Goal: create a playground for experimenting with different IPsec settings between three sites: two MikroTik routers and one StrongSwan node.
Requirements:
- GNS3
- VirtualBox (VMware or nested KVM would be even better)
We also need to install these appliances in GNS3:
- Mikrotik https://docs.gns3.com/appliances/mikrotik-chr.html
- Ubuntu Cloud nokvm [1] https://docs.gns3.com/appliances/ubuntu-cloud.html
[1]: The Ubuntu Cloud appliance is already included in the GNS3 package. However, it requires that the GNS3 VM supports KVM, which is not the case when running it inside VirtualBox on Intel (VirtualBox does not currently support nested virtualization there). So if the lab is run in VirtualBox on an Intel processor, download the original Ubuntu Cloud appliance file and change "kvm" from "require" to "allow".
All routers are MikroTik CHR 6.44.2; workstations are Ubuntu Cloud Guest 18.04.
I also altered some VM configs:
- GNS3 preferences -> GNS3 VM -> vCPUs: 3, RAM: 4096 MB.
- Ubuntu Cloud nodes configuration -> RAM: 512 MB.
Internet router (MikroTik CHR): one DHCP-served /24 per site on ether2-ether4, masquerade towards ether1, and forward-chain drops for 10.10.0.0/16 so that the site subnets can only reach each other through the tunnels:
/ip pool
add name=dhcp1 ranges=192.168.121.10-192.168.121.11
add name=dhcp2 ranges=192.168.122.10-192.168.122.11
add name=dhcp3 ranges=192.168.123.10-192.168.123.11
/ip dhcp-server
add address-pool=dhcp1 authoritative=after-2sec-delay disabled=no interface=ether2
add address-pool=dhcp2 authoritative=after-2sec-delay disabled=no interface=ether3
add address-pool=dhcp3 authoritative=after-2sec-delay disabled=no interface=ether4
/ip address
add address=192.168.121.1/24 interface=ether2 network=192.168.121.0
add address=192.168.122.1/24 interface=ether3 network=192.168.122.0
add address=192.168.123.1/24 interface=ether4 network=192.168.123.0
/ip dhcp-server network
add address=192.168.121.0/24 gateway=192.168.121.1 dns-server=192.168.121.1 netmask=24
add address=192.168.122.0/24 gateway=192.168.122.1 dns-server=192.168.122.1 netmask=24
add address=192.168.123.0/24 gateway=192.168.123.1 dns-server=192.168.123.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall filter
add action=drop dst-address=10.10.0.0/16 chain=forward
add action=drop src-address=10.10.0.0/16 chain=forward
node1 (MikroTik CHR; uplink 192.168.121.11 on ether1, site subnet 10.10.1.0/24 on bridgeipsec):
/interface bridge
add name=bridge
add name=bridgeipsec
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridgeipsec interface=ether3
/ip pool
add name=dhcplan ranges=192.168.22.10-192.168.22.254
add name=dhcpipsec ranges=10.10.1.10-10.10.1.254
/ip dhcp-server option
add code=249 name=ipsec-ms-static-route value=0x100a0a0a0a0101
add code=121 name=ipsec-rfc3442-static-routes value=0x100a0a0a0a0101
/ip dhcp-server
add address-pool=dhcplan authoritative=after-2sec-delay disabled=no interface=bridge
add address-pool=dhcpipsec authoritative=after-2sec-delay disabled=no interface=bridgeipsec
/ip address
add address=192.168.22.1/24 interface=bridge network=192.168.22.0
add address=10.10.1.1/24 interface=bridgeipsec network=10.10.1.0
/ip dhcp-server network
add address=10.10.1.0/24 dhcp-option=ipsec-ms-static-route,ipsec-rfc3442-static-routes dns-none=yes gateway=10.10.1.1 netmask=24
add address=192.168.22.0/24 dns-server=192.168.22.1 gateway=192.168.22.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec policy group
add name=groupnode2
add name=groupnode3
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 lifetime=1h name=profileipsec
/ip ipsec peer
add address=192.168.122.11/32 exchange-mode=ike2 name=node2.ipsec profile=profileipsec
add address=192.168.123.11/32 exchange-mode=ike2 name=node3.ipsec profile=profileipsec
add exchange-mode=ike2 name=responder passive=yes profile=profileipsec send-initial-contact=no
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=proposalipsec pfs-group=modp1024
/ip firewall filter
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
/ip firewall nat
add place-before=0 action=accept chain=srcnat dst-address=10.10.0.0/16 src-address=10.10.1.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1
/ip ipsec identity
add generate-policy=port-strict my-id=fqdn:node1.ipsec peer=node2.ipsec policy-template-group=groupnode2 remote-id=fqdn:node2.ipsec secret=VpftW2L4TEt6SmVf1sWSznSqzIKJCF7l
add generate-policy=port-strict my-id=fqdn:node1.ipsec peer=node3.ipsec policy-template-group=groupnode3 remote-id=fqdn:node3.ipsec secret=5dHFVvfZCvZpMMBJJNkcIvQU90P0lx2s
/ip ipsec policy
add dst-address=10.10.2.0/24 level=unique proposal=proposalipsec sa-dst-address=192.168.122.11 sa-src-address=0.0.0.0 src-address=10.10.1.0/24 tunnel=yes
add dst-address=10.10.3.0/24 level=unique proposal=proposalipsec sa-dst-address=192.168.123.11 sa-src-address=0.0.0.0 src-address=10.10.1.0/24 tunnel=yes
add dst-address=10.10.2.0/24 group=groupnode2 proposal=proposalipsec src-address=10.10.1.0/24 template=yes
add dst-address=10.10.3.0/24 group=groupnode3 proposal=proposalipsec src-address=10.10.1.0/24 template=yes
node2 (MikroTik CHR; uplink 192.168.122.11 on ether1, site subnet 10.10.2.0/24 on bridgeipsec):
/interface bridge
add name=bridge
add name=bridgeipsec
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridgeipsec interface=ether3
/ip pool
add name=dhcplan ranges=192.168.22.10-192.168.22.254
add name=dhcpipsec ranges=10.10.2.10-10.10.2.254
/ip dhcp-server option
add code=249 name=ipsec-ms-static-route value=0x100a0a0a0a0201
add code=121 name=ipsec-rfc3442-static-routes value=0x100a0a0a0a0201
/ip dhcp-server
add address-pool=dhcplan authoritative=after-2sec-delay disabled=no interface=bridge
add address-pool=dhcpipsec authoritative=after-2sec-delay disabled=no interface=bridgeipsec
/ip address
add address=192.168.22.1/24 interface=bridge network=192.168.22.0
add address=10.10.2.1/24 interface=bridgeipsec network=10.10.2.0
/ip dhcp-server network
add address=10.10.2.0/24 dhcp-option=ipsec-ms-static-route,ipsec-rfc3442-static-routes dns-none=yes gateway=10.10.2.1 netmask=24
add address=192.168.22.0/24 dns-server=192.168.22.1 gateway=192.168.22.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec policy group
add name=groupnode1
add name=groupnode3
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 lifetime=1h name=profileipsec
/ip ipsec peer
add address=192.168.121.11/32 exchange-mode=ike2 name=node1.ipsec profile=profileipsec
add address=192.168.123.11/32 exchange-mode=ike2 name=node3.ipsec profile=profileipsec
add exchange-mode=ike2 name=responder passive=yes profile=profileipsec send-initial-contact=no
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=proposalipsec pfs-group=modp1024
/ip firewall filter
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
/ip firewall nat
add place-before=0 action=accept chain=srcnat dst-address=10.10.0.0/16 src-address=10.10.2.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1
/ip ipsec identity
add generate-policy=port-strict my-id=fqdn:node2.ipsec peer=node1.ipsec policy-template-group=groupnode1 remote-id=fqdn:node1.ipsec secret=VpftW2L4TEt6SmVf1sWSznSqzIKJCF7l
add generate-policy=port-strict my-id=fqdn:node2.ipsec peer=node3.ipsec policy-template-group=groupnode3 remote-id=fqdn:node3.ipsec secret=Yl8ro4buZw689ud7r8uSIx595AIoQ9iS
/ip ipsec policy
add dst-address=10.10.1.0/24 level=unique proposal=proposalipsec sa-dst-address=192.168.121.11 sa-src-address=0.0.0.0 src-address=10.10.2.0/24 tunnel=yes
add dst-address=10.10.3.0/24 level=unique proposal=proposalipsec sa-dst-address=192.168.123.11 sa-src-address=0.0.0.0 src-address=10.10.2.0/24 tunnel=yes
add dst-address=10.10.1.0/24 group=groupnode1 proposal=proposalipsec src-address=10.10.2.0/24 template=yes
add dst-address=10.10.3.0/24 group=groupnode3 proposal=proposalipsec src-address=10.10.2.0/24 template=yes
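The ipsec-*-static-route option values in the node1 and node2 configs above are RFC 3442 classless static routes, pushed both as option 121 and as Microsoft's pre-standard option 249 so that Linux and Windows workstations both install them: 0x10 is the prefix length (16), the next two bytes 0a 0a are the significant bytes of the destination 10.10.0.0/16, and 0a 0a 01 01 is the gateway 10.10.1.1 (node2 uses 10.10.2.1). The encoder/decoder below is an added example, not part of the original lab; the function names are my own. It reproduces both RouterOS values and also handles multi-route payloads (including a default route, which has zero destination bytes) and rejects truncated input.

```python
"""Encode and decode DHCP classless static routes (option 121, RFC 3442;
option 249 is Microsoft's copy of the same wire format).
Added example for the ipsec-*-static-route options in the RouterOS configs."""
import ipaddress


def encode_routes(routes):
    """routes: list of (destination CIDR, gateway) -> option payload bytes.
    Each route is: 1 byte prefix length, only the significant bytes of the
    destination (ceil(prefix/8) of them), then the 4-byte gateway."""
    out = bytearray()
    for dest, gw in routes:
        net = ipaddress.IPv4Network(dest)  # strict: host bits must be zero
        n_sig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:n_sig]
        out += ipaddress.IPv4Address(gw).packed
    return bytes(out)


def decode_routes(data):
    """Inverse of encode_routes; raises ValueError on a malformed payload."""
    data = bytes(data)
    routes = []
    i = 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i - 1}")
        n_sig = (plen + 7) // 8
        if i + n_sig + 4 > len(data):
            raise ValueError("truncated route entry")
        # Pad the omitted low-order destination bytes back with zeros.
        dest = int.from_bytes(data[i:i + n_sig] + bytes(4 - n_sig), "big")
        gw = ipaddress.IPv4Address(data[i + n_sig:i + n_sig + 4])
        i += n_sig + 4
        net = ipaddress.IPv4Network((dest, plen), strict=False)
        routes.append((str(net), str(gw)))
    return routes


def routeros_value(routes):
    """Hex form used by RouterOS '/ip dhcp-server option add ... value=0x...'."""
    return "0x" + encode_routes(routes).hex()


def decode_routeros_value(value):
    """Parse a RouterOS 0x... option value back into (destination, gateway) pairs."""
    if not value.startswith("0x"):
        raise ValueError("expected a 0x-prefixed hex string")
    return decode_routes(bytes.fromhex(value[2:]))


if __name__ == "__main__":
    for site, gw in (("node1", "10.10.1.1"), ("node2", "10.10.2.1")):
        value = routeros_value([("10.10.0.0/16", gw)])
        print(site, value, decode_routeros_value(value))
```

Both functions are useful when a workstation does not pick up the route: decode the value actually configured on the router and compare it with what `ip route` on the workstation shows.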
node3 (StrongSwan on Ubuntu Cloud; uplink 192.168.123.11, site subnet 10.10.3.0/24 on lo):
apt update
apt install -yq strongswan
sysctl -w net.ipv4.ip_forward=1
cat >/etc/ipsec.secrets <<EOF
node3.ipsec node1.ipsec : PSK "5dHFVvfZCvZpMMBJJNkcIvQU90P0lx2s"
node3.ipsec node2.ipsec : PSK "Yl8ro4buZw689ud7r8uSIx595AIoQ9iS"
EOF
cat > /etc/ipsec.conf <<EOF
# settings shared by both tunnels
conn %default
    authby=secret
    type=tunnel
    keyexchange=ikev2
    compress=no
    auto=start
    rekey=yes
    reauth=no
    dpdaction=clear
    closeaction=none
    left=%defaultroute
    leftsubnet=10.10.3.0/24
    leftid=node3.ipsec
    ike=aes128-sha1-modp1024
    esp=aes128-sha1
conn node1.ipsec
    right=192.168.121.11/32
    rightid=node1.ipsec
    rightsubnet=10.10.1.0/24
conn node2.ipsec
    right=192.168.122.11/32
    rightid=node2.ipsec
    rightsubnet=10.10.2.0/24
EOF
ip addr add 10.10.3.1/24 dev lo
systemctl restart strongswan
w1, w2 (Ubuntu Cloud workstations):
sudo dhclient ens4
Ensure that the tunnels work:
node3:
# ipsec status
Security Associations (2 up, 0 connecting):
node1.ipsec[4]: ESTABLISHED 17 minutes ago, 192.168.123.11[node3.ipsec]...192.168.121.11[node1.ipsec]
node1.ipsec{2}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c26ca07e_i 0a210cc3_o
node1.ipsec{2}: 10.10.3.0/24 === 10.10.1.0/24
node2.ipsec[3]: ESTABLISHED 17 minutes ago, 192.168.123.11[node3.ipsec]...192.168.122.11[node2.ipsec]
node2.ipsec{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c51f6171_i 0b5994f6_o
node2.ipsec{1}: 10.10.3.0/24 === 10.10.2.0/24
w1:
$ ip a | grep 10.10
inet 10.10.1.10/24 brd 10.10.1.255 scope global ens4
$ ping -c 1 10.10.3.1
PING 10.10.3.1 (10.10.3.1) 56(84) bytes of data.
64 bytes from 10.10.3.1: icmp_seq=1 ttl=63 time=12.4 ms
w2:
$ ip a | grep 10.10
inet 10.10.2.254/24 brd 10.10.2.255 scope global ens4
$ ping -c 1 10.10.3.1
PING 10.10.3.1 (10.10.3.1) 56(84) bytes of data.
64 bytes from 10.10.3.1: icmp_seq=1 ttl=63 time=4.21 ms
$ ping -c 1 10.10.1.10
PING 10.10.1.10 (10.10.1.10) 56(84) bytes of data.
64 bytes from 10.10.1.10: icmp_seq=1 ttl=62 time=6.14 ms
node3:
$ ping -c 1 10.10.1.10
PING 10.10.1.10 (10.10.1.10) 56(84) bytes of data.
64 bytes from 10.10.1.10: icmp_seq=1 ttl=63 time=4.93 ms
$ ping -c 1 10.10.2.254
PING 10.10.2.254 (10.10.2.254) 56(84) bytes of data.
64 bytes from 10.10.2.254: icmp_seq=1 ttl=63 time=6.07 ms
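As an added check that is not part of the original lab, the script below parses the `ipsec status` listing from node3 above and verifies, for each conn in node3's ipsec.conf, that the IKE_SA is ESTABLISHED to the expected peer address and identity and that the CHILD_SA is INSTALLED in TUNNEL mode with the expected traffic selectors. The sample text is copied from the listing above; the expected table and the function names are my own.

```python
"""Verify node3's `ipsec status` output against the tunnels the lab expects.
Added example; the parsing follows the strongSwan status lines shown above."""
import re
import subprocess
import sys

# Copied from the `ipsec status` listing on node3; used as offline sample input.
SAMPLE_STATUS = """\
Security Associations (2 up, 0 connecting):
node1.ipsec[4]: ESTABLISHED 17 minutes ago, 192.168.123.11[node3.ipsec]...192.168.121.11[node1.ipsec]
node1.ipsec{2}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c26ca07e_i 0a210cc3_o
node1.ipsec{2}: 10.10.3.0/24 === 10.10.1.0/24
node2.ipsec[3]: ESTABLISHED 17 minutes ago, 192.168.123.11[node3.ipsec]...192.168.122.11[node2.ipsec]
node2.ipsec{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c51f6171_i 0b5994f6_o
node2.ipsec{1}: 10.10.3.0/24 === 10.10.2.0/24
"""

# What node3's ipsec.conf should produce: one entry per conn.
EXPECTED = {
    "node1.ipsec": {"peer": "192.168.121.11", "peer_id": "node1.ipsec",
                    "local": {"10.10.3.0/24"}, "remote": {"10.10.1.0/24"}},
    "node2.ipsec": {"peer": "192.168.122.11", "peer_id": "node2.ipsec",
                    "local": {"10.10.3.0/24"}, "remote": {"10.10.2.0/24"}},
}

IKE_RE = re.compile(r"^(?P<conn>\S+)\[\d+\]:\s+(?P<state>\w+)")
ENDPOINTS_RE = re.compile(r"([\d.]+)\[([^\]]+)\]\.\.\.([\d.]+)\[([^\]]+)\]")
CHILD_RE = re.compile(r"^(?P<conn>\S+)\{\d+\}:\s+(?P<rest>.*)$")


def parse_status(text):
    """Map conn name -> IKE_SA state, endpoints, CHILD_SA state/mode and traffic selectors."""
    sas = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = IKE_RE.match(line)
        if m:  # "conn[n]: STATE ..., local[id]...peer[id]"
            sa = sas.setdefault(m["conn"], {})
            sa["ike_state"] = m["state"]
            ep = ENDPOINTS_RE.search(line)
            if ep:
                sa["local_addr"], sa["local_id"], sa["peer_addr"], sa["peer_id"] = ep.groups()
            continue
        m = CHILD_RE.match(line)
        if not m:
            continue  # header line or something we do not model
        sa = sas.setdefault(m["conn"], {})
        rest = m["rest"]
        if "===" in rest:  # traffic selector line: local TS === remote TS
            local, remote = rest.split("===", 1)
            sa["local_ts"] = set(local.split())
            sa["remote_ts"] = set(remote.split())
        else:  # state line: "INSTALLED, TUNNEL, reqid 2, ESP SPIs: ..."
            fields = [f.strip() for f in rest.split(",")]
            sa["child_state"] = fields[0]
            if len(fields) > 1:
                sa["mode"] = fields[1]
    return sas


def check_tunnels(text, expected=EXPECTED):
    """Return a list of problems; an empty list means every expected tunnel is fully up."""
    sas = parse_status(text)
    problems = []
    for conn, want in expected.items():
        sa = sas.get(conn)
        if sa is None:
            problems.append(f"{conn}: no IKE_SA present")
            continue
        if sa.get("ike_state") != "ESTABLISHED":
            problems.append(f"{conn}: IKE_SA is {sa.get('ike_state')}")
        if sa.get("peer_addr") != want["peer"] or sa.get("peer_id") != want["peer_id"]:
            problems.append(f"{conn}: unexpected peer {sa.get('peer_addr')}[{sa.get('peer_id')}]")
        if sa.get("child_state") != "INSTALLED" or sa.get("mode") != "TUNNEL":
            problems.append(f"{conn}: CHILD_SA is {sa.get('child_state')} {sa.get('mode')}")
        if sa.get("local_ts") != want["local"] or sa.get("remote_ts") != want["remote"]:
            problems.append(f"{conn}: traffic selectors {sa.get('local_ts')} === {sa.get('remote_ts')}")
    return problems


if __name__ == "__main__":
    # Live run on node3; falls back to the sample when `ipsec` is not available here.
    try:
        status = subprocess.run(["ipsec", "status"], check=True,
                                capture_output=True, text=True).stdout
    except (OSError, subprocess.CalledProcessError):
        status = SAMPLE_STATUS
    issues = check_tunnels(status)
    print("all tunnels up" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

The exit status makes the script usable from a cron job or a monitoring check on node3: a non-zero exit with the problem list tells you which tunnel degraded and in which way (no IKE_SA, wrong peer identity, or a missing CHILD_SA), rather than just "ping fails".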
Start pings between the pairs: w1 -> w2; w2 -> node3; node3 -> w1.
w1: $ ping 10.10.2.254
w2: $ ping 10.10.3.1
node3: $ ping 10.10.1.10
Break the links between node2-internet and node3-internet.
The pings should start losing packets. Restore the links.
It took about 5 seconds after the links were restored for the pings to recover.
The ping stats:
w1:
--- 10.10.2.254 ping statistics ---
59 packets transmitted, 47 received, 20% packet loss, time 58405ms
rtt min/avg/max/mdev = 4.160/9.145/147.667/20.446 ms
w2:
--- 10.10.3.1 ping statistics ---
60 packets transmitted, 44 received, 26% packet loss, time 59554ms
rtt min/avg/max/mdev = 2.826/4.986/7.191/0.967 ms
node3:
--- 10.10.1.10 ping statistics ---
60 packets transmitted, 47 received, 21% packet loss, time 59414ms
rtt min/avg/max/mdev = 3.292/4.739/8.602/1.114 ms
Success: we have a working IPsec playground.