Raspberry Pi – remote site IPSec wireless router

This post on CSC caught my attention and reminded me of the challenges thrown up whilst working my first IT job at a charity, typically trying to stitch together enterprise solutions for the bare minimum price.
At the time of writing the two replies to the post come in at $700 (C881W) and $670 (MX64W). The solution below will come in below £50 (~$66).

[Diagram: home_office_rpi]

Solution features

  • Wireless AP
  • DHCP
  • IPSec IKEv2 split-tunnel transport
  • BGP

Components

Topology

Head office subnet 10.10.0.0 /16
Head office public IP 172.16.10.1
Home office subnet dynamic
Home office public IP 172.16.10.1
Solution ‘inside’ subnet 192.168.2.0 /24

OS config

Interfaces

We will be connecting our RPi to the user's home network via the ethernet interface, so leave that interface configured to receive an address via DHCP. The wireless interface, which will be offering DHCP leases to associated devices, needs a static address. Edit /etc/network/interfaces:

/etc/network/interfaces
# 'outside' interface: addressed by the home router's DHCP server
allow-hotplug eth0
iface eth0 inet dhcp

# 'inside' wireless interface: static address, used as the clients' default gateway
iface wlan0 inet static
  address 192.168.2.254
  netmask 255.255.255.0

IP forwarding

Enable forwarding immediately:

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

and make it persistent across reboots:

/etc/sysctl.conf
net.ipv4.ip_forward=1

Services

  • hostapd: Will allow our RPi to broadcast an SSID and manage its security settings.

    /etc/hostapd/hostapd.conf
    interface=wlan0
    hw_mode=g
    ieee80211d=1
    country_code=GB 
    driver=nl80211
    ssid=somessid
    auth_algs=1
    wpa=2                 # WPA2 only
    wpa_key_mgmt=WPA-PSK  
    rsn_pairwise=CCMP
    wpa_passphrase=somepassword
    
  • isc-dhcp-server: Allows the RPi to answer DHCP REQUESTs and issue leases based upon configured scopes.

    sudo apt-get install isc-dhcp-server
    
    /etc/dhcp/dhcpd.conf
    authoritative;
    
    subnet 192.168.2.0 netmask 255.255.255.0 {
     range 192.168.2.10 192.168.2.20;
     option broadcast-address 192.168.2.255;
     option routers 192.168.2.254;
     default-lease-time 600;
     max-lease-time 7200;
     option domain-name "local-network";
     option domain-name-servers 8.8.8.8, 8.8.4.4;
    }
    
    /etc/default/isc-dhcp-server
    INTERFACES="wlan0"
    
  • strongswan: Provides a wide range of secure tunnel types, and will create our IPSec IKEv2 tunnel back to the head office ASA. In this first iteration we will implement a split tunnel: only traffic destined for the head office IP subnet will travel via the tunnel; all other traffic will leave locally. Note that the esp proposal below carries no DH group, so CHILD_SA rekeys happen without PFS; add a group (e.g. esp=aes256-sha256-ecp384) and the matching set pfs on the ASA crypto map entry if PFS is required.

    /etc/ipsec.conf
    config setup
            # strictcrlpolicy=yes
            # uniqueids = no
    
    conn %default
            ikelifetime=1440m
            keylife=60m
            rekeymargin=3m
            keyingtries=1
            keyexchange=ikev2
            authby=secret
    
    conn headofficeasa
            left=%defaultroute
            leftsubnet=192.168.2.0/24
            leftid=172.16.10.2
            leftfirewall=yes
            right=172.16.10.1
            rightsubnet=10.10.0.0/16
            rightid=172.16.10.1
            auto=route
            ike=aes256-sha256-ecp384
            esp=aes256-sha256
    
    /etc/ipsec.secrets
    172.16.10.2 : PSK "cisco"
    172.16.10.1 : PSK "cisco"
    
    sudo systemctl enable ipsec
    
  • iptables: Software firewall used to restrict access to the ‘outside’ ethernet interface and also NAT traffic not destined to the head office IP subnet to the local interface.

    # wireless clients out via the ethernet interface
    iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
    # replies back to the wireless clients (note -o wlan0, not a second -i)
    iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    # masquerade client traffic that is not bound for the head office subnet
    iptables -t nat -A POSTROUTING -s 192.168.2.0/24 ! -d 10.10.0.0/16 -o eth0 -j MASQUERADE
    

    We also want to explicitly accept forwarding of IPsec traffic:

    iptables -A FORWARD -s 10.10.0.0/16 -d 192.168.2.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
    iptables -A FORWARD -s 192.168.2.0/24 -d 10.10.0.0/16 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
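The rules above are listed one by one; the script below, added here as an example and not part of the original post, collects them into one idempotent firewall for the RPi. It takes the interface names (wlan0 inside, eth0 outside), the subnets 192.168.2.0/24 and 10.10.0.0/16 and the peer 172.16.10.1 from the post; the helper names (rule, dry_ipt, apply_firewall), the default-deny policies and the INPUT rules are this example's own choices. It also goes a little beyond the post: the --reqid match is dropped because there is a single connection, the IPsec exemption in POSTROUTING before MASQUERADE follows the strongSwan ForwardingAndSplitTunneling page the post references, and TCP/179 from the ASA is allowed on eth0 because, given the post's crypto ACL (10.10.0.0/16 to 192.168.2.0/24 only), the BGP session between the public addresses runs outside the tunnel.

```shell
#!/bin/sh
# Added example, not from the original post: an idempotent firewall script
# for the RPi split-tunnel router. Interface names, subnets and peer address
# are taken from the post; everything else is an assumption of this example.
#
#   sudo sh rpi-firewall.sh --apply     # install the rules
#   sh rpi-firewall.sh --dry-run        # print the iptables commands instead

LAN_IF="${LAN_IF:-wlan0}"             # 'inside' wireless interface
WAN_IF="${WAN_IF:-eth0}"              # 'outside' ethernet interface
LAN_NET="${LAN_NET:-192.168.2.0/24}"  # wireless client subnet
HQ_NET="${HQ_NET:-10.10.0.0/16}"      # head office subnet behind the ASA
HQ_PEER="${HQ_PEER:-172.16.10.1}"     # ASA public address (IKE/ESP/BGP peer)
IPT="${IPT:-iptables}"

# Dry-run backend: print what would be run; report every -C check as
# "rule absent" so the matching -A is printed as well.
dry_ipt() {
    echo "iptables $*"
    case " $* " in *" -C "*) return 1 ;; esac
    return 0
}

# Append a rule only if an identical one is not already in the chain,
# so the script can be re-run (e.g. from rc.local) without duplicates.
rule() {
    table=$1; shift
    $IPT -t "$table" -C "$@" 2>/dev/null || $IPT -t "$table" -A "$@"
}

apply_firewall() {
    # Default-deny for inbound and forwarded traffic; with the default
    # ACCEPT policy the explicit IPsec ACCEPT rules would never matter.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # --- INPUT: what may reach the RPi itself --------------------------
    rule filter INPUT -i lo -j ACCEPT
    rule filter INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    rule filter INPUT -i "$LAN_IF" -j ACCEPT        # DHCP/DNS/SSH from wireless clients
    rule filter INPUT -i "$WAN_IF" -p udp --sport 67 --dport 68 -j ACCEPT   # DHCP client renewals
    # From the outside only the head-office peer: IKE (500/4500), ESP and BGP.
    rule filter INPUT -i "$WAN_IF" -s "$HQ_PEER" -p udp --dport 500 -j ACCEPT
    rule filter INPUT -i "$WAN_IF" -s "$HQ_PEER" -p udp --dport 4500 -j ACCEPT
    rule filter INPUT -i "$WAN_IF" -s "$HQ_PEER" -p esp -j ACCEPT
    rule filter INPUT -i "$WAN_IF" -s "$HQ_PEER" -p tcp --dport 179 -j ACCEPT

    # --- FORWARD: clients out to the Internet, replies back ------------
    rule filter FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    rule filter FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Head-office traffic is accepted only when it was actually protected by
    # IPsec, so a cleartext packet arriving on eth0 with a 10.10.0.0/16
    # source falls through to the DROP policy.
    rule filter FORWARD -s "$HQ_NET" -d "$LAN_NET" -i "$WAN_IF" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    rule filter FORWARD -s "$LAN_NET" -d "$HQ_NET" -o "$WAN_IF" \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT

    # --- NAT: exempt tunnelled traffic, then masquerade the rest -------
    # Order matters: POSTROUTING runs before IPsec encapsulation, so without
    # the exemption head-office traffic would be masqueraded and no longer
    # match the tunnel's traffic selector.
    rule nat POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -m policy --dir out --pol ipsec -j ACCEPT
    rule nat POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

case "${1:-}" in
    --apply)   apply_firewall ;;
    --dry-run) IPT=dry_ipt; apply_firewall ;;
esac
```

Because every rule is checked with -C before it is appended, the script can be called from /etc/rc.local on each boot without growing the chains; run it with --dry-run first to see the exact commands it would issue.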
    
  • quagga: Dynamic routing protocol daemon which will be used to form a BGP adjacency with the ASA and advertise routes into the head office routing table.

    It would have been preferable to use OSPF, but as we are not using tunnel interfaces (e.g. GRE, VTI) it is not possible to form an adjacency on the same subnet. Thankfully BGP has a feature called eBGP multi-hop which allows you to adjust the TTL on the BGP packets. We can use this to allow the ASA to peer with the ‘inside’ interfaces of the Raspberry Pi.

    /etc/quagga/daemons
    zebra=yes
    bgpd=yes
    ospfd=no
    ospf6d=no
    ripd=no
    ripngd=no
    isisd=no
    babeld=no
    
    /etc/quagga/bgpd.conf
    !
    hostname bgpd
    password zebra
    log stdout
    !
    router bgp 64513
      bgp router-id 192.168.2.1
      network 192.168.2.0/24
      neighbor 172.16.10.1 remote-as 64512
      neighbor 172.16.10.1 ebgp-multihop 2
      neighbor 172.16.10.1 activate
    !
    line vty
    !
    
    ASA configuration (BGP)
    !
    router bgp 64512
      bgp log-neighbor-changes
      address-family ipv4 unicast
        neighbor 172.16.10.2 remote-as 64513
        neighbor 172.16.10.2 ebgp-multihop 2
        neighbor 172.16.10.2 activate
        network 10.10.0.0 mask 255.255.0.0
        no auto-summary
        no synchronization
      exit-address-family
    !
    

ASA configuration

!
object network NETWORK-INSIDE
 subnet 10.10.0.0 255.255.0.0
!
object network REMOTE-RPI01
 subnet 192.168.2.0 255.255.255.0
 description Remote RPi inside network
 nat (outside,outside) dynamic interface
!
same-security-traffic permit intra-interface
!
nat (inside,outside) source static NETWORK-INSIDE NETWORK-INSIDE destination static REMOTE-RPI01 REMOTE-RPI01 no-proxy-arp route-lookup
!
!
object-group network IPSEC-PEERS
  network-object host 172.16.10.2
!
access-list OUTSIDE-IN extended permit esp object-group IPSEC-PEERS any
access-list OUTSIDE-IN extended permit udp object-group IPSEC-PEERS any eq 4500
access-list OUTSIDE-IN extended permit udp object-group IPSEC-PEERS any eq isakmp
!
access-list VPN-TRAFFIC-A-RPI01 extended permit ip object NETWORK-INSIDE object REMOTE-RPI01
!
crypto map CMAP-RPI 1 match address VPN-TRAFFIC-A-RPI01
crypto map CMAP-RPI 1 set peer 172.16.10.2
crypto map CMAP-RPI 1 set ikev2 ipsec-proposal IKEV2-AES256
!
crypto map CMAP-RPI interface OUTSIDE
!
tunnel-group 172.16.10.2 type ipsec-l2l
!
!
!
crypto ipsec ikev2 ipsec-proposal IKEV2-AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 20
 prf sha256
 lifetime seconds 43200
!
crypto ikev2 enable OUTSIDE
!
tunnel-group 172.16.10.2 ipsec-attributes
   ikev2 remote-authentication pre-shared-key 
   ikev2 local-authentication pre-shared-key 
!

References

https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
NAT and Remote Access VPN
