Changes

no edit summary
Line 46: Line 46:     
- Key Size: `1024`
 
- Key Size: `1024`
 +
 
- Name (CN): `CAIPSec` // This can be whatever name you choose.
 
- Name (CN): `CAIPSec` // This can be whatever name you choose.
 +
 
- Subject Information: `Toggled On` // It is recommended to fill out at least Country Code, State/Province and Organization Name.
 
- Subject Information: `Toggled On` // It is recommended to fill out at least Country Code, State/Province and Organization Name.
 +
 
- Country Code (CC): `US` // Fill your country code
 
- Country Code (CC): `US` // Fill your country code
 +
 
- State or Province Name (ST): `TX` // Fill your State/Province name
 
- State or Province Name (ST): `TX` // Fill your State/Province name
 +
 
- Locality Name (L): `CAIPSec` // Fill your locality name, or at least a recognizable name for your CA
 
- Locality Name (L): `CAIPSec` // Fill your locality name, or at least a recognizable name for your CA
 +
 
- Organization Name (O): `CAIPSec` // Fill your Organization name
 
- Organization Name (O): `CAIPSec` // Fill your Organization name
 +
 
- Organizational Unit Name (OU): `CAIPSEC` // Fill your specific Unit Name
 
- Organizational Unit Name (OU): `CAIPSEC` // Fill your specific Unit Name
 +
 
- `Generate` Certificate
 
- `Generate` Certificate
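Review bot: Key Size `1024` in the CA generation block (`- Key Size: \`1024\``) is too small for an RSA CA key; RSA-1024 has been deprecated since 2013 and current guidance treats 2048 bits as the floor, with 3072 or 4096 preferred for a CA that will be valid for ten years. Suggest raising it to at least `2048` here and in the RUT1 and RUT2 client-certificate blocks, which repeat the same `1024` value.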
   Line 66: Line 74:     
- Signed Certificate Name: `CAIPSec`
 
- Signed Certificate Name: `CAIPSec`
 +
 
- Type of Certificate to Sign: `Certificate Authority`
 
- Type of Certificate to Sign: `Certificate Authority`
 +
 
- Certificate Request File: `CAIPSec.req.pem`
 
- Certificate Request File: `CAIPSec.req.pem`
 +
 
- Days Valid: `3650` // For this example we will use 3650 days, but you can configure this to be longer if needed. I would caution against too long of a CA.
 
- Days Valid: `3650` // For this example we will use 3650 days, but you can configure this to be longer if needed. I would caution against too long of a CA.
 +
 
- Certificate Authority Key: `CAIPSec.key.pem`
 
- Certificate Authority Key: `CAIPSec.key.pem`
 +
 
- Leave the rest of the configuration default
 
- Leave the rest of the configuration default
 +
 
- `Sign`
 
- `Sign`
   Line 86: Line 100:     
- File Type: `Client`
 
- File Type: `Client`
 +
 
- Key Size: `1024`
 
- Key Size: `1024`
 +
 
- Name (CN): `RUT1` // This can be whatever name you choose.
 
- Name (CN): `RUT1` // This can be whatever name you choose.
 +
 
- Subject Information: `Toggled On` // It is recommended to fill out at least Country Code, State/Province and Organization Name.
 
- Subject Information: `Toggled On` // It is recommended to fill out at least Country Code, State/Province and Organization Name.
 +
 
- Country Code (CC): `US` // Fill your country code
 
- Country Code (CC): `US` // Fill your country code
 +
 
- State or Province Name (ST): `TX` // Fill your State/Province name
 
- State or Province Name (ST): `TX` // Fill your State/Province name
 +
 
- Locality Name (L): `RUT1` // Fill your locality name, or at least a recognizable name for your CA
 
- Locality Name (L): `RUT1` // Fill your locality name, or at least a recognizable name for your CA
 +
 
- Organization Name (O): `RUT1` // Fill your Organization name
 
- Organization Name (O): `RUT1` // Fill your Organization name
 +
 
- Organizational Unit Name (OU): `RUT1` // Fill your specific Unit Name
 
- Organizational Unit Name (OU): `RUT1` // Fill your specific Unit Name
 +
 
- `Generate` Certificate
 
- `Generate` Certificate
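Review bot: the Locality Name comment in this client-certificate block (`- Locality Name (L): \`RUT1\` // Fill your locality name, or at least a recognizable name for your CA`) was copied from the CA block and still says "for your CA" although this certificate identifies the RUT1 router, not the CA; the RUT2 block below has the same leftover. Suggest "a recognizable name for this device".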
   Line 106: Line 129:     
- Signed Certificate Name: `RUT1`
 
- Signed Certificate Name: `RUT1`
 +
 
- Type of Certificate to Sign: `Client Certificate`
 
- Type of Certificate to Sign: `Client Certificate`
 +
 
- Certificate Request File: `RUT1.req.pem`
 
- Certificate Request File: `RUT1.req.pem`
 +
 
- Days Valid: `3650`
 
- Days Valid: `3650`
 +
 
- Certificate Authority File: `CAIPSec.cert.pem`
 
- Certificate Authority File: `CAIPSec.cert.pem`
 +
 
- Certificate Authority Key: `CAIPSec.key.pem`
 
- Certificate Authority Key: `CAIPSec.key.pem`
 +
 
- Leave the rest of the configuration alone
 
- Leave the rest of the configuration alone
 +
 
- `Sign`
 
- `Sign`
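Review bot: `- Days Valid: \`3650\`` for the RUT1 client certificate (and again for RUT2 below) equals the validity given to the CA, so a client certificate signed even a day after the CA was created will outlive its issuer and fail chain validation once the CA expires. Suggest a shorter leaf validity (for example one to two years) that stays inside the CA's remaining lifetime, and note the wording drift between "Leave the rest of the configuration default" in the CA block and "Leave the rest of the configuration alone" here.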
   Line 130: Line 160:     
- File Type: `Client`
 
- File Type: `Client`
 +
 
- Key Size: `1024`
 
- Key Size: `1024`
 +
 
- Name (CN): `RUT2` // This can be whatever name you choose.
 
- Name (CN): `RUT2` // This can be whatever name you choose.
 +
 
- Subject Information: `Toggled On` // It is recommended to fill out at least Country Code, State/Province and Organization Name.
 
- Subject Information: `Toggled On` // It is recommended to fill out at least Country Code, State/Province and Organization Name.
 +
 
- Country Code (CC): `US` // Fill your country code
 
- Country Code (CC): `US` // Fill your country code
 +
 
- State or Province Name (ST): `TX` // Fill your State/Province name
 
- State or Province Name (ST): `TX` // Fill your State/Province name
 +
 
- Locality Name (L): `RUT2` // Fill your locality name, or at least a recognizable name for your CA
 
- Locality Name (L): `RUT2` // Fill your locality name, or at least a recognizable name for your CA
 +
 
- Organization Name (O): `RUT2` // Fill your Organization name
 
- Organization Name (O): `RUT2` // Fill your Organization name
 +
 
- Organizational Unit Name (OU): `RUT2` // Fill your specific Unit Name
 
- Organizational Unit Name (OU): `RUT2` // Fill your specific Unit Name
 +
 
- `Generate` Certificate
 
- `Generate` Certificate
   Line 150: Line 189:     
- Signed Certificate Name: `RUT2`
 
- Signed Certificate Name: `RUT2`
 +
 
- Type of Certificate to Sign: `Client Certificate`
 
- Type of Certificate to Sign: `Client Certificate`
 +
 
- Certificate Request File: `RUT2.req.pem`
 
- Certificate Request File: `RUT2.req.pem`
 +
 
- Days Valid: `3650`
 
- Days Valid: `3650`
 +
 
- Certificate Authority File: `CAIPSec.cert.pem`
 
- Certificate Authority File: `CAIPSec.cert.pem`
 +
 
- Certificate Authority Key: `CAIPSec.key.pem`
 
- Certificate Authority Key: `CAIPSec.key.pem`
 +
 
- Leave the rest of the configuration alone
 
- Leave the rest of the configuration alone
 +
 
- `Sign`
 
- `Sign`
   Line 187: Line 233:  
    
 
    
 
- Remote endpoint: `192.168.1.14` // This should be RUT2 WAN IP. You should be able to ping this IP from RUT1 WAN IP.
 
- Remote endpoint: `192.168.1.14` // This should be RUT2 WAN IP. You should be able to ping this IP from RUT1 WAN IP.
 +
 
- Authentication method: `X.509`
 
- Authentication method: `X.509`
 +
 
- Key: `RUT1.key.pem` // Browse and import the RUT1.key.pem we created & downloaded earlier.
 
- Key: `RUT1.key.pem` // Browse and import the RUT1.key.pem we created & downloaded earlier.
 +
 
- Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps.
 
- Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps.
 +
 
- Local certificate: `RUT1.cert.pem` // Browse and import the RUT1.cert.pem we created & downloaded earlier.
 
- Local certificate: `RUT1.cert.pem` // Browse and import the RUT1.cert.pem we created & downloaded earlier.
 +
 
- CA certificate: `CAIPSec.cert.pem` // Browse and import the CAIPSec.cert.pem we created & downloaded earlier.
 
- CA certificate: `CAIPSec.cert.pem` // Browse and import the CAIPSec.cert.pem we created & downloaded earlier.
 +
 
- Local identifier: `192.168.3.1` // We will use the LAN IP of RUT1 for the Identifier
 
- Local identifier: `192.168.3.1` // We will use the LAN IP of RUT1 for the Identifier
 +
 
- Remote identifier: `192.168.14.1` // We will use the LAN IP of RUT2 for the Identifier
 
- Remote identifier: `192.168.14.1` // We will use the LAN IP of RUT2 for the Identifier
 +
 
[Screenshot Here]
 
[Screenshot Here]
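Review bot: the identifiers `- Local identifier: \`192.168.3.1\`` and `- Remote identifier: \`192.168.14.1\`` do not appear anywhere in the certificates generated above, which carry only CN=RUT1 / CN=RUT2 and no IP subjectAltName; strongSwan, which these RUT devices use, checks that a peer's IKE identity is contained in its X.509 certificate and otherwise rejects the peer with "no trusted RSA public key found". Suggest confirming that LAN-IP identifiers are accepted on this firmware, or using the certificate DN as the identifier; also, the Key decryption passphrase comment should say the passphrase protects the private key, not the certificate.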
   Line 206: Line 260:  
- Mode: `Start` // start loads a connection and brings
 
- Mode: `Start` // start loads a connection and brings
 
it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection)
 
it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection)
 +
 
- Type: `Tunnel`
 
- Type: `Tunnel`
 +
 
- Default route: `off` // Only use this if you want your default route to be out this tunnel.
 
- Default route: `off` // Only use this if you want your default route to be out this tunnel.
 +
 
- Local subnet: `192.168.3.0/24` // RUT1 LAN subnet we want access to through the tunnel
 
- Local subnet: `192.168.3.0/24` // RUT1 LAN subnet we want access to through the tunnel
 +
 
- Remote subnet: `192.168.14.0/24` // RUT2 LAN subnet we want access to through the tunnel
 
- Remote subnet: `192.168.14.0/24` // RUT2 LAN subnet we want access to through the tunnel
 +
 
- Key exchange: `IKEv2`
 
- Key exchange: `IKEv2`
 
[Screenshot Here]
 
[Screenshot Here]
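Review bot: the strongSwan link in the Mode comment points at `.../wiki/Connsection`, which looks like a typo for the ConnSection wiki page, and the comment itself is split across a blank line (`- Mode: \`Start\` // start loads a connection and brings` / `it up immediately. ...`) so the second half renders as a detached paragraph; the RUT2 section below repeats both. Suggest fixing the link target and keeping the comment on one line.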
Line 217: Line 276:     
- Force encapsulation: `On`
 
- Force encapsulation: `On`
 +
 
- Local Firewall: `On`
 
- Local Firewall: `On`
 +
 
- Remote Firewall: `On`
 
- Remote Firewall: `On`
 +
 
- Inactivity: `3600` // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing.
 
- Inactivity: `3600` // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing.
 +
 
- Dead peer detection: `On`
 
- Dead peer detection: `On`
 +
 
- DPD action: `Restart`
 
- DPD action: `Restart`
 +
 
- DPD delay: `30` // This is in seconds.
 
- DPD delay: `30` // This is in seconds.
 +
 
- DPD Timeout: `150` // This is in seconds.
 
- DPD Timeout: `150` // This is in seconds.
 +
 
- The rest of the configuration leave as default
 
- The rest of the configuration leave as default
 
[Screenshot Here]
 
[Screenshot Here]
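Review bot: the Inactivity comment (`- Inactivity: \`3600\` // ... how often you want the tunnel to be checked for data passing.`) describes a polling interval, but in strongSwan the inactivity value is the number of seconds after which an idle CHILD_SA is closed; checking whether the peer is alive is what the DPD delay and timeout below control. Suggest rewording it as an idle timeout so readers do not confuse it with DPD.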
Line 233: Line 300:  
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 
   - Encryption: `AES 128`
 
   - Encryption: `AES 128`
 +
 
   - Authentication: `SHA1`
 
   - Authentication: `SHA1`
 +
 
   - DH group: `MODP1536`
 
   - DH group: `MODP1536`
 +
 
- Force crypto proposal: `Off`
 
- Force crypto proposal: `Off`
 +
 
- IKE lifetime: `3h`
 
- IKE lifetime: `3h`
 
[Screenshot Here]
 
[Screenshot Here]
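Review bot: the IKE proposal `Authentication: \`SHA1\`` with `DH group: \`MODP1536\`` (DH group 5) is weaker than current IPsec guidance, which recommends SHA-256 or stronger for integrity/PRF and MODP2048 (group 14) or an ECP/Curve25519 group as the minimum for key exchange; 1536-bit MODP is estimated at well under 112 bits of security. Suggest SHA256 and MODP2048 on both RUT1 and RUT2, since the comment correctly stresses that the proposals must match at both ends.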
Line 242: Line 313:  
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 
   - Encryption: `AES 128`
 
   - Encryption: `AES 128`
 +
 
   - Hash: `SHA1`
 
   - Hash: `SHA1`
 +
 
   - PFS group: `MODP1536`
 
   - PFS group: `MODP1536`
 +
 
- Force crypto proposal: `Off`
 
- Force crypto proposal: `Off`
 +
 
- IKE lifetime: `3h`
 
- IKE lifetime: `3h`
 
[Screenshot Here]
 
[Screenshot Here]
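Review bot: this second proposal block (Hash / PFS group, i.e. the ESP or phase 2 settings) ends with `- IKE lifetime: \`3h\``, the same label as the IKE block above; if this field is the ESP/CHILD_SA lifetime it should be labelled as such so readers do not set the IKE_SA lifetime twice and leave the CHILD_SA lifetime at its default. The `PFS group: \`MODP1536\`` here has the same weakness noted for the IKE DH group.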
Line 267: Line 342:  
    
 
    
 
- Remote endpoint: `192.168.1.3` // This should be RUT1 WAN IP. You should be able to ping this IP from RUT2 WAN IP.
 
- Remote endpoint: `192.168.1.3` // This should be RUT1 WAN IP. You should be able to ping this IP from RUT2 WAN IP.
 +
 
- Authentication method: `X.509`
 
- Authentication method: `X.509`
 +
 
- Key: `RUT2.key.pem` // Browse and import the RUT2.key.pem we created & downloaded earlier.
 
- Key: `RUT2.key.pem` // Browse and import the RUT2.key.pem we created & downloaded earlier.
 +
 
- Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps.
 
- Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps.
 +
 
- Local certificate: `RUT2.cert.pem` // Browse and import the RUT1.cert.pem we created & downloaded earlier.
 
- Local certificate: `RUT2.cert.pem` // Browse and import the RUT1.cert.pem we created & downloaded earlier.
 +
 
- CA certificate: `CAIPSec.cert.pem` // Browse and import the CAIPSec.cert.pem we created & downloaded earlier.
 
- CA certificate: `CAIPSec.cert.pem` // Browse and import the CAIPSec.cert.pem we created & downloaded earlier.
 +
 
- Local identifier: `192.168.14.1` // We will use the LAN IP of RUT2 for the Identifier
 
- Local identifier: `192.168.14.1` // We will use the LAN IP of RUT2 for the Identifier
 +
 
- Remote identifier: `192.168.3.1` // We will use the LAN IP of RUT1 for the Identifier
 
- Remote identifier: `192.168.3.1` // We will use the LAN IP of RUT1 for the Identifier
 
[Screenshot Here]
 
[Screenshot Here]
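Review bot: the RUT2 Local certificate line has a copy-paste error: `- Local certificate: \`RUT2.cert.pem\` // Browse and import the RUT1.cert.pem we created & downloaded earlier.` names RUT1.cert.pem in the comment while the value is RUT2.cert.pem; importing the RUT1 certificate here would not match RUT2.key.pem and authentication would fail. Suggest "the RUT2.cert.pem".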
Line 286: Line 368:  
- Mode: `Start` // start loads a connection and brings
 
- Mode: `Start` // start loads a connection and brings
 
it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection)
 
it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection)
 +
 
- Type: `Tunnel`
 
- Type: `Tunnel`
 +
 
- Default route: `off` // Only use this if you want your default route to be out this tunnel.
 
- Default route: `off` // Only use this if you want your default route to be out this tunnel.
 +
 
- Local subnet: `192.168.14.0/24` // RUT2 LAN subnet we want access to through the tunnel
 
- Local subnet: `192.168.14.0/24` // RUT2 LAN subnet we want access to through the tunnel
 +
 
- Remote subnet: `192.168.3.0/24` // RUT1 LAN subnet we want access to through the tunnel
 
- Remote subnet: `192.168.3.0/24` // RUT1 LAN subnet we want access to through the tunnel
 +
 
- Key exchange: `IKEv2`
 
- Key exchange: `IKEv2`
 
[Screenshot Here]
 
[Screenshot Here]
Line 297: Line 384:     
- Force encapsulation: `On`
 
- Force encapsulation: `On`
 +
 
- Local Firewall: `On`
 
- Local Firewall: `On`
 +
 
- Remote Firewall: `On`
 
- Remote Firewall: `On`
 +
 
- Inactivity: `3600` // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing.
 
- Inactivity: `3600` // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing.
 +
 
- Dead peer detection: `On`
 
- Dead peer detection: `On`
 +
 
- DPD action: `Restart`
 
- DPD action: `Restart`
 +
 
- DPD delay: `30` // This is in seconds.
 
- DPD delay: `30` // This is in seconds.
 +
 
- DPD Timeout: `150` // This is in seconds.
 
- DPD Timeout: `150` // This is in seconds.
 +
 
- The rest of the configuration leave as default
 
- The rest of the configuration leave as default
 
[Screenshot Here]
 
[Screenshot Here]
Line 313: Line 408:  
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 
   - Encryption: `AES 128`
 
   - Encryption: `AES 128`
 +
 
   - Authentication: `SHA1`
 
   - Authentication: `SHA1`
 +
 
   - DH group: `MODP1536`
 
   - DH group: `MODP1536`
 +
 
- Force crypto proposal: `Off`
 
- Force crypto proposal: `Off`
 +
 
- IKE lifetime: `3h`
 
- IKE lifetime: `3h`
 
[Screenshot Here]
 
[Screenshot Here]
Line 322: Line 421:  
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 
   - Encryption: `AES 128`
 
   - Encryption: `AES 128`
 +
 
 
   - Hash: `SHA1`
 
   - Hash: `SHA1`
 +
 
 
   - PFS group: `MODP1536`
 
   - PFS group: `MODP1536`
 +
 
 
- Force crypto proposal: `Off`
 
- Force crypto proposal: `Off`
 +
 
- IKE lifetime: `3h`
 
- IKE lifetime: `3h`
 
[Screenshot Here]
 
[Screenshot Here]
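Review bot: the RUT2 ESP proposal block inserts two blank lines after `Encryption`, `Hash` and `PFS group` where every other block in this edit inserts one, so the rendered spacing is inconsistent with the rest of the page. Suggest a single blank line here to match.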