
||||
# Configuration
|
||||
|
||||
```
|
||||
```conf
|
||||
firewall {
|
||||
all-ping enable
|
||||
broadcast-ping disable
|
||||
|
@ -12,16 +12,20 @@ This configuration assumes that both peers have static public IPs.
|
||||
|
||||
You'll need to generate a public/private keypair for your router if you intend to use "plainrsa" authentication for your IPsec connections. The local public key listed in the output is what you'll send to your peer.
|
||||
|
||||
ryan@edge1:~$ generate vpn rsa-key bits 4096
|
||||
ryan@edge1:~$ show vpn ike rsa-keys
|
||||
```sh
|
||||
ryan@edge1:~$ generate vpn rsa-key bits 4096
|
||||
ryan@edge1:~$ show vpn ike rsa-keys
|
||||
|
||||
Local public key (/config/ipsec.d/rsa-keys/localhost.key):
|
||||
Local public key (/config/ipsec.d/rsa-keys/localhost.key):
|
||||
|
||||
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
|
||||
```
|
||||
|
||||
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
|
||||
If your peer sends you a key in PEM format (starts with `-----BEGIN PUBLIC KEY-----`), you'll need to convert it to the format used by EdgeOS (begins with `0s`) in order to insert it into the configuration. See [this forum post](http://community.ubnt.com/t5/EdgeMAX/ERL-lt-gt-Mikrotik-IPsec-Connections/m-p/534682#M13015) for a script to convert between the two key formats.
|
||||
|
||||
## Configuration
|
||||
|
||||
```conf
|
||||
firewall {
|
||||
all-ping enable
|
||||
broadcast-ping disable
|
||||
@ -499,3 +503,4 @@ If your peer sends you a key in PEM format (starts with `-----BEGIN PUBLIC KEY--
|
||||
interface eth0
|
||||
}
|
||||
}
|
||||
```
|
||||
|
@ -21,7 +21,7 @@ ifconfig gre$INDEX descr $DESCR
|
||||
|
||||
Add this to your `rc.conf`.
|
||||
|
||||
```
|
||||
```conf
|
||||
cloned_interfaces="$cloned_interfaces gre0"
|
||||
ifconfig_gre0="10.0.0.1 10.0.0.2 netmask 0xffffffff tunnel 1.2.3.4 5.6.7.8 descr foo"
|
||||
```
|
||||
|
@ -9,7 +9,7 @@ Let `fd42::` and `fd42::1` be the IPs of *A* and *D* respectively where both are
|
||||
|
||||
## pseudo interface
|
||||
Populate [`/etc/hostname.gre0`](https://man.openbsd.org/hostname.if.5) with:
|
||||
```
|
||||
```conf
|
||||
tunnel A.example.com D.example.net
|
||||
inet6 fd42::/127
|
||||
```
|
||||
@ -21,7 +21,7 @@ Reboot or run [`sh /etc/netstart gre0`](https://man.openbsd.org/netstart.8) to b
|
||||
|
||||
## miscellaneous
|
||||
Populate `/etc/sysctl.conf` with:
|
||||
```
|
||||
```conf
|
||||
net.inet.gre.allow=1
|
||||
```
|
||||
Reboot or run `sysctl net.inet.gre.allow=1` to allow GRE packet processing.
|
||||
|
@ -67,7 +67,7 @@ Common authentication methods are:
|
||||
- SSH Key: `auth: ssh-{rsa,ed25519} <key>`
|
||||
|
||||
Example: data/mntner/FOO-MNT
|
||||
```
|
||||
```conf
|
||||
mntner: FOO-MNT
|
||||
admin-c: FOO-DN42
|
||||
tech-c: FOO-DN42
|
||||
@ -93,7 +93,7 @@ Contact attributes are optional but DN42 is a dynamic network and being able to
|
||||
|
||||
|
||||
Example: data/person/FOO-DN42
|
||||
```
|
||||
```conf
|
||||
person: John Doe
|
||||
e-mail: john.doe@example.com
|
||||
nic-hdl: FOO-DN42
|
||||
@ -116,7 +116,7 @@ If you intend to register resources for an organisation (e.g. your hackerspace),
|
||||
- don't forget to set `mnt-by` to `<FOO>-MNT`, since you're managing this object on behalf of your organisation.
|
||||
|
||||
Example: data/organisation/ORG-EXAMPLE
|
||||
```
|
||||
```conf
|
||||
organisation: ORG-FOO
|
||||
org-name: Foo Organisation
|
||||
admin-c: FOO-DN42
|
||||
@ -153,7 +153,7 @@ Internet ASNs may be used, but you must take care to clearly separate Internet a
|
||||
If unsure, ask on the mailing list or IRC.
|
||||
|
||||
Example: data/aut-num/AS4242423999
|
||||
```
|
||||
```conf
|
||||
aut-num: AS4242423999
|
||||
as-name: AS-FOO-DN42
|
||||
admin-c: FOO-DN42
|
||||
@ -179,7 +179,7 @@ A few websites can generate random ULA prefixes for you:
|
||||
or a small script is available: [ulagen.py](https://git.dn42.dev/netravnen/dn42-repo-utils/src/master/ulagen.py)
|
||||
|
||||
example: data/inet6num/fd35:4992:6a6d::_48
|
||||
```
|
||||
```conf
|
||||
inet6num: fd35:4992:6a6d:0000:0000:0000:0000:0000 - fd35:4992:6a6d:ffff:ffff:ffff:ffff:ffff
|
||||
cidr: fd35:4992:6a6d::/48
|
||||
netname: FOO-NETWORK
|
||||
@ -223,7 +223,7 @@ If you need a /24 or larger, please ask in the IRC chan or on the mailing list a
|
||||
**Note:** Reverse DNS works with _any_ prefix length, as long as your [recursive nameserver](/services/DNS) supports [RFC 2317](https://www.ietf.org/rfc/rfc2317.txt). Don't go for a /24 _just to have RDNS_.
|
||||
|
||||
example: data/inetnum/172.20.150.0_27
|
||||
```
|
||||
```conf
|
||||
inetnum: 172.20.150.0 - 172.20.150.31
|
||||
cidr: 172.20.150.0/27
|
||||
netname: FOO-NETWORK
|
||||
@ -241,7 +241,7 @@ source: DN42
|
||||
If you plan to announce your prefixes in dn42, which you probably want in most cases, you will also need to create a `route6` object for ipv6 prefixes and a `route` object for ipv4 prefixes. This information is used for Route Origin Authorization (ROA) checks. If you skip this step, your network will probably get filtered by most major peers. Checking ROA will prevent (accidental) hijacking of other people's prefixes.
|
||||
|
||||
example: data/route6/fd35:4992:6a6d::_48
|
||||
```
|
||||
```conf
|
||||
route6: fd35:4992:6a6d::/48
|
||||
origin: AS4242423999
|
||||
max-length: 48
|
||||
@ -250,7 +250,7 @@ source: DN42
|
||||
```
|
||||
|
||||
example data/route/172.20.150.0_27:
|
||||
```
|
||||
```conf
|
||||
route: 172.20.150.0/27
|
||||
origin: AS4242423999
|
||||
max-length: 27
|
||||
@ -266,7 +266,7 @@ To register a domain name, create a `dns` object in the data/dns directory.
|
||||
Domain names and nserver attributes must be lowercase.
|
||||
|
||||
example: data/dns/foo.dn42
|
||||
```
|
||||
```conf
|
||||
domain: foo.dn42
|
||||
admin-c: FOO-DN42
|
||||
tech-c: FOO-DN42
|
||||
@ -280,13 +280,13 @@ source: DN42
|
||||
|
||||
You can also add DNSSEC delegations using `ds-rdata` attributes to your domain:
|
||||
|
||||
```
|
||||
```conf
|
||||
ds-rdata: 61857 13 2 bd35e3efe3325d2029fb652e01604a48b677cc2f44226eeabee54b456c67680c
|
||||
```
|
||||
|
||||
For reverse DNS, add `nserver` attributes to you inet{,6}num objects:
|
||||
|
||||
```
|
||||
```conf
|
||||
inet6num: fd35:4992:6a6d:0000:0000:0000:0000:0000 - fd35:4992:6a6d:ffff:ffff:ffff:ffff:ffff
|
||||
cidr: fd35:4992:6a6d::/48
|
||||
netname: FOO-NETWORK
|
||||
|
@ -10,9 +10,9 @@ These instructions are for IPsec in transport mode not IPsec in tunnel mode. IPs
|
||||
## Kernel configuration
|
||||
The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add this two lines to your kernel config and (re-)build your own kernel.
|
||||
If you're new to FreeBSD check Chapters [15.9.1](http://www.freebsd.org/doc/handbook/ipsec.html) and [9](http://www.freebsd.org/doc/handbook/kernelconfig.html) of the FreeBSD handbook.
|
||||
```
|
||||
options IPSEC #IP security
|
||||
device crypto
|
||||
```conf
|
||||
options IPSEC #IP security
|
||||
device crypto
|
||||
```
|
||||
Reboot into your new kernel.
|
||||
|
||||
@ -20,7 +20,7 @@ Reboot into your new kernel.
|
||||
|
||||
Install the racoon daemon. It's included in the [security/ipsec-tools](http://www.freshports.org/security/ipsec-tools/) port.
|
||||
Racoon is pain in the ass to configure the first time because it's error messages aren't helping and the complexity of IPsec. Don't let this stop you.
|
||||
```
|
||||
```conf
|
||||
path pre_shared_key "/usr/local/etc/racoon/psk";
|
||||
path certificate "/usr/local/etc/racoon/certs";
|
||||
log info;
|
||||
|
@ -5,37 +5,43 @@ _Note: You may already have completed this step, since it's required to enable S
|
||||
|
||||
1. Configure a hostname and domain name.
|
||||
|
||||
Router#conf t
|
||||
Router(config)#hostname foo
|
||||
foo(config)#ip domain-name bar
|
||||
```
|
||||
Router#conf t
|
||||
Router(config)#hostname foo
|
||||
foo(config)#ip domain-name bar
|
||||
```
|
||||
|
||||
2. Generate an RSA key. The maximum length was increased from 2048 to 4096 as of release 15.1(1)T
|
||||
|
||||
foo(config)#crypto key generate rsa general-keys modulus 2048
|
||||
% The key modulus size is 2048 bits
|
||||
% Generating 2048 bit RSA keys, keys will be non-exportable...
|
||||
foo(config)#exit
|
||||
```
|
||||
foo(config)#crypto key generate rsa general-keys modulus 2048
|
||||
% The key modulus size is 2048 bits
|
||||
% Generating 2048 bit RSA keys, keys will be non-exportable...
|
||||
foo(config)#exit
|
||||
```
|
||||
|
||||
### Exchange public keys with your peer
|
||||
1. Display the public key. Send the key data portion to your peer.
|
||||
|
||||
foo#show crypto key mypubkey rsa foo.bar
|
||||
% Key pair was generated at: 19:24:02 UTC Jul 19 2014
|
||||
Key name: foo.bar
|
||||
Storage Device: not specified
|
||||
Usage: General Purpose Key
|
||||
Key is not exportable.
|
||||
Key Data:
|
||||
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
|
||||
00ABF25E 090CBDFC 47B3763B 01E38993 584F1D47 49DEE0FC 6A766D95 F416C5A8
|
||||
83E16EF2 19C00BC9 64B3E351 D6F43E57 461AC689 912C22FE C4BE10EE 05750F27
|
||||
FEBB9C8C 2DFC7DD7 C0D1E8B2 7F022F54 04101205 60E47D99 2307E625 404F1130
|
||||
CBD1759B BBDBBF89 0C0F6B09 52E50A81 BFCC6AA6 96AFF612 B700AEA5 0EDFCDDB
|
||||
D3C7E014 2A59CD82 29A403CA 01EE580A CC4A3A2C C36369FE D2FA0FEF 2DC32D50
|
||||
1C55A296 3CBD6AAC 6AA66C73 FAB30A12 CFD1341D C261E013 8A7DA310 8D0E6C99
|
||||
C248D554 D0D68508 3EA53F0F 971DA7A6 203CA186 A79F9D93 0D2E54EF F7E311B2
|
||||
F7A8B486 D980661D DEB6C0B3 80A82583 4936F131 57C6D204 0AA5ED7F 7749F044
|
||||
8F020301 0001
|
||||
```
|
||||
foo#show crypto key mypubkey rsa foo.bar
|
||||
% Key pair was generated at: 19:24:02 UTC Jul 19 2014
|
||||
Key name: foo.bar
|
||||
Storage Device: not specified
|
||||
Usage: General Purpose Key
|
||||
Key is not exportable.
|
||||
Key Data:
|
||||
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
|
||||
00ABF25E 090CBDFC 47B3763B 01E38993 584F1D47 49DEE0FC 6A766D95 F416C5A8
|
||||
83E16EF2 19C00BC9 64B3E351 D6F43E57 461AC689 912C22FE C4BE10EE 05750F27
|
||||
FEBB9C8C 2DFC7DD7 C0D1E8B2 7F022F54 04101205 60E47D99 2307E625 404F1130
|
||||
CBD1759B BBDBBF89 0C0F6B09 52E50A81 BFCC6AA6 96AFF612 B700AEA5 0EDFCDDB
|
||||
D3C7E014 2A59CD82 29A403CA 01EE580A CC4A3A2C C36369FE D2FA0FEF 2DC32D50
|
||||
1C55A296 3CBD6AAC 6AA66C73 FAB30A12 CFD1341D C261E013 8A7DA310 8D0E6C99
|
||||
C248D554 D0D68508 3EA53F0F 971DA7A6 203CA186 A79F9D93 0D2E54EF F7E311B2
|
||||
F7A8B486 D980661D DEB6C0B3 80A82583 4936F131 57C6D204 0AA5ED7F 7749F044
|
||||
8F020301 0001
|
||||
```
|
||||
|
||||
2. Convert your peer's public key to the hexadecimal DER format using the [pubkey-converter][pubkey-converter] script, if necessary.
|
||||
|
||||
@ -56,76 +62,83 @@ In this example, we'll use the following settings:
|
||||
|
||||
1. Add your peer's public key
|
||||
|
||||
foo#conf t
|
||||
Enter configuration commands, one per line. End with CNTL/Z.
|
||||
foo(config)#crypto key pubkey-chain rsa
|
||||
foo(config-pubkey-chain)#addressed-key 192.0.2.2
|
||||
foo(config-pubkey-key)#key-string
|
||||
Enter a public key as a hexidecimal number ....
|
||||
```
|
||||
foo#conf t
|
||||
Enter configuration commands, one per line. End with CNTL/Z.
|
||||
foo(config)#crypto key pubkey-chain rsa
|
||||
foo(config-pubkey-chain)#addressed-key 192.0.2.2
|
||||
foo(config-pubkey-key)#key-string
|
||||
Enter a public key as a hexidecimal number ....
|
||||
|
||||
foo(config-pubkey)#30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
|
||||
foo(config-pubkey)#00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0
|
||||
foo(config-pubkey)#33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7
|
||||
foo(config-pubkey)#FDDF7AAC DCA8C19D FF5B1956 14F63831 ACE70D0F 4C557CE7 220C7E8B 9A2C837F
|
||||
foo(config-pubkey)#065A2B41 23B68074 C57F6F78 2F222DA1 915A095C CED77FF3 F1DF849C 3FD086EA
|
||||
foo(config-pubkey)#0A74901D 99DA97D5 0CFB22E7 C6C827E6 E53BE215 8D4928D2 458B02E2 1600F1F1
|
||||
foo(config-pubkey)#F1128D63 3A55EC4B 54E6A8E1 0B197E1E 7DA31CC2 54C30A2D 03BE5B8A 16A5E324
|
||||
foo(config-pubkey)#F3B15B67 C3FB2831 7F31610A 3BD59E74 E749DC25 74424F3F 7EC305AD 0BFA5008
|
||||
foo(config-pubkey)#E36C6E00 854433B6 A0E8DBF1 7A4741DD A91A5320 1D5150FA 28F12273 56A3E9A2
|
||||
foo(config-pubkey)#D5020301 0001
|
||||
foo(config-pubkey)#quit
|
||||
foo(config-pubkey-key)#exit
|
||||
foo(config-pubkey-chain)#exit
|
||||
foo(config-pubkey)#30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
|
||||
foo(config-pubkey)#00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0
|
||||
foo(config-pubkey)#33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7
|
||||
foo(config-pubkey)#FDDF7AAC DCA8C19D FF5B1956 14F63831 ACE70D0F 4C557CE7 220C7E8B 9A2C837F
|
||||
foo(config-pubkey)#065A2B41 23B68074 C57F6F78 2F222DA1 915A095C CED77FF3 F1DF849C 3FD086EA
|
||||
foo(config-pubkey)#0A74901D 99DA97D5 0CFB22E7 C6C827E6 E53BE215 8D4928D2 458B02E2 1600F1F1
|
||||
foo(config-pubkey)#F1128D63 3A55EC4B 54E6A8E1 0B197E1E 7DA31CC2 54C30A2D 03BE5B8A 16A5E324
|
||||
foo(config-pubkey)#F3B15B67 C3FB2831 7F31610A 3BD59E74 E749DC25 74424F3F 7EC305AD 0BFA5008
|
||||
foo(config-pubkey)#E36C6E00 854433B6 A0E8DBF1 7A4741DD A91A5320 1D5150FA 28F12273 56A3E9A2
|
||||
foo(config-pubkey)#D5020301 0001
|
||||
foo(config-pubkey)#quit
|
||||
foo(config-pubkey-key)#exit
|
||||
foo(config-pubkey-chain)#exit
|
||||
```
|
||||
|
||||
2. Configure an ISAKMP policy
|
||||
|
||||
foo(config)#crypto isakmp policy 10
|
||||
foo(config-isakmp)#encryption aes
|
||||
foo(config-isakmp)#hash sha
|
||||
foo(config-isakmp)#group 5
|
||||
foo(config-isakmp)#lifetime 28800
|
||||
foo(config-isakmp)#authentication rsa-sig
|
||||
foo(config-isakmp)#exit
|
||||
```
|
||||
foo(config)#crypto isakmp policy 10
|
||||
foo(config-isakmp)#encryption aes
|
||||
foo(config-isakmp)#hash sha
|
||||
foo(config-isakmp)#group 5
|
||||
foo(config-isakmp)#lifetime 28800
|
||||
foo(config-isakmp)#authentication rsa-sig
|
||||
foo(config-isakmp)#exit
|
||||
```
|
||||
|
||||
3. All done! Configure the phase 2 parameters as you otherwise would.
|
||||
|
||||
## Full GRE/IPsec example
|
||||
crypto key pubkey-chain rsa
|
||||
addressed-key 192.0.2.2
|
||||
address 192.0.2.2
|
||||
key-string
|
||||
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
|
||||
00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0
|
||||
33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7
|
||||
FDDF7AAC DCA8C19D FF5B1956 14F63831 ACE70D0F 4C557CE7 220C7E8B 9A2C837F
|
||||
065A2B41 23B68074 C57F6F78 2F222DA1 915A095C CED77FF3 F1DF849C 3FD086EA
|
||||
0A74901D 99DA97D5 0CFB22E7 C6C827E6 E53BE215 8D4928D2 458B02E2 1600F1F1
|
||||
F1128D63 3A55EC4B 54E6A8E1 0B197E1E 7DA31CC2 54C30A2D 03BE5B8A 16A5E324
|
||||
F3B15B67 C3FB2831 7F31610A 3BD59E74 E749DC25 74424F3F 7EC305AD 0BFA5008
|
||||
E36C6E00 854433B6 A0E8DBF1 7A4741DD A91A5320 1D5150FA 28F12273 56A3E9A2
|
||||
D5020301 0001
|
||||
quit
|
||||
!
|
||||
crypto isakmp policy 10
|
||||
encr aes
|
||||
group 5
|
||||
lifetime 28800
|
||||
!
|
||||
crypto ipsec transform-set tset esp-aes esp-sha-hmac
|
||||
mode transport
|
||||
!
|
||||
crypto ipsec profile FOO
|
||||
set transform-set tset
|
||||
set pfs group5
|
||||
!
|
||||
interface Tunnel0
|
||||
ip address 10.1.2.0 255.255.255.254
|
||||
ip mtu 1400
|
||||
tunnel source 192.0.2.1
|
||||
tunnel destination 192.0.2.2
|
||||
tunnel protection ipsec profile FOO
|
||||
!
|
||||
interface FastEthernet0/0
|
||||
description WAN
|
||||
ip address 192.0.2.1 255.255.255.0
|
||||
duplex full
|
||||
|
||||
```
|
||||
crypto key pubkey-chain rsa
|
||||
addressed-key 192.0.2.2
|
||||
address 192.0.2.2
|
||||
key-string
|
||||
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
|
||||
00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0
|
||||
33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7
|
||||
FDDF7AAC DCA8C19D FF5B1956 14F63831 ACE70D0F 4C557CE7 220C7E8B 9A2C837F
|
||||
065A2B41 23B68074 C57F6F78 2F222DA1 915A095C CED77FF3 F1DF849C 3FD086EA
|
||||
0A74901D 99DA97D5 0CFB22E7 C6C827E6 E53BE215 8D4928D2 458B02E2 1600F1F1
|
||||
F1128D63 3A55EC4B 54E6A8E1 0B197E1E 7DA31CC2 54C30A2D 03BE5B8A 16A5E324
|
||||
F3B15B67 C3FB2831 7F31610A 3BD59E74 E749DC25 74424F3F 7EC305AD 0BFA5008
|
||||
E36C6E00 854433B6 A0E8DBF1 7A4741DD A91A5320 1D5150FA 28F12273 56A3E9A2
|
||||
D5020301 0001
|
||||
quit
|
||||
!
|
||||
crypto isakmp policy 10
|
||||
encr aes
|
||||
group 5
|
||||
lifetime 28800
|
||||
!
|
||||
crypto ipsec transform-set tset esp-aes esp-sha-hmac
|
||||
mode transport
|
||||
!
|
||||
crypto ipsec profile FOO
|
||||
set transform-set tset
|
||||
set pfs group5
|
||||
!
|
||||
interface Tunnel0
|
||||
ip address 10.1.2.0 255.255.255.254
|
||||
ip mtu 1400
|
||||
tunnel source 192.0.2.1
|
||||
tunnel destination 192.0.2.2
|
||||
tunnel protection ipsec profile FOO
|
||||
!
|
||||
interface FastEthernet0/0
|
||||
description WAN
|
||||
ip address 192.0.2.1 255.255.255.0
|
||||
duplex full
|
||||
```
|
||||
|
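Review bot: The ISAKMP policy in the `-56,76 +62,83` hunk uses `group 5` (1536-bit MODP) and `hash sha` (SHA-1), and the transform set uses `esp-sha-hmac`; both are below current recommendations for IKE and the page gives no hint that they are simply what the 2014 example used. Where the IOS image supports it, `group 14` (or higher), `hash sha256` and `esp-sha256-hmac` are drop-in replacements, and the full GRE/IPsec example at the end should carry the same values (it currently omits `hash` and `authentication`, apparently relying on the IOS defaults, which deserves a comment). The key-exchange step tells the reader to send the key data to the peer but never to verify the peer's key before pasting it under `addressed-key`; a one-line reminder to confirm the hex over a second channel is the check that actually authenticates the tunnel. I'd add above the policy: `! group 5 / SHA-1 are legacy values; prefer group 14+ and sha256 where the image supports them`.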
@ -21,17 +21,17 @@ Change the direction on 5.6.7.8.
|
||||
|
||||
## Load the IPsec security policy into the IPsec security policy database
|
||||
Load the policy with the setkey command.
|
||||
```
|
||||
```sh
|
||||
setkey -f /etc/ipsec-tools.conf
|
||||
```
|
||||
Afterward check the policy database with:
|
||||
```
|
||||
```sh
|
||||
setkey -DP
|
||||
```
|
||||
|
||||
## Configure the racoon daemon
|
||||
An example /etc/racoon/racoon.conf.
|
||||
```
|
||||
```conf
|
||||
path pre_shared_key "/etc/racoon/psk.txt";
|
||||
path certificate "/etc/racoon/certs";
|
||||
log info;
|
||||
|
@ -34,32 +34,40 @@ Next, add the right flow parameters to [`/etc/ipsec.conf`](http://man.openbsd.or
|
||||
|
||||
The configuration file should look like this:
|
||||
|
||||
mymachine = "3.4.5.6"
|
||||
mypeer = "1.3.3.7"
|
||||
ike esp transport proto gre from $mymachine to $mypeer \
|
||||
main auth hmac-sha1 enc aes-128 group modp1536 lifetime 28800 \
|
||||
quick auth hmac-sha1 enc aes-128 group modp1536 lifetime 3600
|
||||
```conf
|
||||
mymachine = "3.4.5.6"
|
||||
mypeer = "1.3.3.7"
|
||||
ike esp transport proto gre from $mymachine to $mypeer \
|
||||
main auth hmac-sha1 enc aes-128 group modp1536 lifetime 28800 \
|
||||
quick auth hmac-sha1 enc aes-128 group modp1536 lifetime 3600
|
||||
```
|
||||
|
||||
Load the configuration file into isakmpd: `ipsecctl -f /etc/ipsec.conf`. Once the connection is established, the IPSec flows can be listed with `ipsecctl -sa`:
|
||||
|
||||
# ipsecctl -sa
|
||||
FLOWS:
|
||||
flow esp in proto gre from 1.3.3.7 to 3.4.5.6 peer 1.3.3.7 srcid 3.4.5.6/32 dstid 1.3.3.7/32 type use
|
||||
flow esp out proto gre from 3.4.5.6 to 1.3.3.7 peer 1.3.3.7 srcid 3.4.5.6/32 dstid 1.3.3.7/32 type require
|
||||
```
|
||||
# ipsecctl -sa
|
||||
FLOWS:
|
||||
flow esp in proto gre from 1.3.3.7 to 3.4.5.6 peer 1.3.3.7 srcid 3.4.5.6/32 dstid 1.3.3.7/32 type use
|
||||
flow esp out proto gre from 3.4.5.6 to 1.3.3.7 peer 1.3.3.7 srcid 3.4.5.6/32 dstid 1.3.3.7/32 type require
|
||||
|
||||
SAD:
|
||||
esp transport from 1.3.3.7 to 3.4.5.6 spi 0xdeadbeef auth hmac-sha1 enc aes
|
||||
esp transport from 3.4.5.6 to 1.3.3.7 spi 0xf00df00d auth hmac-sha1 enc aes
|
||||
SAD:
|
||||
esp transport from 1.3.3.7 to 3.4.5.6 spi 0xdeadbeef auth hmac-sha1 enc aes
|
||||
esp transport from 3.4.5.6 to 1.3.3.7 spi 0xf00df00d auth hmac-sha1 enc aes
|
||||
```
|
||||
|
||||
# GRE Setup
|
||||
Next, we will set up the GRE device. The [gre(4)](http://man.openbsd.org/gre.4) device encapsulates IPv4 and IPv6 traffic, which allows you to speak both address families over one tunnel if you only have native connectivity for one address family. The addresses configured onto the GRE device should come from a private address range that is not used anywhere in DN42, or a registered transfer net. For IPv6, you should use either ULAs or Link-Local addresses. In this example, we assume you are using 10.20.30.0/31 as the IPv4 transfer "net" (it has only two addresses, so calling it a network is a bit of an overstatement) and Link-Local addresses for IPv6.
|
||||
|
||||
# ifconfig gre0 tunnel 3.4.5.6 1.3.3.7
|
||||
# ifconfig gre0 inet 10.20.30.0 10.20.30.1 # reverse these on your peer's side
|
||||
# ifconfig gre0 inet6 eui64
|
||||
```sh
|
||||
# ifconfig gre0 tunnel 3.4.5.6 1.3.3.7
|
||||
# ifconfig gre0 inet 10.20.30.0 10.20.30.1 # reverse these on your peer's side
|
||||
# ifconfig gre0 inet6 eui64
|
||||
```
|
||||
|
||||
These settings should also be added to [`/etc/hostname.gre0`](http://man.openbsd.org/hostname.if.5), .i.e.
|
||||
|
||||
tunnel 3.4.5.6 1.3.3.7
|
||||
inet 10.20.30.0 10.20.30.1
|
||||
inet6 eui64
|
||||
```conf
|
||||
tunnel 3.4.5.6 1.3.3.7
|
||||
inet 10.20.30.0 10.20.30.1
|
||||
inet6 eui64
|
||||
```
|
||||
|
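Review bot: The ipsec.conf example in the `-34,32 +34,40` hunk pins `auth hmac-sha1 enc aes-128 group modp1536` for both main and quick mode; SHA-1 HMAC and a 1536-bit group are legacy choices and, as far as I can tell, weaker than what isakmpd picks when the keywords are omitted (see ipsec.conf(5)), so the explicit parameters make the example worse than the default. Either drop the `auth`/`enc`/`group` keywords and take the defaults, or use `auth hmac-sha2-256 enc aes-128 group modp2048` (or larger) so readers do not copy the old parameters. Whichever is chosen, both peers have to agree, which the page should state next to the config. I'd add a line above the block: `# sha1/modp1536 are legacy; prefer hmac-sha2-256 and modp2048 or higher (both peers must match)`.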
@ -17,7 +17,7 @@ I'd probably go with 4096 bits.
|
||||
|
||||
|
||||
in your racoon.conf:
|
||||
```
|
||||
```conf
|
||||
path certificate "/etc/racoon/keys";
|
||||
|
||||
listen {
|
||||
@ -38,6 +38,6 @@ remote 192.168.255.2 {
|
||||
}
|
||||
```
|
||||
|
||||
## Se also
|
||||
## See also
|
||||
|
||||
[Debian specific configuration](/howto/IPsecWithPublicKeys/GRE-plus-IPsec-Debian)
|
||||
|
@ -2,34 +2,40 @@
|
||||
## Setup
|
||||
### Generate an RSA keypair
|
||||
|
||||
[admin@mtk1] > /ip ipsec key
|
||||
[admin@mtk1] /ip ipsec key> generate-key mykey key-size=4096
|
||||
For key bigger than 1024bit this may take a while..
|
||||
[admin@mtk1] /ip ipsec key> print
|
||||
Flags: P - private-key, R - rsa
|
||||
# NAME KEY-SIZE
|
||||
0 PR mykey 4096-bit
|
||||
```
|
||||
[admin@mtk1] > /ip ipsec key
|
||||
[admin@mtk1] /ip ipsec key> generate-key mykey key-size=4096
|
||||
For key bigger than 1024bit this may take a while..
|
||||
[admin@mtk1] /ip ipsec key> print
|
||||
Flags: P - private-key, R - rsa
|
||||
# NAME KEY-SIZE
|
||||
0 PR mykey 4096-bit
|
||||
```
|
||||
|
||||
## Exchange public keys with your peer
|
||||
1. Export the public key to a file.
|
||||
|
||||
[admin@mtk1] /ip ipsec key> export-pub-key mykey file-name=mykey.pub
|
||||
```
|
||||
[admin@mtk1] /ip ipsec key> export-pub-key mykey file-name=mykey.pub
|
||||
|
||||
[admin@mtk1] /ip ipsec key> /file print where name=mykey.pub
|
||||
# NAME TYPE SIZE CREATION-TIME
|
||||
2 mykey.pub ssh key 451 jul/20/2014 12:35:33
|
||||
[admin@mtk1] /ip ipsec key> /file print where name=mykey.pub
|
||||
# NAME TYPE SIZE CREATION-TIME
|
||||
2 mykey.pub ssh key 451 jul/20/2014 12:35:33
|
||||
```
|
||||
|
||||
2. Copy the file to your workstation and send it to your peer. The contents of the file should look like this:
|
||||
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv4RHohMZP4F5qTJKqoSL
|
||||
TqefoZZRt1RVI5dOocjV1pJZnqcXMtHfQ/5+O+igUCAX+yBv0hie+U32FWcy5cQO
|
||||
+xaohZW1zFzvlRWVqOpTwdk/993Zmy070T1FzK4kFShsNtxYrtYNheCnakgfXgMg
|
||||
23w/35zcof64/ewzF6RuqkTzmccIFCWDuv2IobXTOYAk7G3PGN4xWscvFIroIy5s
|
||||
4E8oOmKWVoFErQA6XetJzI+X+knzI3J/6/Pff4Tz7TLxu1m2I0InFaBv1G0+BXnh
|
||||
QOvIM7fvs5s0YWaUdT+vz8F0SHtb6Q/IdWc4JJPH/Q2t4HKTkk7FUnvvub2GxVbs
|
||||
8QIDAQAB
|
||||
-----END PUBLIC KEY-----
|
||||
```
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv4RHohMZP4F5qTJKqoSL
|
||||
TqefoZZRt1RVI5dOocjV1pJZnqcXMtHfQ/5+O+igUCAX+yBv0hie+U32FWcy5cQO
|
||||
+xaohZW1zFzvlRWVqOpTwdk/993Zmy070T1FzK4kFShsNtxYrtYNheCnakgfXgMg
|
||||
23w/35zcof64/ewzF6RuqkTzmccIFCWDuv2IobXTOYAk7G3PGN4xWscvFIroIy5s
|
||||
4E8oOmKWVoFErQA6XetJzI+X+knzI3J/6/Pff4Tz7TLxu1m2I0InFaBv1G0+BXnh
|
||||
QOvIM7fvs5s0YWaUdT+vz8F0SHtb6Q/IdWc4JJPH/Q2t4HKTkk7FUnvvub2GxVbs
|
||||
8QIDAQAB
|
||||
-----END PUBLIC KEY-----
|
||||
```
|
||||
|
||||
3. Convert your peer's public key to the PEM format using the [pubkey-converter][pubkey-converter] script, if necessary.
|
||||
|
||||
@ -50,43 +56,49 @@ In this example, we'll use the following settings:
|
||||
|
||||
1. Copy your peer's PEM-encoded public key to the router and import it. (Hit enter when it asks for a passphrase)
|
||||
|
||||
[admin@mtk1] /ip ipsec key> import peer-key.pub name=peer-key
|
||||
passphrase:
|
||||
```
|
||||
[admin@mtk1] /ip ipsec key> import peer-key.pub name=peer-key
|
||||
passphrase:
|
||||
|
||||
[admin@mtk1] /ip ipsec key> print
|
||||
Flags: P - private-key, R - rsa
|
||||
# NAME KEY-SIZE
|
||||
0 PR mykey 4096-bit
|
||||
1 R peer-key 4096-bit
|
||||
[admin@mtk1] /ip ipsec key> print
|
||||
Flags: P - private-key, R - rsa
|
||||
# NAME KEY-SIZE
|
||||
0 PR mykey 4096-bit
|
||||
1 R peer-key 4096-bit
|
||||
```
|
||||
|
||||
2. Configure your peer definition to use the public key
|
||||
|
||||
[admin@mtk1] /ip ipsec peer> add address=192.0.2.2 local-address=192.0.2.1 enc-algorithm=aes-128 hash-algorithm=sha1 dh-group=modp1536 lifetime=28800 key=mykey remote-key=peer-key auth-method=rsa-key
|
||||
[admin@mtk1] /ip ipsec peer> print
|
||||
Flags: X - disabled
|
||||
0 address=192.0.2.2/32 local-address=192.0.2.1 passive=no port=500
|
||||
auth-method=rsa-key key=mykey remote-key=peer-key generate-policy=no
|
||||
exchange-mode=main send-initial-contact=yes nat-traversal=no
|
||||
proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128
|
||||
dh-group=modp1536 lifetime=8h lifebytes=0 dpd-interval=2m
|
||||
dpd-maximum-failures=5
|
||||
```
|
||||
[admin@mtk1] /ip ipsec peer> add address=192.0.2.2 local-address=192.0.2.1 enc-algorithm=aes-128 hash-algorithm=sha1 dh-group=modp1536 lifetime=28800 key=mykey remote-key=peer-key auth-method=rsa-key
|
||||
[admin@mtk1] /ip ipsec peer> print
|
||||
Flags: X - disabled
|
||||
0 address=192.0.2.2/32 local-address=192.0.2.1 passive=no port=500
|
||||
auth-method=rsa-key key=mykey remote-key=peer-key generate-policy=no
|
||||
exchange-mode=main send-initial-contact=yes nat-traversal=no
|
||||
proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128
|
||||
dh-group=modp1536 lifetime=8h lifebytes=0 dpd-interval=2m
|
||||
dpd-maximum-failures=5
|
||||
```
|
||||
|
||||
3. All done! Configure the phase 2 parameters as you otherwise would.
|
||||
|
||||
## Full GRE/IPsec example
|
||||
# jul/20/2014 13:00:04 by RouterOS 6.15
|
||||
# software id = HBCA-0B2J
|
||||
#
|
||||
/interface gre
|
||||
add dscp=inherit local-address=192.0.2.1 mtu=1400 name=gre-tunnel1 \
|
||||
remote-address=192.0.2.2
|
||||
/ip address
|
||||
add address=10.1.2.0/31 interface=gre-tunnel1 network=10.1.2.0
|
||||
/ip ipsec proposal
|
||||
set [ find default=yes ] lifetime=1h pfs-group=modp1536
|
||||
/ip ipsec peer
|
||||
add address=192.0.2.2/32 auth-method=rsa-key dh-group=modp1536 key=mykey \
|
||||
lifetime=8h local-address=192.0.2.1 remote-key=peer-key
|
||||
/ip ipsec policy
|
||||
add dst-address=192.0.2.2/32 protocol=gre sa-dst-address=192.0.2.2 \
|
||||
sa-src-address=192.0.2.1 src-address=192.0.2.1/32
|
||||
```
|
||||
# jul/20/2014 13:00:04 by RouterOS 6.15
|
||||
# software id = HBCA-0B2J
|
||||
#
|
||||
/interface gre
|
||||
add dscp=inherit local-address=192.0.2.1 mtu=1400 name=gre-tunnel1 \
|
||||
remote-address=192.0.2.2
|
||||
/ip address
|
||||
add address=10.1.2.0/31 interface=gre-tunnel1 network=10.1.2.0
|
||||
/ip ipsec proposal
|
||||
set [ find default=yes ] lifetime=1h pfs-group=modp1536
|
||||
/ip ipsec peer
|
||||
add address=192.0.2.2/32 auth-method=rsa-key dh-group=modp1536 key=mykey \
|
||||
lifetime=8h local-address=192.0.2.1 remote-key=peer-key
|
||||
/ip ipsec policy
|
||||
add dst-address=192.0.2.2/32 protocol=gre sa-dst-address=192.0.2.2 \
|
||||
sa-src-address=192.0.2.1 src-address=192.0.2.1/32
|
||||
```
|
||||
|
@ -2,22 +2,26 @@
|
||||
## Setup
|
||||
### Generate an RSA keypair
|
||||
|
||||
ubnt@ubnt:~$ generate vpn rsa-key bits 4096 random /dev/urandom
|
||||
Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
|
||||
```sh
|
||||
ubnt@ubnt:~$ generate vpn rsa-key bits 4096 random /dev/urandom
|
||||
Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
|
||||
|
||||
Your new local RSA key has been generated
|
||||
The public portion of the key is:
|
||||
Your new local RSA key has been generated
|
||||
The public portion of the key is:
|
||||
|
||||
0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw==
|
||||
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
|
||||
```
|
||||
|
||||
### Exchange public keys with your peer
|
||||
1. Display the public key. Send the key data portion to your peer.
|
||||
|
||||
ubnt@ubnt:~$ show vpn ike rsa-keys
|
||||
```sh
|
||||
ubnt@ubnt:~$ show vpn ike rsa-keys
|
||||
|
||||
Local public key (/config/ipsec.d/rsa-keys/localhost.key):
|
||||
Local public key (/config/ipsec.d/rsa-keys/localhost.key):
|
||||
|
||||
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
|
||||
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
|
||||
```
|
||||
|
||||
2. Convert your peer's public key to the Base64 RFC 3110 format using the [pubkey-converter][pubkey-converter] script, if necessary.
|
||||
|
||||
@ -38,98 +42,107 @@ In this example, we'll use the following settings:
|
||||
|
||||
1. Add your peer's public key
|
||||
|
||||
vyos@vyos:~$ configure
|
||||
[edit]
|
||||
vyos@vyos# set vpn rsa-keys rsa-key-name my-peer rsa-key 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
|
||||
```sh
|
||||
vyos@vyos:~$ configure
|
||||
[edit]
|
||||
vyos@vyos# set vpn rsa-keys rsa-key-name my-peer rsa-key 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
|
||||
```
|
||||
|
||||
2. Configure an ISAKMP policy
|
||||
|
||||
[edit]
|
||||
vyos@vyos# edit vpn ipsec ike-group FOO
|
||||
[edit vpn ipsec ike-group FOO]
|
||||
vyos@vyos# set lifetime 28800
|
||||
[edit vpn ipsec ike-group FOO]
|
||||
vyos@vyos# set proposal 1 encryption aes128
|
||||
[edit vpn ipsec ike-group FOO]
|
||||
vyos@vyos# set proposal 1 hash sha1
|
||||
[edit vpn ipsec ike-group FOO]
|
||||
vyos@vyos# set proposal 1 dh-group 5
|
||||
[edit vpn ipsec ike-group FOO]
|
||||
vyos@vyos# commit
|
||||
```sh
|
||||
[edit]
|
||||
vyos@vyos# edit vpn ipsec ike-group FOO
|
||||
[edit vpn ipsec ike-group FOO]
|
||||
vyos@vyos# set lifetime 28800
|
||||
[edit vpn ipsec ike-group FOO]
|
||||
vyos@vyos# set proposal 1 encryption aes128
|
||||
[edit vpn ipsec ike-group FOO]
|
||||
vyos@vyos# set proposal 1 hash sha1
|
||||
[edit vpn ipsec ike-group FOO]
|
||||
vyos@vyos# set proposal 1 dh-group 5
|
||||
[edit vpn ipsec ike-group FOO]
|
||||
vyos@vyos# commit
|
||||
```
|
||||
|
||||
3. Set your peer definition to use the public key
|
||||
|
||||
[edit vpn ipsec ike-group FOO]
|
||||
vyos@vyos# up
|
||||
[edit vpn ipsec]
|
||||
vyos@vyos# edit site-to-site peer 192.0.2.2
|
||||
[edit vpn ipsec site-to-site peer 192.0.2.2]
|
||||
vyos@vyos# set authentication mode rsa
|
||||
[edit vpn ipsec site-to-site peer 192.0.2.2]
|
||||
vyos@vyos# set authentication rsa-key-name my-peer
|
||||
```sh
|
||||
[edit vpn ipsec ike-group FOO]
|
||||
vyos@vyos# up
|
||||
[edit vpn ipsec]
|
||||
vyos@vyos# edit site-to-site peer 192.0.2.2
|
||||
[edit vpn ipsec site-to-site peer 192.0.2.2]
|
||||
vyos@vyos# set authentication mode rsa
|
||||
[edit vpn ipsec site-to-site peer 192.0.2.2]
|
||||
vyos@vyos# set authentication rsa-key-name my-peer
|
||||
```
|
||||
|
||||
4. All done! Configure the phase 2 parameters as you otherwise would.
|
||||
|
||||
## Full GRE/IPsec example
|
||||
interfaces {
|
||||
ethernet eth0 {
|
||||
address 192.0.2.1/30
|
||||
description WAN
|
||||
duplex auto
|
||||
speed auto
|
||||
}
|
||||
tunnel tun0 {
|
||||
address 10.1.2.0/31
|
||||
encapsulation gre
|
||||
local-ip 192.0.2.1
|
||||
mtu 1400
|
||||
multicast disable
|
||||
remote-ip 192.0.2.2
|
||||
ttl 255
|
||||
}
|
||||
|
||||
```conf
|
||||
interfaces {
|
||||
ethernet eth0 {
|
||||
address 192.0.2.1/30
|
||||
description WAN
|
||||
duplex auto
|
||||
speed auto
|
||||
}
|
||||
vpn {
|
||||
ipsec {
|
||||
esp-group BAR {
|
||||
compression disable
|
||||
lifetime 3600
|
||||
mode transport
|
||||
pfs dh-group5
|
||||
proposal 1 {
|
||||
encryption aes128
|
||||
hash sha1
|
||||
}
|
||||
}
|
||||
ike-group FOO {
|
||||
lifetime 28800
|
||||
proposal 1 {
|
||||
dh-group 5
|
||||
encryption aes128
|
||||
hash sha1
|
||||
}
|
||||
}
|
||||
ipsec-interfaces {
|
||||
interface eth0
|
||||
}
|
||||
site-to-site {
|
||||
peer 192.0.2.2 {
|
||||
authentication {
|
||||
mode rsa
|
||||
rsa-key-name my-peer
|
||||
}
|
||||
connection-type initiate
|
||||
default-esp-group BAR
|
||||
ike-group FOO
|
||||
local-ip 192.0.2.1
|
||||
tunnel 0 {
|
||||
protocol gre
|
||||
}
|
||||
}
|
||||
tunnel tun0 {
|
||||
address 10.1.2.0/31
|
||||
encapsulation gre
|
||||
local-ip 192.0.2.1
|
||||
mtu 1400
|
||||
multicast disable
|
||||
remote-ip 192.0.2.2
|
||||
ttl 255
|
||||
}
|
||||
}
|
||||
vpn {
|
||||
ipsec {
|
||||
esp-group BAR {
|
||||
compression disable
|
||||
lifetime 3600
|
||||
mode transport
|
||||
pfs dh-group5
|
||||
proposal 1 {
|
||||
encryption aes128
|
||||
hash sha1
|
||||
}
|
||||
}
|
||||
rsa-keys {
|
||||
rsa-key-name my-peer {
|
||||
rsa-key 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
|
||||
ike-group FOO {
|
||||
lifetime 28800
|
||||
proposal 1 {
|
||||
dh-group 5
|
||||
encryption aes128
|
||||
hash sha1
|
||||
}
|
||||
}
|
||||
ipsec-interfaces {
|
||||
interface eth0
|
||||
}
|
||||
site-to-site {
|
||||
peer 192.0.2.2 {
|
||||
authentication {
|
||||
mode rsa
|
||||
rsa-key-name my-peer
|
||||
}
|
||||
connection-type initiate
|
||||
default-esp-group BAR
|
||||
ike-group FOO
|
||||
local-ip 192.0.2.1
|
||||
tunnel 0 {
|
||||
protocol gre
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
rsa-keys {
|
||||
rsa-key-name my-peer {
|
||||
rsa-key 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
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
@ -2,29 +2,33 @@
|
||||
## Setup
|
||||
### Generate an RSA keypair
|
||||
|
||||
root@debian:~# mkdir /etc/ipsec.d/public
|
||||
root@debian:~# ipsec pki --gen --type rsa --outform pem --size 4096 > /etc/ipsec.d/private/mykey.pem
|
||||
root@debian:~# ipsec pki --pub --in /etc/ipsec.d/private/mykey.pem --outform pem > /etc/ipsec.d/public/mykey.pub
|
||||
root@debian:~# echo ": RSA mykey.pem" >> /etc/ipsec.secrets
|
||||
```sh
|
||||
root@debian:~# mkdir /etc/ipsec.d/public
|
||||
root@debian:~# ipsec pki --gen --type rsa --outform pem --size 4096 > /etc/ipsec.d/private/mykey.pem
|
||||
root@debian:~# ipsec pki --pub --in /etc/ipsec.d/private/mykey.pem --outform pem > /etc/ipsec.d/public/mykey.pub
|
||||
root@debian:~# echo ": RSA mykey.pem" >> /etc/ipsec.secrets
|
||||
```
|
||||
|
||||
### Exchange public keys with your peer
|
||||
1. Display the public key. Send the key data to your peer.
|
||||
|
||||
root@debian:~# more /etc/ipsec.d/public/mykey.pub
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2/FWIJuVUtfsLovavNp+
|
||||
nPSsT2mQoNK3ZUUwuEKfBjT7mhijdXRHh1SAtIaU2aen5+d5q6e27vMCCYOQLagn
|
||||
9CkKatBq54zGNvDSzQEpz0mIsaBx9xjvhsgqAmKCTpLtKuMz6cZbH8y8o9/ZZ8Kv
|
||||
+Jht67T8BDKXczgOg5IIaX84UpCrlSgmnSvKYKu3PXnt91bZ66HaDZJjPf9aiMNc
|
||||
fvuUqVfFWnsV2zI6HFvG/uwkqLalsnPaAwVeIWl2Ovy2Jzdj0GRLSYx87eneSBo+
|
||||
7tjlURQTudAj1+53SFOkBcCPSnzPYpIC3hBfZ8Zw8r/25moW3xf8TlLLJqgAh50Y
|
||||
tVyvyVSv1MKYBdjZcFsEXUceC5LI9JZryB/Serq0R+4//ZiR3LEtetVKNvco9bcI
|
||||
JHXr88HM2XeYRfRPAB6wembIEMKYdwIhwYAPPAtL+lDHtZBiBAIAp0y0FhaozSzl
|
||||
MSry8tbJR2fD/i8/yXr5isVfjJZdw8WK0LAd8a8zvmNIFKgiKWjoDgIycM5HrRD+
|
||||
rY0Br9xONkNdgB7Lz/wPEyUsiIiZpawM/S4taX7ExK4Wi3pdxkOHLn2ZyaWKsdhX
|
||||
PpCkdMfSOJ0SqCUcVze+xD8GlInUQsPgbDGvxT73jT6Ie+wSA94Cgs3mq7FS6cNo
|
||||
ZAASv7cT9DG+xfQmjrJC9SUCAwEAAQ==
|
||||
-----END PUBLIC KEY-----
|
||||
```sh
|
||||
root@debian:~# more /etc/ipsec.d/public/mykey.pub
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2/FWIJuVUtfsLovavNp+
|
||||
nPSsT2mQoNK3ZUUwuEKfBjT7mhijdXRHh1SAtIaU2aen5+d5q6e27vMCCYOQLagn
|
||||
9CkKatBq54zGNvDSzQEpz0mIsaBx9xjvhsgqAmKCTpLtKuMz6cZbH8y8o9/ZZ8Kv
|
||||
+Jht67T8BDKXczgOg5IIaX84UpCrlSgmnSvKYKu3PXnt91bZ66HaDZJjPf9aiMNc
|
||||
fvuUqVfFWnsV2zI6HFvG/uwkqLalsnPaAwVeIWl2Ovy2Jzdj0GRLSYx87eneSBo+
|
||||
7tjlURQTudAj1+53SFOkBcCPSnzPYpIC3hBfZ8Zw8r/25moW3xf8TlLLJqgAh50Y
|
||||
tVyvyVSv1MKYBdjZcFsEXUceC5LI9JZryB/Serq0R+4//ZiR3LEtetVKNvco9bcI
|
||||
JHXr88HM2XeYRfRPAB6wembIEMKYdwIhwYAPPAtL+lDHtZBiBAIAp0y0FhaozSzl
|
||||
MSry8tbJR2fD/i8/yXr5isVfjJZdw8WK0LAd8a8zvmNIFKgiKWjoDgIycM5HrRD+
|
||||
rY0Br9xONkNdgB7Lz/wPEyUsiIiZpawM/S4taX7ExK4Wi3pdxkOHLn2ZyaWKsdhX
|
||||
PpCkdMfSOJ0SqCUcVze+xD8GlInUQsPgbDGvxT73jT6Ie+wSA94Cgs3mq7FS6cNo
|
||||
ZAASv7cT9DG+xfQmjrJC9SUCAwEAAQ==
|
||||
-----END PUBLIC KEY-----
|
||||
```
|
||||
|
||||
2. Convert your peer's public key to the Base64 RFC 3110 format using the [pubkey-converter][pubkey-converter] script, if necessary.
|
||||
|
||||
@ -47,58 +51,63 @@ _Note: strongSwan < 5.0.0 will read PEM-formatted **private** keys, but requires
|
||||
|
||||
1. Configure a connection policy in ipsec.conf for your peer. The `leftrsasigkey` attribute is your host's public key in Base64 RFC 3110 format enclosed in double quotes, and `rightrsasigkey` is your peer's key.
|
||||
|
||||
root@debian:~# cat << EOF >> /etc/ipsec.conf
|
||||
conn MYPEER
|
||||
# peer IPs
|
||||
left=192.0.2.1
|
||||
right=192.0.2.2
|
||||
# phase 1 parameters
|
||||
ike=aes128-sha1-modp1536!
|
||||
ikelifetime=28800s
|
||||
# authentication
|
||||
authby=pubkey
|
||||
leftrsasigkey="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"
|
||||
rightrsasigkey="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"
|
||||
EOF
|
||||
```sh
|
||||
root@debian:~# cat << EOF >> /etc/ipsec.conf
|
||||
conn MYPEER
|
||||
# peer IPs
|
||||
left=192.0.2.1
|
||||
right=192.0.2.2
|
||||
# phase 1 parameters
|
||||
ike=aes128-sha1-modp1536!
|
||||
ikelifetime=28800s
|
||||
# authentication
|
||||
authby=pubkey
|
||||
leftrsasigkey="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"
|
||||
rightrsasigkey="0sAwEAAbkNYV9/gBIi4rOKeY75mCHxIGqvePPBlNp5LkdYGSuPwqYa3HJs7YAA1P05IhOSDjqO8yj6Wq3JfHWcCX1/o/aCBH7yB6lmxfKyJJiQwJ+WUADQ7FSklb7vJ6jWYQLJQZBVMNSJeiia3WRMFeCCy42Zj4zf0yKcz0rbn3ii31K+zqHRZyV3b1hltTsEVUfGD2T/td0tp22qqISWWLpU8xHBGlhYV0Ss5tXcV6rdh9Evd5r+Qk9Cc1VAL9+ZQd/TTKnEcK4ORbMNM+OPJ5Xp0qSA5z/ACD5ubITX/ZGSQpLDhPRnzzM+SmQzqEd61j772qWP2bPkgc/Haz8B62WoRio8Vdk8Ze12JBRFr63vq6YlkonSLJ84sxAUNXmuiJ8HemNvbs5kC4brNTj34ZwiJAFcnCvrLQmTmz5emm6JpP2r2k/hcJ40YEmc5KLZWwNiB4BIxduguGt2VBgcA2fu61NgOwymx0TfOH+tgXDMomaWr1z75OAFEA+fpUSLWxQw3mWLaCHR2/YJjHDR1rBi/GFcRdgPCAL6+0NU0H8JtljwFr42otq25esPGWIkAT1MJBbVAE11O18hnC5owhiRoB2aAKjx3XV9c+x6LBSHfkknO7oAp1DbcEmB6vg3MwVXU2uuWj7++fM8Xis1KiQSspj+B5Lx5RJlxz9qAEOBuj05"
|
||||
EOF
|
||||
```
|
||||
|
||||
2. All done! Configure the phase 2 parameters as you otherwise would.
|
||||
|
||||
## Full GRE/IPsec example
|
||||
root@debian:~# ip addr show dev gre1
|
||||
11: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN
|
||||
link/gre 192.0.2.1 peer 192.0.2.2
|
||||
inet 10.1.2.0/31 scope global gre1
|
||||
valid_lft forever preferred_lft forever
|
||||
inet6 fe80::200:5efe:6825:1c22/64 scope link
|
||||
valid_lft forever preferred_lft forever
|
||||
root@debian:~# more /etc/ipsec.conf
|
||||
# ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
```sh
|
||||
root@debian:~# ip addr show dev gre1
|
||||
11: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN
|
||||
link/gre 192.0.2.1 peer 192.0.2.2
|
||||
inet 10.1.2.0/31 scope global gre1
|
||||
valid_lft forever preferred_lft forever
|
||||
inet6 fe80::200:5efe:6825:1c22/64 scope link
|
||||
valid_lft forever preferred_lft forever
|
||||
root@debian:~# more /etc/ipsec.conf
|
||||
# ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
conn %default
|
||||
keyexchange=ikev1
|
||||
dpdaction=restart
|
||||
config setup
|
||||
|
||||
conn MYPEER
|
||||
# peer IPs
|
||||
left=192.0.2.1
|
||||
right=192.0.2.2
|
||||
# phase 1 parameters
|
||||
ike=aes128-sha1-modp1536!
|
||||
ikelifetime=28800s
|
||||
# authentication
|
||||
authby=pubkey
|
||||
leftrsasigkey="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"
|
||||
rightrsasigkey="0sAwEAAbkNYV9/gBIi4rOKeY75mCHxIGqvePPBlNp5LkdYGSuPwqYa3HJs7YAA1P05IhOSDjqO8yj6Wq3JfHWcCX1/o/aCBH7yB6lmxfKyJJiQwJ+WUADQ7FSklb7vJ6jWYQLJQZBVMNSJeiia3WRMFeCCy42Zj4zf0yKcz0rbn3ii31K+zqHRZyV3b1hltTsEVUfGD2T/td0tp22qqISWWLpU8xHBGlhYV0Ss5tXcV6rdh9Evd5r+Qk9Cc1VAL9+ZQd/TTKnEcK4ORbMNM+OPJ5Xp0qSA5z/ACD5ubITX/ZGSQpLDhPRnzzM+SmQzqEd61j772qWP2bPkgc/Haz8B62WoRio8Vdk8Ze12JBRFr63vq6YlkonSLJ84sxAUNXmuiJ8HemNvbs5kC4brNTj34ZwiJAFcnCvrLQmTmz5emm6JpP2r2k/hcJ40YEmc5KLZWwNiB4BIxduguGt2VBgcA2fu61NgOwymx0TfOH+tgXDMomaWr1z75OAFEA+fpUSLWxQw3mWLaCHR2/YJjHDR1rBi/GFcRdgPCAL6+0NU0H8JtljwFr42otq25esPGWIkAT1MJBbVAE11O18hnC5owhiRoB2aAKjx3XV9c+x6LBSHfkknO7oAp1DbcEmB6vg3MwVXU2uuWj7++fM8Xis1KiQSspj+B5Lx5RJlxz9qAEOBuj05"
|
||||
# phase 2 parameters
|
||||
esp=aes128-sha1!
|
||||
pfs=yes
|
||||
pfsgroup=modp1536
|
||||
lifetime=3600s
|
||||
type=transport
|
||||
leftprotoport=gre
|
||||
rightprotoport=gre
|
||||
# startup
|
||||
auto=route
|
||||
keyingtries=%forever
|
||||
conn %default
|
||||
keyexchange=ikev1
|
||||
dpdaction=restart
|
||||
|
||||
conn MYPEER
|
||||
# peer IPs
|
||||
left=192.0.2.1
|
||||
right=192.0.2.2
|
||||
# phase 1 parameters
|
||||
ike=aes128-sha1-modp1536!
|
||||
ikelifetime=28800s
|
||||
# authentication
|
||||
authby=pubkey
|
||||
leftrsasigkey="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"
|
||||
rightrsasigkey="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"
|
||||
# phase 2 parameters
|
||||
esp=aes128-sha1!
|
||||
pfs=yes
|
||||
pfsgroup=modp1536
|
||||
lifetime=3600s
|
||||
type=transport
|
||||
leftprotoport=gre
|
||||
rightprotoport=gre
|
||||
# startup
|
||||
auto=route
|
||||
keyingtries=%forever
|
||||
```
|
||||
|
@ -6,29 +6,33 @@ For IPsec with Public Keys you'll need the package _strongswan-plugin-pubkey_ in
|
||||
Don't forget to disable selinux :)
|
||||
### Generate an RSA keypair
|
||||
|
||||
root@debian:~# mkdir /etc/ipsec.d/public
|
||||
root@debian:~# ipsec pki --gen --type rsa --outform pem --size 4096 > /etc/ipsec.d/private/mykey.pem
|
||||
root@debian:~# ipsec pki --pub --in /etc/ipsec.d/private/mykey.pem --outform pem > /etc/ipsec.d/public/mykey.pem
|
||||
root@debian:~# echo ": RSA mykey.pem" >> /etc/ipsec.secrets
|
||||
```sh
|
||||
root@debian:~# mkdir /etc/ipsec.d/public
|
||||
root@debian:~# ipsec pki --gen --type rsa --outform pem --size 4096 > /etc/ipsec.d/private/mykey.pem
|
||||
root@debian:~# ipsec pki --pub --in /etc/ipsec.d/private/mykey.pem --outform pem > /etc/ipsec.d/public/mykey.pem
|
||||
root@debian:~# echo ": RSA mykey.pem" >> /etc/ipsec.secrets
|
||||
```
|
||||
|
||||
### Exchange public keys with your peer
|
||||
1. Display the public key. Send the key data to your peer.
|
||||
|
||||
root@debian:~# more /etc/ipsec.d/public/mykey.pem
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2/FWIJuVUtfsLovavNp+
|
||||
nPSsT2mQoNK3ZUUwuEKfBjT7mhijdXRHh1SAtIaU2aen5+d5q6e27vMCCYOQLagn
|
||||
9CkKatBq54zGNvDSzQEpz0mIsaBx9xjvhsgqAmKCTpLtKuMz6cZbH8y8o9/ZZ8Kv
|
||||
+Jht67T8BDKXczgOg5IIaX84UpCrlSgmnSvKYKu3PXnt91bZ66HaDZJjPf9aiMNc
|
||||
fvuUqVfFWnsV2zI6HFvG/uwkqLalsnPaAwVeIWl2Ovy2Jzdj0GRLSYx87eneSBo+
|
||||
7tjlURQTudAj1+53SFOkBcCPSnzPYpIC3hBfZ8Zw8r/25moW3xf8TlLLJqgAh50Y
|
||||
tVyvyVSv1MKYBdjZcFsEXUceC5LI9JZryB/Serq0R+4//ZiR3LEtetVKNvco9bcI
|
||||
JHXr88HM2XeYRfRPAB6wembIEMKYdwIhwYAPPAtL+lDHtZBiBAIAp0y0FhaozSzl
|
||||
MSry8tbJR2fD/i8/yXr5isVfjJZdw8WK0LAd8a8zvmNIFKgiKWjoDgIycM5HrRD+
|
||||
rY0Br9xONkNdgB7Lz/wPEyUsiIiZpawM/S4taX7ExK4Wi3pdxkOHLn2ZyaWKsdhX
|
||||
PpCkdMfSOJ0SqCUcVze+xD8GlInUQsPgbDGvxT73jT6Ie+wSA94Cgs3mq7FS6cNo
|
||||
ZAASv7cT9DG+xfQmjrJC9SUCAwEAAQ==
|
||||
-----END PUBLIC KEY-----
|
||||
```sh
|
||||
root@debian:~# more /etc/ipsec.d/public/mykey.pem
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2/FWIJuVUtfsLovavNp+
|
||||
nPSsT2mQoNK3ZUUwuEKfBjT7mhijdXRHh1SAtIaU2aen5+d5q6e27vMCCYOQLagn
|
||||
9CkKatBq54zGNvDSzQEpz0mIsaBx9xjvhsgqAmKCTpLtKuMz6cZbH8y8o9/ZZ8Kv
|
||||
+Jht67T8BDKXczgOg5IIaX84UpCrlSgmnSvKYKu3PXnt91bZ66HaDZJjPf9aiMNc
|
||||
fvuUqVfFWnsV2zI6HFvG/uwkqLalsnPaAwVeIWl2Ovy2Jzdj0GRLSYx87eneSBo+
|
||||
7tjlURQTudAj1+53SFOkBcCPSnzPYpIC3hBfZ8Zw8r/25moW3xf8TlLLJqgAh50Y
|
||||
tVyvyVSv1MKYBdjZcFsEXUceC5LI9JZryB/Serq0R+4//ZiR3LEtetVKNvco9bcI
|
||||
JHXr88HM2XeYRfRPAB6wembIEMKYdwIhwYAPPAtL+lDHtZBiBAIAp0y0FhaozSzl
|
||||
MSry8tbJR2fD/i8/yXr5isVfjJZdw8WK0LAd8a8zvmNIFKgiKWjoDgIycM5HrRD+
|
||||
rY0Br9xONkNdgB7Lz/wPEyUsiIiZpawM/S4taX7ExK4Wi3pdxkOHLn2ZyaWKsdhX
|
||||
PpCkdMfSOJ0SqCUcVze+xD8GlInUQsPgbDGvxT73jT6Ie+wSA94Cgs3mq7FS6cNo
|
||||
ZAASv7cT9DG+xfQmjrJC9SUCAwEAAQ==
|
||||
-----END PUBLIC KEY-----
|
||||
```
|
||||
|
||||
2. Convert your peer's public key to the PEM format using the [pubkey-converter][pubkey-converter] script, if necessary.
|
||||
|
||||
@ -49,82 +53,90 @@ In this example, we'll use the following settings:
|
||||
|
||||
1. Add your peer's public key
|
||||
|
||||
root@debian:~# cat << EOF > /etc/ipsec.d/public/peerkey.pem
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuQ1hX3+AEiLis4p5jvmY
|
||||
IfEgaq9488GU2nkuR1gZK4/CphrccmztgADU/TkiE5IOOo7zKPparcl8dZwJfX+j
|
||||
9oIEfvIHqWbF8rIkmJDAn5ZQANDsVKSVvu8nqNZhAslBkFUw1Il6KJrdZEwV4ILL
|
||||
jZmPjN/TIpzPStufeKLfUr7OodFnJXdvWGW1OwRVR8YPZP+13S2nbaqohJZYulTz
|
||||
EcEaWFhXRKzm1dxXqt2H0S93mv5CT0JzVUAv35lB39NMqcRwrg5Fsw0z448nlenS
|
||||
pIDnP8AIPm5shNf9kZJCksOE9GfPMz5KZDOoR3rWPvvapY/Zs+SBz8drPwHrZahG
|
||||
KjxV2Txl7XYkFEWvre+rpiWSidIsnzizEBQ1ea6Inwd6Y29uzmQLhus1OPfhnCIk
|
||||
AVycK+stCZObPl6abomk/avaT+FwnjRgSZzkotlbA2IHgEjF26C4a3ZUGBwDZ+7r
|
||||
U2A7DKbHRN84f62BcMyiZpavXPvk4AUQD5+lRItbFDDeZYtoIdHb9gmMcNHWsGL8
|
||||
YVxF2A8IAvr7Q1TQfwm2WPAWvjai2rbl6w8ZYiQBPUwkFtUATXU7XyGcLmjCGJGg
|
||||
HZoAqPHddX1z7HosFId+SSc7ugCnUNtwSYHq+DczBVdTa65aPv758zxeKzUqJBKy
|
||||
mP4HkvHlEmXHP2oAQ4G6PTkCAwEAAQ==
|
||||
-----END PUBLIC KEY-----
|
||||
EOF
|
||||
```sh
|
||||
root@debian:~# cat << EOF > /etc/ipsec.d/public/peerkey.pem
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuQ1hX3+AEiLis4p5jvmY
|
||||
IfEgaq9488GU2nkuR1gZK4/CphrccmztgADU/TkiE5IOOo7zKPparcl8dZwJfX+j
|
||||
9oIEfvIHqWbF8rIkmJDAn5ZQANDsVKSVvu8nqNZhAslBkFUw1Il6KJrdZEwV4ILL
|
||||
jZmPjN/TIpzPStufeKLfUr7OodFnJXdvWGW1OwRVR8YPZP+13S2nbaqohJZYulTz
|
||||
EcEaWFhXRKzm1dxXqt2H0S93mv5CT0JzVUAv35lB39NMqcRwrg5Fsw0z448nlenS
|
||||
pIDnP8AIPm5shNf9kZJCksOE9GfPMz5KZDOoR3rWPvvapY/Zs+SBz8drPwHrZahG
|
||||
KjxV2Txl7XYkFEWvre+rpiWSidIsnzizEBQ1ea6Inwd6Y29uzmQLhus1OPfhnCIk
|
||||
AVycK+stCZObPl6abomk/avaT+FwnjRgSZzkotlbA2IHgEjF26C4a3ZUGBwDZ+7r
|
||||
U2A7DKbHRN84f62BcMyiZpavXPvk4AUQD5+lRItbFDDeZYtoIdHb9gmMcNHWsGL8
|
||||
YVxF2A8IAvr7Q1TQfwm2WPAWvjai2rbl6w8ZYiQBPUwkFtUATXU7XyGcLmjCGJGg
|
||||
HZoAqPHddX1z7HosFId+SSc7ugCnUNtwSYHq+DczBVdTa65aPv758zxeKzUqJBKy
|
||||
mP4HkvHlEmXHP2oAQ4G6PTkCAwEAAQ==
|
||||
-----END PUBLIC KEY-----
|
||||
EOF
|
||||
```
|
||||
|
||||
2. Configure a connection policy in ipsec.conf for your peer
|
||||
|
||||
root@debian:~# cat << EOF >> /etc/ipsec.conf
|
||||
conn MYPEER
|
||||
# peer IPs
|
||||
left=192.0.2.1
|
||||
right=192.0.2.2
|
||||
# phase 1 parameters
|
||||
ike=aes128-sha1-modp1536!
|
||||
ikelifetime=28800s
|
||||
# authentication
|
||||
authby=pubkey
|
||||
leftrsasigkey=/etc/ipsec.d/public/mykey.pem
|
||||
rightrsasigkey=/etc/ipsec.d/public/peerkey.pem
|
||||
EOF
|
||||
```sh
|
||||
root@debian:~# cat << EOF >> /etc/ipsec.conf
|
||||
conn MYPEER
|
||||
# peer IPs
|
||||
left=192.0.2.1
|
||||
right=192.0.2.2
|
||||
# phase 1 parameters
|
||||
ike=aes128-sha1-modp1536!
|
||||
ikelifetime=28800s
|
||||
# authentication
|
||||
authby=pubkey
|
||||
leftrsasigkey=/etc/ipsec.d/public/mykey.pem
|
||||
rightrsasigkey=/etc/ipsec.d/public/peerkey.pem
|
||||
EOF
|
||||
```
|
||||
|
||||
3. All done! Configure the phase 2 parameters as you otherwise would.
|
||||
|
||||
## Full GRE/IPsec example
|
||||
root@debian:~# ip addr show dev gre1
|
||||
11: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN
|
||||
link/gre 192.0.2.1 peer 192.0.2.2
|
||||
inet 10.1.2.0/31 scope global gre1
|
||||
valid_lft forever preferred_lft forever
|
||||
inet6 fe80::200:5efe:6825:1c22/64 scope link
|
||||
valid_lft forever preferred_lft forever
|
||||
root@debian:~# more /etc/ipsec.conf
|
||||
# ipsec.conf - strongSwan IPsec configuration file
|
||||
```sh
|
||||
root@debian:~# ip addr show dev gre1
|
||||
11: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN
|
||||
link/gre 192.0.2.1 peer 192.0.2.2
|
||||
inet 10.1.2.0/31 scope global gre1
|
||||
valid_lft forever preferred_lft forever
|
||||
inet6 fe80::200:5efe:6825:1c22/64 scope link
|
||||
valid_lft forever preferred_lft forever
|
||||
root@debian:~# more /etc/ipsec.conf
|
||||
# ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
config setup
|
||||
|
||||
conn %default
|
||||
keyexchange=ikev1
|
||||
dpdaction=restart
|
||||
conn %default
|
||||
keyexchange=ikev1
|
||||
dpdaction=restart
|
||||
|
||||
conn MYPEER
|
||||
# peer IPs
|
||||
left=192.0.2.1
|
||||
right=192.0.2.2
|
||||
# phase 1 parameters
|
||||
ike=aes128-sha1-modp1536!
|
||||
ikelifetime=28800s
|
||||
# authentication
|
||||
authby=pubkey
|
||||
leftrsasigkey=/etc/ipsec.d/public/mykey.pem
|
||||
rightrsasigkey=/etc/ipsec.d/public/peerkey.pem
|
||||
# phase 2 parameters
|
||||
esp=aes128-sha1-modp1536!
|
||||
lifetime=3600s
|
||||
type=transport
|
||||
leftprotoport=gre
|
||||
rightprotoport=gre
|
||||
# startup
|
||||
auto=route
|
||||
keyingtries=%forever
|
||||
conn MYPEER
|
||||
# peer IPs
|
||||
left=192.0.2.1
|
||||
right=192.0.2.2
|
||||
# phase 1 parameters
|
||||
ike=aes128-sha1-modp1536!
|
||||
ikelifetime=28800s
|
||||
# authentication
|
||||
authby=pubkey
|
||||
leftrsasigkey=/etc/ipsec.d/public/mykey.pem
|
||||
rightrsasigkey=/etc/ipsec.d/public/peerkey.pem
|
||||
# phase 2 parameters
|
||||
esp=aes128-sha1-modp1536!
|
||||
lifetime=3600s
|
||||
type=transport
|
||||
leftprotoport=gre
|
||||
rightprotoport=gre
|
||||
# startup
|
||||
auto=route
|
||||
keyingtries=%forever
|
||||
```
|
||||
|
||||
If your peer is using a Cisco router and is behind NAT, then you might need to add the following option:
|
||||
|
||||
rightid=NATIP
|
||||
```
|
||||
rightid=NATIP
|
||||
```
|
||||
|
||||
# See also
|
||||
* [Network settings](/howto/networksettings)
|
||||
|
@ -28,7 +28,7 @@ rfc8815 deprecated pim-sm, please take a look at the new multicast page about pi
|
||||
|
||||
* Create a dummy interface to hold your calculated unicast Rendezvous Point address. This one needs to be reachable from within dn42. Also set "multicast on" on this dummy interface. Example:
|
||||
|
||||
```
|
||||
```conf
|
||||
# /etc/network/interfaces.d/pim6sd
|
||||
auto pim-router-id
|
||||
iface pim-router-id inet manual
|
||||
@ -86,7 +86,7 @@ You can now switch into this test network namespace via "ip netns exec /bin/bash
|
||||
|
||||
### Creating a test multicast listener
|
||||
|
||||
```
|
||||
```sh
|
||||
$ socat -u UDP6-RECV:1234,reuseaddr,ipv6-join-group="[ff7e:230:fdd5:69d5:c530::123]:eth0" -
|
||||
```
|
||||
|
||||
@ -94,7 +94,7 @@ $ socat -u UDP6-RECV:1234,reuseaddr,ipv6-join-group="[ff7e:230:fdd5:69d5:c530::1
|
||||
|
||||
First select which interface should be the default one for your multicast traffic. Then send multicast packets via ICMPv6:
|
||||
|
||||
```
|
||||
```sh
|
||||
$ ip -6 route add ff7e:230:fdd5:69d5:c530::/96 dev eth0 table local
|
||||
$ ping6 -t 16 ff7e:230:fdd5:69d5:c530::123
|
||||
```
|
||||
@ -145,18 +145,18 @@ However you can usually just announce and use both RFC3306 and RFC3956 based mul
|
||||
#### Bootstrap Router
|
||||
|
||||
If you want to be participate as a bootstrap router candidate, please read up on how PIM works first. If you join with a bootstrap router candidate add it here below with contact information and join #dn42-multicast on HackInt:
|
||||
* <BSR-ADDR1> - foo@example.com, foo@HackInt
|
||||
* <BSR-ADDR2> - ...
|
||||
* \<BSR-ADDR1> - foo@example.com, foo@HackInt
|
||||
* \<BSR-ADDR2> - ...
|
||||
|
||||
#### Shared multicast addresses
|
||||
|
||||
Next to personal multicast prefixes generated by network prefix (RFC3306 or RFC3956) there can also be multicast addresses not owned by a specific AS. In general any one can just set up a multicast sender or listener for those. However to work, they need a reliable RP for coordination.
|
||||
|
||||
If you want to offer an RP candidate for a shared multicast address, please read up on how PIM works first. If you join with an RP candidate for a shared multicast address add it here below with contact information and join #dn42-multicast on HackInt:
|
||||
* <multicast-address1>/128:
|
||||
- <RP-address1> - foo@example.com, foo@HackInt
|
||||
- <RP-address2> - bar@example.com, bar@HackInt
|
||||
* <multicast-address2>/128:
|
||||
* \<multicast-address1>/128:
|
||||
- \<RP-address1> - foo@example.com, foo@HackInt
|
||||
- \<RP-address2> - bar@example.com, bar@HackInt
|
||||
* \<multicast-address2>/128:
|
||||
- ...
|
||||
|
||||
## Questions?
|
||||
|
@ -65,7 +65,7 @@ Enter NPT. Address your services using a reserved private block, and map that bl
|
||||
For example, if you've been assigned a public /48 prefix, and want to be reachable on DN42 aswell, you can use only ULA addresses from DN42 internally (or your own!), then map them to outside prefixes. Note that they'll need to all use the same prefix size to maintain the one-to-one mapping, so you may have to subnet the public prefix.
|
||||
|
||||
In Linux's netfilter, this can be implemented through the use of the NETMAP target, for the example above:
|
||||
```
|
||||
```sh
|
||||
ip6tables -t nat -A POSTROUTING -d 2000::/3 -s <DN42-PREFIX>:<SUBNET>::/56 -j NETMAP --to <PUBLIC-PREFIX>:<SUBNET>::/56; # Map ULA to the public prefix for outgoing packets
|
||||
ip6tables -t nat -A PREROUTING -s 2000::/3 -d <PUBLIC-PREFIX>:<SUBNET>::/56 -j NETMAP --to <DN42-PREFIX>:<SUBNET>::/56; # Map public prefix to ULA for incoming packets
|
||||
```
|
||||
|
@ -16,7 +16,7 @@ By default, [bgpd(8)](http://man.openbsd.org/bgpd.8) listens on all local addres
|
||||
|
||||
## local host
|
||||
Information such as ASN, router ID and allocated networks are required:
|
||||
```
|
||||
```conf
|
||||
# macros
|
||||
ASN="4242421234"
|
||||
|
||||
@ -31,7 +31,7 @@ prefix-set mynetworks {
|
||||
|
||||
These can be used in subsequent filter rules.
|
||||
The local peer's announcements is then defined as follows:
|
||||
```
|
||||
```conf
|
||||
# Generate routes for the networks our ASN will originate.
|
||||
# The communities (read 'tags') are later used to match on what
|
||||
# is announced to EBGP neighbors
|
||||
@ -41,7 +41,7 @@ network prefix-set mynetworks set large-community $ASN:1:1
|
||||
## neighbors
|
||||
For each neighbor its ASN and transfer ULA is required.
|
||||
An optional description is provided such that [bgpctl(8)](http://man.openbsd.org/bgpctl.8) for example can be used with mnemonic names instead of AS numbers:
|
||||
```
|
||||
```conf
|
||||
# peer A, transport over IPSec/GRE
|
||||
$A_local="fd00:12:34:A::1"
|
||||
$A_remote="fd00:12:34:A::2"
|
||||
@ -61,7 +61,7 @@ The filter rules are evaluated in sequential order, form first to last.
|
||||
The last matching allow or deny rule decides what action is taken.
|
||||
|
||||
Start off with basic protection and sanity rules:
|
||||
```
|
||||
```conf
|
||||
# deny more-specifics of our own originated prefixes
|
||||
deny quick from ebgp prefix-set mynetworks or-longer
|
||||
|
||||
@ -72,7 +72,7 @@ deny quick from any max-as-len 8
|
||||
`quick` rules are considered the last matching rule, and evaluation of subsequent rules is skipped.
|
||||
|
||||
Allow own announcements:
|
||||
```
|
||||
```conf
|
||||
# Outbound EBGP: only allow self originated networks to ebgp peers
|
||||
# Don't leak any routes from upstream or peering sessions. This is done
|
||||
# by checking for routes that are tagged with the large-community $ASN:1:1
|
||||
@ -80,7 +80,7 @@ allow to ebgp prefix-set mynetworks large-community $ASN:1:1
|
||||
```
|
||||
|
||||
Allow all remaining UPDATES based on **O**rigin **V**alidation **S**tates:
|
||||
```
|
||||
```conf
|
||||
# enforce ROA
|
||||
allow from ebgp ovs valid
|
||||
```
|
||||
@ -89,7 +89,7 @@ Note how the `ovs` filter requires the `roa-set {...}` to be defined; see the `
|
||||
|
||||
### path attributes
|
||||
Besides `allow` and `deny` statements, filter rules can modify UPDATE messages, e.g.
|
||||
```
|
||||
```conf
|
||||
# Scrub normal and large communities relevant to our ASN from EBGP neighbors
|
||||
# https://tools.ietf.org/html/rfc7454#section-11
|
||||
match from ebgp set { large-community delete $ASN:*:* }
|
||||
@ -123,7 +123,7 @@ roa-set {
|
||||
```
|
||||
|
||||
Include it in `/etc/bgpd.conf`:
|
||||
```
|
||||
```conf
|
||||
# defines roat-set, see _rpki-client crontab
|
||||
include "/etc/dn42.roa-set"
|
||||
```
|
||||
|
@ -28,9 +28,11 @@ This is needed so that OpenWRT is aware of the new interfaces (for firewall and
|
||||
|
||||
In `/etc/config/network`, add entries for each dn42 interface:
|
||||
|
||||
config interface dn42peer1
|
||||
option ifname tun-peer1
|
||||
option proto none
|
||||
```conf
|
||||
config interface dn42peer1
|
||||
option ifname tun-peer1
|
||||
option proto none
|
||||
```
|
||||
|
||||
## Firewall
|
||||
|
||||
@ -43,28 +45,36 @@ Everything is done in `/etc/config/firewall`.
|
||||
|
||||
### Zone declaration
|
||||
|
||||
config zone
|
||||
option name dn42
|
||||
option network 'dn42peer1 dn42peer2 dn42peer3'
|
||||
option input REJECT
|
||||
option output ACCEPT
|
||||
option forward REJECT
|
||||
```conf
|
||||
config zone
|
||||
option name dn42
|
||||
option network 'dn42peer1 dn42peer2 dn42peer3'
|
||||
option input REJECT
|
||||
option output ACCEPT
|
||||
option forward REJECT
|
||||
```
|
||||
|
||||
If you need to NAT your home network into dn42, you probably just need to add:
|
||||
|
||||
option masq 1
|
||||
```conf
|
||||
option masq 1
|
||||
```
|
||||
|
||||
### dn42 ↔ LAN forwarding
|
||||
|
||||
config forwarding
|
||||
option src lan
|
||||
option dest dn42
|
||||
```conf
|
||||
config forwarding
|
||||
option src lan
|
||||
option dest dn42
|
||||
```
|
||||
|
||||
If you're confident enough, you can also forward dn42 into your LAN:
|
||||
|
||||
config forwarding
|
||||
option src dn42
|
||||
option dest lan
|
||||
```conf
|
||||
config forwarding
|
||||
option src dn42
|
||||
option dest lan
|
||||
```
|
||||
|
||||
Or you can forward only certain ports, to certain hosts, etc (standard `config rule` stuff)
|
||||
|
||||
@ -72,7 +82,9 @@ Or you can forward only certain ports, to certain hosts, etc (standard `config r
|
||||
|
||||
This is more tricky. In theory, all you have to do is to set
|
||||
|
||||
option forward ACCEPT
|
||||
```conf
|
||||
option forward ACCEPT
|
||||
```
|
||||
|
||||
in the definition of the zone. However, due to a bug in Attitude Adjustment (see <https://dev.openwrt.org/ticket/12945>), this will allow forwarding **everything everywhere**.
|
||||
|
||||
|
128
howto/Quagga.md
128
howto/Quagga.md
@ -6,16 +6,20 @@ Quagga is probably one of the oldest software router around. It still works, of
|
||||
|
||||
Use this in your `zebra.conf`:
|
||||
|
||||
route-map RM_SET_SRC permit 10
|
||||
set src 172.22.XX.XX
|
||||
ip protocol bgp route-map RM_SET_SRC
|
||||
```conf
|
||||
route-map RM_SET_SRC permit 10
|
||||
set src 172.22.XX.XX
|
||||
ip protocol bgp route-map RM_SET_SRC
|
||||
```
|
||||
|
||||
Unfortunately, this is not possible with IPv6...
|
||||
|
||||
## Important bgp commands
|
||||
To connect to bgpd use:
|
||||
|
||||
$ vtysh
|
||||
```sh
|
||||
$ vtysh
|
||||
```
|
||||
|
||||
Which provides an interactive interface.
|
||||
In this interface '?' can be used to list the available commands or subcommands.
|
||||
@ -23,82 +27,94 @@ In this interface '?' can be used to list the available commands or subcommands.
|
||||
## Configure Quagga
|
||||
a minimal config would look like this:
|
||||
|
||||
vtysh> configure terminal
|
||||
vtysh(config)> router bgp <your-asn>
|
||||
vtysh(config-router)> neighbor <neighbor-ip> remote-as <neighbor-asn>
|
||||
vtysh(config-router)> neighbor <neighbor-ip> interface <interface>
|
||||
vtysh(config-router)> exit
|
||||
vtysh(config)> exit
|
||||
```sh
|
||||
vtysh> configure terminal
|
||||
vtysh(config)> router bgp <your-asn>
|
||||
vtysh(config-router)> neighbor <neighbor-ip> remote-as <neighbor-asn>
|
||||
vtysh(config-router)> neighbor <neighbor-ip> interface <interface>
|
||||
vtysh(config-router)> exit
|
||||
vtysh(config)> exit
|
||||
```
|
||||
|
||||
### IPv6
|
||||
for IPv6 do something like
|
||||
|
||||
vtysh> configure terminal
|
||||
vtysh(config)> router bgp <your-asn>
|
||||
vtysh(config-router)> neighbor <neighbor-ip> remote-as <neighbor-asn>
|
||||
vtysh(config-router)> neighbor <neighbor-ip> interface <interface>
|
||||
vtysh(config-router)> no neighbor <neighbor-ip> activate
|
||||
vtysh(config-router)> address-family ipv6
|
||||
vtysh(config-router-af)> neighbor <neighbor-ip> activate
|
||||
vtysh(config-router-af)> exit
|
||||
vtysh(config-router)> exit
|
||||
vtysh(config)> exit
|
||||
```sh
|
||||
vtysh> configure terminal
|
||||
vtysh(config)> router bgp <your-asn>
|
||||
vtysh(config-router)> neighbor <neighbor-ip> remote-as <neighbor-asn>
|
||||
vtysh(config-router)> neighbor <neighbor-ip> interface <interface>
|
||||
vtysh(config-router)> no neighbor <neighbor-ip> activate
|
||||
vtysh(config-router)> address-family ipv6
|
||||
vtysh(config-router-af)> neighbor <neighbor-ip> activate
|
||||
vtysh(config-router-af)> exit
|
||||
vtysh(config-router)> exit
|
||||
vtysh(config)> exit
|
||||
```
|
||||
|
||||
### peer groups, prefix lists and such
|
||||
If you want to use 'prefix-list' to filter some of the prefixes quagga is receiving, you can use a 'peer-group' instead of apply the prefix list to every neighbor.
|
||||
|
||||
Define a peer group:
|
||||
|
||||
vtysh(config-router)> neighbor <peer-group-name> peer-group
|
||||
```sh
|
||||
vtysh(config-router)> neighbor <peer-group-name> peer-group
|
||||
```
|
||||
|
||||
Apply to a neighbor:
|
||||
|
||||
vtysh(config-router)> neighbor <neighbor-ip> peer-group <name>
|
||||
```sh
|
||||
vtysh(config-router)> neighbor <neighbor-ip> peer-group <name>
|
||||
```
|
||||
|
||||
Apply a prefix list for incoming prefixes to your peer group:
|
||||
|
||||
vtysh(config-router)> neighbor <peer-group-name> prefix-list <prefix-list-name> in
|
||||
```sh
|
||||
vtysh(config-router)> neighbor <peer-group-name> prefix-list <prefix-list-name> in
|
||||
```
|
||||
|
||||
#### Example filter list
|
||||
|
||||
ip prefix-list vpn-in description BGP IPv4 import filter
|
||||
!old network:
|
||||
ip prefix-list vpn-in seq 5 permit 172.22.0.0/15 ge 22 le 28
|
||||
!new dn42 allocation:
|
||||
ip prefix-list vpn-in seq 10 permit 172.20.0.0/16 ge 22 le 28
|
||||
```sh
|
||||
ip prefix-list vpn-in description BGP IPv4 import filter
|
||||
!old network:
|
||||
ip prefix-list vpn-in seq 5 permit 172.22.0.0/15 ge 22 le 28
|
||||
!new dn42 allocation:
|
||||
ip prefix-list vpn-in seq 10 permit 172.20.0.0/16 ge 22 le 28
|
||||
|
||||
! Anycast /32s for Whois and DNS:
|
||||
ip prefix-list vpn-in seq 11 permit 172.22.0.43/32
|
||||
ip prefix-list vpn-in seq 12 permit 172.22.0.53/32
|
||||
! Anycast /32s for Whois and DNS:
|
||||
ip prefix-list vpn-in seq 11 permit 172.22.0.43/32
|
||||
ip prefix-list vpn-in seq 12 permit 172.22.0.53/32
|
||||
|
||||
ip prefix-list vpn-in seq 18 permit 192.175.48.0/24
|
||||
ip prefix-list vpn-in seq 20 deny 10.10.10.0/24
|
||||
ip prefix-list vpn-in seq 21 permit 10.0.0.0/8
|
||||
ip prefix-list vpn-in seq 30 permit 172.31.0.0/16
|
||||
ip prefix-list vpn-in seq 39 permit 100.64.0.0/10
|
||||
ip prefix-list vpn-in seq 40 permit 195.160.168.0/23
|
||||
ip prefix-list vpn-in seq 41 permit 91.204.4.0/22
|
||||
ip prefix-list vpn-in seq 43 permit 193.43.220.0/23
|
||||
ip prefix-list vpn-in seq 46 permit 83.133.178.0/23
|
||||
ip prefix-list vpn-in seq 47 permit 87.106.29.254/32
|
||||
ip prefix-list vpn-in seq 50 permit 85.25.246.16/28
|
||||
ip prefix-list vpn-in seq 51 permit 46.4.248.192/27
|
||||
ip prefix-list vpn-in seq 60 permit 94.45.224.0/19
|
||||
ip prefix-list vpn-in seq 70 permit 195.191.196.0/23
|
||||
ip prefix-list vpn-in seq 80 permit 80.244.241.224/27
|
||||
ip prefix-list vpn-in seq 90 permit 46.19.90.48/28
|
||||
ip prefix-list vpn-in seq 91 permit 46.19.90.96/28
|
||||
ip prefix-list vpn-in seq 110 permit 188.40.34.241/32
|
||||
ip prefix-list vpn-in seq 130 permit 37.1.89.192/26
|
||||
ip prefix-list vpn-in seq 140 permit 178.33.32.123/32
|
||||
ip prefix-list vpn-in seq 150 permit 87.98.246.19/32
|
||||
ip prefix-list vpn-in seq 1000 deny 0.0.0.0/0
|
||||
ip prefix-list vpn-in seq 18 permit 192.175.48.0/24
|
||||
ip prefix-list vpn-in seq 20 deny 10.10.10.0/24
|
||||
ip prefix-list vpn-in seq 21 permit 10.0.0.0/8
|
||||
ip prefix-list vpn-in seq 30 permit 172.31.0.0/16
|
||||
ip prefix-list vpn-in seq 39 permit 100.64.0.0/10
|
||||
ip prefix-list vpn-in seq 40 permit 195.160.168.0/23
|
||||
ip prefix-list vpn-in seq 41 permit 91.204.4.0/22
|
||||
ip prefix-list vpn-in seq 43 permit 193.43.220.0/23
|
||||
ip prefix-list vpn-in seq 46 permit 83.133.178.0/23
|
||||
ip prefix-list vpn-in seq 47 permit 87.106.29.254/32
|
||||
ip prefix-list vpn-in seq 50 permit 85.25.246.16/28
|
||||
ip prefix-list vpn-in seq 51 permit 46.4.248.192/27
|
||||
ip prefix-list vpn-in seq 60 permit 94.45.224.0/19
|
||||
ip prefix-list vpn-in seq 70 permit 195.191.196.0/23
|
||||
ip prefix-list vpn-in seq 80 permit 80.244.241.224/27
|
||||
ip prefix-list vpn-in seq 90 permit 46.19.90.48/28
|
||||
ip prefix-list vpn-in seq 91 permit 46.19.90.96/28
|
||||
ip prefix-list vpn-in seq 110 permit 188.40.34.241/32
|
||||
ip prefix-list vpn-in seq 130 permit 37.1.89.192/26
|
||||
ip prefix-list vpn-in seq 140 permit 178.33.32.123/32
|
||||
ip prefix-list vpn-in seq 150 permit 87.98.246.19/32
|
||||
ip prefix-list vpn-in seq 1000 deny 0.0.0.0/0
|
||||
|
||||
ipv6 prefix-list vpn-in seq 10 permit fd00::/8 ge 9
|
||||
ipv6 prefix-list vpn-in seq 15 deny any
|
||||
ipv6 prefix-list vpn-in seq 10 permit fd00::/8 ge 9
|
||||
ipv6 prefix-list vpn-in seq 15 deny any
|
||||
```
|
||||
|
||||
#### Example filter list script
|
||||
```
|
||||
```sh
|
||||
#!/bin/bash
|
||||
|
||||
vtysh -c 'conf t' -c "no ip prefix-list dn42"; #drop old prefix list
|
||||
|
@ -32,11 +32,12 @@ You can find a hosted example of dn42regsrv at <https://explorer.burble.com/>
|
||||
Instructions on how to host dn42regsrv yourself can be found on the git repo of [dn42regsrv](https://git.burble.com/burble.dn42/dn42regsrv).
|
||||
|
||||
You can also run dn42regsrv via docker (then available at 127.0.0.1:8042):
|
||||
|
||||
git checkout https://git.burble.com/burble.dn42/dn42regsrv.git .
|
||||
cd contrib/docker
|
||||
./build.sh
|
||||
docker-compose up -d
|
||||
```sh
|
||||
git checkout https://git.burble.com/burble.dn42/dn42regsrv.git .
|
||||
cd contrib/docker
|
||||
./build.sh
|
||||
docker-compose up -d
|
||||
```
|
||||
|
||||
Documentation for the api endpoints can be found here: <https://git.burble.com/burble.dn42/dn42regsrv/src/master/API.md>
|
||||
|
||||
@ -48,7 +49,9 @@ burble kindly provides ready-to-use files for gortr here:
|
||||
|
||||
You can use these to simply run gortr via docker:
|
||||
|
||||
docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082
|
||||
```sh
|
||||
docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082
|
||||
```
|
||||
|
||||
### rtrtr
|
||||
|
||||
@ -56,21 +59,25 @@ rtrtr is a RTR server from NLNet Labs. It's compatible with the dn42regsrv ROA-J
|
||||
|
||||
NLNet Labs provides an official docker image. You just have to bind mount a suitable configuration file:
|
||||
|
||||
docker run -d -v /etc/rtrtr.conf:/etc/rtrtr.conf -p 323:323/tcp nlnetlabs/rtrtr -c /etc/rtrtr.conf
|
||||
```sh
|
||||
docker run -d -v /etc/rtrtr.conf:/etc/rtrtr.conf -p 323:323/tcp nlnetlabs/rtrtr -c /etc/rtrtr.conf
|
||||
```
|
||||
|
||||
This is a working configuration file for dn42. Maybe change the listen addresses:
|
||||
|
||||
log_level = "debug"
|
||||
log_target = "stderr"
|
||||
http-listen = []
|
||||
[units.dn42-json]
|
||||
type = "json"
|
||||
uri = "https://dn42.burble.com/roa/dn42_roa_46.json"
|
||||
refresh = 600
|
||||
[targets.dn42-rtr]
|
||||
type = "rtr"
|
||||
listen = ["0.0.0.0:323", "[::]:323"]
|
||||
unit = "dn42-json"
|
||||
```conf
|
||||
log_level = "debug"
|
||||
log_target = "stderr"
|
||||
http-listen = []
|
||||
[units.dn42-json]
|
||||
type = "json"
|
||||
uri = "https://dn42.burble.com/roa/dn42_roa_46.json"
|
||||
refresh = 600
|
||||
[targets.dn42-rtr]
|
||||
type = "rtr"
|
||||
listen = ["0.0.0.0:323", "[::]:323"]
|
||||
unit = "dn42-json"
|
||||
```
|
||||
|
||||
For more information cosult the official documentation: <https://rtrtr.docs.nlnetlabs.nl/en/stable/>
|
||||
|
||||
|
@ -50,7 +50,7 @@ There are three options for doing this. but you only need to do **one** of these
|
||||
### `auth` attribute format, when your public key is in gitea or a public keyserver
|
||||
|
||||
- Use the following `auth` attribute in your `mntner` object:
|
||||
```
|
||||
```conf
|
||||
auth: pgp-fingerprint <fingerprint>
|
||||
```
|
||||
Where `<fingerprint>` is your **full 40-digit** key fingerprint, without spaces.
|
||||
@ -62,7 +62,7 @@ Where `<fingerprint>` is your **full 40-digit** key fingerprint, without spaces.
|
||||
*Tip: look at the existing key-cert objects for examples of how to add your public key*
|
||||
|
||||
- In this case the `auth` attribute must refer to the new key-cert object so use the following in your `mntner` object:
|
||||
```
|
||||
```conf
|
||||
auth: PGPKEY-<short fingerprint>
|
||||
```
|
||||
Where `<short fingerprint>` is the last **8** digits from your key fingerprint.
|
||||
@ -76,7 +76,7 @@ Where `<short fingerprint>` is the last **8** digits from your key fingerprint.
|
||||
- Use `git commit -S` to commit and sign your change.
|
||||
|
||||
- If you have already committed your change without signing it, you can sign the existing commit using:
|
||||
```
|
||||
```sh
|
||||
git commit --amend --no-edit -S
|
||||
```
|
||||
If you had already pushed your change to gitea, you must also do a force push (`git push --force`) to update the remote copy.
|
||||
@ -105,17 +105,17 @@ If you cannot get the above to work you may also:
|
||||
### `auth` attribute format when using an ssh key
|
||||
|
||||
The generic format for authentication using an SSH key is as follows:
|
||||
```
|
||||
```conf
|
||||
auth: ssh-<keytype> <pubkey>
|
||||
```
|
||||
|
||||
Common examples:
|
||||
|
||||
```
|
||||
```conf
|
||||
auth: ssh-ed25519 <pubkey>
|
||||
```
|
||||
|
||||
```
|
||||
```conf
|
||||
auth: ssh-rsa <pubkey>
|
||||
```
|
||||
|
||||
@ -131,13 +131,13 @@ Brief instructions are below, however there are also more detailed guides availa
|
||||
|
||||
- Set your git signature format to be SSH
|
||||
|
||||
```
|
||||
```sh
|
||||
git config --global gpg.format ssh
|
||||
```
|
||||
|
||||
- Tell git which SSH key to use
|
||||
|
||||
```
|
||||
```sh
|
||||
git config --global user.signingKey '<ssh public key>'
|
||||
```
|
||||
|
||||
@ -167,13 +167,13 @@ The registry includes a script that uses ssh-keygen signatures to sign your chan
|
||||
|
||||
#### How to sign
|
||||
|
||||
```
|
||||
```sh
|
||||
./sign-my-commit --ssh --key <path to your SSH private key> --push <MNTNER>
|
||||
```
|
||||
|
||||
e.g.
|
||||
|
||||
```
|
||||
```sh
|
||||
./sign-my-commit --ssh --key /home/foo/.ssh/id_ed25519 --push FOO-MNT
|
||||
```
|
||||
|
||||
@ -181,7 +181,7 @@ e.g.
|
||||
|
||||
The script can also verify your signature:
|
||||
|
||||
```
|
||||
```sh
|
||||
./sign-my-commit --ssh --verify <MNTNER>
|
||||
```
|
||||
|
||||
@ -231,7 +231,7 @@ Please try and upgrade your ssh-keygen version and use the generic ssh-keygen me
|
||||
### Authentication with an SSH RSA key
|
||||
|
||||
- Use the following `auth` attribute in your `mntner` object:
|
||||
```
|
||||
```conf
|
||||
auth: ssh-rsa <pubkey>
|
||||
```
|
||||
Where `<pubkey>` is the ssh public key copied from your id_rsa.pub file.
|
||||
@ -269,7 +269,7 @@ openssl pkeyutl \
|
||||
### Authentication with an SSH ecdsa key
|
||||
|
||||
- Use the following `auth` attribute in your `mntner` object:
|
||||
```
|
||||
```conf
|
||||
auth: ecdsa-sha2-nistp256 <pubkey>
|
||||
```
|
||||
Where `<pubkey>` is the ssh public key copied from your id_ecdsa.pub file.
|
||||
|
@ -1,6 +1,6 @@
|
||||
Modern versions of Windows do not support OSPF and manually adding static routes every time after a reboot is annoying. Below is a batch script you can edit and run to help make adding routes easier. This script assumes that your BGP router and Windows computer are on the same LAN.
|
||||
|
||||
```
|
||||
```sh
|
||||
@echo off
|
||||
REM fill in YOUR network information
|
||||
REM right click and RUN AS ADMIN
|
||||
|
@ -1,6 +1,8 @@
|
||||
lglass is a Python software package designed for Internet Registries like the DN42. You can generate zone files for DNS and rDNS IPv4/v6, and handle the registry. It is available on GitHub as free software:
|
||||
|
||||
$ git clone git://github.com/fritz0705/lglass.git
|
||||
```sh
|
||||
$ git clone git://github.com/fritz0705/lglass.git
|
||||
```
|
||||
|
||||
## Links
|
||||
- [Fritz Gihub repo](https://github.com/fritz0705/lglass)
|
||||
@ -10,27 +12,31 @@ lglass is a Python software package designed for Internet Registries like the DN
|
||||
|
||||
lglass provides an event-based whois daemon with internal caching, which was written in Python. It is very simple to run an instance:
|
||||
|
||||
$ ./bin/lglass-whoisd
|
||||
```sh
|
||||
$ ./bin/lglass-whoisd
|
||||
```
|
||||
|
||||
without the configfile:
|
||||
|
||||
$ ./bin/lglass-regtool whoisd -H $HOST -p $PORT
|
||||
.
|
||||
```sh
|
||||
$ ./bin/lglass-regtool whoisd -H $HOST -p $PORT
|
||||
```
|
||||
|
||||
usage: lglass-whoisd [-h] [-4] [-6] [--host HOST] [--port PORT]
|
||||
[--cidr] [--no-cidr] [--inverse] [--no-inverse]
|
||||
|
||||
optional arguments:
|
||||
-h, --help show this help message and exit
|
||||
-4 Listen on IPv4
|
||||
-6 Listen on IPv6
|
||||
--host HOST, -H HOST Listen on host
|
||||
--port PORT, -p PORT Listen on port
|
||||
--cidr, -c Perform CIDR matching on queries
|
||||
--no-cidr Do not perform CIDR matching on queries
|
||||
--inverse, -i Perform inverse matching on queries
|
||||
--no-inverse Do not perform inverse matching on queries
|
||||
```
|
||||
usage: lglass-whoisd [-h] [-4] [-6] [--host HOST] [--port PORT]
|
||||
[--cidr] [--no-cidr] [--inverse] [--no-inverse]
|
||||
|
||||
optional arguments:
|
||||
-h, --help show this help message and exit
|
||||
-4 Listen on IPv4
|
||||
-6 Listen on IPv6
|
||||
--host HOST, -H HOST Listen on host
|
||||
--port PORT, -p PORT Listen on port
|
||||
--cidr, -c Perform CIDR matching on queries
|
||||
--no-cidr Do not perform CIDR matching on queries
|
||||
--inverse, -i Perform inverse matching on queries
|
||||
--no-inverse Do not perform inverse matching on queries
|
||||
```
|
||||
|
||||
## Generate zone files
|
||||
|
||||
@ -38,32 +44,42 @@ lglass also provides a script to generate zone files from the registry. It's nam
|
||||
|
||||
To generate DNS zones:
|
||||
|
||||
$ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com dns -z dn42
|
||||
```sh
|
||||
$ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com dns -z dn42
|
||||
```
|
||||
|
||||
To generate IPv4 rDNS zones:
|
||||
|
||||
$ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com rdns4 -N 172.22.0.0/16
|
||||
```sh
|
||||
$ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com rdns4 -N 172.22.0.0/16
|
||||
```
|
||||
|
||||
To generate IPv6 rDNS zones:
|
||||
|
||||
$ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com rdns6 -N fd00::/8
|
||||
```sh
|
||||
$ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com rdns6 -N fd00::/8
|
||||
```
|
||||
|
||||
## Reformat RPSL files
|
||||
|
||||
You can also reformat RPSL files using lglass by using the lglass.rpsl module:
|
||||
|
||||
$ ./bin/lglass-rpsl < $DATA/inetnum/172.22.0.53_32
|
||||
```sh
|
||||
$ ./bin/lglass-rpsl < $DATA/inetnum/172.22.0.53_32
|
||||
```
|
||||
|
||||
lglass.rpsl also supports in-place operation:
|
||||
|
||||
$ ./bin/lglass-rpsl -i $DATA/inetnum/172.22.0.53_32
|
||||
```sh
|
||||
$ ./bin/lglass-rpsl -i $DATA/inetnum/172.22.0.53_32
|
||||
```
|
||||
|
||||
This opens the file, reads the content into memory, seeks to position 0, writes the formatted object and truncates the file.
|
||||
Simple web interface
|
||||
|
||||
lglass also comes with a simple web interface written in Python3 using Bottle and Jinja2. It also provides a binary to run it using wsgiref:
|
||||
|
||||
$ ./bin/lglass-web
|
||||
```sh
|
||||
$ ./bin/lglass-web
|
||||
```
|
||||
|
||||
Furthermore you can use any WSGI server like Gunicorn by using lglass.web.application:app as WSGI callback. You can provide a path to the configuration file in the environment variable `LGLASS_WEB_CFG`.
|
||||
|
||||
|
@ -13,22 +13,22 @@ That is why `rp_filter` needs to be disabled.
|
||||
|
||||
**Note** using sysctl is not persistent. Depending on your linux distribution put it into `/etc/sysctl.conf` or `/etc/sysctl.d`
|
||||
|
||||
```
|
||||
```sh
|
||||
sysctl -w net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0
|
||||
```
|
||||
|
||||
Check that its really disabled:
|
||||
```
|
||||
```sh
|
||||
sysctl -a | grep rp_filter
|
||||
```
|
||||
|
||||
Also the following options must be set.
|
||||
```
|
||||
```sh
|
||||
$ sysctl -w net.ipv4.conf.all.forwarding=1 net.ipv6.conf.all.forwarding=1
|
||||
```
|
||||
|
||||
Check that ALL your vpn interfaces allow ip forwarding for ipv6/ipv4.
|
||||
```
|
||||
```sh
|
||||
$ sysctl -a | grep forwarding
|
||||
```
|
||||
|
||||
|
233
howto/nixos.md
233
howto/nixos.md
@ -15,7 +15,7 @@ If you still want to give it a try, here you'll find some inspiration from my se
|
||||
Defining the container environment is the base part of the setup. Beginning with network setup, Private Network disables the passthrough of Host Interfaces into the container and adds a bridged Interface to the host default Interface (e.g. eth0). The localAddress is the container side address and the hostAddress is the one the Host gets. Inside the ```container.<name>.config```, you can basicly import the same nix expression as from the Host and don't need to add some special container parts.
|
||||
|
||||
```nix
|
||||
containers.dn42 = {
|
||||
containers.dn42 = {
|
||||
hostAddress = "192.168.254.1"; # Transfer Network
|
||||
hostAddress6 = "2001:db08::42"; # Transfer Network
|
||||
localAddress = "116.203.1.5";
|
||||
@ -24,22 +24,22 @@ Defining the container environment is the base part of the setup. Beginning with
|
||||
autoStart = true;
|
||||
|
||||
config = { config, pkgs, ... }: {
|
||||
imports = [
|
||||
./peers # Folder with a config for every Peer
|
||||
./dns.nix # Bind with the litschi.dn42 zone deligated
|
||||
./bird.nix # Bird config for BGP Routing
|
||||
./networking.nix # Static Network configuration (with firewall)
|
||||
./nginx.nix # nginx config for litschi.dn42
|
||||
];
|
||||
environment.systemPackages = with pkgs; [
|
||||
# Network debug tools
|
||||
dnsutils
|
||||
mtr
|
||||
tcpdump
|
||||
wireguard-tools
|
||||
];
|
||||
imports = [
|
||||
./peers # Folder with a config for every Peer
|
||||
./dns.nix # Bind with the litschi.dn42 zone deligated
|
||||
./bird.nix # Bird config for BGP Routing
|
||||
./networking.nix # Static Network configuration (with firewall)
|
||||
./nginx.nix # nginx config for litschi.dn42
|
||||
];
|
||||
environment.systemPackages = with pkgs; [
|
||||
# Network debug tools
|
||||
dnsutils
|
||||
mtr
|
||||
tcpdump
|
||||
wireguard-tools
|
||||
];
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
In theory the container should now be starting and you can get shell access with ```sudo nixos-container root-login <name> ```.
|
||||
@ -47,20 +47,20 @@ In theory the container should now be starting and you can get shell access wit
|
||||
I mounted some host paths into the container for dns zone files and static homepage since the container is the only one providing .dn42 webservers.
|
||||
|
||||
```nix
|
||||
containers.dn42 = {
|
||||
containers.dn42 = {
|
||||
bindMounts = {
|
||||
"/var/www/dn42" = {
|
||||
hostPath = "/var/www/dn42";
|
||||
isReadOnly = true;
|
||||
mountPoint = "/var/www/dn42";
|
||||
};
|
||||
"/var/dns/dn42" = {
|
||||
hostPath = "/var/dns/dn42";
|
||||
isReadOnly = true;
|
||||
mountPoint = "/var/dns";
|
||||
};
|
||||
"/var/www/dn42" = {
|
||||
hostPath = "/var/www/dn42";
|
||||
isReadOnly = true;
|
||||
mountPoint = "/var/www/dn42";
|
||||
};
|
||||
"/var/dns/dn42" = {
|
||||
hostPath = "/var/dns/dn42";
|
||||
isReadOnly = true;
|
||||
mountPoint = "/var/dns";
|
||||
};
|
||||
};
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Network Setup
|
||||
@ -68,28 +68,28 @@ I mounted some host paths into the container for dns zone files and static homep
|
||||
As mentioned above, I got a spare public IPv4 Address, but by adding it as ```localAddress```, the container Part is configured static enough. But to forward traffic between Intferfaces ```/proc/sys/net/``` should configured
|
||||
|
||||
```nix
|
||||
boot.kernel.sysctl = {
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.ip_forward" = 1;
|
||||
"net.ipv6.conf.all.forwarding" = 1;
|
||||
};
|
||||
};
|
||||
```
|
||||
This allows our firewall to configure forwarding between peers and other tunnels. What is allowed to be forwarded can be configured in the firewall. Ferm has only few NixOS Options, but is pretty basic. Its configured with the ```services.ferm.config``` options, that contains just a string. Within this string there's standard plain ferm config. Example config is attached below.
|
||||
If the dn42 address is not bound at any other Interface, you need to add it to the lo Interface to use it as source IP when routing via peers with dedicated transfer net.
|
||||
```nix
|
||||
networking.interfaces.lo = {
|
||||
ipv4.addresses = [
|
||||
networking.interfaces.lo = {
|
||||
ipv4.addresses = [
|
||||
{
|
||||
address = "172.23.73.65";
|
||||
prefixLength = 32;
|
||||
address = "172.23.73.65";
|
||||
prefixLength = 32;
|
||||
}
|
||||
];
|
||||
ipv6.addresses = [
|
||||
];
|
||||
ipv6.addresses = [
|
||||
{
|
||||
address = "fd67:24bd:a1ea::1";
|
||||
prefixLength = 128;
|
||||
address = "fd67:24bd:a1ea::1";
|
||||
prefixLength = 128;
|
||||
}
|
||||
];
|
||||
};
|
||||
];
|
||||
};
|
||||
```
|
||||
|
||||
#### Ferm example
|
||||
@ -100,40 +100,40 @@ services.ferm = {
|
||||
domain ip table filter chain INPUT proto icmp ACCEPT;
|
||||
domain ip6 table filter chain INPUT proto (ipv6-icmp icmp) ACCEPT;
|
||||
domain (ip ip6) table filter {
|
||||
chain INPUT {
|
||||
policy DROP;
|
||||
interface lo ACCEPT;
|
||||
interface intern-+ ACCEPT;
|
||||
# website
|
||||
proto tcp dport (http https) ACCEPT;
|
||||
# wireguard
|
||||
proto udp dport ( <Wireguard Ports> ) ACCEPT;
|
||||
# bgp
|
||||
proto tcp dport (179) ACCEPT;
|
||||
# dns
|
||||
proto (udp tcp) dport domain ACCEPT;
|
||||
mod state state (INVALID) DROP;
|
||||
mod state state (ESTABLISHED RELATED) ACCEPT;
|
||||
}
|
||||
chain OUTPUT {
|
||||
policy ACCEPT;
|
||||
}
|
||||
chain FORWARD {
|
||||
policy DROP;
|
||||
# allow intern routing and dn42 forwarding
|
||||
interface dn42-+ outerface dn42-+ ACCEPT;
|
||||
interface intern-+ outerface intern-+ ACCEPT;
|
||||
interface intern-+ outerface dn42-+ ACCEPT;
|
||||
# but dn42 -> intern only with execptions
|
||||
interface dn42-+ outerface intern-+ {
|
||||
proto (ipv6-icmp icmp) ACCEPT; # Allow SSH Access from dn42 to devices behind intern-+ Interfaces
|
||||
proto tcp dport (ssh) ACCEPT;
|
||||
mod state state (ESTABLISHED) ACCEPT;
|
||||
chain INPUT {
|
||||
policy DROP;
|
||||
interface lo ACCEPT;
|
||||
interface intern-+ ACCEPT;
|
||||
# website
|
||||
proto tcp dport (http https) ACCEPT;
|
||||
# wireguard
|
||||
proto udp dport ( <Wireguard Ports> ) ACCEPT;
|
||||
# bgp
|
||||
proto tcp dport (179) ACCEPT;
|
||||
# dns
|
||||
proto (udp tcp) dport domain ACCEPT;
|
||||
mod state state (INVALID) DROP;
|
||||
mod state state (ESTABLISHED RELATED) ACCEPT;
|
||||
}
|
||||
chain OUTPUT {
|
||||
policy ACCEPT;
|
||||
}
|
||||
chain FORWARD {
|
||||
policy DROP;
|
||||
# allow intern routing and dn42 forwarding
|
||||
interface dn42-+ outerface dn42-+ ACCEPT;
|
||||
interface intern-+ outerface intern-+ ACCEPT;
|
||||
interface intern-+ outerface dn42-+ ACCEPT;
|
||||
# but dn42 -> intern only with execptions
|
||||
interface dn42-+ outerface intern-+ {
|
||||
proto (ipv6-icmp icmp) ACCEPT; # Allow SSH Access from dn42 to devices behind intern-+ Interfaces
|
||||
proto tcp dport (ssh) ACCEPT;
|
||||
mod state state (ESTABLISHED) ACCEPT;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
```
|
||||
|
||||
### Peering with wireguard
|
||||
@ -144,23 +144,23 @@ A sample wireguard config may look like this:
|
||||
```nix
|
||||
{config, pkgs, ...}:
|
||||
{
|
||||
networking.wireguard.interfaces.dn42-peer = {
|
||||
privateKey = "";
|
||||
allowedIPsAsRoutes = false;
|
||||
listenPort = 42420;
|
||||
networking.wireguard.interfaces.dn42-peer = {
|
||||
privateKey = "";
|
||||
allowedIPsAsRoutes = false;
|
||||
listenPort = 42420;
|
||||
|
||||
peers = [
|
||||
{
|
||||
publicKey = "";
|
||||
allowedIPs = [ "0.0.0.0/0" "::/0" ];
|
||||
endpoint = "42.42.42.42:42421";
|
||||
}
|
||||
];
|
||||
postSetup = ''
|
||||
${pkgs.iproute}/bin/ip addr add 169.254.0.1/32 peer 169.254.0.0/32 dev dn42-peer
|
||||
${pkgs.iproute}/bin/ip -6 addr add fe80::1220/64 dev dn42-peer
|
||||
'';
|
||||
};
|
||||
peers = [
|
||||
{
|
||||
publicKey = "";
|
||||
allowedIPs = [ "0.0.0.0/0" "::/0" ];
|
||||
endpoint = "42.42.42.42:42421";
|
||||
}
|
||||
];
|
||||
postSetup = ''
|
||||
${pkgs.iproute}/bin/ip addr add 169.254.0.1/32 peer 169.254.0.0/32 dev dn42-peer
|
||||
${pkgs.iproute}/bin/ip -6 addr add fe80::1220/64 dev dn42-peer
|
||||
'';
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
@ -176,41 +176,40 @@ Like ferm, Bird2 is configured by ```services.bird2.config``` containing a strin
|
||||
Sample example to update ROA's :
|
||||
```nix
|
||||
{ pkgs, lib, ... }:
|
||||
let
|
||||
script = pkgs.writeShellScriptBin "update-roa" ''
|
||||
let script = pkgs.writeShellScriptBin "update-roa" ''
|
||||
mkdir -p /etc/bird/
|
||||
${pkgs.curl}/bin/curl -sfSLR {-o,-z}/etc/bird/roa_dn42_v6.conf https://dn42.burble.com/roa/dn42_roa_bird2_6.conf
|
||||
${pkgs.curl}/bin/curl -sfSLR {-o,-z}/etc/bird/roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird2_4.conf
|
||||
${pkgs.bird2}/bin/birdc c
|
||||
${pkgs.bird2}/bin/birdc reload in all
|
||||
'';
|
||||
'';
|
||||
in
|
||||
{
|
||||
systemd.timers.dn42-roa = {
|
||||
description = "Trigger a ROA table update";
|
||||
systemd.timers.dn42-roa = {
|
||||
description = "Trigger a ROA table update";
|
||||
|
||||
timerConfig = {
|
||||
OnBootSec = "5m";
|
||||
OnUnitInactiveSec = "1h";
|
||||
Unit = "dn42-roa.service";
|
||||
timerConfig = {
|
||||
OnBootSec = "5m";
|
||||
OnUnitInactiveSec = "1h";
|
||||
Unit = "dn42-roa.service";
|
||||
};
|
||||
|
||||
wantedBy = [ "timers.target" ];
|
||||
before = [ "bird.service" ];
|
||||
};
|
||||
|
||||
wantedBy = [ "timers.target" ];
|
||||
before = [ "bird.service" ];
|
||||
};
|
||||
|
||||
systemd.services = {
|
||||
dn42-roa = {
|
||||
after = [ "network.target" ];
|
||||
description = "DN42 ROA Updated";
|
||||
unitConfig = {
|
||||
Type = "one-shot";
|
||||
};
|
||||
serviceConfig = {
|
||||
ExecStart = "${script}/bin/update-roa";
|
||||
};
|
||||
systemd.services = {
|
||||
dn42-roa = {
|
||||
after = [ "network.target" ];
|
||||
description = "DN42 ROA Updated";
|
||||
unitConfig = {
|
||||
Type = "one-shot";
|
||||
};
|
||||
serviceConfig = {
|
||||
ExecStart = "${script}/bin/update-roa";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
@ -221,14 +220,14 @@ There is now (thanks to [Tchekda](https://github.com/NixOS/nixpkgs/pull/153481))
|
||||
```nix
|
||||
bird-lg = {
|
||||
proxy = {
|
||||
enable = true;
|
||||
allowedIPs = [ "172.20.XX.XX" "172.20.XX.YY" ];
|
||||
enable = true;
|
||||
allowedIPs = [ "172.20.XX.XX" "172.20.XX.YY" ];
|
||||
};
|
||||
frontend = {
|
||||
enable = true;
|
||||
netSpecificMode = "dn42";
|
||||
servers = [ "node1" "node2" ];
|
||||
domain = "domain.dn42";
|
||||
enable = true;
|
||||
netSpecificMode = "dn42";
|
||||
servers = [ "node1" "node2" ];
|
||||
domain = "domain.dn42";
|
||||
};
|
||||
};
|
||||
```
|
||||
|
@ -10,7 +10,7 @@
|
||||
* Replace `<REMOTE_GATEWAY_IP>` with dn42 ip address of your peer
|
||||
* `<LOCAL_GATEWAY_IPV6> <REMOTE_GATEWAY_IPV6>` same as ipv4, but both ip addresses needs to be in the same subnet. For simplicity you can always use an address from link-local ipv6 range (fe80::/64)
|
||||
|
||||
```
|
||||
```conf
|
||||
#/etc/openvpn/<PEER_NAME>
|
||||
proto <PROTO>
|
||||
mode p2p
|
||||
@ -39,7 +39,7 @@ secret /etc/openvpn/<PEER_NAME>.key
|
||||
|
||||
then create a new key and share it with your peer
|
||||
|
||||
```
|
||||
```sh
|
||||
$ openvpn --genkey --secret /etc/openvpn/<PEER_NAME>.key
|
||||
```
|
||||
|
||||
@ -47,7 +47,7 @@ $ openvpn --genkey --secret /etc/openvpn/<PEER_NAME>.key
|
||||
|
||||
## peer with fixed ip
|
||||
|
||||
```
|
||||
```conf
|
||||
proto <PROTO>
|
||||
mode p2p
|
||||
dev-type tun
|
||||
@ -72,7 +72,7 @@ secret /etc/openvpn/<PEER_NAME>.key
|
||||
* `<REMOTE_HOST>` is the ip address of your peer
|
||||
* `<REMOTE_PORT>` is openvpn port, where your peer listen for traffic
|
||||
|
||||
```
|
||||
```conf
|
||||
proto <PROTO>
|
||||
mode p2p
|
||||
remote <REMOTE_HOST>
|
||||
@ -99,7 +99,7 @@ Clients connect using certificates, and simply get attributed dn42 IPs in the or
|
||||
|
||||
Replace `<PORT>` with the UDP port you want OpenVPN to listen to, and change the IP ranges (`ifconfig` and `route-gateway` options).
|
||||
|
||||
```
|
||||
```conf
|
||||
mode server
|
||||
tls-server
|
||||
|
||||
@ -152,7 +152,7 @@ push "route 172.22.0.0 255.254.0.0"
|
||||
|
||||
Change `<SERVER>` and `<PORT>`.
|
||||
|
||||
```
|
||||
```conf
|
||||
client
|
||||
|
||||
ca ca.crt
|
||||
|
@ -5,7 +5,7 @@ This is the config that is used on ZOTAN Networks (AS4242422341). Full network c
|
||||
# Configuration
|
||||
|
||||
## loopback device (lo.network)
|
||||
```
|
||||
```conf
|
||||
[Match]
|
||||
Name=lo
|
||||
|
||||
@ -14,7 +14,7 @@ Address=fdff:b02d:2ef7::2/128
|
||||
```
|
||||
|
||||
## wireguard netdev (dn42p1.netdev)
|
||||
```
|
||||
```conf
|
||||
[NetDev]
|
||||
Name = dn42p1
|
||||
Kind = wireguard
|
||||
@ -31,7 +31,7 @@ AllowedIPs = 172.16.0.0/12,10.0.0.0/8,fd00::/8,fe80::/10,ff00::/8
|
||||
```
|
||||
|
||||
## wireguard network (dn42p1.network)
|
||||
```
|
||||
```conf
|
||||
[Match]
|
||||
Name = dn42p1
|
||||
|
||||
|
@ -10,7 +10,7 @@ One advantage of tinc is that you can have multiple peering over the same VPN co
|
||||
|
||||
Example `/etc/tinc/dn42_yourpeer/tinc.conf`:
|
||||
|
||||
```
|
||||
```conf
|
||||
Interface = dn42_yourpeer
|
||||
Name = your_host
|
||||
# Only switch mode is feasible for dn42 peerings, since in router mode tinc takes care of routing decisions on its own
|
||||
@ -26,7 +26,7 @@ Tinc requires to add manually ip addresses and routes to the tap/tun interfaces.
|
||||
Example `/etc/tinc/dn42_yourpeer/tinc-up`:
|
||||
|
||||
**Linux/iproute2**
|
||||
```
|
||||
```sh
|
||||
#!/bin/sh
|
||||
|
||||
# set the interface up
|
||||
@ -44,13 +44,13 @@ For authentication tinc uses public key authentication instead of certificates o
|
||||
For each key tinc should connect to or allow to connect, a file with the name of the peer in tincd -n twwh -K
|
||||
is required. To generate a public/private key pair use:
|
||||
|
||||
```
|
||||
```sh
|
||||
$ tincd -K
|
||||
```
|
||||
|
||||
Import for each other party the key like this `/etc/tinc/dn42_yourpeer/hosts/<peername>`:
|
||||
|
||||
```
|
||||
```conf
|
||||
# address/port are optional, in case they're missing you only expect connections from that host
|
||||
Address = <fqdn/ip_addr>
|
||||
Port = <port|655>
|
||||
@ -74,19 +74,19 @@ Installation:
|
||||
* Freebsd: Use this [port repo](https://github.com/Mic92/ports/tree/master/security/tinc)
|
||||
|
||||
Set up a new tinc network
|
||||
```
|
||||
```sh
|
||||
# tinc -n dn42_yourpeer init dn42_yourself
|
||||
```
|
||||
|
||||
Invite your peering partner. Tinc will print the invitaion which you need to copy to your peering partner.
|
||||
```
|
||||
```sh
|
||||
$ tinc invite yourpeer
|
||||
<ip-or-address>/nIRp5pJCnfnhuV13JUomscGs1q5HqEbz3AydZer7wRaMcpUB
|
||||
```
|
||||
|
||||
On the other node you can join by using:
|
||||
|
||||
```
|
||||
```sh
|
||||
$ tinc join <invitation-url>
|
||||
```
|
||||
|
||||
|
@ -9,13 +9,13 @@ to allow your BGP daemon instead to do routing. This approach is comparable to [
|
||||
|
||||
First generate on each peer public and private keys.
|
||||
|
||||
```
|
||||
```sh
|
||||
$ wg genkey | tee privatekey | wg pubkey > publickey
|
||||
```
|
||||
|
||||
## Configuration
|
||||
|
||||
```
|
||||
```conf
|
||||
# tunnel.conf
|
||||
[Interface]
|
||||
PrivateKey = <private_key>
|
||||
@ -38,7 +38,7 @@ AllowedIPs = 0.0.0.0/0,::/0
|
||||
Wireguard comes with its own interface type.
|
||||
It supports link-local addresses for IPv6 and single /32 addresses for IPv4, which can be used for peering.
|
||||
|
||||
```
|
||||
```sh
|
||||
$ ip link add dev <interface_name> type wireguard
|
||||
$ wg setconf <interface_name> tunnel.conf
|
||||
# both side pick a different link-local ipv6 address
|
||||
@ -54,7 +54,7 @@ Maybe you should check the MTU to your peer with e.g. `ping -s 1472 <end_point_h
|
||||
|
||||
## Testing
|
||||
|
||||
```
|
||||
```sh
|
||||
ping fe80::<your_peers_suffix>%<interface_name>
|
||||
```
|
||||
|
||||
@ -94,7 +94,7 @@ The script makes some changes that are not valid when used for DN42 tunnels, and
|
||||
|
||||
An example wg-quick script that incorporates the above two workarounds is below, where `<MyIPv[46]>` are the DN42 IP addresses of your node and `<PeerIPv[46]>` are the IP addresses for your peer.
|
||||
|
||||
```
|
||||
```conf
|
||||
[Interface]
|
||||
PrivateKey = <your private key>
|
||||
Address = <your link-local address, if any>
|
||||
@ -114,7 +114,7 @@ Use `which ip` to get the full path to your ip binary.
|
||||
Example configuration for systemd-networkd.
|
||||
|
||||
peer.netdev
|
||||
```text
|
||||
```conf
|
||||
[NetDev]
|
||||
Name=<ifname>
|
||||
Kind=wireguard
|
||||
@ -134,7 +134,7 @@ AllowedIPs=0.0.0.0/0
|
||||
```
|
||||
|
||||
peer.network
|
||||
```text
|
||||
```conf
|
||||
[Match]
|
||||
Name=<ifname>
|
||||
|
||||
@ -172,6 +172,6 @@ Peer=<your peer's IPv4 address>/32
|
||||
As wireguard are only resolving the hostname to IP only on start, dynamics DNS will stop working after a while without further configuration. The Following is a [script](https://github.com/WireGuard/wireguard-tools/blob/master/contrib/reresolve-dns/reresolve-dns.sh) from wireguard which will "re-resolve" the DNS and update the wireguard.
|
||||
|
||||
You can add cron entries to periodically "re-resolve" the DNS:
|
||||
```
|
||||
```sh
|
||||
* * * * * /path-to-the-script/reresolve-dns.sh
|
||||
```
|
||||
|
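Review bot: `$ wg genkey | tee privatekey | wg pubkey > publickey` in the `@ -9,13 +9,13 @@` hunk creates `privatekey` under the shell's default umask, so on most systems the private key file ends up world-readable. The WireGuard quick-start runs the same pipeline after `umask 077`, and the snippet should do likewise: `$ umask 077; wg genkey | tee privatekey | wg pubkey > publickey`. The same caveat applies to `tunnel.conf`, which embeds `PrivateKey = <private_key>` and is later loaded with `wg setconf`; a one-line remark under the Configuration heading that the file must not be group- or world-readable would cover it.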
@ -186,9 +186,9 @@ Providers of shell access:
|
||||
|
||||
| Person | Hostname | Net | Description | Contact |
|
||||
|:------------- |:-------------------------------------- |:---------------- |:---------------- |:------------- |
|
||||
| mc36 | telnet test.nop.dn42 | dn42 only |looking glass | - |
|
||||
| JerryXiao | ssh lg@lg.jerry.dn42 | dn42 and icvpn |looking glass | - |
|
||||
| burble | ssh <mntner>@shell.fr-rbx1.burble.dn42 <br/> ssh <mntner>@shell.ca-bhs2.burble.dn42 | dn42 |Full shell account| See below |
|
||||
| mc36 | `telnet test.nop.dn42` | dn42 only |looking glass | - |
|
||||
| JerryXiao | `ssh lg@lg.jerry.dn42` | dn42 and icvpn |looking glass | - |
|
||||
| burble | `ssh <mntner>@shell.fr-rbx1.burble.dn42` <br/> `ssh <mntner>@shell.ca-bhs2.burble.dn42` | dn42 | Full shell account | See below |
|
||||
|
||||
### burble.dn42 shell access
|
||||
|
||||
|
@ -22,7 +22,7 @@ Document your mad setups in the categories below, with links to a full write up,
|
||||
- Wired: Token Ring/X.25/ATM/ISDN etc (encapsulation allowed, but bonus points for real physical networks)
|
||||
- Wireless: dn42 via microwave/laser/satellite
|
||||
|
||||
*... your stuff goes here*
|
||||
*... your stuff goes here*
|
||||
|
||||
## Things attached to dn42
|
||||
- The thing must be pingable from dn42
|
||||
|
@ -55,7 +55,9 @@ Server certificates are signed for 45 days. To renew follow the steps above star
|
||||
|
||||
get the script here:
|
||||
|
||||
```sh
|
||||
curl https://ca.dn42/ca.dn42 > ca.dn42; chmod +x ca.dn42
|
||||
```
|
||||
|
||||
available via git: anon@git.dn42:dn42/ca-client
|
||||
|
||||
@ -106,7 +108,7 @@ Environtment Options:
|
||||
|
||||
Generate the user key
|
||||
|
||||
```
|
||||
```sh
|
||||
$ ./ca.dn42 user-gen XUU-MNT xuu@sour.is
|
||||
Generating a 2048 bit RSA private key
|
||||
...............................+++
|
||||
@ -121,7 +123,7 @@ writing new private key to 'XUU-MNT.key'
|
||||
|
||||
### Sign the user key
|
||||
|
||||
```
|
||||
```sh
|
||||
$ ./ca.dn42 user-sign XUU-MNT xuu@sour.is
|
||||
== USER CERT ==
|
||||
C:XD
|
||||
@ -138,7 +140,7 @@ Verifying - Enter Export Password:
|
||||
|
||||
### Generate the server key
|
||||
|
||||
```
|
||||
```sh
|
||||
$ ./ca.dn42 tls-gen ca.dn42 XUU-MNT xuu@sour.is DNS:ca.dn42
|
||||
|
||||
Generating a 2048 bit RSA private key
|
||||
@ -162,7 +164,7 @@ $ dig +short TXT _dn42_tlsverify.ca.dn42.
|
||||
|
||||
### Sign the server key
|
||||
|
||||
```
|
||||
```sh
|
||||
$ ./ca.dn42 tls-sign ca.dn42 XUU-MNT
|
||||
== USER CERT ==
|
||||
C:XD
|
||||
@ -190,13 +192,13 @@ Verifying - Enter Export Password: ****
|
||||
|
||||
The generated certificate will be valid for 3 months, to renew it simply run ```./ca.dn42 tls-sign ca.dn42 XUU-MNT``` again. This could be also automated in cron:
|
||||
|
||||
```
|
||||
```sh
|
||||
0 0 1 * * /etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT
|
||||
```
|
||||
|
||||
or with a systemd timer:
|
||||
|
||||
```
|
||||
```conf
|
||||
# update-dn42-ca.timer
|
||||
[Timer]
|
||||
OnBootSec=1h
|
||||
@ -207,7 +209,7 @@ Persistent=yes
|
||||
WantedBy=timers.target
|
||||
```
|
||||
|
||||
```
|
||||
```conf
|
||||
[Service]
|
||||
Type=oneshot
|
||||
WorkingDirectory=/etc/ssl/dn42
|
||||
@ -219,7 +221,7 @@ ExecStart=/usr/bin/nginx -s reload
|
||||
|
||||
### Revoke a certificate.
|
||||
|
||||
```
|
||||
```sh
|
||||
$ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt
|
||||
== USER CERT ==
|
||||
C:XD
|
||||
|
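Review bot: `curl https://ca.dn42/ca.dn42 > ca.dn42; chmod +x ca.dn42` in the `@ -55,7 +55,9 @@` hunk makes the file executable even when the download fails, and without `-f` an HTTP error page is written into `ca.dn42` instead of leaving it empty. `curl -fsS -o ca.dn42 https://ca.dn42/ca.dn42 && chmod +x ca.dn42` only marks the file executable after a successful fetch. The line `available via git: anon@git.dn42:dn42/ca-client` already gives a second source; a short sentence suggesting readers compare the fetched script against that repository before running it would make the step verifiable.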
@ -101,11 +101,11 @@ C0IKqQ==
|
||||
## Testing constraints
|
||||
|
||||
The name constraints can be verified for example by using openssl:
|
||||
```
|
||||
openssl x509 -in dn42.crt -text -noout
|
||||
```sh
|
||||
openssl x509 -in dn42.crt -text -noout
|
||||
```
|
||||
which will show among other things:
|
||||
```
|
||||
```text
|
||||
X509v3 Name Constraints:
|
||||
Permitted:
|
||||
DNS:.dn42
|
||||
|
@ -24,7 +24,7 @@ service and configure the other service as the secondary or backup nameserver.
|
||||
|
||||
Example resolv.conf, preferring a0.recursive-servers.dn42 and IPv4:
|
||||
|
||||
```text
|
||||
```conf
|
||||
nameserver 172.20.0.53
|
||||
nameserver 172.23.0.53
|
||||
nameserver fd42:d42:d42:54::1
|
||||
@ -34,7 +34,7 @@ search dn42
|
||||
|
||||
Example resolv.conf, preferring a3.recursive-servers.dn42 and IPv6:
|
||||
|
||||
```text
|
||||
```conf
|
||||
nameserver fd42:d42:d42:53::1
|
||||
nameserver fd42:d42:d42:54::1
|
||||
nameserver 172.23.0.53
|
||||
|
@ -39,9 +39,9 @@ Since gollum is built on top of Git, it is not overly complicated to keep the lo
|
||||
- Contact [XUU-DN42](https://io.nixnodes.net?t=person&l=XUU-DN42) and ask for write access to the repo
|
||||
- Setup cron for periodic pull/push jobs for the repo (simple example):
|
||||
|
||||
+ **wiki-sync.sh**:
|
||||
+ **wiki-sync.sh**:
|
||||
|
||||
```sh
|
||||
```sh
|
||||
#!/bin/bash
|
||||
|
||||
WIKI_PATH=<repo path>
|
||||
@ -52,13 +52,13 @@ ${GIT} push
|
||||
${GIT} pull
|
||||
|
||||
exit 0
|
||||
```
|
||||
```
|
||||
|
||||
+ **Cron entry**:
|
||||
+ **Cron entry**:
|
||||
|
||||
`*/10 * * * * <path>/wiki-sync.sh &> /dev/null`
|
||||
`*/10 * * * * <path>/wiki-sync.sh &> /dev/null`
|
||||
|
||||
Running in 10 minute intervals is reasonable, if you choose to change this, please keep it in the range from 5 to 15 minutes.
|
||||
Running in 10 minute intervals is reasonable, if you choose to change this, please keep it in the range from 5 to 15 minutes.
|
||||
|
||||
## gollum
|
||||
|
||||
@ -84,7 +84,7 @@ RACK_ENV=production gollum --css --host 127.0.0.1 --port 4567 --no-edit <path>
|
||||
- Generate a [CSR](/services/Certificate-Authority) and send DNS Key Pin to [xuu@sour.is](mailto:xuu@sour.is):
|
||||
- \<AS> is the as number with the prefix `as` like `as64737-ca.wiki.dn42`
|
||||
|
||||
```
|
||||
```sh
|
||||
./ca.dn42 tls-gen \
|
||||
<AS>-<CC>(-<UID>).wiki.dn42 \
|
||||
EXAMPLE-MNT \
|
||||
@ -109,13 +109,13 @@ A custom header `X-SiteID` identifies the site you're connecting to:
|
||||
|
||||
- Extract base64 encoded SPKI fingerprint from private key `wiki.key`:
|
||||
|
||||
```
|
||||
```sh
|
||||
openssl rsa -in wiki.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
|
||||
```
|
||||
|
||||
- Configure Nginx to send the fingerprint in header (SSL block):
|
||||
|
||||
```
|
||||
```conf
|
||||
add_header Public-Key-Pins pin-sha256="<primary>"; pin-sha256="<backup>"; max-age=5184000; includeSubDomains';
|
||||
```
|
||||
|
||||
@ -137,7 +137,7 @@ Nginx should listen on a unicast address as well, so your site can be reached ex
|
||||
|
||||
#### Config example
|
||||
|
||||
```
|
||||
```conf
|
||||
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
|
||||
ssl_session_cache shared:SSL:2m;
|
||||
|
||||
@ -196,7 +196,7 @@ The prefix AS-PATH should show the announcement is originating from your AS. Aft
|
||||
|
||||
#### Configuration
|
||||
|
||||
```
|
||||
```conf
|
||||
# exabgp.conf
|
||||
|
||||
group gollum-watchdog {
|
||||
|
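Review bot: the `add_header Public-Key-Pins` line in the `@ -109,13 +109,13 @@` hunk is missing its opening single quote, so nginx will reject the directive as written; the value must be one quoted string: `add_header Public-Key-Pins 'pin-sha256="<primary>"; pin-sha256="<backup>"; max-age=5184000; includeSubDomains';`. HPKP has since been removed from mainstream browsers, so a note that the header is only honoured by clients that still implement pinning would stop readers expecting protection it no longer provides. In the `@ -137,7 +137,7 @@` hunk, `ssl_protocols TLSv1.2 TLSv1.1 TLSv1;` still enables TLS 1.0 and 1.1, which RFC 8996 deprecates; `ssl_protocols TLSv1.2 TLSv1.3;` is the current recommendation.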
@ -3,7 +3,6 @@
|
||||
|
||||
We have an IRC Chatroom on the [hackint-Network](http://www.hackint.org). It is reachable from within DN42, ChaosVPN and the public internet. A connection is only possible via TLS on port 6697.
|
||||
|
||||
|
||||
| Network | Hostname | SSL | IPv4 | IPv6 |
|
||||
|:--------|:------------------------------------------|:------ |:-------------------------- |:------------ |
|
||||
| DN42 | [irc.hackint.dn42](ircs://irc.hackint.dn42:6697) | Yes | 172.20.66.67 | fd42:d42:d42:6667::1 |
|
||||
@ -11,7 +10,7 @@ We have an IRC Chatroom on the [hackint-Network](http://www.hackint.org). It is
|
||||
|
||||
|
||||
### via public internet
|
||||
| Hostname | Location |
|
||||
| Hostname | Location |
|
||||
|:------------------------------------------------- |:-------------------------- |
|
||||
| [irc.hackint.org](ircs://irc.hackint.org:6697) | Global |
|
||||
| [irc.eu.hackint.org](ircs://irc.eu.hackint.org:6697) | European |
|
||||
|
@ -48,15 +48,19 @@ A Ruby script to calculate the IPv6 can be found on [ixp\_frnte\_dn42\_prefix.rb
|
||||
|
||||
An example configuration for Debian based Linux distributions would be:
|
||||
|
||||
iface ensXX inet6 static
|
||||
address fde0:93fa:7a0:2:0:fcde:3558:1/64
|
||||
```sh
|
||||
iface ensXX inet6 static
|
||||
address fde0:93fa:7a0:2:0:fcde:3558:1/64
|
||||
```
|
||||
|
||||
Here `ensXX` is the dn42 VLAN interface. This can be determined by comparing the MAC address of the interface with the MAC address of the dn42 VLAN in Proxmox. The MAC address can be determined on Linux with `ip l`:
|
||||
|
||||
ensXX: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu
|
||||
1500 qdisc pfifo_fast state UP mode DEFAULT group
|
||||
default qlen 1000
|
||||
link/ether MAC brd ff:ff:ff:ff:ff:ff
|
||||
```sh
|
||||
ensXX: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu
|
||||
1500 qdisc pfifo_fast state UP mode DEFAULT group
|
||||
default qlen 1000
|
||||
link/ether MAC brd ff:ff:ff:ff:ff:ff
|
||||
```
|
||||
|
||||
`MAC` would be the MAC address. After that you can activate the interface with ifup or a reboot of the VM.
|
||||
Of course there are other configuration possibilities. This is only an example for Debian-based Linux distributions.
|
||||
@ -71,17 +75,19 @@ You can now enter this configuration into your routing daemon and it will connec
|
||||
|
||||
An example configuration for bird2 would be the following:
|
||||
|
||||
protocol bgp ixp_rs from dnpeers {
|
||||
neighbor fde0:93fa:7a0:2:0:fcde:3559:1 as 4242421081;
|
||||
```conf
|
||||
protocol bgp ixp_rs from dnpeers {
|
||||
neighbor fde0:93fa:7a0:2:0:fcde:3559:1 as 4242421081;
|
||||
|
||||
enable extended messages on;
|
||||
direct;
|
||||
enforce first as off;
|
||||
enable extended messages on;
|
||||
direct;
|
||||
enforce first as off;
|
||||
|
||||
ipv4 {
|
||||
extended next hop;
|
||||
};
|
||||
}
|
||||
ipv4 {
|
||||
extended next hop;
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
**What does this configuration do?**
|
||||
|
||||
@ -107,8 +113,8 @@ Furthermore, you can display different routes (in case of bird with `birdc show
|
||||
One can also try to ping the IP of some at the IXP. From the latency you can also see if everything is working:
|
||||
|
||||
* Burble's pingable
|
||||
* 172.20.129.5
|
||||
* fd42:4242:2601:ac05::1
|
||||
* `172.20.129.5`
|
||||
* `fd42:4242:2601:ac05::1`
|
||||
* Bandura's pingable:
|
||||
* 172.22.149.224
|
||||
* fd04:234e:fc31::
|
||||
* `172.22.149.224`
|
||||
* `fd04:234e:fc31::`
|
||||
|
@ -25,7 +25,7 @@ The collector uses the dynamic peering capability in Bird2 to allow anyone to pe
|
||||
|
||||
Example bird2 config:
|
||||
|
||||
```text
|
||||
```conf
|
||||
protocol bgp ROUTE_COLLECTOR
|
||||
{
|
||||
local as ***YOUR_ASN***;
|
||||
|
@ -11,7 +11,7 @@ Channel statistics for #dn42@hackint are available at: <https://dev.0l.dn42/stat
|
||||
|
||||
#### collectd.conf
|
||||
|
||||
```
|
||||
```conf
|
||||
LoadPlugin exec
|
||||
<Plugin exec>
|
||||
Exec nobody "/etc/collectd/bgp_prefixes-quagga.sh"
|
||||
|
@ -66,8 +66,10 @@ Mirrors are hosted at `asn.grmml.dn42` and `asn.lorkep.dn42`.
|
||||
|
||||
Example:
|
||||
|
||||
$ dig +short AS4242420000.asn.dn42 TXT
|
||||
"4242420000 | DN42 | dn42 | | PYROPETER-AS PyroPeters AS"
|
||||
```sh
|
||||
$ dig +short AS4242420000.asn.dn42 TXT
|
||||
"4242420000 | DN42 | dn42 | | PYROPETER-AS PyroPeters AS"
|
||||
```
|
||||
|
||||
The Python code for generating the zone from the registry is available on the monotone repository.
|
||||
|
||||
|
@ -27,7 +27,7 @@ DN42 is [interconnected](/internal/Interconnections) with the Inter City VPN or
|
||||
If you already run a local DNS server, you can tell it to query the dn42 anycast servers for the relevant domains
|
||||
by adding the following to /etc/bind/named.conf.local
|
||||
|
||||
```
|
||||
```conf
|
||||
zone "dn42" {
|
||||
type forward;
|
||||
forwarders { 172.20.0.53; fd42:d42:d42:54::1; };
|
||||
@ -71,7 +71,7 @@ options {
|
||||
**Note**: With DNSSEC enabled, bind might refuse to accept query results from the dn42 zone: `validating dn42/SOA: got insecure response; parent indicates it should be secure`.
|
||||
|
||||
To disable DNSSEC validation only for certain TLDs include the following in the options section:
|
||||
```
|
||||
```conf
|
||||
options {
|
||||
# [...]
|
||||
|
||||
@ -93,7 +93,7 @@ options {
|
||||
|
||||
If you are running dnsmasq under openwrt, you just have to add
|
||||
|
||||
```
|
||||
```conf
|
||||
config dnsmasq
|
||||
option boguspriv '0'
|
||||
option rebind_protection '1'
|
||||
@ -115,7 +115,7 @@ Attention: If you go with the default config you'll have to disable "boguspriv"
|
||||
|
||||
For normal dnsmasq use
|
||||
|
||||
```
|
||||
```conf
|
||||
server=/dn42/172.20.0.53
|
||||
server=/20.172.in-addr.arpa/172.20.0.53
|
||||
server=/21.172.in-addr.arpa/172.20.0.53
|
||||
@ -129,7 +129,7 @@ in `dnsmasq.conf`.
|
||||
## PowerDNS recursor
|
||||
Add this to /etc/powerdns/recursor.conf (at least in Debian and CentOS).
|
||||
|
||||
```
|
||||
```conf
|
||||
dont-query=127.0.0.0/8, 192.168.0.0/16, ::1/128, fe80::/10
|
||||
forward-zones-recurse=dn42=172.20.0.53
|
||||
forward-zones-recurse+=20.172.in-addr.arpa=172.20.0.53
|
||||
@ -143,7 +143,7 @@ forward-zones-recurse+=d.f.ip6.arpa=172.20.0.53
|
||||
## MaraDNS
|
||||
Put this in your mararc:
|
||||
|
||||
```
|
||||
```conf
|
||||
ipv4_alias["dn42_root"] = "172.20.0.53"
|
||||
root_servers["dn42."] = "dn42_root"
|
||||
root_servers["20.172.in-addr.arpa."] = "dn42_root"
|
||||
@ -158,7 +158,7 @@ root_servers["10.in-addr.arpa."] = "dn42_root"
|
||||
Make sure to disable `auto-trust-anchor-file` and manually configure `trust-anchor-file` to
|
||||
point to a file with DNSKEY records for dn42.
|
||||
|
||||
```
|
||||
```conf
|
||||
server:
|
||||
local-zone: "20.172.in-addr.arpa." nodefault
|
||||
local-zone: "21.172.in-addr.arpa." nodefault
|
||||
@ -205,11 +205,11 @@ forward-zone:
|
||||
|
||||
## JunOS (SRX 12.1X46)
|
||||
Should also work in 12.1X44 and 12.1X45. After making the changes below you may need to run:
|
||||
```
|
||||
```sh
|
||||
restart named-service
|
||||
```
|
||||
Config (vlan.0 is presumed to be your LAN/Trust interface)
|
||||
```
|
||||
```conf
|
||||
system {
|
||||
services {
|
||||
dns {
|
||||
@ -289,17 +289,17 @@ All delegation servers have DNSSEC support and all record are signed, for more i
|
||||
Following is a list of links to the DS record for TLD and reverse zone, to configure the key file, extract the value of ds-rdata and format it as follows, you must add all ds-rdata to the key file for dnssec to work. P.S. each ds-rdata or DS record should contain 4 numbers.
|
||||
|
||||
This is an example for dn42. and (fake) ds-rdata of 1 2 3 456
|
||||
```
|
||||
```conf
|
||||
dn42. 86400 IN DS 1 2 3 456
|
||||
```
|
||||
|
||||
This is an example for 172.20.0.0/16 and (fake) ds-rdata of 1 2 3 456
|
||||
```
|
||||
```conf
|
||||
20.172.in-addr.arpa. 86400 IN DS 1 2 3 456
|
||||
```
|
||||
|
||||
This is an example for fd00::/8 and (fake) ds-rdata of 1 2 3 456
|
||||
```
|
||||
```conf
|
||||
d.f.ip6.arpa. 86400 IN DS 1 2 3 456
|
||||
```
|
||||
|
||||
@ -323,7 +323,7 @@ d.f.ip6.arpa. 86400 IN DS 1 2 3 456
|
||||
|
||||
|
||||
## Unbound
|
||||
```
|
||||
```conf
|
||||
trust-anchor-file: <path to key file>
|
||||
|
||||
server:
|
||||
|
@ -8,7 +8,7 @@ You may use some servers listed in the [table of anycast servers](/services/dns/
|
||||
|
||||
Configuration for `unbound.conf`
|
||||
|
||||
```
|
||||
```conf
|
||||
server:
|
||||
local-zone: "22.172.in-addr.arpa." nodefault
|
||||
local-zone: "23.172.in-addr.arpa." nodefault
|
||||
@ -35,7 +35,7 @@ stub-zone:
|
||||
### Unbound with root-hints
|
||||
Alternatively you can put dn42 root servers in the root-hints file for recursive resolving.
|
||||
|
||||
```
|
||||
```conf
|
||||
# /etc/unbound/unbound.conf.d/dn42.conf
|
||||
server:
|
||||
# DNSSEC validation will fail
|
||||
@ -55,7 +55,7 @@ remote-control:
|
||||
```
|
||||
|
||||
The `/etc/unbound/dn42.hints` file:
|
||||
```
|
||||
```conf
|
||||
. NS a.root-servers.dn42.
|
||||
a.root-servers.dn42. 3600000 A 172.22.177.6
|
||||
. NS m.root-servers.dn42.
|
||||
|