Raspberry Pi – remote site IPSec wireless router

This post on CSC caught my attention and reminded me of the challenges thrown up whilst working my first IT job at a charity. Typically trying to stitch together enterprise solutions for the bare minimum price.
At time of writing to two replies to the post come in at $700 (C881W) and $670 (MX64W). The solution below will come in below £50 (~$66).

Solution features

• Wireless AP
• DHCP
• IPSec IKEv2 split-tunnel transport
• BGP

Components

• Raspberry Pi 3
• Raspbian OS

Topology

OS config

Interfaces

We will be connecting our RPi to the users home network via the ethernet interface, therefore leave the config to receive an address via DHCP. For our wireless interface which will be offering DHCP leases to associated devices, static interface config needs to be added. Edit /etc/network/interfaces :

allow-hotplug eth0
iface eth0 int dhcp

iface wlan0 inet static
  address 192.168.2.254
  netmask 255.255.255.0

IP forwarding

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

net.ipv4.ip_forward=1

Services

• hostapd

Will allow our RPi to broadcast an SSID and manage its security settings.

/etc/hostapd/hostapd.conf
interface=wlan0 hw_mode=g ieee80211d=1 country_code=GB driver=nl80211 ssid=somessid auth_algs=1 wpa=2 # WPA2 only wpa_key_mgmt=WPA-PSK rsn_pairwise=CCMP wpa_passphrase=somepassword

• isc-dhcp-server

Allows the RPi to answer DHCP REQUESTs and issue leases based upon configured scopes.

sudo apt-get install isc-dhcp-server

/etc/dhcp/dhcpd.conf
authoriative subnet 192.168.2.0 netmask 255.255.255.0 { range 192.168.2.10 192.168.2.20; option broadcast-address 192.168.2.255; option routers 192.168.2.254; default-lease-time 600; max-lease-time 7200; option domain-name "local-network"; option domain-name-servers 8.8.8.8, 8.8.4.4; }

/etc/default/isc-dhcp-server
INTERFACES="wlan0"

• strongswan

Provides a wide range of secure tunnel types, and will create our IPSec IKEv2 tunnel back to the head office ASA. In this first iteration we will implement a split-tunnel; only traffic destined to the head office IP subnet will travel via the tunnel, all other traffic will leave locally.

/etc/ipsec.conf
config setup # strictcrlpolicy=yes # uniqueids = no conn %default ikelifetime=1440m keylife=60m rekeymargin=3m keyingtries=1 keyexchange=ikev2 authby=secret conn headofficeasa left=%defaultroute leftsubnet=192.168.2.0/24 leftid=172.16.10.2 leftfirewall=yes right=172.16.10.1 rightsubnet=10.10.0.0/16 rightid=172.16.10.1 auto=route ike=aes256-sha256-ecp384 esp=aes256-sha256

/etc/ipsec.secrets
172.16.10.2 : PSK "cisco" 172.16.10.1 : PSK "cisco"

sudo systemctl enable ipsec

• iptables

Software firewall used to restrict access to the ‘outside’ ethernet interface and also NAT traffic not destined to the head office IP subnet to the local interface.

iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -i wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING ! -s 192.168.2.0/24 -o eth0 -j MASQUERADE

We also want to explictly accept forwarding of IPsec traffic:

iptables -A FORWARD -s 10.10.0.0/16 -d 192.168.2.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
iptables -A FORWARD -s 192.168.2.0/24 -d 10.10.0.0/16 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT

• quagga

Dynamic routing protocol daemon which will be used to form an BGP adjacency with the ASA and advertise routes into the head office routing table.

It would have been preferential to use OSPF, but as we are not using tunnel interfaces (eg GRE, VTI) it is not possible to form an adjacency on the same subnet. Thankfully BGP has a feature called eBGP multi-hop which allows you to adjust the TTL on the BGP packets. We can use this to allow the ASA to peer with the ‘inside’ interfaces of the Raspberry Pi.

/etc/quagga/daemons
zebra=yes bgpd=yes ospfd=no ospf6d=no ripd=no ripngd=no isisd=no babeld=no

/etc/quagga/bgpd.conf
! hostname bgpd password zebra log stdout ! router bgp 64513 bgp router-id 192.168.2.1 network 192.168.2.0/24 neighbor 172.16.10.1 remote-as 64512 neighbor 172.16.10.1 ebgp-multihop 2 neighbor 172.16.10.1 activate ! line vty !

ASA Configuration
! router bgp 64512 bgp log-neighbor-changes address-family ipv4 unicast neighbor 172.16.10.2 remote-as 64513 neighbor 172.16.10.2 ebgp-multihop 2 neighbor 172.16.10.2 activate network 10.10.0.0 mask 255.255.0.0 no auto-summary no synchronization exit-address-family !

ASA configuration

!
object network NETWORK-INSIDE
 subnet 10.10.0.0 255.255.0.0
!
object network REMOTE-RPI01
 subnet 192.168.2.0 255.255.255.0
 description Remote RPi inside network
 nat (outside,outside) dynamic interface
!
same-security-traffic permit intra-interface
!
nat (inside,outside) source static NETWORK-INSIDE NETWORK-INSIDE destination static REMOTE-RPI01 REMOTE-RPI01 no-proxy-arp route-lookup
!
!
object-group network IPSEC-PEERS
  network-object host 172.16.10.2
!
access-list OUTSIDE-IN extended permit esp object-group IPSEC-PEERS any
access-list OUTSIDE-IN extended permit udp object-group IPSEC-PEERS any eq 4500
access-list OUTSIDE-IN extended permit udp object-group IPSEC-PEERS any eq isakmp
!
access-list VPN-TRAFFIC-A-RPI01 extended permit ip object NETWORK-INSIDE object REMOTE-RPI01
!
crypto map CMAP-RPI 1 match address VPN-TRAFFIC-A-RPI01
crypto map CMAP-RPI 1 set peer 172.16.10.2
crypto map CMAP-RPI 1 set ikev2 ipsec-proposal IKEV2-AES256
!
crypto map CMAP-RPI interface OUTSIDE
!
tunnel-group 172.16.10.2 type ipsec-l2l
!
!
!
crypto ipsec ikev2 ipsec-proposal IKEV2-AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 20
 prf sha256
 lifetime seconds 43200
!
crypto ikev2 enable OUTSIDE
!
tunnel-group 172.16.10.2 ipsec-attributes
   ikev2 remote-authentication pre-shared-key 
   ikev2 local-authentication pre-shared-key 
!

References

https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
NAT and Remote Access VPN