Teltonika Networks Wiki

Changes

Domnev1 (view source)

Revision as of 10:17, 10 July 2024

13,900 bytes added ,  10:17
no edit summary
Line 1: Line 1:  +
[[IPSec Tunnel w/CA Certs Configuration]]
 +
 
==Introduction==
 
==Introduction==
This article contains instructions on how to configure
     −
==Tunnelbroker configuration==
+
In computing, '''Internet Protocol Security''' ('''IPsec''') is a secure network protocol suite of IPv4 that authenticates and encrypts the packets of data sent over an IPv4 network. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to use during the session. IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). Internet Protocol security (IPsec) uses cryptographic security services to protect communications over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection.
===Login===
+
 
 +
This article provides an extensive configuration example with details on how to create a tunnel connection authenticating with X.509 Certs between two IPsec instances, both of which configured on RUTxxx routers.
 +
 
 +
==Configuration overview and prerequisites==
 +
 
 +
Before we begin, let's overview the configuration that we are attempting to achieve and the prerequisites that make it possible.
 +
 
 +
'''Prerequisites''':
 +
* Two RUTxxx routers of any type
 +
* Both RUTxxx routers must be accessible from each other's WAN connection
 +
* Firmware for the devices must be 00.07.xx.x or above. This is in part to make sure the StrongSwan service is U5.9.6 or >
 +
* An end device (PC, Laptop) for configuration
 +
* (Optional) A second end device to test remote LAN access
 
----
 
----
Go to [http://tunnelbroker.net tunnelbroker.net] and log into your account. If you don't have a registered account then you will need to create one - click '''register'''.
  −
[[File:Tunnelbroker login.png|border|center|class=tlt-border|1004x1004px]]
     −
===IPv6 to IPv4 tunnel setup===
+
[Image Here showing RUT1 & RUT2 connected via Wan connection]
Setup IPv6 over IPv4, also known as 6in4 IPv6 transition mechanism
+
[RUT1 Wan IP: 192.168.1.3 Lan IP: 192.168.3.1]
 +
[RUT2 Wan IP: 192.168.1.14 Lan IP: 192.168.14.1]
 +
 
 +
The figure above depicts two RUTxxx routers (RUT1 and RUT2) connected by an IPsec tunnel via their WAN interfaces.
 +
 
 +
==Router configuration==
 +
 
 +
We will start our configuration with RUT1.
 +
 
 +
This configuration guide will generate our own CA cert that will be used to self-sign our own keys and local certs for both devices.
 +
 
 +
===Generating Certs===
 +
----
 +
 
 +
 
 +
====Generating CA Cert====
 
----
 
----
   −
To create a new tunnel, click on '''create regular tunnel''' ('''1'''), then '''enter''' your '''public IP''' (it will light up green, if the tunnel can be created with this IP) ('''2'''), '''select''' the desired '''tunnel server''' ('''3''') and '''create tunnel''' ('''4''').
+
First we will generate our CA cert.
 +
 
 +
* Login to the router's WebUI and go to '''System → Administration → Certificates'''.
 +
The following are the settings used for this example, but values should be changed depending on your specific needs:
 +
 
 +
- File Type: '''''CA'''''
 +
 
 +
- Key Size: '''''1024'''''
   −
[[File:Create IPv6 Tunnel.png|border|center|class=tlt-border|854x854px]]
+
- Name (CN): '''''CAIPSec''''' // This can be whatever name you choose.
   −
After successful tunnel creation, you will be prompt to tunnel details window.
+
- Subject Information: '''''Toggled On''''' // It is recommended to fill out at least Country Code, State/Province and Organization Name.
   −
[[File:IPv6 Tunnel created.png|border|center|class=tlt-border|454x454px]]
+
- Country Code (CC): '''''US''''' // Fill your country code
   −
To create a a tunnel instance on your RUT router, '''navigate''' to '''example configurations''' ('''1''') and select '''OpenWRT Barrier Breaker''' ('''2''').
+
- State or Province Name (ST): '''''TX''''' // Fill your State/Province name
   −
[[File:Tunnel interface.png|border|center|class=tlt-border|554x554px]]
+
- Locality Name (L): '''''CAIPSec''''' // Fill your locality name, or at least a recognizable name for your CA
   −
Copy and paste the following commands into your RUT CLI. Do not forget to '''replace''' '''YOUR_TUNNELBORKER_USERNAME''' and '''YOUR_TUNNELBROKER_PASSWORD''' with your '''TunnelBroker account username''' and '''password'''.
+
- Organization Name (O): '''''CAIPSec''''' // Fill your Organization name
   −
==Relayd configuration==
+
- Organizational Unit Name (OU): '''''CAIPSEC''''' // Fill your specific Unit Name
Relay is a daemon (computer program that runs as a background process) used to relay and dynamically redirect incoming connections to a target host. Its main purpose in RUTxxx routers is to extend the wireless network. For example, when RUTxxx is in STA Wireless Station mode, it can be used to bridge WAN and LAN interfaces to create a larger Wireless network.
     −
This article provides an extensive configuration example of a basic Relay usage scenario with two RUTxxx devices.
+
- '''''Generate''''' Certificate
===Relayd installation===
+
<br>
 +
 
 +
[[File:IPSec CA Cert Generating.png|frame|none]]
 +
 
 +
<br>
 +
After you hit Generate the CA cert you should see a confirmation notification pop-up near the top right, and if you select Certificates Manager you should see a CAIPSec.key.pem under *Keys* and a CAIPSec.req.pem under *Certificate requests*.
 +
<br>
 +
 
 +
[[File:IPSec CA Cert Generating Confirmation.png|frame|none]]
 +
[[File:IPSec CA Cert Generating Manager Check.png|frame|none]]
 +
 
 +
<br>
 +
Next we need to sign the CAIPSec CA. We will be Self-Signing our own CA.
 +
Under the '''Certificate signing''' configure as follows:
 +
 
 +
- Signed Certificate Name: '''''CAIPSec'''''
 +
 
 +
- Type of Certificate to Sign: '''''Certificate Authority'''''
 +
 
 +
- Certificate Request File: '''''CAIPSec.req.pem'''''
 +
 
 +
- Days Valid: '''''3650''''' // For this example we will use 3650 days, but you can configure this to be longer if needed. I would caution against too long of a CA.
 +
 
 +
- Certificate Authority Key: '''''CAIPSec.key.pem'''''
 +
 
 +
- Leave the rest of the configuration default
 +
 
 +
- '''''Sign'''''
 +
<br>
 +
 
 +
[[File:IPSec CA Cert Signing.png|frame|none]]
 +
 
 +
<br>
 +
After you hit *Sign* the CA cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a CAIPSec.cert.pem under *Certificates*.
 +
<br>
 +
 
 +
[[File:IPSec CA Cert Generating Confirmation2.png|frame|none]]
 +
<br>
 +
 
 +
====Generating Rut1 Client Cert====
 
----
 
----
Install relayd package if needed, skip this step on RUTX series devices or if you already installed it on your router
  −
<pre>opkg update
  −
opkg install relayd</pre>
     −
===WiFi client configuration===
+
* Login to the router's WebUI and go to '''System → Administration → Certificates'''.
 +
The following are the settings used for this example, but values should be changed depending on your specific needs:
 +
 
 +
- File Type: '''''Client'''''
 +
 
 +
- Key Size: '''''1024'''''
 +
 
 +
- Name (CN): '''''RUT1''''' // This can be whatever name you choose.
 +
 
 +
- Subject Information: '''''Toggled On''''' // It is recommended to fill out at least Country Code, State/Province and Organization Name.
 +
 
 +
- Country Code (CC): '''''US''''' // Fill your country code
 +
 
 +
- State or Province Name (ST): '''''TX''''' // Fill your State/Province name
 +
 
 +
- Locality Name (L): '''''RUT1''''' // Fill your locality name, or at least a recognizable name for your CA
 +
 
 +
- Organization Name (O): '''''RUT1''''' // Fill your Organization name
 +
 
 +
- Organizational Unit Name (OU): '''''RUT1''''' // Fill your specific Unit Name
 +
 
 +
- '''''Generate''''' Certificate
 +
<br>
 +
 
 +
[[File:IPSec RUT1 Cert Generating.png|frame|none]]
 +
 
 +
<br>
 +
After you hit Generate the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT1.key.pem under *Keys* and a RUT1.req.pem under *Certificate requests*.
 +
<br>
 +
 
 +
[[File:IPSec RUT1 Cert Generating Confirmation.png|frame|none]]
 +
 
 +
<br>
 +
 
 +
Next we need to sign the RUT1 cert.
 +
Under the `Certificate signing` configure as follows:
 +
 
 +
- Signed Certificate Name: '''''RUT1'''''
 +
 
 +
- Type of Certificate to Sign: '''''Client Certificate'''''
 +
 
 +
- Certificate Request File: '''''RUT1.req.pem'''''
 +
 
 +
- Days Valid: '''''3650'''''
 +
 
 +
- Certificate Authority File: '''''CAIPSec.cert.pem'''''
 +
 
 +
- Certificate Authority Key: '''''CAIPSec.key.pem'''''
 +
 
 +
- Leave the rest of the configuration alone
 +
 
 +
- '''''Sign'''''
 +
<br>
 +
 
 +
[[File:IPSec RUT1 Cert Signing.png|frame|none]]
 +
 
 +
<br>
 +
After you hit *Sign* the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT1.cert.pem under *Certificates*.
 +
<br>
 +
 
 +
[[File:IPSec RUT1 Cert Manager Check.png|frame|none]]
 +
 
 +
<br>
 +
 
 +
====Generating Rut2 Client Cert====
 +
----
 +
 
 +
We will still generate RUT2 certs on the RUT1 device, so that we can sign our certs with the CA created earlier.
 +
Later we will download the certs required for RUT2 and import them there.
 +
 
 +
* Login to the router's WebUI and go to '''System → Administration → Certificates'''.
 +
The following are the settings used for this example, but values should be changed depending on your specific needs:
 +
 
 +
- File Type: '''''Client'''''
 +
 
 +
- Key Size: '''''1024'''''
 +
 
 +
- Name (CN): '''''RUT2''''' // This can be whatever name you choose.
 +
 
 +
- Subject Information: '''''Toggled On''''' // It is recommended to fill out at least Country Code, State/Province and Organization Name.
 +
 
 +
- Country Code (CC): '''''US''''' // Fill your country code
 +
 
 +
- State or Province Name (ST): '''''TX''''' // Fill your State/Province name
 +
 
 +
- Locality Name (L): '''''RUT2''''' // Fill your locality name, or at least a recognizable name for your CA
 +
 
 +
- Organization Name (O): '''''RUT2''''' // Fill your Organization name
 +
 
 +
- Organizational Unit Name (OU): '''''RUT2''''' // Fill your specific Unit Name
 +
 
 +
- '''''Generate''''' Certificate
 +
<br>
 +
 
 +
[[File:IPSec RUT2 Cert Generating.png|frame|none]]
 +
 
 +
<br>
 +
After you hit Generate the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT2.key.pem under *Keys* and a RUT2.req.pem under *Certificate requests*.
 +
<br>
 +
 
 +
[[File:IPSec RUT2 Cert Generating Confirmation.png|frame|none]]
 +
 
 +
<br>
 +
Next we need to sign the RUT2 cert.
 +
Under the `Certificate signing` configure as follows:
 +
 
 +
- Signed Certificate Name: '''''RUT2'''''
 +
 
 +
- Type of Certificate to Sign: '''''Client Certificate'''''
 +
 
 +
- Certificate Request File: '''''RUT2.req.pem'''''
 +
 
 +
- Days Valid: '''''3650'''''
 +
 
 +
- Certificate Authority File: '''''CAIPSec.cert.pem'''''
 +
 
 +
- Certificate Authority Key: '''''CAIPSec.key.pem'''''
 +
 
 +
- Leave the rest of the configuration alone
 +
 
 +
- '''''Sign'''''
 +
<br>
 +
 
 +
[[File:IPSec RUT2 Cert Signing.png|frame|none]]
 +
 
 +
<br>
 +
After you hit *Sign* the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT2.cert.pem under *Certificates*.
 +
<br>
 +
 
 +
[[File:IPSec RUT2 Cert Manager Check.png|frame|none]]
 +
 
 +
<br>
 +
====Download/Import Certs====
 +
----
 +
 
 +
Starting with RUT1
 +
 
 +
* Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager'''
 +
* Download CAIPSec.cert.pem, RUT1.cert.pem, RUT1.key.pem, RUT2.cert.pem & RUT2.key.pem
 +
* Go to '''System → Administration → Certificates -> Root CA'''. Toggle '''On'''. Select '''CAIPSec.cert.pem''' -> '''Upload''' & then '''Save'''
 +
 
 +
Next moving to RUT2
 +
 
 +
* Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager'''
 +
* Import Certificate File *Browse* and import CAIPSec.cert.pem, RUT1.cert.pem, RUT2.cert.pem & RUT2.key.pem
 +
* Go to '''System → Administration → Certificates -> Root CA'''. Toggle '''On'''. Select '''CAIPSec.cert.pem''' -> '''Upload''' & then '''Save'''
 +
 
 +
===IPSec RUT1 Config===
 +
----
 +
 
 +
* Login to the router's WebUI and go to '''System → Services → VPN -> IPsec'''
 +
* Add a new instance called '''CA_EX'''
 +
<br>
 +
 
 +
[[File:IPSec RUT1 Config Add CA EX.png|frame|none]]
 +
 
 +
<br>
 +
* IPsec Instance General settings configuration as follows:
 +
 
 +
    - Remote endpoint: '''''192.168.1.14''''' // This should be RUT2 WAN IP. You should be able to ping this IP from RUT1 WAN IP.
 +
 
 +
    - Authentication method: '''''X.509'''''
 +
 
 +
    - Key: '''''RUT1.key.pem''''' // Browse and import the RUT1.key.pem we created & downloaded earlier.
 +
 
 +
    - Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps.
 +
 
 +
    - Local certificate: '''''RUT1.cert.pem''''' // Browse and import the RUT1.cert.pem we created & downloaded earlier.
 +
 
 +
    - CA certificate: '''''CAIPSec.cert.pem''''' // Browse and import the CAIPSec.cert.pem we created & downloaded earlier.
 +
 
 +
    - Local identifier: '''''192.168.3.1''''' // We will use the LAN IP of RUT1 for the Identifier
 +
 
 +
    - Remote identifier: '''''192.168.14.1''''' // We will use the LAN IP of RUT2 for the Identifier
 +
<br>
 +
 
 +
[[File:RUT1 IPSec Instance General Settings Configuration.png|frame|none]]
 +
 
 +
<br>
 +
 
 +
* IPsec Instance Advanced settings configuration as follows:
 +
 
 +
    - Remote certificate: '''''RUT2.cert.pem''''' // Upload RUT2 cert we created earlier.
 +
<br>
 +
 
 +
[[File:RUT1 IPSec Instance Advanced Settings Configuration.png|frame|none]]
 +
 
 +
<br>
 +
 
 +
* Connection settings General settings configuration as follows:
 +
 
 +
    - Mode: '''''Start''''' // start loads a connection and brings it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection)
 +
 
 +
    - Type: '''''Tunnel'''''
 +
 
 +
    - Default route: '''''off''''' // Only use this if you want your default route to be out this tunnel.
 +
 
 +
    - Local subnet: '''''192.168.3.0/24''''' // RUT1 LAN subnet we want access to through the tunnel
 +
 
 +
    - Remote subnet: '''''192.168.14.0/24''''' // RUT2 LAN subnet we want access to through the tunnel
 +
 
 +
    - Key exchange: '''''IKEv2'''''
 +
<br>
 +
 
 +
[[File:RUT1 IPSec Connection Settings General Settings Configuration.png|frame|none]]
 +
 
 +
<br>
 +
 
 +
* Connection settings Advanced settings configuration as follows:
 +
 
 +
    - Force encapsulation: '''''On'''''
 +
 
 +
    - Local Firewall: '''''On'''''
 +
 
 +
    - Remote Firewall: '''''On'''''
 +
 
 +
    - Inactivity: '''''3600''''' // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing.
 +
 
 +
    - Dead peer detection: '''''On'''''
 +
 
 +
    - DPD action: '''''Restart'''''
 +
 
 +
    - DPD delay: '''''30''''' // This is in seconds.
 +
 
 +
    - DPD Timeout: '''''150''''' // This is in seconds.
 +
 
 +
    - The rest of the configuration leave as default
 +
 
 +
<br>
 +
 
 +
[[File:RUT1 IPSec Connection Settings Advanced Settings Configuration.png|frame|none]]
 +
 
 +
<br>
 +
 
 +
* Connection settings Proposal settings configuration as follows:
 +
 
 +
* Phase 1
 +
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 +
  - Encryption: '''''AES 128'''''
 +
 
 +
  - Authentication: '''''SHA1'''''
 +
 
 +
  - DH group: '''''MODP1536'''''
 +
 
 +
  - Force crypto proposal: '''''Off'''''
 +
 
 +
  - IKE lifetime: '''''3h'''''
 +
<br>
 +
 
 +
[[File:RUT1 IPSec Proposal Settings Phase1.png|frame|none]]
 +
 
 +
<br>
 +
 
 +
* Phase 2
 +
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 +
  - Encryption: '''''AES 128'''''
 +
 
 +
  - Hash: '''''SHA1'''''
 +
 
 +
  - PFS group: '''''MODP1536'''''
 +
 
 +
  - Force crypto proposal: '''''Off'''''
 +
 
 +
  - IKE lifetime: '''''3h'''''
 +
<br>
 +
 
 +
[[File:RUT1 IPSec Proposal Settings Phase2.png|frame|none]]
 +
 
 +
<br>
 +
 
 +
* Hit '''''Save & Apply'''''
 +
* Toggle the CA_EX tunnel on and hit '''''Save & Apply''''' once more
 +
<br>
 +
[[File:RUT1 IPSec Toggle On Save And Apply.png|frame|none]]
 +
 
 +
<br>
 +
* Reboot the device once you have finished.
 +
 
 +
 
 +
===IPSec RUT2 Config===
 
----
 
----
Add WiFi interface to make your router act as a WiFi client (connect to another AP)
     −
<pre>uci add wireless wifi-iface
  −
uci set wireless.@wifi-iface[-1]=wifi-iface</pre>
     −
Add new WiFi interface to 2.4ghz device, can specify 'radio1' for 5ghz
+
* Login to the router's WebUI and go to '''System → Services → VPN -> IPsec'''
 +
* Add a new instance called '''CA_EX'''
 +
<br>
   −
<pre>uci set wireless.@wifi-iface[-1].device='radio0'
+
[[File:IPSec_RUT1_Config_Add_CA_EX.png|frame|none]]
uci set wireless.@wifi-iface[-1].mode='sta'
  −
uci set wireless.@wifi-iface[-1].network='wifi_wan'</pre>
     −
Change SSID here to an SSID that the router will be connecting to
+
<br>
   −
<pre>uci set wireless.@wifi-iface[-1].ssid='RUT_4474_2G'</pre>
+
* IPsec Instance General settings configuration as follows:
 +
 
 +
    - Remote endpoint: '''''192.168.1.3''''' // This should be RUT1 WAN IP. You should be able to ping this IP from RUT2 WAN IP.
   −
Change BSSID here to BSSID that the router will be connecting to (L2 address)
+
    - Authentication method: '''''X.509'''''
   −
<pre>uci set wireless.@wifi-iface[-1].bssid='00:1E:42:44:44:74'</pre>
+
    - Key: '''''RUT2.key.pem''''' // Browse and import the RUT2.key.pem we created & downloaded earlier.
   −
Use appropriate auth method, PSK2 = WPA2-PSK here
+
    - Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps.
   −
<pre>uci set wireless.@wifi-iface[-1].encryption='psk2'</pre>
+
    - Local certificate: '''''RUT2.cert.pem''''' // Browse and import the RUT1.cert.pem we created & downloaded earlier.
   −
Change secret to appropriate one
+
    - CA certificate: '''''CAIPSec.cert.pem''''' // Browse and import the CAIPSec.cert.pem we created & downloaded earlier.
   −
<pre>uci set wireless.@wifi-iface[-1].key='Vc80Tps1'
+
    - Local identifier: '''''192.168.14.1''''' // We will use the LAN IP of RUT2 for the Identifier
uci set wireless.@wifi-iface[-1].disabled='0'
  −
uci set wireless.@wifi-iface[-1].skip_inactivity_poll='0'
  −
uci set wireless.@wifi-iface[-1].wifi_id='wifi1'</pre>
     −
New internface configuration
+
    - Remote identifier: '''''192.168.3.1''''' // We will use the LAN IP of RUT1 for the Identifier
 +
<br>
   −
<pre>uci set network.wifi_wan=interface
+
[[File:RUT2 IPSec Instance General Settings Configuration.png|frame|none]]
uci set network.wifi_wan.proto='dhcp'
  −
uci set network.wifi_wan.metric='6'
  −
uci set network.wifi_wan.disabled='0'
  −
uci set network.wifi_wan.force_link='0'
  −
uci set network.wifi_wan.broadcast='0'</pre>
     −
IPv6 interface creation
+
<br>
   −
<pre>uci set network.wifi_wan6=interface
+
* Connection settings Advanced settings configuration as follows:
uci set network.wifi_wan6.proto='dhcpv6'
+
 
uci set network.wifi_wan6.metric='6'
+
    - Remote certificate: '''''RUT1.cert.pem''''' // Upload RUT1 cert we created earlier.
uci set network.wifi_wan6.disabled='0'
+
<br>
uci set network.wifi_wan6.force_link='0'
  −
uci set network.wifi_wan6.reqaddress='try'
  −
uci set network.wifi_wan6.reqprefix='auto'
  −
uci set network.wifi_wan6.device='@wifi_wan'</pre>
     −
<pre>uci set network.lan_repeater=interface
+
[[File:RUT2 IPSec Instance Advanced Settings Configuration.png|frame|none]]
uci set network.lan_repeater.proto='relay'
  −
uci set network.lan_repeater.lan_mark='lan'
  −
uci set network.lan_repeater.enabled='1'
  −
uci set network.lan_repeater.network='lan wifi_wan'</pre>
     −
<pre>uci set network.lan.ipaddr='192.168.1.3'</pre>
+
<br>
   −
Set DHCP settings for LAN interface (disable dhcp on LAN) and enable IPv6 relay on wifi_wan interface and
+
* Connection settings General settings configuration as follows:
   −
<pre>uci set dhcp.lan.ignore='1'
+
    - Mode: '''''Start''''' // start loads a connection and brings it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection)
uci set dhcp.lan.ra='relay'
  −
uci set dhcp.lan.dhcpv6='relay'
  −
uci set dhcp.lan.ndp='relay'</pre>
     −
<pre>uci set dhcp.wifi_wan=dhcp
+
    - Type: '''''Tunnel'''''
uci set dhcp.wifi_wan.ra='relay'
  −
uci set dhcp.wifi_wan.dhcpv6='relay'
  −
uci set dhcp.wifi_wan.master='1'
  −
uci set dhcp.wifi_wan.ndp='relay'</pre>
     −
Set firewall zone, using WAN firewall zone for newly created wifi_wan network interface
+
    - Default route: '''''off''''' // Only use this if you want your default route to be out this tunnel.
   −
<pre>uci set firewall.@zone[1].network='wan wan6 mob1s1a1 mob1s2a1 wifi_wan'</pre>
+
    - Local subnet: '''''192.168.14.0/24''''' // RUT2 LAN subnet we want access to through the tunnel
   −
Set mwan3 settings for new interface wifi_wan
+
    - Remote subnet: '''''192.168.3.0/24''''' // RUT1 LAN subnet we want access to through the tunnel
   −
<pre>uci set mwan3.wifi_wan=interface
+
    - Key exchange: '''''IKEv2'''''
uci set mwan3.wifi_wan.enabled='0'
+
<br>
uci set mwan3.wifi_wan.interval='3'
+
 
uci set mwan3.wifi_wan.family='ipv4'
+
[[File:RUT2 IPSec Connection Settings General Settings Configuration.png|frame|none]]
uci add mwan3 condition
+
 
uci set mwan3.@condition[-1].interface='wifi_wan'
+
<br>
uci set mwan3.@condition[-1].track_method='ping'
+
 
uci add_list mwan3.@condition[-1].track_ip='1.1.1.1'
+
* Connection settings Advanced settings configuration as follows:
uci add_list mwan3.@condition[-1].track_ip='8.8.8.8'
+
 
uci set mwan3.@condition[-1].reliability='1'
+
    - Force encapsulation: '''''On'''''
uci set mwan3.@condition[-1].count='1'
+
 
uci set mwan3.@condition[-1].timeout='2'
+
    - Local Firewall: '''''On'''''
uci set mwan3.@condition[-1].down='3'
+
 
uci set mwan3.@condition[-1].up='3'
+
    - Remote Firewall: '''''On'''''
uci set mwan3.wifi_wan_member_mwan=member
+
 
uci set mwan3.wifi_wan_member_mwan.interface='wifi_wan'
+
    - Inactivity: '''''3600''''' // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing.
uci set mwan3.wifi_wan_member_mwan.metric='1'
+
 
uci set mwan3.wifi_wan_member_balance=member
+
    - Dead peer detection: '''''On'''''
uci set mwan3.wifi_wan_member_balance.interface='wifi_wan'
+
 
uci set mwan3.wifi_wan_member_balance.weight='1'
+
    - DPD action: '''''Restart'''''
uci add_list mwan3.mwan_default.use_member='wifi_wan_member_mwan'
+
 
uci add_list mwan3.balance_default.use_member='wifi_wan_member_balance'</pre>
+
    - DPD delay: '''''30''''' // This is in seconds.
 +
 
 +
    - DPD Timeout: '''''150''''' // This is in seconds.
 +
 
 +
    - The rest of the configuration leave as default
 +
<br>
 +
 
 +
[[File:RUT2 IPSec Connection Settings Advanced Settings Configuration.png|frame|none]]
 +
 
 +
<br>
 +
 
 +
* Connection settings Proposal settings configuration as follows:
 +
 
 +
* Phase 1
 +
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 +
  - Encryption: '''''AES 128'''''
 +
 
 +
  - Authentication: '''''SHA1'''''
 +
 
 +
  - DH group: '''''MODP1536'''''
 +
 
 +
  - Force crypto proposal: '''''Off'''''
 +
 
 +
  - IKE lifetime: '''''3h'''''
 +
<br>
 +
 
 +
[[File:RUT2 IPSec Proposal Settings Phase1.png|frame|none]]
 +
 
 +
<br>
 +
 
 +
* Phase 2
 +
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 +
  - Encryption: '''''AES 128'''''
 +
 
 +
  - Hash: '''''SHA1'''''
 +
 
 +
  - PFS group: '''''MODP1536'''''
 +
 
 +
  - Force crypto proposal: '''''Off'''''
 +
 
 +
  - IKE lifetime: '''''3h'''''
 +
<br>
 +
 
 +
[[File:RUT2 IPSec Proposal Settings Phase2.png|frame|none]]
 +
 
 +
<br>
 +
 
 +
* Hit '''''Save & Apply'''''
 +
* Toggle the CA_EX tunnel on and hit '''''Save & Apply''''' once more
 +
<br>
 +
 
 +
[[File:RUT2 IPSec Toggle On Save And Apply.png|frame|none]]
 +
 
 +
<br>
 +
 
 +
* Reboot the device once you have finished.
 +
 
 +
 
 +
==Testing configuration==
 +
----
 +
 
 +
===RUT1 to RUT2 Test===
 +
----
 +
 
 +
Here we will check via SSH on both RUT1 & RUT2 devices that the IPsec tunnel has been established.
 +
That each RUT device can ping the other's LAN IP. In this case 192.168.3.1 for RUT1 & 192.168.14.1 for RUT2.
 +
And that LAN device on RUT1 can ping LAN device on RUT2.
 +
 +
* First make sure each device has been rebooted at least once after you have finished configuring the previous steps.
 +
* SSH into RUT1 device
 +
* '''''ipsec statusall''''' // This should show 2 up with Security Associations and that the connection should be up for some minutes. You should also see the Cert info from the certs we created earlier.
 +
<br>
 +
 
 +
[[File:RUT1 IPSec Status.png|frame|none]]
 +
 
 +
<br>
 +
* '''''ping 192.168.14.1''''' // You should get a response if the tunnel has established properly
 +
<br>
 +
 
 +
[[File:RUT1 Ping To RUT2 Check.png|frame|none]]
 +
 
 +
<br>
 +
 
 +
* SSH into RUT2 device
 +
* '''''ipsec statusall''''' // This should show 2 up with Security Associations and that the connection should be up for some minutes. You should also see the Cert info from the certs we created earlier.
 +
<br>
 +
 
 +
[[File:RUT2 IPSec Status.png|frame|none]]
 +
 
 +
<br>
 +
 
 +
* '''''ping 192.168.3.1''''' // You should get a response if the tunnel has established properly
 +
<br>
 +
 
 +
[[File:RUT2 Ping To RUT1 Check.png|frame|none]]
 +
 
 +
<br>
 +
 
 +
* SSH into RUT1 device
 +
* '''''opkg update'''''
 +
* '''''opkg install tcpdump'''''
 +
* '''''tcpdump -i any -w Checking_For_ESP_Packets.pcap'''''
 +
* SSH into RUT2 device
 +
* On RUT2 ping the LAN ip for RUT1 and leave that running. In our example that would be `ping 192.168.3.1`
 +
* On RUT1 wait 10 seconds then CTRL+C to stop the program
 +
* Then use a program like WinSCP to download '''Checking_For_ESP_Packets.pcap''' from RUT1
 +
* Open the file in a program called Wireshark and filter for encrypted ESP packets with this '''_ws.col.protocol == "ESP"'''. You should see ESP packets from both the WAN IPs. You shouldn't be able to see inside the packet because it is now encrypted, but if we decrypted the packets we would see the ICMP packets between the 2 RUT devices.
 +
<br>
 +
 
 +
[[File:Checking Pcap With Wireshark.png|frame|none]]
 +
 
 +
<br>
 +
 
 +
===RUT1 LAN device to RUT2 LAN device Test===
 +
----
   −
Set proper ipv6 settings for wifi_wan6 iface
+
Here we will confirm that LAN devices behind either RUTxxx devices are able to communicate with each other.
   −
<pre>uci set mwan3.wifi_wan6=interface
+
* Attach a Windows/MacOS/Linux PC via ethernet or wifi to RUT1 LAN. Remove or disable any other active interfaces on your PC.
uci set mwan3.wifi_wan6.enabled='0'
+
* Disable the firewall. Examples for each OS as follows.
uci set mwan3.wifi_wan6.interval='3'
+
  * Windows 10/11
uci set mwan3.wifi_wan6.family='ipv6'
+
    1. Press '''''Windows-Key + R'''''
uci add mwan3 condition
+
    2. Type '''''control''''' and hit enter
uci set mwan3.@condition[-1].interface='wifi_wan6'
+
    3. Navigate to Firewall Settings -> System and Security -> Windows Defender Firewall
uci set mwan3.@condition[-1].track_method='ping'
+
    4. On the left sidebar, click "Turn Windows Defender Firewall on or off"
uci add_list mwan3.@condition[-1].track_ip='2606:4700:4700::1111'
+
    5. Select "Turn off Windows Defender Firewall (not recommended)" under both the Private and Public network settings
uci add_list mwan3.@condition[-1].track_ip='2001:4860:4860::8888'
+
    6. Click "OK" to apply the changes
uci set mwan3.@condition[-1].reliability='1'
+
  * MacOS Ventura
uci set mwan3.@condition[-1].count='1'
+
    1. Click on Apple menu and select "System Preferences"
uci set mwan3.@condition[-1].timeout='2'
+
    2. Click on "Security & Privacy"
uci set mwan3.@condition[-1].down='3'
+
    3. Click on the "Firewall" tab
uci set mwan3.@condition[-1].up='3'
+
    4. Select the lock icon at the bottom left and enter your administrator password
uci set mwan3.wifi_wan6_member_mwan=member
+
    5. Select "Turn Off Firewall"
uci set mwan3.wifi_wan6_member_mwan.interface='wifi_wan6'
+
  * Linux (Ubuntu)
uci set mwan3.wifi_wan6_member_mwan.metric='1'
+
    1. Open a Terminal window
uci set mwan3.wifi_wan6_member_balance=member
+
    2. '''''sudo ufw disable'''''
uci set mwan3.wifi_wan6_member_balance.interface='wifi_wan6'
+
* Perform similar steps above for a 2nd device connected to RUT2 LAN
uci set mwan3.wifi_wan6_member_balance.weight='1'
+
* Once both devices are connected to the LAN of RUT1 & RUT2 you should be able to ping the devices from each other.
uci add_list mwan3.mwan_default.use_member='wifi_wan6_member_mwan'
+
<br>
uci add_list mwan3.balance_default.use_member='wifi_wan6_member_balance'
  −
uci set mwan3.default_rule_ipv6=rule
  −
uci set mwan3.default_rule_ipv6.dest_ip='::/0'
  −
uci set mwan3.default_rule_ipv6.use_policy='mwan_default'
  −
uci set mwan3.default_rule_ipv6.family='ipv6'</pre>
     −
Save all the changes and restart the configuration
+
[[File:LAN To LAN Device Ping.png|frame|none]]
   −
<pre>uci commit
+
<br>
reload_config</pre>
+
* Afterwards make sure to re-enable the firewall for both LAN devices
Retrieved from "https://wiki.teltonika-networks.com/view/Special:MobileDiff/100170...128718"