# EdgeOS GRE/IPsec config example

This is an example configuration derived from the config used on a peering router in AS64746. It was created using EdgeOS version 1.5.0alpha1 on an EdgeRouter Lite.

## Features

* Zone-based firewall
* BGP prefix filtering and route summarization
* GRE/IPsec tunnel in transport mode with "plainrsa" public key authentication
* TCP MSS clamping to avoid fragmentation

## Setup

This configuration assumes that both peers have static public IPs.

You'll need to generate a public/private keypair for your router if you intend to use "plainrsa" authentication for your IPsec connections. The local public key listed in the output of `show vpn ike rsa-keys` is what you'll send to your peer (the private half of the keypair stays on the router and is never exchanged).

    ryan@edge1:~$ generate vpn rsa-key bits 4096
    ryan@edge1:~$ show vpn ike rsa-keys
    Local public key (/config/ipsec.d/rsa-keys/localhost.key):
    0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw==

If your peer sends you a key in PEM format (starts with `-----BEGIN PUBLIC KEY-----`), you'll need to convert it to the format used by EdgeOS (begins with `0s`) before you can insert it into the configuration. See [this forum post](http://community.ubnt.com/t5/EdgeMAX/ERL-lt-gt-Mikrotik-IPsec-Connections/m-p/534682#M13015) for a script that converts between the two key formats.
## Configuration

    /* Rulesets defined here are attached to zone pairs under zone-policy below.
       Every zone there has default-action reject, so only traffic matched by an
       accept rule in one of these rulesets is forwarded or delivered. */
    firewall {
        all-ping enable
        broadcast-ping disable
        ipv6-receive-redirects disable
        ipv6-src-route disable
        ip-src-route disable
        log-martians enable
        /* Traffic from the DN42 tunnel to the router itself: replies, ICMP and
           new BGP sessions (TCP/179 with a bare SYN) only. */
        name DN42-to-Local {
            default-action reject
            rule 10 {
                action accept
                description Established/Related
                state {
                    established enable
                    related enable
                }
            }
            rule 20 {
                action accept
                description ICMP
                protocol icmp
            }
            rule 30 {
                action accept
                description BGP
                destination {
                    port bgp
                }
                protocol tcp
                state {
                    new enable
                }
                tcp {
                    flags SYN,!ACK,!FIN,!RST
                }
            }
        }
        /* DN42 may not initiate anything into the LAN; only replies and ICMP pass. */
        name DN42-to-LAN {
            default-action reject
            rule 10 {
                action accept
                description Established/Related
                state {
                    established enable
                    related enable
                }
            }
            rule 20 {
                action accept
                description ICMP
                protocol icmp
            }
        }
        /* Internet-facing control plane. Unmatched traffic is dropped silently. */
        name WAN-to-Local {
            default-action drop
            rule 10 {
                action accept
                description Established/Related
                state {
                    established enable
                    related enable
                }
            }
            rule 20 {
                action accept
                description ICMP
                protocol icmp
            }
            /* NOTE(review): SSH is accepted from any WAN source. Password logins are
               disabled under service ssh below, so only the configured public key
               works, but a source restriction here would still reduce exposure. */
            rule 30 {
                action accept
                description "SSH Management"
                destination {
                    port 22
                }
                protocol tcp
                state {
                    new enable
                }
                tcp {
                    flags SYN,!ACK,!FIN,!RST
                }
            }
            /* IKE on 500 and 4500 (NAT-T) plus ESP for the tunnel under vpn ipsec. */
            rule 40 {
                action accept
                description IKE
                destination {
                    port 500,4500
                }
                protocol udp
            }
            rule 50 {
                action accept
                description IPSEC/ESP
                protocol esp
            }
            /* match-ipsec only accepts GRE that was decapsulated from IPsec;
               cleartext GRE from the WAN falls through to the default drop. */
            rule 60 {
                action accept
                description "GRE over IPsec"
                ipsec {
                    match-ipsec
                }
                protocol gre
            }
        }
        /* Used for WAN -> LAN: return traffic only. */
        name established-only {
            default-action drop
            rule 10 {
                action accept
                description Established/Related
                state {
                    established enable
                    related enable
                }
            }
        }
        /* Permit-all ruleset for the trusted directions (LAN/Local outbound). */
        name allow-all-v4 {
            default-action accept
        }
        /* Clamp TCP MSS on tunnel interfaces to stay below the tun0 mtu of 1400
           set under interfaces, avoiding fragmentation inside GRE/IPsec. */
        options {
            mss-clamp {
                interface-type tun
                mss 1300
            }
        }
        receive-redirects disable
        send-redirects enable
        /* NOTE(review): reverse-path source validation is off; with the static
           routing used here it could presumably be enabled - confirm per deployment. */
        source-validation disable
        syn-cookies enable
    }
    interfaces {
        /* WAN uplink; also the local IPsec/GRE endpoint (192.0.2.2). */
        ethernet eth0 {
            address 192.0.2.2/30
            description WAN
            duplex auto
            speed auto
        }
        ethernet eth1 {
            address 172.23.248.33/27
            description LAN
            duplex auto
            speed auto
        }
        ethernet eth2 {
            disable
            duplex auto
            speed auto
        }
        /* Loopback doubles as the BGP router-id below. */
        loopback lo {
            address 172.23.248.2/32
        }
        /* GRE between the two public addresses. The GRE packets themselves are
           protected by the transport-mode SA (protocol gre) under vpn ipsec. */
        tunnel tun0 {
            address 172.23.248.10/31
            description "CREST-DN42 AS64828"
            encapsulation gre
            local-ip 192.0.2.2
            mtu 1400
            multicast disable
            remote-ip 192.0.2.243
            ttl 255
        }
    }
    policy {
        /* Our own /24 and any more-specifics; selects which connected routes are
           redistributed into BGP (see redistribute connected below). */
        prefix-list AS64746-IPv4 {
            rule 1 {
                action permit
                le 32
                prefix 172.23.248.0/24
            }
        }
        /* Import/export filter for the DN42 peer: only these ranges within the
           stated length bounds are accepted or announced. */
        prefix-list DN42-IPv4 {
            rule 1 {
                action permit
                description "DN42 native"
                ge 23
                le 28
                prefix 172.22.0.0/15
            }
            rule 2 {
                action permit
                description "DN42 anycast"
                ge 32
                prefix 172.22.0.0/24
            }
            rule 3 {
                action permit
                description Freifunk
                ge 16
                prefix 10.0.0.0/8
            }
            rule 4 {
                action permit
                description ChaosVPN
                ge 23
                prefix 172.31.0.0/16
            }
        }
        route-map AS64746 {
            rule 1 {
                action permit
                match {
                    ip {
                        address {
                            prefix-list AS64746-IPv4
                        }
                    }
                }
            }
        }
        route-map DN42 {
            rule 1 {
                action permit
                match {
                    ip {
                        address {
                            prefix-list DN42-IPv4
                        }
                    }
                }
            }
        }
    }
    protocols {
        bgp 64746 {
            /* Announce the /24 as one aggregate; summary-only suppresses the
               more-specific connected routes pulled in via redistribute. */
            aggregate-address 172.23.248.0/24 {
                summary-only
            }
            /* Peer is the other end of tun0 (172.23.248.10/31). */
            neighbor 172.23.248.11 {
                description CREST-DN42
                peer-group DN42
                remote-as 64828
                update-source 172.23.248.10
            }
            network 172.23.248.0/24 {
            }
            parameters {
                router-id 172.23.248.2
            }
            /* NOTE(review): the DN42 route-map filters prefixes, but no
               maximum-prefix limit is configured for the neighbor; consider adding
               one so a misbehaving peer cannot flood the routing table. */
            peer-group DN42 {
                route-map {
                    export DN42
                    import DN42
                }
                soft-reconfiguration {
                    inbound
                }
            }
            redistribute {
                connected {
                    route-map AS64746
                }
            }
        }
        static {
            route 0.0.0.0/0 {
                next-hop 192.0.2.1 {
                }
            }
            /* Discard route for the aggregate; appears to keep 172.23.248.0/24 in the
               table for the network statement and drops packets to unused space. */
            route 172.23.248.0/24 {
                blackhole {
                    distance 255
                }
            }
        }
    }
    service {
        /* LAN traffic leaving via eth0 is masqueraded behind the WAN address. */
        nat {
            rule 6000 {
                outbound-interface eth0
                type masquerade
            }
        }
        /* Key-only SSH; the user's public key is under system login below. */
        ssh {
            disable-password-authentication
            port 22
            protocol-version v2
        }
        ubnt-discover {
            disable
        }
    }
    system {
        config-management {
            commit-revisions 10
        }
        domain-name ryan.dn42
        host-name edge1
        login {
            banner {
                pre-login ""
            }
            user ryan {
                authentication {
                    /* Password hash value redacted in this example. */
                    encrypted-password :)
                    /* Key material removed from this example. */
                    public-keys ryan {
                        key 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
                        type ssh-rsa
                    }
                }
                level admin
            }
        }
        name-server 4.2.2.2
        name-server 8.8.8.8
        ntp {
            server 0.ubnt.pool.ntp.org {
            }
            server 1.ubnt.pool.ntp.org {
            }
            server 2.ubnt.pool.ntp.org {
            }
            server 3.ubnt.pool.ntp.org {
            }
        }
        offload {
            ipsec enable
            ipv4 {
                forwarding enable
            }
            ipv6 {
                forwarding enable
            }
        }
        options {
            reboot-on-panic true
        }
        /* NOTE(review): plain-http Debian squeeze repositories with empty
           credentials; package integrity rests on apt's signature checks, and these
           squeeze archives are presumably no longer updated - confirm before use. */
        package {
            repository squeeze {
                components "main contrib non-free"
                distribution squeeze
                password ""
                url http://http.us.debian.org/debian
                username ""
            }
            repository squeeze-security {
                components main
                distribution squeeze/updates
                password ""
                url http://security.debian.org
                username ""
            }
            repository squeeze-updates {
                components "main contrib non-free"
                distribution squeeze-updates
                password ""
                url http://http.us.debian.org/debian
                username ""
            }
        }
        syslog {
            global {
                facility all {
                    level notice
                }
                facility protocols {
                    level debug
                }
            }
        }
    }
    vpn {
        ipsec {
            auto-firewall-nat-exclude disable
            /* Transport-mode ESP that wraps the GRE tunnel (no second IP header).
               NOTE(review): dh-group5 (1536-bit MODP) is below current guidance;
               prefer a larger group such as 14 where the peer supports it. */
            esp-group ESP-AES128-SHA1-DH5-TRANSPORT {
                compression disable
                lifetime 3600
                mode transport
                pfs dh-group5
                proposal 1 {
                    encryption aes128
                    hash sha1
                }
            }
            ike-group IKE-AES128-SHA1-DH5 {
                lifetime 28800
                proposal 1 {
                    dh-group 5
                    encryption aes128
                    hash sha1
                }
            }
            ipsec-interfaces {
                interface eth0
            }
            site-to-site {
                /* Peer address matches tun0 remote-ip; this side initiates. */
                peer 192.0.2.243 {
                    /* "plainrsa" authentication: the peer's public key is stored under
                       vpn rsa-keys with the name given here. */
                    authentication {
                        mode rsa
                        rsa-key-name crest-dn42
                    }
                    connection-type initiate
                    default-esp-group ESP-AES128-SHA1-DH5-TRANSPORT
                    ike-group IKE-AES128-SHA1-DH5
                    local-ip 192.0.2.2
                    /* Only GRE between the two endpoints is covered by the SA. */
                    tunnel 0 {
                        allow-nat-networks disable
                        allow-public-networks disable
                        esp-group ESP-AES128-SHA1-DH5-TRANSPORT
                        protocol gre
                    }
                }
            }
        }
        /* Peer's public key in the EdgeOS "0s" format (see Setup above for
           converting from PEM). Value removed from this example. */
        rsa-keys {
            rsa-key-name crest-dn42 {
                rsa-key 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
            }
        }
    }
    /* Zones: WAN (eth0), LAN (eth1), DN42 (tun0) and Local (the router). A zone
       pair without a "from" clause hits the zone default-action reject, so WAN
       cannot reach tun0 and DN42 traffic cannot transit to the Internet. */
    zone-policy {
        zone DN42 {
            default-action reject
            description DN42
            from Local {
                firewall {
                    name allow-all-v4
                }
            }
            from LAN {
                firewall {
                    name allow-all-v4
                }
            }
            interface tun0
        }
        zone LAN {
            default-action reject
            from DN42 {
                firewall {
                    name DN42-to-LAN
                }
            }
            from Local {
                firewall {
                    name allow-all-v4
                }
            }
            from WAN {
                firewall {
                    name established-only
                }
            }
            interface eth1
        }
        zone Local {
            default-action reject
            from DN42 {
                firewall {
                    name DN42-to-Local
                }
            }
            from LAN {
                firewall {
                    name allow-all-v4
                }
            }
            from WAN {
                firewall {
                    name WAN-to-Local
                }
            }
            local-zone
        }
        zone WAN {
            default-action reject
            from LAN {
                firewall {
                    name allow-all-v4
                }
            }
            from Local {
                firewall {
                    name allow-all-v4
                }
            }
            interface eth0
        }
    }