eduroam_fw_ipsec.ps1

# Declare varaibles
function declare_variables
{
# BEGIN OF CONFIGURATION ######################################################

  # Do only cleanup tasks
  $script:remove_only = $False

  # Apply additional settings
  $script:additions = $True

  # Create inbound firewall rules
  $script:firewall_in = $True

  # Create outbound firewall rules (only useful when blocking outbound traffic)
  $script:firewall_out = $True

  # Create IPsec configurations
  $script:ipsec = $True

  # Set servers's FQDN (to select the correct certificate for IPsec)
  $script:local_fqdn = "radius.instituce.cz"

  # Set server's IP address (IPv4 or IPv6)
  $script:local_ip = "78.77.76.75"
  #$script:local_ip = "2001:78:77:76::75"

  # Set IP address(es) of local AP(s), examples:

    # One IP address
  #$script:ap_ips = "10.1.1.2"

    # IP addresses, subnet and range
  #$script:ap_ips = "10.1.1.2", "10.1.1.3", "10.1.2.0/24", "10.1.3.2-10.1.3.9"

    # I don't want to manage APs here (empty list)
  $script:ap_ips = @()

# END OF CONFIGURATION ########################################################

  # Set prefix for DisplayName creation
  $script:display_name_prefix = "_eduroam"

  if ($local_ip.Contains(":"))
  {
    $script:monitoring_ips = "2001:718:ff05:10b::234"
    $script:flr_ips        = "2001:718:ff05:aca::1:10", "2001:718:ff05:aca::1:11", "2001:718:ff05:aca::1:12"
    $script:icmp_version   = "ICMPv6"
  }
  else
  {
    $script:monitoring_ips = "78.128.248.234"
    $script:flr_ips        = "78.128.248.10", "78.128.248.11", "78.128.248.12"
    $script:icmp_version   = "ICMPv4"
  }

  # Output collors
  $script:group_bc = "blue"
  $script:group_fc = "white"
  $script:fail_bc  = "red"
  $script:fail_fc  = "white"
  $script:ok_bc    = "green"
  $script:ok_fc    = "black"

  # Can we continue?
  check_settings
}

# Check settings and decide if we can continue
function check_settings
{
  # Prevent accidental deletion of all firewall and IPsec rules
  if ($display_name_prefix.Length -lt 1)
  {
    Write-Host ("DisplayName prefix '{0}' is invalid! Exiting." -f $display_name_prefix) `
      -ForegroundColor $fail_fc `
      -BackgroundColor $fail_bc
    exit 1
  }

  # Is $local_ip valid IP address?
  if (-Not ($local_ip -As [IPAddress] -As [Bool]))
  {
    Write-Host ("Local IP address '{0}' is invalid! Exiting." -f $local_ip) `
      -ForegroundColor $fail_fc `
      -BackgroundColor $fail_bc
    exit 1
  }
}

# Internal verifiing function
function verify_exit_status($status)
{
  if (-Not $status)
  {
    Write-Host " FAIL! " -ForegroundColor $fail_fc -BackgroundColor $fail_bc
    exit 1
  }
  else
  {
    Write-Host " OK " -ForegroundColor $ok_fc -BackgroundColor $ok_bc
  }
}

# Remove old firewall rules
function remove_old_firewall_rules
{
  Write-Host "Remove old firewall rules:" `
    -ForegroundColor $group_fc `
    -BackgroundColor $group_bc

  Write-Host "Removing old firewall rules: " -NoNewline
  Remove-NetFirewallRule `
    -DisplayName ("{0}*" -f $display_name_prefix)
  verify_exit_status $?

  Write-Host
}

# Remove old IPsec rules
function remove_old_ipsec_rules
{
  Write-Host "Remove old IPsec rules:" `
    -ForegroundColor $group_fc `
    -BackgroundColor $group_bc

  Write-Host "Removing old IPsec MainMode rules: " -NoNewline
  Remove-NetIPsecMainModeRule `
    -DisplayName ("{0}*" -f $display_name_prefix)
  verify_exit_status $?

  Write-Host "Removing old IPsec ConSec rules: " -NoNewline
  Remove-NetIPSecRule `
    -DisplayName ("{0}*" -f $display_name_prefix)
  verify_exit_status $?

  Write-Host "Removing old IPsec MainMode crypto sets: " -NoNewline
  Remove-NetIPsecMainModeCryptoSet `
    -DisplayName ("{0}*" -f $display_name_prefix)
  verify_exit_status $?

  Write-Host "Removing old IPsec auth sets: " -NoNewline
  Remove-NetIPsecPhase1AuthSet `
    -DisplayName ("{0}*" -f $display_name_prefix)
  verify_exit_status $?

  Write-Host
}

# Apply additional settings
function apply_additional_settings
{
  Write-Host "Apply additional settings:" `
      -ForegroundColor $group_fc `
      -BackgroundColor $group_bc

  # Enable IPsec NAT-T
  Write-Host "Enabling IPsec NAT-T: " -NoNewline
  Set-NetFirewallSetting `
    -AllowIPsecThroughNAT Both
  verify_exit_status $?

  Write-Host
}

# Create new firewall inbound rules
function create_new_firewall_rules_in
{
  Write-Host "Create new firewall inbound rules:" `
    -ForegroundColor $group_fc `
    -BackgroundColor $group_bc

  Write-Host "Creating new firewall ICMP-in rule: " -NoNewline
  New-NetFirewallRule `
    -DisplayName ("{0} ICMP (IN)" -f $display_name_prefix) `
    -Direction Inbound `
    -Protocol $icmp_version `
    -LocalAddress $local_ip `
    -RemoteAddress $($flr_ips + $monitoring_ips) `
    -Action Allow `
    > $null
  verify_exit_status $?

  # If the $ap_ips variable is invalid, we create a rule without it
  Write-Host "Creating new firewall RADIUS-in rule: " -NoNewline
  try
  {
    New-NetFirewallRule `
      -DisplayName ("{0} RADIUS (IN)" -f $display_name_prefix) `
      -Direction Inbound `
      -Protocol UDP `
      -LocalPort 1812, 1813 `
      -LocalAddress $local_ip `
      -RemoteAddress $($flr_ips + $monitoring_ips + $ap_ips) `
      -Action Allow `
      -ErrorAction Stop `
      > $null
  }
  catch
  {
    Write-Host " Ignoring invalid 'ap_ips' " `
      -ForegroundColor $fail_fc `
      -BackgroundColor $fail_bc `
      -NoNewline
    Write-Host " " -NoNewline

    New-NetFirewallRule `
      -DisplayName ("{0} RADIUS (IN)" -f $display_name_prefix) `
      -Direction Inbound `
      -Protocol UDP `
      -LocalPort 1812, 1813 `
      -LocalAddress $local_ip `
      -RemoteAddress $($flr_ips + $monitoring_ips) `
      -Action Allow `
      > $null
  }
  verify_exit_status $?

  Write-Host "Creating new firewall IPsec-UDP-in rule: " -NoNewline
  New-NetFirewallRule `
    -DisplayName ("{0} IPsec UDP (IN)" -f $display_name_prefix) `
    -Direction Inbound `
    -Protocol UDP `
    -LocalPort 500, 4500 `
    -LocalAddress $local_ip `
    -RemoteAddress $flr_ips `
    -Action Allow `
    > $null
  verify_exit_status $?

  Write-Host "Creating new firewall IPsec-ESP-in rule: " -NoNewline
  New-NetFirewallRule `
    -DisplayName ("{0} IPsec ESP (IN)" -f $display_name_prefix) `
    -Direction Inbound `
    -Protocol 50 `
    -LocalAddress $local_ip `
    -RemoteAddress $flr_ips `
    -Action Allow `
    > $null
  verify_exit_status $?

  Write-Host
}

# Create new firewall outbound rules
function create_new_firewall_rules_out
{
  Write-Host "Create new firewall outbound rules:" `
    -ForegroundColor $group_fc `
    -BackgroundColor $group_bc

  Write-Host "Creating new firewall ICMP-out rule: " -NoNewline
  New-NetFirewallRule `
    -DisplayName ("{0} ICMP (OUT)" -f $display_name_prefix) `
    -Direction Outbound `
    -Protocol $icmp_version `
    -LocalAddress $local_ip `
    -RemoteAddress $($flr_ips + $monitoring_ips) `
    -Action Allow `
    > $null
  verify_exit_status $?

  Write-Host "Creating new firewall RADIUS-out rule: " -NoNewline
  New-NetFirewallRule `
    -DisplayName ("{0} RADIUS (OUT)" -f $display_name_prefix) `
    -Direction Outbound `
    -Protocol UDP `
    -RemotePort 1812 `
    -LocalAddress $local_ip `
    -RemoteAddress $flr_ips `
    -Action Allow `
    > $null
  verify_exit_status $?

  Write-Host "Creating new firewall IPsec-UDP-out rule: " -NoNewline
  New-NetFirewallRule `
    -DisplayName ("{0} IPsec UDP (OUT)" -f $display_name_prefix) `
    -Direction Outbound `
    -Protocol UDP `
    -RemotePort 500, 4500 `
    -LocalAddress $local_ip `
    -RemoteAddress $flr_ips `
    -Action Allow `
    > $null
  verify_exit_status $?

  Write-Host "Creating new firewall IPsec-ESP-out rule: " -NoNewline
  New-NetFirewallRule `
    -DisplayName ("{0} IPsec ESP (OUT)" -f $display_name_prefix) `
    -Direction Outbound `
    -Protocol 50 `
    -LocalAddress $local_ip `
    -RemoteAddress $flr_ips `
    -Action Allow `
    > $null
  verify_exit_status $?

  Write-Host
}

# Create new IPsec rules
function create_new_ipsec_rules
{
  Write-Host "Create new IPsec rules:" `
    -ForegroundColor $group_fc `
    -BackgroundColor $group_bc

  Write-Host ("Creating IPsec auth proposal for local certificate selection: ") -NoNewline
  $selection_proposal = New-NetIPsecAuthProposal `
                          -Machine `
                          -Cert `
                          -Authority "DC=cz, DC=cesnet-ca, O=CESNET CA, CN=eduroam CA 2" `
                          -AuthorityType Root `
                          -SubjectName $local_fqdn `
                          -SubjectNameType DomainName `
                          -SelectionCriteria
  verify_exit_status $?

  Write-Host ("Creating IPsec auth proposal for remote certificate validation: ") -NoNewline
  $validation_proposal = New-NetIPsecAuthProposal `
                           -Machine `
                           -Cert `
                           -Authority "DC=org, DC=edupki, CN=eduPKI CA G 01" `
                           -AuthorityType Root `
                           -SubjectName "flr.eduroam.cz" `
                           -SubjectNameType DomainName `
                           -ValidationCriteria
  verify_exit_status $?

  Write-Host "Creating IPsec auth set: " -NoNewline
  $auth_set = New-NetIPsecPhase1AuthSet `
                -DisplayName ("{0} AS" -f $display_name_prefix) `
                -Proposal $selection_proposal,$validation_proposal
  verify_exit_status $?

  Write-Host "Creating IPsec MainMode crypto proposal: " -NoNewline
  $main_mode_proposal = New-NetIPsecMainModeCryptoProposal `
                          -Encryption AES256 `
                          -Hash SHA256 `
                          -KeyExchange DH20
  verify_exit_status $?

  Write-Host "Creating IPsec MainMode crypto set: " -NoNewline
  $main_mode_crypto_set = New-NetIPsecMainModeCryptoSet `
                            -DisplayName ("{0} MMCS" -f $display_name_prefix) `
                            -MaxMinutes 1440 `
                            -Proposal $main_mode_proposal
  verify_exit_status $?

  Write-Host "Creating IPsec QuickMode proposal: " -NoNewline
  $quick_mode_proposal = New-NetIPsecQuickModeCryptoProposal `
                           -Encapsulation ESP `
                           -Encryption AES256 `
                           -ESPHash SHA256 `
                           -MaxKiloBytes 102400 `
                           -MaxMinutes 240
  verify_exit_status $?

  Write-Host "Creating IPsec QuickMode crypto set: " -NoNewline
  $quick_mode_crypto_set = New-NetIPsecQuickModeCryptoSet `
                             -DisplayName ("{0} QMCS" -f $display_name_prefix) `
                             -Proposal $quick_mode_proposal
  verify_exit_status $?

  Write-Host "Creating IPsec MainMode rule: " -NoNewline
  New-NetIPsecMainModeRule `
    -DisplayName ("{0} MainMode" -f $display_name_prefix) `
    -LocalAddress $local_ip `
    -RemoteAddress $flr_ips `
    -Phase1AuthSet $auth_set.Name `
    -MainModeCryptoSet $main_mode_crypto_set.Name `
    > $null
  verify_exit_status $?

  Write-Host "Creating IPsec ConSec rule: " -NoNewline
  New-NetIPSecRule `
    -DisplayName ("{0} ConSec" -f $display_name_prefix) `
    -Mode Transport `
    -KeyModule IKEv1 `
    -InboundSecurity Require `
    -OutboundSecurity Require `
    -Protocol Any `
    -LocalAddress $local_ip `
    -LocalPort Any `
    -RemoteAddress $flr_ips `
    -RemotePort Any `
    -Phase1AuthSet $auth_set.Name `
    -QuickModeCryptoSet $quick_mode_crypto_set.Name `
    > $null
  verify_exit_status $?

  Write-Host
}

# Establish run order
function main
{
  declare_variables

  remove_old_ipsec_rules
  remove_old_firewall_rules

  if ($additions    -And -Not $remove_only) { apply_additional_settings     }
  if ($firewall_in  -And -Not $remove_only) { create_new_firewall_rules_in  }
  if ($firewall_out -And -Not $remove_only) { create_new_firewall_rules_out }
  if ($ipsec        -And -Not $remove_only) { create_new_ipsec_rules        }

  Write-Host " All done " -ForegroundColor $ok_fc -BackgroundColor $ok_bc
}

main