Changes

no edit summary
Line 43: Line 43:  
The following are the settings used for this example, but values should be changed depending on your specific needs:
 
The following are the settings used for this example, but values should be changed depending on your specific needs:
   −
- File Type: CA
+
- File Type: `CA`
- Key Size: 1024
+
- Key Size: `1024`
- Name (CN): CAIPSec // This can be whatever name you choose.
+
- Name (CN): `CAIPSec` // This can be whatever name you choose.
- Subject Information: Toggled On // It is recommended to fill out at least Country Code, State/Province and Organization Name.
+
- Subject Information: `Toggled On` // It is recommended to fill out at least Country Code, State/Province and Organization Name.
- Country Code (CC): US // Fill your country code
+
- Country Code (CC): `US` // Fill your country code
- State or Province Name (ST): TX // Fill your State/Province name
+
- State or Province Name (ST): `TX` // Fill your State/Province name
- Locality Name (L): CAIPSec // Fill your locality name, or at least a recognizable name for your CA
+
- Locality Name (L): `CAIPSec` // Fill your locality name, or at least a recognizable name for your CA
- Organization Name (O): CAIPSec // Fill your Organization name
+
- Organization Name (O): `CAIPSec` // Fill your Organization name
- Organizational Unit Name (OU): CAIPSEC // Fill your specific Unit Name
+
- Organizational Unit Name (OU): `CAIPSEC` // Fill your specific Unit Name
 
- `Generate` Certificate
 
- `Generate` Certificate
    
[Screenshot Here]
 
[Screenshot Here]
   −
After you hit Generate the CA cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a CAIPSec.key.pem under *Keys* and a CAIPSec.req.pem under *Certificate requests*.
+
After you hit Generate the CA cert you should see a confirmation notification pop-up near the top right, and if you select Certificates Manager you should see a CAIPSec.key.pem under *Keys* and a CAIPSec.req.pem under *Certificate requests*.
    
[Screenshot Here]
 
[Screenshot Here]
 
+
[Screenshot Here]
    
Next we need to sign the CAIPSec CA. We will be Self-Signing our own CA.
 
Next we need to sign the CAIPSec CA. We will be Self-Signing our own CA.
 
Under the `Certificate signing` configure as follows:
 
Under the `Certificate signing` configure as follows:
   −
- Signed Certificate Name: CAIPSec
+
- Signed Certificate Name: `CAIPSec`
- Type of Certificate to Sign: Certificate Authority
+
- Type of Certificate to Sign: `Certificate Authority`
- Certificate Request File: CAIPSec.req.pem
+
- Certificate Request File: `CAIPSec.req.pem`
- Days Valid: 3650 // For this example we will use 3650 days, but you can configure this to be longer if needed. I would caution against too long of a CA.
+
- Days Valid: `3650` // For this example we will use 3650 days, but you can configure this to be longer if needed. I would caution against too long of a CA.
- Certificate Authority Key: CAIPSec.key.pem
+
- Certificate Authority Key: `CAIPSec.key.pem`
- Leave the rest of the configuration alone
+
- Leave the rest of the configuration default
 
- `Sign`
 
- `Sign`
 +
 +
[Screenshot Here]
    
After you hit *Sign* the CA cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a CAIPSec.cert.pem under *Certificates*.
 
After you hit *Sign* the CA cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a CAIPSec.cert.pem under *Certificates*.
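Review bot: `Key Size: 1024` on the CA entry is only wrapped in backticks here, so the example still pairs a 1024-bit CA key with `Days Valid: 3650`, roughly ten years of trust in a short key. Since this revision already touches the line, consider raising the example value (2048 or larger, if the device offers it) or adding a `//` comment that 1024 is illustrative only. The Days Valid comment "I would caution against too long of a CA" would also read more clearly as a caution against too long a validity period for the CA.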
Line 82: Line 84:  
The following are the settings used for this example, but values should be changed depending on your specific needs:
 
The following are the settings used for this example, but values should be changed depending on your specific needs:
   −
- File Type: Client
+
- File Type: `Client`
- Key Size: 1024
+
- Key Size: `1024`
- Name (CN): RUT1 // This can be whatever name you choose.
+
- Name (CN): `RUT1` // This can be whatever name you choose.
- Subject Information: Toggled On // It is recommended to fill out at least Country Code, State/Province and Organization Name.
+
- Subject Information: `Toggled On` // It is recommended to fill out at least Country Code, State/Province and Organization Name.
- Country Code (CC): US // Fill your country code
+
- Country Code (CC): `US` // Fill your country code
- State or Province Name (ST): TX // Fill your State/Province name
+
- State or Province Name (ST): `TX` // Fill your State/Province name
- Locality Name (L): RUT1 // Fill your locality name, or at least a recognizable name for your CA
+
- Locality Name (L): `RUT1` // Fill your locality name, or at least a recognizable name for your CA
- Organization Name (O): RUT1 // Fill your Organization name
+
- Organization Name (O): `RUT1` // Fill your Organization name
- Organizational Unit Name (OU): RUT1 // Fill your specific Unit Name
+
- Organizational Unit Name (OU): `RUT1` // Fill your specific Unit Name
 
- `Generate` Certificate
 
- `Generate` Certificate
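Review bot: the `//` comment on the Locality Name line still says "or at least a recognizable name for your CA", but this list is for the `Client` file type (RUT1). It looks copied from the CA section; suggest "a recognizable name for this device" or similar, fixed in the same pass as the backtick formatting.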
   Line 97: Line 99:  
After you hit Generate the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT1.key.pem under *Keys* and a RUT1.req.pem under *Certificate requests*.
 
After you hit Generate the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT1.key.pem under *Keys* and a RUT1.req.pem under *Certificate requests*.
    +
[Screenshot Here]
    
Next we need to sign the RUT1 cert.
 
Next we need to sign the RUT1 cert.
 
Under the `Certificate signing` configure as follows:
 
Under the `Certificate signing` configure as follows:
   −
- Signed Certificate Name: RUT1
+
- Signed Certificate Name: `RUT1`
- Type of Certificate to Sign: Client Certificate
+
- Type of Certificate to Sign: `Client Certificate`
- Certificate Request File: RUT1.req.pem
+
- Certificate Request File: `RUT1.req.pem`
- Days Valid: 3650
+
- Days Valid: `3650`
- Certificate Authority File: CAIPSec.cert.pem
+
- Certificate Authority File: `CAIPSec.cert.pem`
- Certificate Authority Key: CAIPSec.key.pem
+
- Certificate Authority Key: `CAIPSec.key.pem`
 
- Leave the rest of the configuration alone
 
- Leave the rest of the configuration alone
 
- `Sign`
 
- `Sign`
 +
 +
[Screenshot Here]
    
After you hit *Sign* the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT1.cert.pem under *Certificates*.
 
After you hit *Sign* the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT1.cert.pem under *Certificates*.
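Review bot: "Leave the rest of the configuration alone" is left as is in this signing list, while the same bullet in the CA signing list was changed to "Leave the rest of the configuration default". Pick one wording and use it in all signing sections so readers do not wonder whether the steps differ.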
Line 123: Line 128:  
The following are the settings used for this example, but values should be changed depending on your specific needs:
 
The following are the settings used for this example, but values should be changed depending on your specific needs:
   −
- File Type: Client
+
- File Type: `Client`
- Key Size: 1024
+
- Key Size: `1024`
- Name (CN): RUT2 // This can be whatever name you choose.
+
- Name (CN): `RUT2` // This can be whatever name you choose.
- Subject Information: Toggled On // It is recommended to fill out at least Country Code, State/Province and Organization Name.
+
- Subject Information: `Toggled On` // It is recommended to fill out at least Country Code, State/Province and Organization Name.
- Country Code (CC): US // Fill your country code
+
- Country Code (CC): `US` // Fill your country code
- State or Province Name (ST): TX // Fill your State/Province name
+
- State or Province Name (ST): `TX` // Fill your State/Province name
- Locality Name (L): RUT2 // Fill your locality name, or at least a recognizable name for your CA
+
- Locality Name (L): `RUT2` // Fill your locality name, or at least a recognizable name for your CA
- Organization Name (O): RUT2 // Fill your Organization name
+
- Organization Name (O): `RUT2` // Fill your Organization name
- Organizational Unit Name (OU): RUT2 // Fill your specific Unit Name
+
- Organizational Unit Name (OU): `RUT2` // Fill your specific Unit Name
 
- `Generate` Certificate
 
- `Generate` Certificate
   Line 138: Line 143:  
After you hit Generate the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT2.key.pem under *Keys* and a RUT1.req.pem under *Certificate requests*.
 
After you hit Generate the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT2.key.pem under *Keys* and a RUT1.req.pem under *Certificate requests*.
    +
[Screenshot Here]
    
Next we need to sign the RUT2 cert.
 
Next we need to sign the RUT2 cert.
 
Under the `Certificate signing` configure as follows:
 
Under the `Certificate signing` configure as follows:
   −
- Signed Certificate Name: RUT2
+
- Signed Certificate Name: `RUT2`
- Type of Certificate to Sign: Client Certificate
+
- Type of Certificate to Sign: `Client Certificate`
- Certificate Request File: RUT2.req.pem
+
- Certificate Request File: `RUT2.req.pem`
- Days Valid: 3650
+
- Days Valid: `3650`
- Certificate Authority File: CAIPSec.cert.pem
+
- Certificate Authority File: `CAIPSec.cert.pem`
- Certificate Authority Key: CAIPSec.key.pem
+
- Certificate Authority Key: `CAIPSec.key.pem`
 
- Leave the rest of the configuration alone
 
- Leave the rest of the configuration alone
 
- `Sign`
 
- `Sign`
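Review bot: the paragraph after Generate in the RUT2 section reads "a RUT2.key.pem under *Keys* and a RUT1.req.pem under *Certificate requests*", and the signing list just below uses `RUT2.req.pem` as the Certificate Request File. The request name should be RUT2.req.pem in that sentence; as written, a reader could select the RUT1 request when signing the RUT2 certificate. This revision passes over the line without fixing it.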
Line 190: Line 196:       −
* Connection settings Advanced settings configuration as follows:
+
* IPsec Instance Advanced settings configuration as follows:
 
    
 
    
 
- Remote certificate: `RUT2.cert.pem` // Upload RUT2 cert we created earlier.
 
- Remote certificate: `RUT2.cert.pem` // Upload RUT2 cert we created earlier.
 
+
[Screenshot Here]
    
* Connection settings General settings configuration as follows:
 
* Connection settings General settings configuration as follows:
Line 273: Line 279:  
    
 
    
 
- Remote certificate: `RUT1.cert.pem` // Upload RUT1 cert we created earlier.
 
- Remote certificate: `RUT1.cert.pem` // Upload RUT1 cert we created earlier.
 
+
[Screenshot Here]
    
* Connection settings General settings configuration as follows:
 
* Connection settings General settings configuration as follows:
Line 330: Line 336:     
==Testing configuration==
 
==Testing configuration==
 +
----
 +
 +
===RUT1 to RUT2 Test===
 
----
 
----
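Review bot: moving `===RUT1 to RUT2 Test===` directly under `==Testing configuration==` appears to put the general summary sentences (each RUT pinging the other's LAN IP, and "LAN device on RUT1 can ping LAN device on RUT2") inside the first subsection, although the second sentence describes the later LAN device test. Consider keeping the summary above the first `===` heading, or splitting it so each subsection carries its own expectation.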
   Line 335: Line 344:  
That each RUT device can ping the other's LAN IP. In this case 192.168.3.1 for RUT1 & 192.168.14.1 for RUT2.
 
That each RUT device can ping the other's LAN IP. In this case 192.168.3.1 for RUT1 & 192.168.14.1 for RUT2.
 
And that LAN device on RUT1 can ping LAN device on RUT2.
 
And that LAN device on RUT1 can ping LAN device on RUT2.
  −
===RUT1 to RUT2 Test===
  −
----
   
   
 
   
 
* First make sure each device has been rebooted at least once after you have finished configuring the previous steps.
 
* First make sure each device has been rebooted at least once after you have finished configuring the previous steps.
* SSH into RUT1 device.
+
* SSH into RUT1 device
 
* `ipsec statusall` // This should show 2 up with Security Associations and that the connection should be up for some minutes. You should also see the Cert info from the certs we created earlier.
 
* `ipsec statusall` // This should show 2 up with Security Associations and that the connection should be up for some minutes. You should also see the Cert info from the certs we created earlier.
 
[Screenshot Here]
 
[Screenshot Here]
   −
* `ping 192.168.14.1` // You should get a response if the tunnel has established properly.
+
* `ping 192.168.14.1` // You should get a response if the tunnel has established properly
 
[Screenshot Here]
 
[Screenshot Here]
   −
* SSH into RUT2 device.
+
* SSH into RUT2 device
 
* `ipsec statusall` // This should show 2 up with Security Associations and that the connection should be up for some minutes. You should also see the Cert info from the certs we created earlier.
 
* `ipsec statusall` // This should show 2 up with Security Associations and that the connection should be up for some minutes. You should also see the Cert info from the certs we created earlier.
 
[Screenshot Here]
 
[Screenshot Here]
   −
* `ping 192.168.3.1` // You should get a response if the tunnel has established properly.
+
* `ping 192.168.3.1` // You should get a response if the tunnel has established properly
 
[Screenshot Here]
 
[Screenshot Here]
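Review bot: trailing periods are dropped from the "SSH into ..." and `ping` bullets, but the `ipsec statusall` bullets in the same lists keep theirs, so the punctuation is now mixed within each list. Apply one rule to all of them. While here, "This should show 2 up with Security Associations" is hard to parse; stating what the reader should look for in the output (which connection names and the certificate subject) would make the check easier to confirm.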
   Line 367: Line 373:  
===RUT1 LAN device to RUT2 LAN device Test===
 
===RUT1 LAN device to RUT2 LAN device Test===
 
----
 
----
 +
 +
Here we will confirm that LAN devices behind either RUTxxx devices are able to communicate with each other.
    
* Attach a Windows/MacOS/Linux PC via ethernet or wifi to RUT1 LAN. Remove or disable any other active interfaces on your PC.
 
* Attach a Windows/MacOS/Linux PC via ethernet or wifi to RUT1 LAN. Remove or disable any other active interfaces on your PC.
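Review bot: the added sentence "LAN devices behind either RUTxxx devices are able to communicate" has a number mismatch; "either RUTxxx device" or "both RUTxxx devices" reads correctly. Since the rest of the page names the routers RUT1 and RUT2, using those names here would also be more consistent than "RUTxxx".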