Line 46: |
Line 46: |
| | | |
| - Key Size: `1024` | | - Key Size: `1024` |
| + | |
| - Name (CN): `CAIPSec` // This can be whatever name you choose. | | - Name (CN): `CAIPSec` // This can be whatever name you choose. |
| + | |
| - Subject Information: `Toggled On` // It is recommended to fill out at least Country Code, State/Province and Organization Name. | | - Subject Information: `Toggled On` // It is recommended to fill out at least Country Code, State/Province and Organization Name. |
| + | |
| - Country Code (CC): `US` // Fill your country code | | - Country Code (CC): `US` // Fill your country code |
| + | |
| - State or Province Name (ST): `TX` // Fill your State/Province name | | - State or Province Name (ST): `TX` // Fill your State/Province name |
| + | |
| - Locality Name (L): `CAIPSec` // Fill your locality name, or at least a recognizable name for your CA | | - Locality Name (L): `CAIPSec` // Fill your locality name, or at least a recognizable name for your CA |
| + | |
| - Organization Name (O): `CAIPSec` // Fill your Organization name | | - Organization Name (O): `CAIPSec` // Fill your Organization name |
| + | |
| - Organizational Unit Name (OU): `CAIPSEC` // Fill your specific Unit Name | | - Organizational Unit Name (OU): `CAIPSEC` // Fill your specific Unit Name |
| + | |
| - `Generate` Certificate | | - `Generate` Certificate |
| | | |
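Review bot: Key Size `1024` for the CA key is too small: 1024-bit RSA is below current minimums and is rejected by several modern IPsec/TLS stacks, and because this one key signs every router certificate that follows, it is the hardest value on the page to change later. Suggest `2048` (or larger) and the same change for the client keys. Minor: `CAIPSEC` on the OU line is capitalised differently from `CAIPSec` everywhere else; pick one spelling.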
Line 66: |
Line 74: |
| | | |
| - Signed Certificate Name: `CAIPSec` | | - Signed Certificate Name: `CAIPSec` |
| + | |
| - Type of Certificate to Sign: `Certificate Authority` | | - Type of Certificate to Sign: `Certificate Authority` |
| + | |
| - Certificate Request File: `CAIPSec.req.pem` | | - Certificate Request File: `CAIPSec.req.pem` |
| + | |
| - Days Valid: `3650` // For this example we will use 3650 days, but you can configure this to be longer if needed. I would caution against too long of a CA. | | - Days Valid: `3650` // For this example we will use 3650 days, but you can configure this to be longer if needed. I would caution against too long of a CA. |
| + | |
| - Certificate Authority Key: `CAIPSec.key.pem` | | - Certificate Authority Key: `CAIPSec.key.pem` |
| + | |
| - Leave the rest of the configuration default | | - Leave the rest of the configuration default |
| + | |
| - `Sign` | | - `Sign` |
| | | |
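Review bot: The caution on the Days Valid line ("I would caution against too long of a CA") would be more useful with the reason: the CA certificate can only be replaced by re-signing and re-importing every router certificate, while a very long lifetime lengthens the period in which a leaked `CAIPSec.key.pem` stays usable. Also worth a sentence here that `CAIPSec.key.pem` is only needed for signing and should stay off the routers; later steps import only `CAIPSec.cert.pem`. Style: "Leave the rest of the configuration default" here vs "alone" in the client signing steps; use one wording.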
Line 86: |
Line 100: |
| | | |
| - File Type: `Client` | | - File Type: `Client` |
| + | |
| - Key Size: `1024` | | - Key Size: `1024` |
| + | |
| - Name (CN): `RUT1` // This can be whatever name you choose. | | - Name (CN): `RUT1` // This can be whatever name you choose. |
| + | |
| - Subject Information: `Toggled On` // It is recommended to fill out at least Country Code, State/Province and Organization Name. | | - Subject Information: `Toggled On` // It is recommended to fill out at least Country Code, State/Province and Organization Name. |
| + | |
| - Country Code (CC): `US` // Fill your country code | | - Country Code (CC): `US` // Fill your country code |
| + | |
| - State or Province Name (ST): `TX` // Fill your State/Province name | | - State or Province Name (ST): `TX` // Fill your State/Province name |
| + | |
| - Locality Name (L): `RUT1` // Fill your locality name, or at least a recognizable name for your CA | | - Locality Name (L): `RUT1` // Fill your locality name, or at least a recognizable name for your CA |
| + | |
| - Organization Name (O): `RUT1` // Fill your Organization name | | - Organization Name (O): `RUT1` // Fill your Organization name |
| + | |
| - Organizational Unit Name (OU): `RUT1` // Fill your specific Unit Name | | - Organizational Unit Name (OU): `RUT1` // Fill your specific Unit Name |
| + | |
| - `Generate` Certificate | | - `Generate` Certificate |
| | | |
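Review bot: The Locality comment ("or at least a recognizable name for your CA") was carried over from the CA section; for a client certificate it should say "for this router". Same key-size remark as for the CA: `1024` on the Key Size line should be `2048` or larger. The File Type `Client` line is the right distinction from the CA request; consider saying in the text that the resulting `RUT1.key.pem` must be kept private to RUT1.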
Line 106: |
Line 129: |
| | | |
| - Signed Certificate Name: `RUT1` | | - Signed Certificate Name: `RUT1` |
| + | |
| - Type of Certificate to Sign: `Client Certificate` | | - Type of Certificate to Sign: `Client Certificate` |
| + | |
| - Certificate Request File: `RUT1.req.pem` | | - Certificate Request File: `RUT1.req.pem` |
| + | |
| - Days Valid: `3650` | | - Days Valid: `3650` |
| + | |
| - Certificate Authority File: `CAIPSec.cert.pem` | | - Certificate Authority File: `CAIPSec.cert.pem` |
| + | |
| - Certificate Authority Key: `CAIPSec.key.pem` | | - Certificate Authority Key: `CAIPSec.key.pem` |
| + | |
| - Leave the rest of the configuration alone | | - Leave the rest of the configuration alone |
| + | |
| - `Sign` | | - `Sign` |
| | | |
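Review bot: Days Valid `3650` for the client certificate equals the CA's validity, so the client certificate will outlive the CA by the minutes between the two signings and the chain fails validation before the client certificate itself expires. End-entity certificates should be shorter than the remaining CA validity (one to three years is common); suggest a smaller value here with a note that the router certificate, not the CA, is what gets renewed.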
Line 130: |
Line 160: |
| | | |
| - File Type: `Client` | | - File Type: `Client` |
| + | |
| - Key Size: `1024` | | - Key Size: `1024` |
| + | |
| - Name (CN): `RUT2` // This can be whatever name you choose. | | - Name (CN): `RUT2` // This can be whatever name you choose. |
| + | |
| - Subject Information: `Toggled On` // It is recommended to fill out at least Country Code, State/Province and Organization Name. | | - Subject Information: `Toggled On` // It is recommended to fill out at least Country Code, State/Province and Organization Name. |
| + | |
| - Country Code (CC): `US` // Fill your country code | | - Country Code (CC): `US` // Fill your country code |
| + | |
| - State or Province Name (ST): `TX` // Fill your State/Province name | | - State or Province Name (ST): `TX` // Fill your State/Province name |
| + | |
| - Locality Name (L): `RUT2` // Fill your locality name, or at least a recognizable name for your CA | | - Locality Name (L): `RUT2` // Fill your locality name, or at least a recognizable name for your CA |
| + | |
| - Organization Name (O): `RUT2` // Fill your Organization name | | - Organization Name (O): `RUT2` // Fill your Organization name |
| + | |
| - Organizational Unit Name (OU): `RUT2` // Fill your specific Unit Name | | - Organizational Unit Name (OU): `RUT2` // Fill your specific Unit Name |
| + | |
| - `Generate` Certificate | | - `Generate` Certificate |
| | | |
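Review bot: Same two points as the RUT1 request: the Locality comment still says "for your CA" on a client certificate, and Key Size `1024` should be `2048` or larger.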
Line 150: |
Line 189: |
| | | |
| - Signed Certificate Name: `RUT2` | | - Signed Certificate Name: `RUT2` |
| + | |
| - Type of Certificate to Sign: `Client Certificate` | | - Type of Certificate to Sign: `Client Certificate` |
| + | |
| - Certificate Request File: `RUT2.req.pem` | | - Certificate Request File: `RUT2.req.pem` |
| + | |
| - Days Valid: `3650` | | - Days Valid: `3650` |
| + | |
| - Certificate Authority File: `CAIPSec.cert.pem` | | - Certificate Authority File: `CAIPSec.cert.pem` |
| + | |
| - Certificate Authority Key: `CAIPSec.key.pem` | | - Certificate Authority Key: `CAIPSec.key.pem` |
| + | |
| - Leave the rest of the configuration alone | | - Leave the rest of the configuration alone |
| + | |
| - `Sign` | | - `Sign` |
| | | |
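Review bot: As with RUT1, Days Valid `3650` makes the RUT2 certificate outlive the CA; use a shorter end-entity lifetime.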
Line 187: |
Line 233: |
| | | |
| - Remote endpoint: `192.168.1.14` // This should be RUT2 WAN IP. You should be able to ping this IP from RUT1 WAN IP. | | - Remote endpoint: `192.168.1.14` // This should be RUT2 WAN IP. You should be able to ping this IP from RUT1 WAN IP. |
| + | |
| - Authentication method: `X.509` | | - Authentication method: `X.509` |
| + | |
| - Key: `RUT1.key.pem` // Browse and import the RUT1.key.pem we created & downloaded earlier. | | - Key: `RUT1.key.pem` // Browse and import the RUT1.key.pem we created & downloaded earlier. |
| + | |
| - Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps. | | - Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps. |
| + | |
| - Local certificate: `RUT1.cert.pem` // Browse and import the RUT1.cert.pem we created & downloaded earlier. | | - Local certificate: `RUT1.cert.pem` // Browse and import the RUT1.cert.pem we created & downloaded earlier. |
| + | |
| - CA certificate: `CAIPSec.cert.pem` // Browse and import the CAIPSec.cert.pem we created & downloaded earlier. | | - CA certificate: `CAIPSec.cert.pem` // Browse and import the CAIPSec.cert.pem we created & downloaded earlier. |
| + | |
| - Local identifier: `192.168.3.1` // We will use the LAN IP of RUT1 for the Identifier | | - Local identifier: `192.168.3.1` // We will use the LAN IP of RUT1 for the Identifier |
| + | |
| - Remote identifier: `192.168.14.1` // We will use the LAN IP of RUT2 for the Identifier | | - Remote identifier: `192.168.14.1` // We will use the LAN IP of RUT2 for the Identifier |
| + | |
| [Screenshot Here] | | [Screenshot Here] |
| | | |
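Review bot: The Local identifier `192.168.3.1` and Remote identifier `192.168.14.1` lines need a caveat: with X.509 authentication strongSwan matches the identifier against the certificate's subject DN or a subjectAltName, and the certificates above were generated with CN `RUT1`/`RUT2` and no IP subjectAltName. If the Teltonika GUI does not add the IP to the certificate, the peer will fail authentication with a "no trusted public key" style error; either use the CN as the identifier or state that the tunnel should be tested for successful authentication at this point. Minor: the Key decryption passphrase comment says "added to the cert"; the passphrase protects the key (`RUT1.key.pem`), not the certificate.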
Line 206: |
Line 260: |
| - Mode: `Start` // start loads a connection and brings | | - Mode: `Start` // start loads a connection and brings |
| it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection) | | it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection) |
| + | |
| - Type: `Tunnel` | | - Type: `Tunnel` |
| + | |
| - Default route: `off` // Only use this if you want your default route to be out this tunnel. | | - Default route: `off` // Only use this if you want your default route to be out this tunnel. |
| + | |
| - Local subnet: `192.168.3.0/24` // RUT1 LAN subnet we want access to through the tunnel | | - Local subnet: `192.168.3.0/24` // RUT1 LAN subnet we want access to through the tunnel |
| + | |
| - Remote subnet: `192.168.14.0/24` // RUT2 LAN subnet we want access to through the tunnel | | - Remote subnet: `192.168.14.0/24` // RUT2 LAN subnet we want access to through the tunnel |
| + | |
| - Key exchange: `IKEv2` | | - Key exchange: `IKEv2` |
| [Screenshot Here] | | [Screenshot Here] |
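Review bot: The Mode line's comment is split across two source lines ("...and brings" / "it up immediately..."); in Markdown the continuation renders outside the list item, so join it onto one line. The link target spells the strongSwan wiki page as `Connsection`, which looks like a typo for ConnSection; verify the link resolves. Also the `[Screenshot Here]` placeholder follows the Key exchange line without the blank row that the preceding hunk adds, so the placeholder will attach to the list.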
Line 217: |
Line 276: |
| | | |
| - Force encapsulation: `On` | | - Force encapsulation: `On` |
| + | |
| - Local Firewall: `On` | | - Local Firewall: `On` |
| + | |
| - Remote Firewall: `On` | | - Remote Firewall: `On` |
| + | |
| - Inactivity: `3600` // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing. | | - Inactivity: `3600` // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing. |
| + | |
| - Dead peer detection: `On` | | - Dead peer detection: `On` |
| + | |
| - DPD action: `Restart` | | - DPD action: `Restart` |
| + | |
| - DPD delay: `30` // This is in seconds. | | - DPD delay: `30` // This is in seconds. |
| + | |
| - DPD Timeout: `150` // This is in seconds. | | - DPD Timeout: `150` // This is in seconds. |
| + | |
| - The rest of the configuration leave as default | | - The rest of the configuration leave as default |
| [Screenshot Here] | | [Screenshot Here] |
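Review bot: The Inactivity comment is misleading: "how often you want the tunnel to be checked for data passing" describes DPD, whereas the inactivity value is how many seconds of no traffic cause the CHILD_SA to be closed (3600 = close after an idle hour). Suggest rewording so readers do not lower it expecting a keepalive. Style: "The rest of the configuration leave as default" reads better as "Leave the rest of the configuration default", matching the earlier sections.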
Line 233: |
Line 300: |
| - Proposals // It is VERY important that these settings match between both RUT1 & RUT2 | | - Proposals // It is VERY important that these settings match between both RUT1 & RUT2 |
| - Encryption: `AES 128` | | - Encryption: `AES 128` |
| + | |
| - Authentication: `SHA1` | | - Authentication: `SHA1` |
| + | |
| - DH group: `MODP1536` | | - DH group: `MODP1536` |
| + | |
| - Force crypto proposal: `Off` | | - Force crypto proposal: `Off` |
| + | |
| - IKE lifetime: `3h` | | - IKE lifetime: `3h` |
| [Screenshot Here] | | [Screenshot Here] |
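Review bot: Authentication `SHA1` and DH group `MODP1536` on the phase 1 proposal are legacy choices; SHA-1 is deprecated for new deployments and MODP1536 is below the 2048-bit floor most guidance sets. Since both routers are configured from this page anyway, suggest `SHA256` and `MODP2048` (or an ECP group) on both sides, keeping the existing "must match on RUT1 & RUT2" comment.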
Line 242: |
Line 313: |
| - Proposals // It is VERY important that these settings match between both RUT1 & RUT2 | | - Proposals // It is VERY important that these settings match between both RUT1 & RUT2 |
| - Encryption: `AES 128` | | - Encryption: `AES 128` |
| + | |
| - Hash: `SHA1` | | - Hash: `SHA1` |
| + | |
| - PFS group: `MODP1536` | | - PFS group: `MODP1536` |
| + | |
| - Force crypto proposal: `Off` | | - Force crypto proposal: `Off` |
| + | |
| - IKE lifetime: `3h` | | - IKE lifetime: `3h` |
| [Screenshot Here] | | [Screenshot Here] |
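Review bot: The last line of this phase 2 (ESP) proposal block is labelled "IKE lifetime"; the IKE SA lifetime belongs to the previous block, and this one should be the child/ESP SA lifetime unless the GUI really labels it that way, in which case say so. Same algorithm remark as the phase 1 block: `SHA1` and `MODP1536` (PFS) should be upgraded on both routers.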
Line 267: |
Line 342: |
| | | |
| - Remote endpoint: `192.168.1.3` // This should be RUT1 WAN IP. You should be able to ping this IP from RUT2 WAN IP. | | - Remote endpoint: `192.168.1.3` // This should be RUT1 WAN IP. You should be able to ping this IP from RUT2 WAN IP. |
| + | |
| - Authentication method: `X.509` | | - Authentication method: `X.509` |
| + | |
| - Key: `RUT2.key.pem` // Browse and import the RUT2.key.pem we created & downloaded earlier. | | - Key: `RUT2.key.pem` // Browse and import the RUT2.key.pem we created & downloaded earlier. |
| + | |
| - Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps. | | - Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps. |
| + | |
| - Local certificate: `RUT2.cert.pem` // Browse and import the RUT1.cert.pem we created & downloaded earlier. | | - Local certificate: `RUT2.cert.pem` // Browse and import the RUT1.cert.pem we created & downloaded earlier. |
| + | |
| - CA certificate: `CAIPSec.cert.pem` // Browse and import the CAIPSec.cert.pem we created & downloaded earlier. | | - CA certificate: `CAIPSec.cert.pem` // Browse and import the CAIPSec.cert.pem we created & downloaded earlier. |
| + | |
| - Local identifier: `192.168.14.1` // We will use the LAN IP of RUT2 for the Identifier | | - Local identifier: `192.168.14.1` // We will use the LAN IP of RUT2 for the Identifier |
| + | |
| - Remote identifier: `192.168.3.1` // We will use the LAN IP of RUT1 for the Identifier | | - Remote identifier: `192.168.3.1` // We will use the LAN IP of RUT1 for the Identifier |
| [Screenshot Here] | | [Screenshot Here] |
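Review bot: The Local certificate line sets `RUT2.cert.pem` but its comment says "import the RUT1.cert.pem we created"; a copy-paste error that will send readers to the wrong file on RUT2. Also the same identifier caveat as the RUT1 section applies to `192.168.14.1` / `192.168.3.1` versus the CN-only certificates, and this hunk drops the blank row before `[Screenshot Here]` that the RUT1 hunk has.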
Line 286: |
Line 368: |
| - Mode: `Start` // start loads a connection and brings | | - Mode: `Start` // start loads a connection and brings |
| it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection) | | it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection) |
| + | |
| - Type: `Tunnel` | | - Type: `Tunnel` |
| + | |
| - Default route: `off` // Only use this if you want your default route to be out this tunnel. | | - Default route: `off` // Only use this if you want your default route to be out this tunnel. |
| + | |
| - Local subnet: `192.168.14.0/24` // RUT2 LAN subnet we want access to through the tunnel | | - Local subnet: `192.168.14.0/24` // RUT2 LAN subnet we want access to through the tunnel |
| + | |
| - Remote subnet: `192.168.3.0/24` // RUT1 LAN subnet we want access to through the tunnel | | - Remote subnet: `192.168.3.0/24` // RUT1 LAN subnet we want access to through the tunnel |
| + | |
| - Key exchange: `IKEv2` | | - Key exchange: `IKEv2` |
| [Screenshot Here] | | [Screenshot Here] |
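Review bot: Same as the RUT1 block: join the wrapped Mode comment onto one line, check the `Connsection` link, and add a blank row before `[Screenshot Here]`.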
Line 297: |
Line 384: |
| | | |
| - Force encapsulation: `On` | | - Force encapsulation: `On` |
| + | |
| - Local Firewall: `On` | | - Local Firewall: `On` |
| + | |
| - Remote Firewall: `On` | | - Remote Firewall: `On` |
| + | |
| - Inactivity: `3600` // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing. | | - Inactivity: `3600` // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing. |
| + | |
| - Dead peer detection: `On` | | - Dead peer detection: `On` |
| + | |
| - DPD action: `Restart` | | - DPD action: `Restart` |
| + | |
| - DPD delay: `30` // This is in seconds. | | - DPD delay: `30` // This is in seconds. |
| + | |
| - DPD Timeout: `150` // This is in seconds. | | - DPD Timeout: `150` // This is in seconds. |
| + | |
| - The rest of the configuration leave as default | | - The rest of the configuration leave as default |
| [Screenshot Here] | | [Screenshot Here] |
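Review bot: Same Inactivity wording issue as the RUT1 block; the value closes the CHILD_SA after 3600 idle seconds rather than polling the tunnel.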
Line 313: |
Line 408: |
| - Proposals // It is VERY important that these settings match between both RUT1 & RUT2 | | - Proposals // It is VERY important that these settings match between both RUT1 & RUT2 |
| - Encryption: `AES 128` | | - Encryption: `AES 128` |
| + | |
| - Authentication: `SHA1` | | - Authentication: `SHA1` |
| + | |
| - DH group: `MODP1536` | | - DH group: `MODP1536` |
| + | |
| - Force crypto proposal: `Off` | | - Force crypto proposal: `Off` |
| + | |
| - IKE lifetime: `3h` | | - IKE lifetime: `3h` |
| [Screenshot Here] | | [Screenshot Here] |
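Review bot: Same as RUT1 phase 1: `SHA1` / `MODP1536` should be upgraded together with the RUT1 side so the proposals still match.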
Line 322: |
Line 421: |
| - Proposals // It is VERY important that these settings match between both RUT1 & RUT2 | | - Proposals // It is VERY important that these settings match between both RUT1 & RUT2 |
| - Encryption: `AES 128` | | - Encryption: `AES 128` |
| + | |
| - Hash: `SHA1` | | - Hash: `SHA1` |
| + | |
| - PFS group: `MODP1536` | | - PFS group: `MODP1536` |
| + | |
| - Force crypto proposal: `Off` | | - Force crypto proposal: `Off` |
| + | |
| - IKE lifetime: `3h` | | - IKE lifetime: `3h` |
| [Screenshot Here] | | [Screenshot Here] |
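Review bot: Same as RUT1 phase 2: the "IKE lifetime" label in the ESP block looks like it should be the child SA lifetime, and `SHA1` / `MODP1536` should be upgraded in step with RUT1.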