In this article, the proposed solution is to interconnect the private cloud platform with our core network. Several options exist:

  • Dedicated link: a direct connection over dedicated infrastructure
  • MPLS connection: a dedicated link over an operator's shared infrastructure
  • VPN over the internet: a link over a public medium

We use a VPN over the internet because the first two require a significant investment and lead times that are incompatible with cloud requirements.

The choice of VPN protocols and software is vast. We will use the IPsec protocol to encrypt the connection, and GRE encapsulation so that more than IP frames can be carried. GRE will later be used to carry dynamic routing protocols; that will be the subject of another article.

In this article, we will use authentication with public/private certificates. This makes the setup easier to port (no configuration tied to a particular IP address), gives a higher level of security (no shared secret to exchange) and supports unusual setups (NAT).

So if you already have a certification authority, or certificates signed by a valid third party, you can skip the step of creating a certification authority.

Creating our certification authority

jph@ezydata:~/jphCA$ mkdir jphCA
jph@ezydata:~/jphCA$ cd jphCA
jph@ezydata:~/jphCA$ grep "^[^#*/;]" openssl.cnf
HOME			= .
oid_section		= new_oids
openssl_conf = default_conf
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca	= CA_default		# The default ca section
[ CA_default ]
dir		= ./jphCA		# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
					# several certs with same subject.
new_certs_dir	= $dir/newcerts		# default place for new certs.
certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
					# must be commented out to leave a V1 CRL
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/private/cakey.pem# The private key
x509_extensions	= usr_cert		# The extensions to add to the cert
name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options
default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= default		# use public key default MD
preserve	= no			# keep passed DN ordering
policy		= policy_match
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional
[ req ]
default_bits		= 2048
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions	= v3_ca	# The extensions to add to the self signed cert
string_mask = utf8only
[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= FR
countryName_min			= 2
countryName_max			= 2
stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= ILE DE FRANCE
localityName			= Locality Name (eg, city)
localityName_default            = Paris
0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= EzyData
organizationalUnitName		= Organizational Unit Name (eg, section)
organizationalUnitName_default	= Service
commonName			= Common Name (e.g. server FQDN or YOUR name)
commonName_max			= 64
emailAddress			= Email Address
emailAddress_max		= 64
[ req_attributes ]
challengePassword		= A challenge password
challengePassword_min		= 4
challengePassword_max		= 20
unstructuredName		= An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment			= "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment			= "Certificat générer par EzyData"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
[ tsa ]
default_tsa = tsa_config1	# the default TSA section
[ tsa_config1 ]
dir		= ./jphCA		# TSA root directory
serial		= $dir/tsaserial	# The current serial number (mandatory)
crypto_device	= builtin		# OpenSSL engine to use for signing
signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
					# (optional)
certs		= $dir/cacert.pem	# Certificate chain to include in reply
					# (optional)
signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest  = sha256			# Signing digest to use. (Optional)
default_policy	= tsa_policy1		# Policy if request did not specify it
					# (optional)
other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
clock_precision_digits  = 0	# number of digits after dot. (optional)
ordering		= yes	# Is ordering defined for timestamps?
				# (optional, default: no)
tsa_name		= yes	# Must the TSA name be included in the reply?
				# (optional, default: no)
ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
				# (optional, default: no)
ess_cert_id_alg		= sha1	# algorithm to compute certificate
				# identifier (optional, default: sha1)
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

I strongly advise you to customise this configuration file, in particular the "dir" directive, which is the root of your CA.
From there, this configuration file must be exported, otherwise the openssl tool will use the one installed on the system (/etc/ssl/openssl.cnf).
To do so, the OPENSSL_CONFIG environment variable will hold the path to our specific configuration file (passed as the -config option, as in the command below).
So let us start by initialising the structure of our new CA with the CA.pl script found in the /usr/lib/ssl/misc directory.

jph@ezydata:~/jphCA$ OPENSSL_CONFIG="-config ./openssl.cnf" ./CA.pl -newca -extra-req "-newkey rsa:4096"
CA certificate filename (or enter to create)

Making CA certificate ...
====
openssl req -config ./openssl.cnf -new -keyout ./jphCA/private/cakey.pem -out ./jphCA/careq.pem -newkey rsa:4096
Generating a RSA private key
.........................................................++++
...........................................................++++
writing new private key to './jphCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [ILE DE FRANCE]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [EzyData]:
Organizational Unit Name (eg, section) [Service]:
Common Name (e.g. server FQDN or YOUR name) []:EzydataCA
Email Address []:jean-pierre.hoang@ezydata.fr

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
==> 0
====
====
openssl ca -config ./openssl.cnf -create_serial -out ./jphCA/cacert.pem -days 1095 -batch -keyfile ./jphCA/private/cakey.pem -selfsign -extensions v3_ca  -infiles ./jphCA/careq.pem
Using configuration from ./openssl.cnf
Enter pass phrase for ./jphCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            4f:1b:7d:c8:db:95:d7:dc:54:d2:c9:d4:f9:d5:26:b5:dc:73:01:ee
        Validity
            Not Before: Mar  2 18:32:26 2021 GMT
            Not After : Mar  1 18:32:26 2024 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = ILE DE FRANCE
            organizationName          = EzyData
            organizationalUnitName    = Service
            commonName                = EzydataCA
            emailAddress              = jean-pierre.hoang@ezydata.fr
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                41:B0:D8:13:D1:61:A8:5C:E9:18:43:F0:87:55:4B:7F:78:8B:CD:26
            X509v3 Authority Key Identifier:
                keyid:41:B0:D8:13:D1:61:A8:5C:E9:18:43:F0:87:55:4B:7F:78:8B:CD:26

            X509v3 Basic Constraints: critical
                CA:TRUE
Certificate is to be certified until Mar  1 18:32:26 2024 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
==> 0
====
CA certificate is in ./jphCA/cacert.pem

With the certification authority ready, the next step is to create two public/private certificate pairs for the two endpoints of the site-to-site VPN.

Creating the certificates for the VPN

The -newreq command creates the private key and a certificate signing request. The private key and the request are named newkey.pem and newreq.pem and are written to the current directory. Be careful: you must rename these files before requesting a new pair, otherwise you will lose them.

jph@ezydata:~/jphCA$ OPENSSL_CONFIG="-config ./openssl.cnf" ./CA.pl -newreq
Use of uninitialized value $1 in concatenation (.) or string at ./CA.pl line 133.
====
openssl req -config ./openssl.cnf -new  -keyout newkey.pem -out newreq.pem -days 365
Ignoring -days; not generating a certificate
Generating a RSA private key
..................................................+++++
............+++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [ILE DE FRANCE]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [EzyData]:
Organizational Unit Name (eg, section) [Service]:
Common Name (e.g. server FQDN or YOUR name) []:vpncentral
Email Address []:jean-pierre.hoang@ezydata.fr

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
==> 0
====
Request is in newreq.pem, private key is in newkey.pem

Now that the private key is created, the request newreq.pem is signed by our in-house certification authority with the following command:

jph@ezydata:~/jphCA$ OPENSSL_CONFIG="-config ./openssl.cnf" ./CA.pl -sign
====
openssl ca -config ./openssl.cnf -policy policy_anything -out newcert.pem  -infiles newreq.pem
Using configuration from ./openssl.cnf
Enter pass phrase for ./jphCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            4f:1b:7d:c8:db:95:d7:dc:54:d2:c9:d4:f9:d5:26:b5:dc:73:01:ef
        Validity
            Not Before: Mar  2 18:39:24 2021 GMT
            Not After : Mar  2 18:39:24 2022 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = ILE DE FRANCE
            localityName              = Paris
            organizationName          = EzyData
            organizationalUnitName    = Service
            commonName                = vpncentral
            emailAddress              = jean-pierre.hoang@ezydata.fr
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                19:DA:04:C3:95:28:56:7F:ED:28:19:6A:CF:DD:9C:B9:71:2D:FA:4A
            X509v3 Authority Key Identifier:
                keyid:41:B0:D8:13:D1:61:A8:5C:E9:18:43:F0:87:55:4B:7F:78:8B:CD:26

Certificate is to be certified until Mar  2 18:39:24 2022 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
==> 0
====
Signed certificate is in newcert.pem
jph@ezydata:~/jphCA$ ls
jphCA  newcert.pem  newkey.pem  newreq.pem  openssl.cnf

Let us rename these files and move them.

jph@ezydata:~/jphCA$ mv newkey.pem jphCA/private/vpncentral_key.pem
jph@ezydata:~/jphCA$ mv newcert.pem jphCA/certs/vpncentral_pub.pem

Let us delete the certificate request, which is no longer needed.

jph@ezydata:~/jphCA$ rm newreq.pem

With the cleanup done, the second public/private key pair can be created.

jph@ezydata:~/jphCA$ OPENSSL_CONFIG="-config ./openssl.cnf" ./CA.pl -newreq
Use of uninitialized value $1 in concatenation (.) or string at ./CA.pl line 133.
====
openssl req -config ./openssl.cnf -new  -keyout newkey.pem -out newreq.pem -days 365
Ignoring -days; not generating a certificate
Generating a RSA private key
....+++++
.......................+++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [ILE DE FRANCE]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [EzyData]:
Organizational Unit Name (eg, section) [Service]:
Common Name (e.g. server FQDN or YOUR name) []:vpncloud
Email Address []:jean-pierre.hoang@ezydata.fr

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
==> 0
====
Request is in newreq.pem, private key is in newkey.pem
jph@ezydata:~/jphCA$ OPENSSL_CONFIG="-config ./openssl.cnf" ./CA.pl -sign
====
openssl ca -config ./openssl.cnf -policy policy_anything -out newcert.pem  -infiles newreq.pem
Using configuration from ./openssl.cnf
Enter pass phrase for ./jphCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            4f:1b:7d:c8:db:95:d7:dc:54:d2:c9:d4:f9:d5:26:b5:dc:73:01:f0
        Validity
            Not Before: Mar  2 18:49:05 2021 GMT
            Not After : Mar  2 18:49:05 2022 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = ILE DE FRANCE
            localityName              = Paris
            organizationName          = EzyData
            organizationalUnitName    = Service
            commonName                = vpncloud
            emailAddress              = jean-pierre.hoang@ezydata.fr
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                51:F1:4D:59:23:D9:C4:47:EE:97:F9:78:AD:B9:72:36:65:83:68:42
            X509v3 Authority Key Identifier:
                keyid:41:B0:D8:13:D1:61:A8:5C:E9:18:43:F0:87:55:4B:7F:78:8B:CD:26

Certificate is to be certified until Mar  2 18:49:05 2022 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
==> 0
====
Signed certificate is in newcert.pem
jph@ezydata:~/jphCA$ mv newkey.pem jphCA/private/vpncloud_key.pem
jph@ezydata:~/jphCA$ mv newcert.pem jphCA/certs/vpncloud_pub.pem
jph@ezydata:~/jphCA$ rm -rf newreq.pem

For the rest of the IPsec configuration, the important element of the certificate is the subject. It is in effect the Distinguished Name of the certificate. It is made up of elements such as the country, the city and the common name. This element is what distinguishes one public certificate from another.

To retrieve it, the following openssl command will do the job.

jph@ezydata:~/jphCA$ openssl x509 -subject -in jphCA/certs/vpncloud_pub.pem -text -noout -nocert | head -1 | cut -d '=' -f2-
C = FR, ST = ILE DE FRANCE, L = Paris, O = EzyData, OU = Service, CN = vpncloud, emailAddress = jean-pierre.hoang@ezydata.fr
jph@ezydata:~/jphCA$ openssl x509 -subject -in jphCA/certs/vpncentral_pub.pem -text -noout -nocert | head -1 | cut -d '=' -f2-
C = FR, ST = ILE DE FRANCE, L = Paris, O = EzyData, OU = Service, CN = vpncentral, emailAddress = jean-pierre.hoang@ezydata.fr
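As an added example (not the article's own commands), here is the same PKI built non-interactively with plain openssl so it can be scripted and repeated: the CA, the two VPN endpoint certificates, a chain check, and the subject line in the form VyOS expects for remote-id. It assumes openssl 1.1.1 or later on PATH; the DN values are the article's, while the file layout, pass phrases and helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the article's CA.pl session: build the CA and the two
# VPN end-point certificates without prompts. Assumed: openssl >= 1.1.1 on
# PATH; file layout, pass phrases (placeholders) and helper names are ours.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-placeholder-ca-passphrase}"   # placeholder: change it
BASE_DN="/C=FR/ST=ILE DE FRANCE/L=Paris/O=EzyData/OU=Service"
# The article's CA subject has no L= (policy_match drops it); keep it that way.
CA_SUBJ="/C=FR/ST=ILE DE FRANCE/O=EzyData/OU=Service/CN=EzydataCA/emailAddress=jean-pierre.hoang@ezydata.fr"

# Minimal openssl.cnf for this script (the article's full file is shown above).
write_cnf() {
    cat > "$PKI_DIR/mini.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
commonName = overridden by -subj
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_vpn ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Self-signed CA: 4096-bit key protected by a pass phrase, 3 years, like the article.
make_ca() {
    mkdir -p "$PKI_DIR/private" "$PKI_DIR/certs"
    chmod 700 "$PKI_DIR/private"
    openssl req -x509 -new -config "$PKI_DIR/mini.cnf" -extensions v3_ca \
        -newkey rsa:4096 -sha256 -days 1095 -subj "$CA_SUBJ" \
        -passout "pass:$CA_PASS" \
        -keyout "$PKI_DIR/private/cakey.pem" -out "$PKI_DIR/cacert.pem"
}

# issue_vpn_cert NAME KEYPASS: CSR + signed end-entity cert (1 year), CSR removed.
issue_vpn_cert() {
    name=$1; keypass=$2
    openssl req -new -config "$PKI_DIR/mini.cnf" -newkey rsa:2048 -sha256 \
        -subj "$BASE_DN/CN=$name/emailAddress=jean-pierre.hoang@ezydata.fr" \
        -passout "pass:$keypass" \
        -keyout "$PKI_DIR/private/${name}_key.pem" -out "$PKI_DIR/${name}_req.pem"
    openssl x509 -req -in "$PKI_DIR/${name}_req.pem" -sha256 -days 365 \
        -CA "$PKI_DIR/cacert.pem" -CAkey "$PKI_DIR/private/cakey.pem" \
        -passin "pass:$CA_PASS" -CAcreateserial \
        -extfile "$PKI_DIR/mini.cnf" -extensions v3_vpn \
        -out "$PKI_DIR/certs/${name}_pub.pem"
    rm -f "$PKI_DIR/${name}_req.pem"   # the request is no longer needed
}

# Chain check against our CA (exit status 0 when the certificate verifies).
verify_cert() {
    openssl verify -CAfile "$PKI_DIR/cacert.pem" "$1"
}

# Subject DN in the "C = FR, ST = ..." form VyOS takes for "authentication remote-id".
cert_subject() {
    openssl x509 -noout -subject -nameopt oneline -in "$1" | sed 's/^subject= *//'
}

write_cnf
make_ca
issue_vpn_cert vpncentral "placeholder-vpncentral-key-passphrase"
issue_vpn_cert vpncloud   "placeholder-vpncloud-key-passphrase"
for n in vpncentral vpncloud; do
    verify_cert "$PKI_DIR/certs/${n}_pub.pem"
    echo "$n remote-id: $(cert_subject "$PKI_DIR/certs/${n}_pub.pem")"
done
```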

VPN configuration

The purpose of this article is not to describe or detail the IPsec AH/ESP protocol, nor to study its complexity. Its purpose is to describe a working configuration between two systems, and above all with public cloud providers.

To do so, it is necessary to proceed step by step and validate as we go. This approach lets us progress and validate point by point so as to eliminate cascading errors.
The first step is to make sure that the firewalls are open for the ESP protocol.
This configuration must be applied on both routers.

set firewall name internet-routeur rule 100 action 'accept'
set firewall name internet-routeur rule 100 protocol 'esp'
set firewall name internet-routeur rule 101 action 'accept'
set firewall name internet-routeur rule 101 protocol 'udp'
set firewall name internet-routeur rule 101 source address '@ipterminaisondistant'
set firewall name internet-routeur rule 101 destination port 500

The @ipterminaisondistant directive may be omitted. But for obvious security reasons, if we know the IP address of the other end of the tunnel in advance, the rule must be restricted to it. Replace @ipterminaisondistant with the IP address of the remote device.

The check can be done with pentesting tools such as nmap.

vyos@vpncentral:~# nmap -sU -p 500 @ipterminaisondistant
Starting Nmap 7.70 ( https://nmap.org ) at 2021-03-02 19:46 UTC
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for @ipterminaisondistant
Host is up (0.00061s latency).

PORT    STATE         SERVICE
500/udp open|filtered isakmp
MAC Address: 52:54:00:59:D3:40 (QEMU virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds

IPSEC / ESP

With UDP port 500, needed to establish the tunnel's encryption keys, now open, the next part of the configuration is to define the supported encryption algorithms. Of course, the major problem with IPsec configuration is a mismatch between the encryption algorithms declared on each side.
Since the processor used is an Intel, the recommendation is to use the AES-GCM algorithm. (The proposals below declare aes128 with sha1; the show output further down confirms that AES_CBC_128/HMAC_SHA1_96 is what gets negotiated.)

set vpn ipsec esp-group esp_phase2 compression 'disable'
set vpn ipsec esp-group esp_phase2 lifetime '3600'
set vpn ipsec esp-group esp_phase2 mode 'tunnel'
set vpn ipsec esp-group esp_phase2 pfs 'enable'
set vpn ipsec esp-group esp_phase2 proposal 1 encryption 'aes128'
set vpn ipsec esp-group esp_phase2 proposal 1 hash 'sha1'
set vpn ipsec ike-group ike_phase1 close-action 'none'
set vpn ipsec ike-group ike_phase1 ikev2-reauth 'no'
set vpn ipsec ike-group ike_phase1 key-exchange 'ikev2'
set vpn ipsec ike-group ike_phase1 lifetime '28800'
set vpn ipsec ike-group ike_phase1 proposal 1 dh-group '2'
set vpn ipsec ike-group ike_phase1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group ike_phase1 proposal 1 hash 'sha1'

The most complex part to grasp is what follows. Instead of declaring the IPsec tunnel in terms of real IP addresses, we declare it in terms of an identifier based on the certificates. The advantage is more security (a certificate is hard to forge, cf. IP spoofing). In short, the Linux kernel needs to know which traffic to encrypt, regardless of whether it runs between two real addresses or between loopback addresses.

set interfaces loopback lo address '192.168.99.1/32'

This loopback address will serve as the IPsec entry point.

set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer @cloudpf authentication mode 'x509'
set vpn ipsec site-to-site peer @cloudpf authentication remote-id 'C = FR, ST = ILE DE FRANCE, L = Paris, O = EzyData, OU = Service, CN = vpncloud, emailAddress = jean-pierre.hoang@ezydata.fr'
set vpn ipsec site-to-site peer @cloudpf authentication use-x509-id
set vpn ipsec site-to-site peer @cloudpf authentication x509 ca-cert-file '/config/auth/ipsec/cacert.pem'
set vpn ipsec site-to-site peer @cloudpf authentication x509 cert-file '/config/auth/ipsec/vpncentral_pub.pem'
set vpn ipsec site-to-site peer @cloudpf authentication x509 key file '/config/auth/ipsec/vpncentral_key.pem'
set vpn ipsec site-to-site peer @cloudpf authentication x509 key password 'monmotdepassebiensecurise'
set vpn ipsec site-to-site peer @cloudpf connection-type 'respond'
set vpn ipsec site-to-site peer @cloudpf default-esp-group 'esp_phase2'
set vpn ipsec site-to-site peer @cloudpf ike-group 'ike_phase1'
set vpn ipsec site-to-site peer @cloudpf ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer @cloudpf local-address '@ippublicvpncentral'
set vpn ipsec site-to-site peer @cloudpf tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer @cloudpf tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer @cloudpf tunnel 1 local prefix '192.168.99.1/32'
set vpn ipsec site-to-site peer @cloudpf tunnel 1 remote prefix '192.168.99.2/32'

So here is the full set of commands for the vpncentral site

set firewall name internet-routeur rule 100 action 'accept'
set firewall name internet-routeur rule 100 protocol 'esp'
set firewall name internet-routeur rule 101 action 'accept'
set firewall name internet-routeur rule 101 protocol 'udp'
set firewall name internet-routeur rule 101 source address '@ippublicvpncloud'
set firewall name internet-routeur rule 101 destination port 500
set vpn ipsec esp-group esp_phase2 compression 'disable'
set vpn ipsec esp-group esp_phase2 lifetime '3600'
set vpn ipsec esp-group esp_phase2 mode 'tunnel'
set vpn ipsec esp-group esp_phase2 pfs 'enable'
set vpn ipsec esp-group esp_phase2 proposal 1 encryption 'aes128'
set vpn ipsec esp-group esp_phase2 proposal 1 hash 'sha1'
set vpn ipsec ike-group ike_phase1 close-action 'none'
set vpn ipsec ike-group ike_phase1 ikev2-reauth 'no'
set vpn ipsec ike-group ike_phase1 key-exchange 'ikev2'
set vpn ipsec ike-group ike_phase1 lifetime '28800'
set vpn ipsec ike-group ike_phase1 proposal 1 dh-group '2'
set vpn ipsec ike-group ike_phase1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group ike_phase1 proposal 1 hash 'sha1'
set interfaces loopback lo address '192.168.99.1/32'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer @cloudpf authentication mode 'x509'
set vpn ipsec site-to-site peer @cloudpf authentication remote-id 'C = FR, ST = ILE DE FRANCE, L = Paris, O = EzyData, OU = Service, CN = vpncloud, emailAddress = jean-pierre.hoang@ezydata.fr'
set vpn ipsec site-to-site peer @cloudpf authentication use-x509-id
set vpn ipsec site-to-site peer @cloudpf authentication x509 ca-cert-file '/config/auth/ipsec/cacert.pem'
set vpn ipsec site-to-site peer @cloudpf authentication x509 cert-file '/config/auth/ipsec/vpncentral_pub.pem'
set vpn ipsec site-to-site peer @cloudpf authentication x509 key file '/config/auth/ipsec/vpncentral_key.pem'
set vpn ipsec site-to-site peer @cloudpf authentication x509 key password 'monmotdepassebiensecurise'
set vpn ipsec site-to-site peer @cloudpf connection-type 'respond'
set vpn ipsec site-to-site peer @cloudpf default-esp-group 'esp_phase2'
set vpn ipsec site-to-site peer @cloudpf ike-group 'ike_phase1'
set vpn ipsec site-to-site peer @cloudpf ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer @cloudpf local-address '@ippublicvpncentral'
set vpn ipsec site-to-site peer @cloudpf tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer @cloudpf tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer @cloudpf tunnel 1 local prefix '192.168.99.1/32'
set vpn ipsec site-to-site peer @cloudpf tunnel 1 remote prefix '192.168.99.2/32'

And the configuration for the cloud site

set firewall name internet-routeur rule 100 action 'accept'
set firewall name internet-routeur rule 100 protocol 'esp'
set firewall name internet-routeur rule 101 action 'accept'
set firewall name internet-routeur rule 101 protocol 'udp'
set firewall name internet-routeur rule 101 source address '149.189.1.100'
set firewall name internet-routeur rule 101 destination port 500
set vpn ipsec esp-group esp_phase2 compression 'disable'
set vpn ipsec esp-group esp_phase2 lifetime '3600'
set vpn ipsec esp-group esp_phase2 mode 'tunnel'
set vpn ipsec esp-group esp_phase2 pfs 'enable'
set vpn ipsec esp-group esp_phase2 proposal 1 encryption 'aes128'
set vpn ipsec esp-group esp_phase2 proposal 1 hash 'sha1'
set vpn ipsec ike-group ike_phase1 close-action 'none'
set vpn ipsec ike-group ike_phase1 ikev2-reauth 'no'
set vpn ipsec ike-group ike_phase1 key-exchange 'ikev2'
set vpn ipsec ike-group ike_phase1 lifetime '28800'
set vpn ipsec ike-group ike_phase1 proposal 1 dh-group '2'
set vpn ipsec ike-group ike_phase1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group ike_phase1 proposal 1 hash 'sha1'
set interfaces loopback lo address '192.168.99.2/32'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 149.189.1.100 authentication mode 'x509'
set vpn ipsec site-to-site peer 149.189.1.100 authentication remote-id 'C = FR, ST = ILE DE FRANCE, L = Paris, O = EzyData, OU = Service, CN = vpncentral, emailAddress = jean-pierre.hoang@ezydata.fr'
set vpn ipsec site-to-site peer 149.189.1.100 authentication use-x509-id
set vpn ipsec site-to-site peer 149.189.1.100 authentication x509 ca-cert-file '/config/auth/ipsec/cacert.pem'
set vpn ipsec site-to-site peer 149.189.1.100 authentication x509 cert-file '/config/auth/ipsec/vpncloud_pub.pem'
set vpn ipsec site-to-site peer 149.189.1.100 authentication x509 key file '/config/auth/ipsec/vpncloud_key.pem'
set vpn ipsec site-to-site peer 149.189.1.100 authentication x509 key password 'monmotdepassebiensecurise'
set vpn ipsec site-to-site peer 149.189.1.100 connection-type 'initiate'
set vpn ipsec site-to-site peer 149.189.1.100 default-esp-group 'esp_phase2'
set vpn ipsec site-to-site peer 149.189.1.100 ike-group 'ike_phase1'
set vpn ipsec site-to-site peer 149.189.1.100 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 149.189.1.100 local-address '149.202.1.100'
set vpn ipsec site-to-site peer 149.189.1.100 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 149.189.1.100 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 149.189.1.100 tunnel 1 local prefix '192.168.99.2/32'
set vpn ipsec site-to-site peer 149.189.1.100 tunnel 1 remote prefix '192.168.99.1/32'

From there, an IPsec connection between the two sites is established.

vyos@vpncentral# run show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
@ippublicvpncloud                       @ippublicvpncentral

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv2   aes128   sha1_96 2(MODP_1024)   no     3600    28800

vyos@vpncentral# run show vpn ipsec sa
Connection                 State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID                                                                       Proposal
-------------------------  -------  --------  --------------  ----------------  ----------------  ------------------------------------------------------------------------------  ----------------------------------
peer-@ippublicvpncloud-tunnel-1  up       1m27s     0B/0B           0/0               @ippublicvpncloud       C=FR,ST=ILEDEFRANCE,L=Paris,O=EzyData,OU=Service,CN=vpncloud,emailAddress=jean-pierre.hoang@ezydata.fr  AES_CBC_128/HMAC_SHA1_96
peer-@ippublicvpncloud-tunnel-1  up       1m27s     0B/0B           0/0               @ippublicvpncloud       C=FR,ST=ILEDEFRANCE,L=Paris,O=EzyData,OU=Service,CN=vpncloud,emailAddress=jean-pierre.hoang@ezydata.fr  AES_CBC_128/HMAC_SHA1_96/MODP_1024

GRE tunnel

We could have stopped here: the two sites are linked and a static route could be configured to declare them. But that solution is neither very scalable nor maintainable. The goal is for the central site to reach all of the cloud's resources, and static route management can have unexpected side effects.

A dynamic routing protocol such as OSPF does not travel through a pure IPsec tunnel. That is why an additional GRE encapsulation layer, which can carry frames other than IP, is generally added on top.

On the @central site, let us declare a gre tunnel whose particularity is that it uses the router's loopback IP addresses. Remember that the IPsec kernel encrypts traffic between two IPsec endpoints, not between the final endpoints.

set interfaces tunnel tun0 address '10.10.10.1/30'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip '192.168.99.1'
set interfaces tunnel tun0 remote-ip '192.168.99.2'

Its counterpart on the @cloud site

set interfaces tunnel tun0 address '10.10.10.2/30'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip '192.168.99.2'
set interfaces tunnel tun0 remote-ip '192.168.99.1'

Be careful to use tunnel addresses that are not already in use in your organisation.

The two sites are now linked by a GRE tunnel whose traffic is encrypted by IPsec. However, no traffic can flow yet because there is no route established between the two sites. Only the two VPN devices can talk to each other.
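Since a single character of difference between a remote-id and the peer certificate's subject is enough to break authentication, here is an added consistency check (not part of the article) to run over both sites' IPsec and GRE settings before committing them. It assumes POSIX sh; the config excerpts and subject lines are constructed from the article's values (149.202.1.100 being the cloud site's local-address), and the helper names are ours.

```shell
#!/bin/sh
# Added example, not from the article: pre-commit consistency check of the two
# VyOS configurations. It verifies (1) that each side's "remote-id" is the
# subject DN of the peer's certificate, compared with whitespace removed, which
# is the form "show vpn ipsec sa" prints, and (2) that the IPsec tunnel
# prefixes and the GRE local-ip/remote-ip are mirror images and equal each
# site's loopback address. Config excerpts and subject lines are constructed
# from the article's values; helper names are ours.
set -eu
WORK=$(mktemp -d)

# Subject DNs as printed by "openssl x509 -subject" for the two certificates.
CENTRAL_SUBJECT='C = FR, ST = ILE DE FRANCE, L = Paris, O = EzyData, OU = Service, CN = vpncentral, emailAddress = jean-pierre.hoang@ezydata.fr'
CLOUD_SUBJECT='C = FR, ST = ILE DE FRANCE, L = Paris, O = EzyData, OU = Service, CN = vpncloud, emailAddress = jean-pierre.hoang@ezydata.fr'

# Constructed excerpts of the two sites' configurations (article values).
cat > "$WORK/central.conf" <<'EOF'
set interfaces loopback lo address '192.168.99.1/32'
set interfaces tunnel tun0 local-ip '192.168.99.1'
set interfaces tunnel tun0 remote-ip '192.168.99.2'
set vpn ipsec site-to-site peer 149.202.1.100 authentication remote-id 'C = FR, ST = ILE DE FRANCE, L = Paris, O = EzyData, OU = Service, CN = vpncloud, emailAddress = jean-pierre.hoang@ezydata.fr'
set vpn ipsec site-to-site peer 149.202.1.100 tunnel 1 local prefix '192.168.99.1/32'
set vpn ipsec site-to-site peer 149.202.1.100 tunnel 1 remote prefix '192.168.99.2/32'
EOF
cat > "$WORK/cloud.conf" <<'EOF'
set interfaces loopback lo address '192.168.99.2/32'
set interfaces tunnel tun0 local-ip '192.168.99.2'
set interfaces tunnel tun0 remote-ip '192.168.99.1'
set vpn ipsec site-to-site peer 149.189.1.100 authentication remote-id 'C = FR, ST = ILE DE FRANCE, L = Paris, O = EzyData, OU = Service, CN = vpncentral, emailAddress = jean-pierre.hoang@ezydata.fr'
set vpn ipsec site-to-site peer 149.189.1.100 tunnel 1 local prefix '192.168.99.2/32'
set vpn ipsec site-to-site peer 149.189.1.100 tunnel 1 remote prefix '192.168.99.1/32'
EOF
# A broken variant: one character off in the CN, a classic cause of IKE
# authentication failure that the checker must catch.
sed "s/CN = vpncloud,/CN = vpn-cloud,/" "$WORK/central.conf" > "$WORK/central_bad.conf"

# conf_value FILE PATTERN: quoted value of the first "set" line matching PATTERN
conf_value() {
    sed -n "/$2/s/.*'\(.*\)'.*/\1/p" "$1" | head -n 1
}

# dn_norm DN: strip all whitespace, the form shown by "show vpn ipsec sa"
dn_norm() {
    printf '%s' "$1" | tr -d '[:space:]'
}

# check_remote_id CONF PEER_SUBJECT: remote-id must equal the peer's subject DN
check_remote_id() {
    [ "$(dn_norm "$(conf_value "$1" 'authentication remote-id')")" = "$(dn_norm "$2")" ]
}

# check_tunnels A B: A's local ends are its own loopback and B's remote ends
check_tunnels() {
    lo=$(conf_value "$1" 'loopback lo address')
    [ "$(conf_value "$1" 'tunnel 1 local prefix')" = "$lo" ] || return 1
    [ "$(conf_value "$1" 'tunnel 1 local prefix')" = "$(conf_value "$2" 'tunnel 1 remote prefix')" ] || return 1
    [ "$(conf_value "$1" 'tun0 local-ip')/32" = "$lo" ] || return 1
    [ "$(conf_value "$1" 'tun0 local-ip')" = "$(conf_value "$2" 'tun0 remote-ip')" ]
}

# check_pair A A_SUBJECT B B_SUBJECT: every check, in both directions
check_pair() {
    check_remote_id "$1" "$4" && check_remote_id "$3" "$2" \
        && check_tunnels "$1" "$3" && check_tunnels "$3" "$1"
}

if check_pair "$WORK/central.conf" "$CENTRAL_SUBJECT" "$WORK/cloud.conf" "$CLOUD_SUBJECT"; then
    echo "central <-> cloud: consistent"
fi
if ! check_pair "$WORK/central_bad.conf" "$CENTRAL_SUBJECT" "$WORK/cloud.conf" "$CLOUD_SUBJECT"; then
    echo "central_bad <-> cloud: remote-id does not match the cloud certificate subject"
fi
```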

The next article will set up the OSPF dynamic routing protocol in order to attach this new site to the enterprise OSPF domain.