I have an IPSec IKEv2 roadwarrior tunnel configured on my VyOS 1.4 which optionally supports WAN IPv6 from connected clients, and it works fine. On the other hand, I notice that my clients connected with an IPv6 from the pool assigned to remote-access are accessible from the outside, and it is impossible to filter the packets with their IP as destination. I don’t understand: where do the filters apply to prevent communications to these clients?
Thanks for your help, and here’s the configuration I use for my VPN Roadwarrior, with the values modified:
#########################
## IPSec | ROADWARRIOR ##
#########################
#
## IPSec global config
#######################
set vpn ipsec interface 'eth0'
set vpn ipsec options 'disable-route-autoinstall'
#
## Config
##########
# Phase 1
set vpn ipsec ike-group IKE-ROADWARRIOR key-exchange 'ikev2'
set vpn ipsec ike-group IKE-ROADWARRIOR lifetime '7200'
set vpn ipsec ike-group IKE-ROADWARRIOR proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKE-ROADWARRIOR proposal 10 hash 'sha384'
set vpn ipsec ike-group IKE-ROADWARRIOR proposal 10 dh-group '24'
# Phase 2
set vpn ipsec esp-group ESP-ROADWARRIOR lifetime '3600'
set vpn ipsec esp-group ESP-ROADWARRIOR proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP-ROADWARRIOR proposal 10 hash 'sha256'
set vpn ipsec esp-group ESP-ROADWARRIOR pfs 'dh-group24'
# Remote Access
set vpn ipsec remote-access pool ROADWARRIOR-IPV4 prefix '10.10.50.0/24'
set vpn ipsec remote-access pool ROADWARRIOR-IPV4 name-server '10.10.40.200'
set vpn ipsec remote-access pool ROADWARRIOR-IPV6 prefix 'w:x:y:z::/64'
set vpn ipsec remote-access connection ROADWARRIOR esp-group 'ESP-ROADWARRIOR'
set vpn ipsec remote-access connection ROADWARRIOR ike-group 'IKE-ROADWARRIOR'
set vpn ipsec remote-access connection ROADWARRIOR pool 'ROADWARRIOR-IPV4'
set vpn ipsec remote-access connection ROADWARRIOR pool 'ROADWARRIOR-IPV6'
set vpn ipsec remote-access connection ROADWARRIOR authentication local-id 'my.roadwarrior.host'
set vpn ipsec remote-access connection ROADWARRIOR authentication client-mode 'eap-mschapv2'
set vpn ipsec remote-access connection ROADWARRIOR authentication x509 certificate 'IPSec_my.roadwarrior.host'
set vpn ipsec remote-access connection ROADWARRIOR authentication x509 ca-certificate 'CA_VyOS_my.roadwarrior.host'
# PSK EAP
set vpn ipsec remote-access connection ROADWARRIOR authentication local-users username mysuperuser password 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
#
## Firewall
############
########## WAN ##########
## WAN-GUESTS
set firewall name WAN-GUESTS rule 2000 action 'accept'
set firewall name WAN-GUESTS rule 2000 ipsec match-ipsec
set firewall name WAN-GUESTS rule 2000 source address '10.10.50.0/24'
## WAN-LAN
set firewall name WAN-LAN rule 2000 action 'accept'
set firewall name WAN-LAN rule 2000 ipsec match-ipsec
set firewall name WAN-LAN rule 2000 source address '10.10.50.0/24'
## WAN-LOCAL
set firewall name WAN-LOCAL rule 2000 action 'accept'
set firewall name WAN-LOCAL rule 2000 ipsec match-ipsec
set firewall name WAN-LOCAL rule 2000 source address '10.10.50.0/24'
#
## NAT Outbound
################
# SNAT RoadWarrior v4 (Outbound)
set nat source rule 110 outbound-interface 'eth0'
set nat source rule 110 source address '10.10.50.0/24'
set nat source rule 110 translation address 'masquerade'
I use zones:
eth0 => WAN
eth1 => LAN
eth2 => GUESTS
All IPSec traffic is considered on the eth0 interface and therefore the WAN zone.
So when traffic arrives from outside, it’s considered as WAN traffic and would come out on … WAN.
Since traffic is in the same zone (WAN) you will need to apply a firewall to the interface as well. I took some of your roadwarrior settings and flipped things here and there.
Firewall on eth0 with default accept since zone-based rules are also in play
interface eth0 {
    in {
        ipv6-name BLOCKEM
    }
    local {
    }
    out {
    }
}
ipv6-name BLOCKEM {
    default-action accept
    description "Block some things"
    rule 10 {
        action reject
        destination {
            address 2603:3001:38e4:c1ff:dead:beef::/96
        }
        protocol ipv6-icmp
    }
}
I didn’t know that I could define “classic” firewalls on interfaces in addition to my zones.
So if I’ve understood correctly, as long as my interface is in a default drop zone, I can safely define default accept firewalls on my interface, as this will then be filtered on the zone.
So I added this, and the result seems to be exactly what I was looking for:
########## ETH0 ##########
## IN-V6
# Default accept ETH0-IN-V6 (because the zone filters apply afterwards)
set firewall ipv6-name SECURE_ROADWARRIOR_V6 default-action 'accept'
# Drop outside to Roadwarrior V6 pool except icmpv6
set firewall ipv6-name SECURE_ROADWARRIOR_V6 rule 10 action 'drop'
set firewall ipv6-name SECURE_ROADWARRIOR_V6 rule 10 protocol '!icmpv6'
set firewall ipv6-name SECURE_ROADWARRIOR_V6 rule 10 destination address 'w:x:y:z::/64'
set firewall ipv6-name SECURE_ROADWARRIOR_V6 rule 10 log 'enable'
set firewall ipv6-name SECURE_ROADWARRIOR_V6 rule 10 description 'Drop outside to Roadwarrior V6 pool'
# Link SECURE_ROADWARRIOR_V6 firewall to eth0 (WAN)
set firewall interface eth0 in ipv6-name SECURE_ROADWARRIOR_V6
I’m thinking of using this method to also filter IPSec traffic from my other site-to-site IPSec tunnels.
Thank you very much for taking the time to help me
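A stateful refinement of the interface ruleset above, as an added example and not part of the original post. Rule 10 matches every non-ICMPv6 packet addressed to the pool, so if nothing accepts established traffic before it (no global state-policy is assumed here), replies to connections the clients open outward are dropped as well; an explicit accept for established/related traffic ahead of the drop keeps client-initiated sessions working while unsolicited inbound connections to the pool are still dropped and logged. The prefix w:x:y:z::/64 is the page's placeholder, and the `state ... enable` form is assumed to match the 1.4 `ipv6-name` syntax used on this page.

```vyos
## IN-V6 ruleset for the roadwarrior IPv6 pool, stateful variant (added example)
# Default accept: the zone policies still filter after this ruleset
set firewall ipv6-name SECURE_ROADWARRIOR_V6 default-action 'accept'
# Rule 5: replies to sessions the clients opened themselves pass before the drop
set firewall ipv6-name SECURE_ROADWARRIOR_V6 rule 5 action 'accept'
set firewall ipv6-name SECURE_ROADWARRIOR_V6 rule 5 state established 'enable'
set firewall ipv6-name SECURE_ROADWARRIOR_V6 rule 5 state related 'enable'
set firewall ipv6-name SECURE_ROADWARRIOR_V6 rule 5 destination address 'w:x:y:z::/64'
set firewall ipv6-name SECURE_ROADWARRIOR_V6 rule 5 description 'Return traffic for client-initiated sessions'
# Rule 10: unsolicited new connections from outside to the pool are dropped and logged, ICMPv6 excepted
set firewall ipv6-name SECURE_ROADWARRIOR_V6 rule 10 action 'drop'
set firewall ipv6-name SECURE_ROADWARRIOR_V6 rule 10 protocol '!icmpv6'
set firewall ipv6-name SECURE_ROADWARRIOR_V6 rule 10 destination address 'w:x:y:z::/64'
set firewall ipv6-name SECURE_ROADWARRIOR_V6 rule 10 log 'enable'
set firewall ipv6-name SECURE_ROADWARRIOR_V6 rule 10 description 'Drop outside to Roadwarrior V6 pool'
# Attach the ruleset to inbound traffic on eth0 (WAN), where the IPsec traffic arrives
set firewall interface eth0 in ipv6-name SECURE_ROADWARRIOR_V6
commit
save
```

After committing, the logged drops from rule 10 show which outside sources are attempting new connections to pool addresses, while client-initiated sessions are matched by rule 5.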