Vyatta Internet Gateway Router Howto - VPN

Sonora Communications, Inc.

This document shows one way of configuring the Vyatta router as an Internet firewall/gateway and demonstrates the configuration of a simple site-to-site IPsec VPN using pre-shared keys with static IP addresses at both ends. Apparently, Vyatta VC 6.1 supports dynamic IP addresses only when RSA certificates are used.

These settings also work for connecting an IPsec VPN from a Vyatta router to a remote Snapgear VPN router (tested with an SG300). The settings shown match the defaults for a Snapgear IPsec VPN tunnel.

Reference

Vyatta Open Source Router

Vyatta Forums

Application

VPN Diagram

Installation

Connect the new Vyatta router to your existing (test/configuration/shop) network using the first network port on the router (eth0), usually the one on the left, closest to the keyboard/mouse connectors. If your Ethernet ports are arranged vertically, eth0 is probably the top one. We'll use the DHCP server already on our network to give the new Vyatta router temporary Internet access for its updates.

Download the latest Vyatta Live CD ISO image, burn it to a CD and boot it on the router hardware, possibly using a USB external CD-ROM drive.

Login as 'vyatta' with password 'vyatta'.

There are two methods of installation: disk-based and image-based.  I think image-based is probably the newer, better method, but until I'm comfortable with it I'll stick to the old way.

Install to the hard drive/CF card/USB key. You'll need a minimum 1GB storage device, but 2GB or more is recommended for production use.

install-system

Disconnect the USB CDROM, if you used one, during the first reboot.

Initial Router Configuration

Configure an Internet connection to use for upgrading/updating the Vyatta installation:

configure
set interfaces ethernet eth0 address 123.123.123.2/29
set system gateway-address 123.123.123.1
set system name-server 8.8.8.8
commit
save

Next, we perform the update/upgrade at the Vyatta router console:

sudo full-upgrade
sudo full-upgrade -k
reboot

This leaves the router in an updated but mostly unconfigured state. At this point you can simply enter configuration commands at the console, or you can configure SSH access to the router and use cut and paste.

Initial SSH Access

If you want to finish the configuration via SSH instead of standing at the router console, choose a network interface to connect to for configuration purposes. It is best to choose an interface that will be one of the internal LAN interfaces in your final configuration. We'll use 'eth1' here because that will work in most configurations where we use eth0 as the WAN port.

The configuration below assumes the use of eth1 and the IP address 192.168.1.1 on that port.

configure
set interfaces ethernet eth1 address 192.168.1.1/24
set service ssh
set service https
commit
save
exit

Connect Your Configuration PC

Now connect your workstation/notebook to eth1 on the Vyatta router, probably the second Ethernet port from the left (or top). Configure your workstation IP address to 192.168.1.22 (or any other valid 192.168.1.0/24 address) and SSH into the router to continue your configuration. Make sure you get a link light when both devices are turned on. You may need a crossover cable if you don't get a link light.

Here are sample Linux commands to configure your workstation/notebook PC and to connect to the router. If you use Microsoft Windows, use Network Properties. The first command simply adds a second IP address to your workstation's eth0 interface so as not to interrupt your existing connections. Adjust as necessary:

sudo ifconfig eth0:0 192.168.1.22
ssh -l vyatta 192.168.1.1

Program the Router

You can cut and paste from the following script once you have edited it for your application. I have found it's not always possible to paste the whole configuration in one go; you may have to paste a section at a time.

I have commented out a few lines (such as "#configure") that are optional or that might give you an error and ruin your configuration. Use your own judgment as to whether you need to run any of the commented lines.

You can always 'discard' any uncommitted changes and redo them. You can also just reboot the router to discard any committed but unsaved changes. Don't 'save' until you are sure the commands worked properly.

You must issue a 'commit' command to apply any changes, and you must issue a 'save' command for your committed changes to survive a reboot.

#### Vyatta 2-Port Internet Gateway + Site-to-Site VPN

### configure System options

#configure
set system host-name your-router-name
set system domain-name your.domain
# use tab key for time zone choices
set system time-zone America/Phoenix
# these are free OpenDNS servers
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system login user vyatta authentication plaintext-password your-vyatta-password
set system login user root authentication plaintext-password your-root-password
# optionally enable logging to the console
#set system syslog console

### configure Interface options

## Internet (WAN) interface uses static IP address with a small block assigned by ISP
# the next lines are commented out as they were previously configured
#set interfaces ethernet eth0 address 123.123.123.2/29
#set system gateway-address 123.123.123.1
set interfaces ethernet eth0 firewall in name FROM-EXTERNAL
set interfaces ethernet eth0 firewall local name TO-ROUTER
#show interfaces

## Internal LAN router interface
# the next line is commented out as it was previously configured
#set interfaces ethernet eth1 address 192.168.1.1/24
#show interfaces

### configure Services options

## enable web browser configuration via HTTPS (optional)
set service https

## enable SSH access on the non-standard port 222 (optional)
#set service ssh port 222

## configure DHCP server (optional)
# DHCP serving internal LAN on eth1 (optional)
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 start 192.168.1.65 stop 192.168.1.199
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 default-router 192.168.1.1
# the next line hands out the router itself as a DNS server; it assumes the caching DNS forwarder configured below, so remove it if you skip that
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 dns-server 208.67.222.222
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 dns-server 208.67.220.220
set service dhcp-server shared-network-name ETH1_POOL authoritative enable
#show service dhcp-server

## configure Caching DNS (Optional but speeds up client DNS queries)
set service dns forwarding listen-on eth1

## configure NAT (Optional but needed for private (RFC 1918) internal address ranges)
# here we configure NAT from all private (RFC 1918) internal address ranges
set service nat rule 10 source address 192.168.0.0/16
set service nat rule 10 outbound-interface eth0
set service nat rule 10 type masquerade
set service nat rule 20 source address 172.16.0.0/12
set service nat rule 20 outbound-interface eth0
set service nat rule 20 type masquerade
set service nat rule 30 source address 10.0.0.0/8
set service nat rule 30 outbound-interface eth0
set service nat rule 30 type masquerade
#show service nat

### configure IPSEC VPN

## Site-to-Site (net to net)
# Left Side. The right side mirrors this: same ike-group/esp-group settings and pre-shared secret,
# but peer and local-ip swapped, and tunnel local-subnet/remote-subnet swapped.
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group ike-vyatta proposal 1 encryption 3des
set vpn ipsec ike-group ike-vyatta proposal 1 hash sha1
set vpn ipsec ike-group ike-vyatta proposal 1 dh-group 2
set vpn ipsec ike-group ike-vyatta lifetime 3600
set vpn ipsec esp-group esp-vyatta proposal 1 encryption 3des
set vpn ipsec esp-group esp-vyatta proposal 1 hash sha1
set vpn ipsec esp-group esp-vyatta lifetime 3600
# 456.456.456.2 is a placeholder for the remote peer's public IP address (it is not a valid address); replace it
set vpn ipsec site-to-site peer 456.456.456.2
edit vpn ipsec site-to-site peer 456.456.456.2
set authentication mode pre-shared-secret
set authentication pre-shared-secret presharedsecret
set local-ip 123.123.123.2
set ike-group ike-vyatta
set tunnel 1 local-subnet 192.168.1.0/24
set tunnel 1 remote-subnet 192.168.2.0/24
set tunnel 1 esp-group esp-vyatta
top
#show vpn
# Add NAT exclusion for VPN traffic. Rule 5 is numbered below the masquerade rules (10, 20, 30)
# so it is evaluated first; otherwise traffic for the remote subnet would be masqueraded before
# it reaches the tunnel and never match the tunnel's local-subnet.
set service nat rule 5 destination address 192.168.2.0/24
set service nat rule 5 outbound-interface eth0
set service nat rule 5 type masquerade
set service nat rule 5 exclude

### configure Firewall options

## FROM-EXTERNAL
set firewall name FROM-EXTERNAL description "Block Unwanted Internet Traffic"
# rule 10
set firewall name FROM-EXTERNAL rule 10 description "Accept Established-Related Connections"
set firewall name FROM-EXTERNAL rule 10 action accept
set firewall name FROM-EXTERNAL rule 10 state established enable
set firewall name FROM-EXTERNAL rule 10 state related enable
set firewall name FROM-EXTERNAL rule 10 log disable

## TO-ROUTER
# note: this set does not explicitly accept IKE (udp 500/4500) or ESP from the VPN peer. That is
# fine while this router initiates the tunnel (replies match established/related); if the peer
# must initiate or rekey after a quiet period, add accept rules for those from the peer address.
set firewall name TO-ROUTER description "Traffic Destined for Router Itself"
# rule 10
set firewall name TO-ROUTER rule 10 description "Accept Established-Related Connections"
set firewall name TO-ROUTER rule 10 action accept
set firewall name TO-ROUTER rule 10 state established enable
set firewall name TO-ROUTER rule 10 state related enable
set firewall name TO-ROUTER rule 10 log disable
# rule 20
set firewall name TO-ROUTER rule 20 description "SSH Access"
set firewall name TO-ROUTER rule 20 action accept
set firewall name TO-ROUTER rule 20 protocol tcp
# adjust the source address for permitted SSH access to your needs
set firewall name TO-ROUTER rule 20 source address 209.193.64.248/29
# adjust the port you want to run SSH on here (ex. 222 instead of ssh)
set firewall name TO-ROUTER rule 20 destination port ssh
set firewall name TO-ROUTER rule 20 log disable
# rule 30
set firewall name TO-ROUTER rule 30 description "Accept ICMP Unreachable"
set firewall name TO-ROUTER rule 30 action accept
set firewall name TO-ROUTER rule 30 protocol icmp
set firewall name TO-ROUTER rule 30 icmp type 3
set firewall name TO-ROUTER rule 30 log disable
# rule 32
set firewall name TO-ROUTER rule 32 description "Accept ICMP Echo Request"
set firewall name TO-ROUTER rule 32 action accept
set firewall name TO-ROUTER rule 32 protocol icmp
set firewall name TO-ROUTER rule 32 icmp type 8
set firewall name TO-ROUTER rule 32 log disable
# rule 34
set firewall name TO-ROUTER rule 34 description "Accept ICMP Time-Exceeded"
set firewall name TO-ROUTER rule 34 action accept
set firewall name TO-ROUTER rule 34 protocol icmp
set firewall name TO-ROUTER rule 34 icmp type 11
set firewall name TO-ROUTER rule 34 log disable

#commit
#save

Port Forwarding (Destination NAT)

Please note that destination NAT happens before the firewall, so the FROM-EXTERNAL firewall rule must accept traffic for the translated (internal) destination address, not the external one.

You can use service names from /etc/services or you can use port numbers, or you can even mix names and numbers.

set service nat rule 2 description "Ports Forwarded to the Mail Server"
set service nat rule 2 destination address your.exter.nal.ip
set service nat rule 2 destination port smtp,ssmtp,http,https,pop3s,imaps
# destination NAT rules need the interface the traffic arrives on; eth0 is the WAN port in this setup
set service nat rule 2 inbound-interface eth0
set service nat rule 2 inside-address address mail.svr.internal.ip
set service nat rule 2 protocol tcp
set service nat rule 2 type destination

# the firewall sees the already-translated internal address, so match on that
set firewall name FROM-EXTERNAL rule 20 action accept
set firewall name FROM-EXTERNAL rule 20 description "Accept Authorized Services for Mail Server"
set firewall name FROM-EXTERNAL rule 20 destination address mail.svr.internal.ip
set firewall name FROM-EXTERNAL rule 20 destination port smtp,ssmtp,http,https,pop3s,imaps
set firewall name FROM-EXTERNAL rule 20 log disable
set firewall name FROM-EXTERNAL rule 20 protocol tcp
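As an added example (not from the page or from Vyatta), a small Python checker for two mistakes that this section and the VPN NAT exclusion above invite: a forwarded port with no matching FROM-EXTERNAL accept rule for the inside host, and a NAT 'exclude' rule numbered above the masquerade rule it is meant to pre-empt. It parses the page's own 'set' syntax; the sample script and its addresses are constructed.

```python
import shlex
from collections import defaultdict

NAT, FW = ("service", "nat"), ("firewall", "name", "FROM-EXTERNAL")

def parse_rules(script):
    """Group the 'set ... rule N key value' lines of a Vyatta script as {prefix: {N: {key: value}}}."""
    rules = defaultdict(lambda: defaultdict(dict))
    for line in script.splitlines():
        w = shlex.split(line) if line.strip().startswith("set ") else []
        if "rule" in w:
            i = w.index("rule")
            # a valueless leaf such as 'rule 5 exclude' has no key words: use the word itself as the key
            rules[tuple(w[1:i])][int(w[i + 1])][" ".join(w[i + 2:-1]) or w[-1]] = w[-1]
    return rules

def unreachable_forwards(rules):
    """DNAT rules forwarding ports that FROM-EXTERNAL never accepts for the inside host (NAT runs first)."""
    ports = lambda r: set(r.get("destination port", "").split(",")) - {""}
    accepted = defaultdict(set)  # (inside address, protocol) -> ports the firewall accepts
    for r in rules[FW].values():
        if r.get("action") == "accept":
            accepted[(r.get("destination address"), r.get("protocol"))] |= ports(r)
    missing = lambda r: sorted(ports(r) - accepted[(r.get("inside-address address"), r.get("protocol"))])
    return [(n, missing(r)) for n, r in sorted(rules[NAT].items()) if r.get("type") == "destination" and missing(r)]

def misordered_excludes(rules):
    """NAT exclude rules numbered above a masquerade rule on the same interface, which then wins."""
    nat = sorted(rules[NAT].items())
    earlier = lambda n, r: [m for m, s in nat if m < n and "exclude" not in s and s.get("type") == "masquerade"
                            and s.get("outbound-interface") == r.get("outbound-interface")]
    return [(n, earlier(n, r)) for n, r in nat if "exclude" in r and earlier(n, r)]

# constructed sample in the page's own syntax: VPN exclusion (rule 5), masquerade (rule 10), a
# mail-server forward (rule 2) and a firewall rule that forgets one of the forwarded ports
SAMPLE = """
set service nat rule 5 outbound-interface eth0
set service nat rule 5 type masquerade
set service nat rule 5 exclude
set service nat rule 10 outbound-interface eth0
set service nat rule 10 type masquerade
set service nat rule 2 destination port smtp,https,imaps
set service nat rule 2 inside-address address 192.168.1.10
set service nat rule 2 protocol tcp
set service nat rule 2 type destination
set firewall name FROM-EXTERNAL rule 20 action accept
set firewall name FROM-EXTERNAL rule 20 destination address 192.168.1.10
set firewall name FROM-EXTERNAL rule 20 destination port smtp,https
set firewall name FROM-EXTERNAL rule 20 protocol tcp
"""
```

Running `unreachable_forwards(parse_rules(SAMPLE))` reports rule 2 with imaps missing from the firewall, and renumbering the exclude rule above 10 makes `misordered_excludes` flag it.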

Caching DNS

Using a caching DNS server on the Vyatta router will improve the performance of just one aspect of Internet access: DNS lookups. It can result in a snappier browsing experience.

Do not bother with this if you already have a DNS server on your internal network(s), for example a domain-based Windows network.

You may edit the /etc/dnsmasq.conf file and specify which interface to listen on. Since the firewall in the example above blocks outside access, I'll skip this.

You may also want to increase the cache size from the default of 150. It may improve the performance at the cost of some memory.

cache-size=2000

The integrated dnsmasq DHCP server is disabled by default, which is what we want, since we already use the Vyatta DHCP server function.

Beep When Fully Booted

wget http://http.us.debian.org/debian/pool/main/b/beep/beep_1.2.2-24_i386.deb
sudo dpkg -i beep_1.2.2-24_i386.deb
rm beep_1.2.2-24_i386.deb
echo "beep -l 200 -f 750 -n -l 200 -f 1000" | sudo tee -a /etc/init.d/rc.local
Last Updated on Tuesday, 01 February 2011 13:07