trailofbits · kiratp · Apr 23, 2017 · May 4, 2017 · jackivanov · Apr 30, 2017
@@ -38,6 +38,12 @@ CA_PayloadIdentifier: "{{ 700000 | random | to_uuid | upper }}"
 # Block traffic between connected clients
 BetweenClients_DROP: Y
 
+# ALPHA feature: Uncomment below to build EdgeMaxclient configuration. Note that this will break connectivity from other clients
+# We recommend that you deploy a sepearate Algo server for each Edgerouter with only one client user defined.
+# Set the lan subnet to the IP CIDR notation for the lan behind the router. This MUST not interest with the vpn_network set above
+edgemax_support: True
+edgemax_lan_subnet: 10.0.0.0/16
+
 congrats:
   common: |
     "#                          Congratulations!                            #"

@@ -0,0 +1,109 @@
+# Setting up an EdgeMax Client
+
+Steps
+
+1) Set up config.cfg
+   * one single user
+   * Uncomment ```edgemax_support``` and ```edgemax_lan_subnet``` and make sure the LAN subnet is correct and does not overlapt with ```vpn_network```
+   * 
+2) Copy over files to router and place them as follows. This will preserve the files if you upgrade the router image
+   * config/<ALGO_IP>/ipsec_<USER>.* /config/user-data
+   * config/<ALGO_IP>/pki/cacert.pem /config/auth/algo/cacerts/
+   * config/<ALGO_IP>/pki/certs/*.crt /config/auth/algo/certs/
+   * config/<ALGO_IP>/pki/private/<USER>.key /config/auth/algo/private/
+3) SSH into the router and copy files from the config folder to the ipsec.d configuration folders. You will have to do this step every time you upgrade the router image.
+   * /config/auth/algo/cacerts/cacert.pem /etc/ipsec.d/cacerts
+   * /config/auth/algo/certs/* /etc/ipsec.d/certs
+   * /config/auth/algo/private/* /etc/ipsec.d/private (needs sudo)
+4) Still on the router, edit /config/config.boot and add the following:
+
+    ``` 
+    vpn {
+        ipsec {
+            auto-update 3600
+            auto-firewall-nat-exclude disable
+            include-ipsec-conf /config/user-data/ipsec_home.conf
+            include-ipsec-secrets /config/user-data/ipsec_home.secrets
+            logging {
+                log-level 2
+                log-modes net
+            }
+
+        }
+    }
+    ```
+5) ```sudo ipsec restart```
+6) ```sudo ipsec statusall``` - At this point you should see a shunted connection in the output. If not, stop and verify the above steps. Proceeding without the shunted connection will break local routing if the tunnel fails to come up
+    ```
+    Listening IP addresses:
+      <CLIENT_ISP_PUBLIC_IP>
+      <LAN_SUBNET_1>
+      <LAN_SUBNET_2>
+    Connections:
+    ikev2-<ALGO_IP>:  %any...<ALGO_IP>  IKEv2, dpddelay=35s
+    ikev2-<ALGO_IP>:   local:  [CN=home] uses public key authentication
+    ikev2-<ALGO_IP>:    cert:  "CN=home"
+    ikev2-<ALGO_IP>:   remote: [<ALGO_IP>] uses public key authentication
+    ikev2-<ALGO_IP>:   child:  10.0.0.0/16 === 0.0.0.0/0 TUNNEL, dpdaction=clear
+       lanbypass:  %any...%any  IKEv1
+       lanbypass:   local:  uses public key authentication
+       lanbypass:   remote: uses public key authentication
+       lanbypass:   child:  10.0.0.0/16 === 10.0.0.0/16 PASS
+    Shunted Connections:
+       lanbypass:  10.0.0.0/16 === 10.0.0.0/16 PASS
+    Security Associations (0 up, 0 connecting):
+      none
+    ```
+7) ```sudo ipsec up ikev2-<ALGO_IP>``` - the tunnel should come up 
+    ```
+    @ubnt:/$ sudo ipsec status
+    Shunted Connections:
+       lanbypass:  10.0.0.0/16 === 10.0.0.0/16 PASS
+    Security Associations (1 up, 0 connecting):
+    ikev2-<ALGO_IP>[1]: ESTABLISHED 11 minutes ago, 24.18.46.13[CN=home]...<ALGO_IP>[<ALGO_IP>]
+    ikev2-<ALGO_IP>{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c5fbcf80_i cdffe66d_o
+    ikev2-<ALGO_IP>{1}:   10.0.0.0/16 === 0.0.0.0/0
+    ```
+8) Now, we need to make sure that packets meant to go into the tunnel are not modified by SNAT rules. Go to the web inteface and under Firewall/Nat > NAT, update the masquarade rule to only filter for Destination = ALGO_IP. Below it what it looks like in the config.boot file/UI tree. THe second rule below is an example of how you can exclude a client's traffic comeletely from the tunnel. 
+    ```
+    nat {
+            rule 5003 {
+                description "masquerade for WAN"
+                destination {
+                    address <ALGO_IP>
+                }
+                log disable
+                outbound-interface eth0
+                protocol all
+                type masquerade
+            }
+            rule 5005 {
+                description "Masquerade for WAN - Xbox One"
+                destination {
+                }
+                log disable
+                outbound-interface eth0
+                protocol tcp
+                source {
+                    address 10.0.0.35
+                }
+                type masquerade
+            }
+    }
+    ```
+9) You can try enabling ipsec hardware offload in the UI config tree under system. This seemsto be buggy and in some cases results in throughput lower than when offload is disabled - YMMV
+    ```
+        offload {
+            hwnat disable
+            ipsec enable
+            ipv4 {
+                forwarding enable
+                gre disable
+                vlan enable
+            }
+            ipv6 {
+                forwarding enable
+                vlan enable
+            }
+        }
+        ```
@@ -24,5 +24,18 @@ conn ikev2-{{ IP_subject_alt_name }}
     leftcert={{ item }}.crt
     leftfirewall=yes
     left=%defaultroute
-
-    auto=add
+{% if edgemax_support is defined and edgemax_lan_subnet is defined and edgemax_support == True %}
+    leftsubnet={{ edgemax_lan_subnet }}
+    auto=route
+{% else %}
+    audto=add
+{% endif %}
+
+
+{% if edgemax_support is defined and edgemax_lan_subnet is defined and edgemax_support == True %}
+conn lanbypass
+    leftsubnet={{ edgemax_lan_subnet }}
+    rightsubnet={{ edgemax_lan_subnet }}
+    type=passthrough
+    auto=route
+{% endif %}
@@ -38,5 +38,9 @@ conn %default
     rightdns={% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support is defined and ipv6_support == "yes" %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
 {% endif %}
 
+{% if edgemax_support is defined and edgemax_lan_subnet is defined and edgemax_support == True %}
+	rightsubnet=0.0.0.0/0,::/0
+{% endif %}
+
 conn ikev2-pubkey
     auto=add
@@ -6,12 +6,18 @@
 :POSTROUTING ACCEPT [0:0]
 {% if max_mss is defined %}
 -A FORWARD -s {{ vpn_network }} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {{ max_mss }}
+{% if edgemax_support is defined and edgemax_lan_subnet is defined and edgemax_support == True %}
+-A FORWARD -s {{ edgemax_lan_subnet }} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {{ max_mss }}
+{% endif %}
 {% endif %}
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 -A POSTROUTING -s {{ vpn_network }} -m policy --pol none --dir out -j MASQUERADE
+{% if edgemax_support is defined and edgemax_lan_subnet is defined and edgemax_support == True %}
+-A POSTROUTING -s {{ edgemax_lan_subnet }} -m policy --pol none --dir out -j MASQUERADE
+{% endif %}
 COMMIT
 *filter
 :INPUT DROP [0:0]
@@ -34,11 +40,17 @@ COMMIT
 -A INPUT -d {{ local_service_ip }} -p tcp -m multiport --dport 8080,8118 -j ACCEPT
 {% if BetweenClients_DROP is defined and BetweenClients_DROP == "Y" %}
 -A FORWARD -s {{ vpn_network }} -d {{ vpn_network }} -j DROP
+{% if edgemax_support is defined and edgemax_lan_subnet is defined and edgemax_support == True %}
+-A FORWARD -s {{ edgemax_lan_subnet }} -d {{ edgemax_lan_subnet }} -j DROP
+{% endif %}
 {% endif %}
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -p tcp --dport 445 -j DROP
 -A FORWARD -p udp -m multiport --ports 137,138 -j DROP
 -A FORWARD -p tcp -m multiport --ports 137,139 -j DROP
 -A FORWARD -m conntrack --ctstate NEW -s {{ vpn_network }} -m policy --pol ipsec --dir in -j ACCEPT
+{% if edgemax_support is defined and edgemax_lan_subnet is defined and edgemax_support == True %}
+-A FORWARD -m conntrack --ctstate NEW -s {{ edgemax_lan_subnet }} -m policy --pol ipsec --dir in -j ACCEPT
+{% endif %}
 COMMIT