Changes

no edit summary
Line 43: Line 43:  
The following are the settings used for this example, but values should be changed depending on your specific needs:
 
The following are the settings used for this example, but values should be changed depending on your specific needs:
   −
- File Type: CA
+
- File Type: `CA`
- Key Size: 1024
+
 
- Name (CN): CAIPSec // This can be whatever name you choose.
+
- Key Size: `1024`
- Subject Information: Toggled On // It is recommended to fill out at least Country Code, State/Province and Organization Name.
+
 
- Country Code (CC): US // Fill your country code
+
- Name (CN): `CAIPSec` // This can be whatever name you choose.
- State or Province Name (ST): TX // Fill your State/Province name
+
 
- Locality Name (L): CAIPSec // Fill your locality name, or at least a recognizable name for your CA
+
- Subject Information: `Toggled On` // It is recommended to fill out at least Country Code, State/Province and Organization Name.
- Organization Name (O): CAIPSec // Fill your Organization name
+
 
- Organizational Unit Name (OU): CAIPSEC // Fill your specific Unit Name
+
- Country Code (CC): `US` // Fill your country code
 +
 
 +
- State or Province Name (ST): `TX` // Fill your State/Province name
 +
 
 +
- Locality Name (L): `CAIPSec` // Fill your locality name, or at least a recognizable name for your CA
 +
 
 +
- Organization Name (O): `CAIPSec` // Fill your Organization name
 +
 
 +
- Organizational Unit Name (OU): `CAIPSEC` // Fill your specific Unit Name
 +
 
 
- `Generate` Certificate
 
- `Generate` Certificate
   −
[Screenshot Here]
+
[[File:IPSec CA Cert Generating.png|thumb|left]]
 +
 
 +
[[File:IPSec CA Cert Generating.png|frame|left]]
   −
After you hit Generate the CA cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a CAIPSec.key.pem under *Keys* and a CAIPSec.req.pem under *Certificate requests*.
+
After you hit Generate the CA cert you should see a confirmation notification pop-up near the top right, and if you select Certificates Manager you should see a CAIPSec.key.pem under *Keys* and a CAIPSec.req.pem under *Certificate requests*.
    
[Screenshot Here]
 
[Screenshot Here]
 
+
[Screenshot Here]
    
Next we need to sign the CAIPSec CA. We will be Self-Signing our own CA.
 
Next we need to sign the CAIPSec CA. We will be Self-Signing our own CA.
 
Under the `Certificate signing` configure as follows:
 
Under the `Certificate signing` configure as follows:
   −
- Signed Certificate Name: CAIPSec
+
- Signed Certificate Name: `CAIPSec`
- Type of Certificate to Sign: Certificate Authority
+
 
- Certificate Request File: CAIPSec.req.pem
+
- Type of Certificate to Sign: `Certificate Authority`
- Days Valid: 3650 // For this example we will use 3650 days, but you can configure this to be longer if needed. I would caution against too long of a CA.
+
 
- Certificate Authority Key: CAIPSec.key.pem
+
- Certificate Request File: `CAIPSec.req.pem`
- Leave the rest of the configuration alone
+
 
 +
- Days Valid: `3650` // For this example we will use 3650 days, but you can configure this to be longer if needed. I would caution against too long of a CA.
 +
 
 +
- Certificate Authority Key: `CAIPSec.key.pem`
 +
 
 +
- Leave the rest of the configuration default
 +
 
 
- `Sign`
 
- `Sign`
 +
 +
[Screenshot Here]
    
After you hit *Sign* the CA cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a CAIPSec.cert.pem under *Certificates*.
 
After you hit *Sign* the CA cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a CAIPSec.cert.pem under *Certificates*.
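Review bot: `Key Size: 1024` for the CA (and for the client certificates it signs in the later hunks) is below the 2048-bit minimum that current guidance treats as acceptable for RSA signatures, and a peer with a stricter policy may refuse a 1024-bit chain; suggest `2048` here and in the client-certificate hunks. Also, the new revision embeds `IPSec CA Cert Generating.png` twice, once as `thumb|left` and once as `frame|left`; keep one of the two.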
Line 82: Line 101:  
The following are the settings used for this example, but values should be changed depending on your specific needs:
 
The following are the settings used for this example, but values should be changed depending on your specific needs:
   −
- File Type: Client
+
- File Type: `Client`
- Key Size: 1024
+
 
- Name (CN): RUT1 // This can be whatever name you choose.
+
- Key Size: `1024`
- Subject Information: Toggled On // It is recommended to fill out at least Country Code, State/Province and Organization Name.
+
 
- Country Code (CC): US // Fill your country code
+
- Name (CN): `RUT1` // This can be whatever name you choose.
- State or Province Name (ST): TX // Fill your State/Province name
+
 
- Locality Name (L): RUT1 // Fill your locality name, or at least a recognizable name for your CA
+
- Subject Information: `Toggled On` // It is recommended to fill out at least Country Code, State/Province and Organization Name.
- Organization Name (O): RUT1 // Fill your Organization name
+
 
- Organizational Unit Name (OU): RUT1 // Fill your specific Unit Name
+
- Country Code (CC): `US` // Fill your country code
 +
 
 +
- State or Province Name (ST): `TX` // Fill your State/Province name
 +
 
 +
- Locality Name (L): `RUT1` // Fill your locality name, or at least a recognizable name for your CA
 +
 
 +
- Organization Name (O): `RUT1` // Fill your Organization name
 +
 
 +
- Organizational Unit Name (OU): `RUT1` // Fill your specific Unit Name
 +
 
 
- `Generate` Certificate
 
- `Generate` Certificate
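Review bot: The comment on `Locality Name (L)` still reads "or at least a recognizable name for your CA", carried over from the CA hunk; this is a client certificate for `RUT1`, so reword it to refer to the device. The same key-size remark applies: `1024` is weak, `2048` is the sensible minimum.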
   Line 97: Line 125:  
After you hit Generate the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT1.key.pem under *Keys* and a RUT1.req.pem under *Certificate requests*.
 
After you hit Generate the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT1.key.pem under *Keys* and a RUT1.req.pem under *Certificate requests*.
    +
[Screenshot Here]
    
Next we need to sign the RUT1 cert.
 
Next we need to sign the RUT1 cert.
 
Under the `Certificate signing` configure as follows:
 
Under the `Certificate signing` configure as follows:
   −
- Signed Certificate Name: RUT1
+
- Signed Certificate Name: `RUT1`
- Type of Certificate to Sign: Client Certificate
+
 
- Certificate Request File: RUT1.req.pem
+
- Type of Certificate to Sign: `Client Certificate`
- Days Valid: 3650
+
 
- Certificate Authority File: CAIPSec.cert.pem
+
- Certificate Request File: `RUT1.req.pem`
- Certificate Authority Key: CAIPSec.key.pem
+
 
 +
- Days Valid: `3650`
 +
 
 +
- Certificate Authority File: `CAIPSec.cert.pem`
 +
 
 +
- Certificate Authority Key: `CAIPSec.key.pem`
 +
 
 
- Leave the rest of the configuration alone
 
- Leave the rest of the configuration alone
 +
 
- `Sign`
 
- `Sign`
 +
 +
[Screenshot Here]
    
After you hit *Sign* the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT1.cert.pem under *Certificates*.
 
After you hit *Sign* the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT1.cert.pem under *Certificates*.
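Review bot: `Days Valid: 3650` for the client certificate equals the CA's 3650 days, but the client is signed after the CA, so its expiry falls after the CA's and the chain stops validating the moment the CA expires regardless; a shorter client lifetime (with a note to renew it) avoids a certificate that looks valid but can no longer be verified.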
Line 123: Line 161:  
The following are the settings used for this example, but values should be changed depending on your specific needs:
 
The following are the settings used for this example, but values should be changed depending on your specific needs:
   −
- File Type: Client
+
- File Type: `Client`
- Key Size: 1024
+
 
- Name (CN): RUT2 // This can be whatever name you choose.
+
- Key Size: `1024`
- Subject Information: Toggled On // It is recommended to fill out at least Country Code, State/Province and Organization Name.
+
 
- Country Code (CC): US // Fill your country code
+
- Name (CN): `RUT2` // This can be whatever name you choose.
- State or Province Name (ST): TX // Fill your State/Province name
+
 
- Locality Name (L): RUT2 // Fill your locality name, or at least a recognizable name for your CA
+
- Subject Information: `Toggled On` // It is recommended to fill out at least Country Code, State/Province and Organization Name.
- Organization Name (O): RUT2 // Fill your Organization name
+
 
- Organizational Unit Name (OU): RUT2 // Fill your specific Unit Name
+
- Country Code (CC): `US` // Fill your country code
 +
 
 +
- State or Province Name (ST): `TX` // Fill your State/Province name
 +
 
 +
- Locality Name (L): `RUT2` // Fill your locality name, or at least a recognizable name for your CA
 +
 
 +
- Organization Name (O): `RUT2` // Fill your Organization name
 +
 
 +
- Organizational Unit Name (OU): `RUT2` // Fill your specific Unit Name
 +
 
 
- `Generate` Certificate
 
- `Generate` Certificate
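Review bot: Same copied comment as in the RUT1 hunk: `Locality Name (L)` for the `RUT2` client certificate still says "a recognizable name for your CA"; reword to refer to the device.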
   Line 138: Line 185:  
After you hit Generate the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT2.key.pem under *Keys* and a RUT1.req.pem under *Certificate requests*.
 
After you hit Generate the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT2.key.pem under *Keys* and a RUT1.req.pem under *Certificate requests*.
    +
[Screenshot Here]
    
Next we need to sign the RUT2 cert.
 
Next we need to sign the RUT2 cert.
 
Under the `Certificate signing` configure as follows:
 
Under the `Certificate signing` configure as follows:
   −
- Signed Certificate Name: RUT2
+
- Signed Certificate Name: `RUT2`
- Type of Certificate to Sign: Client Certificate
+
 
- Certificate Request File: RUT2.req.pem
+
- Type of Certificate to Sign: `Client Certificate`
- Days Valid: 3650
+
 
- Certificate Authority File: CAIPSec.cert.pem
+
- Certificate Request File: `RUT2.req.pem`
- Certificate Authority Key: CAIPSec.key.pem
+
 
 +
- Days Valid: `3650`
 +
 
 +
- Certificate Authority File: `CAIPSec.cert.pem`
 +
 
 +
- Certificate Authority Key: `CAIPSec.key.pem`
 +
 
 
- Leave the rest of the configuration alone
 
- Leave the rest of the configuration alone
 +
 
- `Sign`
 
- `Sign`
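Review bot: The confirmation sentence says `RUT2.key.pem` under *Keys* but `RUT1.req.pem` under *Certificate requests* on both sides of the diff; for RUT2 generation this should read `RUT2.req.pem`, which is also the file the signing step selects as `Certificate Request File`.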
   Line 180: Line 235:  
    
 
    
 
- Remote endpoint: `192.168.1.14` // This should be RUT2 WAN IP. You should be able to ping this IP from RUT1 WAN IP.
 
- Remote endpoint: `192.168.1.14` // This should be RUT2 WAN IP. You should be able to ping this IP from RUT1 WAN IP.
 +
 
- Authentication method: `X.509`
 
- Authentication method: `X.509`
 +
 
- Key: `RUT1.key.pem` // Browse and import the RUT1.key.pem we created & downloaded earlier.
 
- Key: `RUT1.key.pem` // Browse and import the RUT1.key.pem we created & downloaded earlier.
 +
 
- Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps.
 
- Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps.
 +
 
- Local certificate: `RUT1.cert.pem` // Browse and import the RUT1.cert.pem we created & downloaded earlier.
 
- Local certificate: `RUT1.cert.pem` // Browse and import the RUT1.cert.pem we created & downloaded earlier.
 +
 
- CA certificate: `CAIPSec.cert.pem` // Browse and import the CAIPSec.cert.pem we created & downloaded earlier.
 
- CA certificate: `CAIPSec.cert.pem` // Browse and import the CAIPSec.cert.pem we created & downloaded earlier.
 +
 
- Local identifier: `192.168.3.1` // We will use the LAN IP of RUT1 for the Identifier
 
- Local identifier: `192.168.3.1` // We will use the LAN IP of RUT1 for the Identifier
 +
 
- Remote identifier: `192.168.14.1` // We will use the LAN IP of RUT2 for the Identifier
 
- Remote identifier: `192.168.14.1` // We will use the LAN IP of RUT2 for the Identifier
 +
 
[Screenshot Here]
 
[Screenshot Here]
      −
* Connection settings Advanced settings configuration as follows:
+
* IPsec Instance Advanced settings configuration as follows:
 
    
 
    
 
- Remote certificate: `RUT2.cert.pem` // Upload RUT2 cert we created earlier.
 
- Remote certificate: `RUT2.cert.pem` // Upload RUT2 cert we created earlier.
 
+
[Screenshot Here]
    
* Connection settings General settings configuration as follows:
 
* Connection settings General settings configuration as follows:
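Review bot: The `Key decryption passphrase` comment says a password would have been "added to the cert"; a passphrase protects the private key (`RUT1.key.pem`), not the certificate, so reword it. Also, with `Authentication method: X.509` the `Remote identifier` is normally matched against an identity the peer's certificate asserts, and the certificates generated above carry only a CN (`RUT2`), no IP subjectAltName; worth a sentence confirming that `192.168.14.1` is accepted as the peer identity (for example because the uploaded `Remote certificate` is used) before readers rely on it.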
Line 199: Line 262:  
- Mode: `Start` // start loads a connection and brings
 
- Mode: `Start` // start loads a connection and brings
 
it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection)
 
it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection)
 +
 
- Type: `Tunnel`
 
- Type: `Tunnel`
 +
 
- Default route: `off` // Only use this if you want your default route to be out this tunnel.
 
- Default route: `off` // Only use this if you want your default route to be out this tunnel.
 +
 
- Local subnet: `192.168.3.0/24` // RUT1 LAN subnet we want access to through the tunnel
 
- Local subnet: `192.168.3.0/24` // RUT1 LAN subnet we want access to through the tunnel
 +
 
- Remote subnet: `192.168.14.0/24` // RUT2 LAN subnet we want access to through the tunnel
 
- Remote subnet: `192.168.14.0/24` // RUT2 LAN subnet we want access to through the tunnel
 +
 
- Key exchange: `IKEv2`
 
- Key exchange: `IKEv2`
 
[Screenshot Here]
 
[Screenshot Here]
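Review bot: The `Mode: Start` bullet is split after "brings", so the remainder ("it up immediately. For more configuration information ...") renders as a separate paragraph outside the list; join it onto the bullet line. The link target `Connsection` also looks misspelled (the strongSwan wiki page is `ConnSection`), and that wiki has since been superseded by docs.strongswan.org, so verify the link still resolves.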
Line 210: Line 278:     
- Force encapsulation: `On`
 
- Force encapsulation: `On`
 +
 
- Local Firewall: `On`
 
- Local Firewall: `On`
 +
 
- Remote Firewall: `On`
 
- Remote Firewall: `On`
 +
 
- Inactivity: `3600` // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing.
 
- Inactivity: `3600` // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing.
 +
 
- Dead peer detection: `On`
 
- Dead peer detection: `On`
 +
 
- DPD action: `Restart`
 
- DPD action: `Restart`
 +
 
- DPD delay: `30` // This is in seconds.
 
- DPD delay: `30` // This is in seconds.
 +
 
- DPD Timeout: `150` // This is in seconds.
 
- DPD Timeout: `150` // This is in seconds.
 +
 
- The rest of the configuration leave as default
 
- The rest of the configuration leave as default
 
[Screenshot Here]
 
[Screenshot Here]
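Review bot: The `Inactivity: 3600` comment describes it as how often the tunnel is "checked for data passing", but the inactivity timeout closes the child SA once no traffic has been sent or received for that many seconds; periodic liveness checking is what `DPD delay: 30` controls. Reword so readers do not lower Inactivity expecting more frequent checks.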
Line 226: Line 302:  
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 
   - Encryption: `AES 128`
 
   - Encryption: `AES 128`
 +
 
   - Authentication: `SHA1`
 
   - Authentication: `SHA1`
 +
 
   - DH group: `MODP1536`
 
   - DH group: `MODP1536`
 +
 
- Force crypto proposal: `Off`
 
- Force crypto proposal: `Off`
 +
 
- IKE lifetime: `3h`
 
- IKE lifetime: `3h`
 
[Screenshot Here]
 
[Screenshot Here]
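Review bot: `DH group: MODP1536` (IKE group 5) provides well under 128 bits of security and `SHA1` is deprecated for new deployments; since the line above already requires the proposals to match on RUT1 and RUT2, suggest `MODP2048` or stronger (or an ECP group) and `SHA256` on both sides, keeping `AES 128`.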
Line 235: Line 315:  
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 
   - Encryption: `AES 128`
 
   - Encryption: `AES 128`
 +
 
   - Hash: `SHA1`
 
   - Hash: `SHA1`
 +
 
   - PFS group: `MODP1536`
 
   - PFS group: `MODP1536`
 +
 
- Force crypto proposal: `Off`
 
- Force crypto proposal: `Off`
 +
 
- IKE lifetime: `3h`
 
- IKE lifetime: `3h`
 
[Screenshot Here]
 
[Screenshot Here]
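Review bot: This ESP block ends with `IKE lifetime: 3h` again, duplicating the IKE block above; if the field in this section is the ESP (child SA) lifetime, label it that way so readers do not confuse the two. The same `MODP1536` and `SHA1` concern as for the IKE proposals applies to `PFS group` and `Hash` here.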
Line 260: Line 344:  
    
 
    
 
- Remote endpoint: `192.168.1.3` // This should be RUT1 WAN IP. You should be able to ping this IP from RUT2 WAN IP.
 
- Remote endpoint: `192.168.1.3` // This should be RUT1 WAN IP. You should be able to ping this IP from RUT2 WAN IP.
 +
 
- Authentication method: `X.509`
 
- Authentication method: `X.509`
 +
 
- Key: `RUT2.key.pem` // Browse and import the RUT2.key.pem we created & downloaded earlier.
 
- Key: `RUT2.key.pem` // Browse and import the RUT2.key.pem we created & downloaded earlier.
 +
 
- Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps.
 
- Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps.
 +
 
- Local certificate: `RUT2.cert.pem` // Browse and import the RUT1.cert.pem we created & downloaded earlier.
 
- Local certificate: `RUT2.cert.pem` // Browse and import the RUT1.cert.pem we created & downloaded earlier.
 +
 
- CA certificate: `CAIPSec.cert.pem` // Browse and import the CAIPSec.cert.pem we created & downloaded earlier.
 
- CA certificate: `CAIPSec.cert.pem` // Browse and import the CAIPSec.cert.pem we created & downloaded earlier.
 +
 
- Local identifier: `192.168.14.1` // We will use the LAN IP of RUT2 for the Identifier
 
- Local identifier: `192.168.14.1` // We will use the LAN IP of RUT2 for the Identifier
 +
 
- Remote identifier: `192.168.3.1` // We will use the LAN IP of RUT1 for the Identifier
 
- Remote identifier: `192.168.3.1` // We will use the LAN IP of RUT1 for the Identifier
 
[Screenshot Here]
 
[Screenshot Here]
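Review bot: `Local certificate: RUT2.cert.pem` still carries the comment "import the RUT1.cert.pem we created & downloaded earlier" on both sides of the diff; for RUT2 it should say `RUT2.cert.pem`. The rest of the RUT2 side correctly mirrors RUT1 (endpoint, identifiers and key file swapped).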
Line 273: Line 364:  
    
 
    
 
- Remote certificate: `RUT1.cert.pem` // Upload RUT1 cert we created earlier.
 
- Remote certificate: `RUT1.cert.pem` // Upload RUT1 cert we created earlier.
 
+
[Screenshot Here]
    
* Connection settings General settings configuration as follows:
 
* Connection settings General settings configuration as follows:
Line 279: Line 370:  
- Mode: `Start` // start loads a connection and brings
 
- Mode: `Start` // start loads a connection and brings
 
it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection)
 
it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection)
 +
 
- Type: `Tunnel`
 
- Type: `Tunnel`
 +
 
- Default route: `off` // Only use this if you want your default route to be out this tunnel.
 
- Default route: `off` // Only use this if you want your default route to be out this tunnel.
 +
 
- Local subnet: `192.168.14.0/24` // RUT2 LAN subnet we want access to through the tunnel
 
- Local subnet: `192.168.14.0/24` // RUT2 LAN subnet we want access to through the tunnel
 +
 
- Remote subnet: `192.168.3.0/24` // RUT1 LAN subnet we want access to through the tunnel
 
- Remote subnet: `192.168.3.0/24` // RUT1 LAN subnet we want access to through the tunnel
 +
 
- Key exchange: `IKEv2`
 
- Key exchange: `IKEv2`
 
[Screenshot Here]
 
[Screenshot Here]
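Review bot: Same split bullet as on the RUT1 side: "brings" and "it up immediately ..." should be one line, and the `Connsection` link needs the same check.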
Line 290: Line 386:     
- Force encapsulation: `On`
 
- Force encapsulation: `On`
 +
 
- Local Firewall: `On`
 
- Local Firewall: `On`
 +
 
- Remote Firewall: `On`
 
- Remote Firewall: `On`
 +
 
- Inactivity: `3600` // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing.
 
- Inactivity: `3600` // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing.
 +
 
- Dead peer detection: `On`
 
- Dead peer detection: `On`
 +
 
- DPD action: `Restart`
 
- DPD action: `Restart`
 +
 
- DPD delay: `30` // This is in seconds.
 
- DPD delay: `30` // This is in seconds.
 +
 
- DPD Timeout: `150` // This is in seconds.
 
- DPD Timeout: `150` // This is in seconds.
 +
 
- The rest of the configuration leave as default
 
- The rest of the configuration leave as default
 
[Screenshot Here]
 
[Screenshot Here]
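Review bot: Same as the RUT1 side: the `Inactivity: 3600` comment should describe a no-traffic timeout that closes the SA, not a check interval; `DPD delay` is the liveness check.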
Line 306: Line 410:  
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 
   - Encryption: `AES 128`
 
   - Encryption: `AES 128`
 +
 
   - Authentication: `SHA1`
 
   - Authentication: `SHA1`
 +
 
   - DH group: `MODP1536`
 
   - DH group: `MODP1536`
 +
 
- Force crypto proposal: `Off`
 
- Force crypto proposal: `Off`
 +
 
- IKE lifetime: `3h`
 
- IKE lifetime: `3h`
 
[Screenshot Here]
 
[Screenshot Here]
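Review bot: Same proposal concern as the RUT1 IKE block: `MODP1536` and `SHA1` are weak choices, and whatever replaces them must be changed on both routers together, as the `Proposals` line says.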
Line 315: Line 423:  
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 
   - Encryption: `AES 128`
 
   - Encryption: `AES 128`
 +
 
 
   - Hash: `SHA1`
 
   - Hash: `SHA1`
 +
 
 
   - PFS group: `MODP1536`
 
   - PFS group: `MODP1536`
 +
 
 
- Force crypto proposal: `Off`
 
- Force crypto proposal: `Off`
 +
 
- IKE lifetime: `3h`
 
- IKE lifetime: `3h`
 
[Screenshot Here]
 
[Screenshot Here]
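Review bot: The blank lines added after `Encryption`, `Hash` and `PFS group` (two each) differ from the RUT1 ESP block, which adds one; keep the spacing consistent. The same `IKE lifetime` labelling question as in the RUT1 ESP block applies here.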
Line 330: Line 442:     
==Testing configuration==
 
==Testing configuration==
 +
----
 +
 +
===RUT1 to RUT2 Test===
 
----
 
----
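Review bot: Moving `===RUT1 to RUT2 Test===` up to directly under `==Testing configuration==` puts the section intro ("That each RUT device can ping the other's LAN IP ..." and "And that LAN device on RUT1 can ping LAN device on RUT2", visible in the next hunk) inside the first test, although the second sentence describes the LAN-to-LAN test. Keep the intro above the subsection heading, or move the heading back below it.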
   Line 335: Line 450:  
That each RUT device can ping the other's LAN IP. In this case 192.168.3.1 for RUT1 & 192.168.14.1 for RUT2.
 
That each RUT device can ping the other's LAN IP. In this case 192.168.3.1 for RUT1 & 192.168.14.1 for RUT2.
 
And that LAN device on RUT1 can ping LAN device on RUT2.
 
And that LAN device on RUT1 can ping LAN device on RUT2.
  −
===RUT1 to RUT2 Test===
  −
----
   
   
 
   
 
* First make sure each device has been rebooted at least once after you have finished configuring the previous steps.
 
* First make sure each device has been rebooted at least once after you have finished configuring the previous steps.
* SSH into RUT1 device.
+
* SSH into RUT1 device
 
* `ipsec statusall` // This should show 2 up with Security Associations and that the connection should be up for some minutes. You should also see the Cert info from the certs we created earlier.
 
* `ipsec statusall` // This should show 2 up with Security Associations and that the connection should be up for some minutes. You should also see the Cert info from the certs we created earlier.
 
[Screenshot Here]
 
[Screenshot Here]
   −
* `ping 192.168.14.1` // You should get a response if the tunnel has established properly.
+
* `ping 192.168.14.1` // You should get a response if the tunnel has established properly
 
[Screenshot Here]
 
[Screenshot Here]
   −
* SSH into RUT2 device.
+
* SSH into RUT2 device
 
* `ipsec statusall` // This should show 2 up with Security Associations and that the connection should be up for some minutes. You should also see the Cert info from the certs we created earlier.
 
* `ipsec statusall` // This should show 2 up with Security Associations and that the connection should be up for some minutes. You should also see the Cert info from the certs we created earlier.
 
[Screenshot Here]
 
[Screenshot Here]
   −
* `ping 192.168.3.1` // You should get a response if the tunnel has established properly.
+
* `ping 192.168.3.1` // You should get a response if the tunnel has established properly
 
[Screenshot Here]
 
[Screenshot Here]
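Review bot: `ipsec statusall // This should show 2 up with Security Associations` is ambiguous about what to look for; state the expected states (an IKE_SA reported as ESTABLISHED and a CHILD_SA as INSTALLED) and that the certificate subjects printed match the certs created earlier, so a half-established tunnel is not mistaken for success. Dropping the trailing periods on the bullets is fine as long as it is done for every bullet in the section.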
   Line 367: Line 479:  
===RUT1 LAN device to RUT2 LAN device Test===
 
===RUT1 LAN device to RUT2 LAN device Test===
 
----
 
----
 +
 +
Here we will confirm that LAN devices behind either RUTxxx devices are able to communicate with each other.
    
* Attach a Windows/MacOS/Linux PC via ethernet or wifi to RUT1 LAN. Remove or disable any other active interfaces on your PC.
 
* Attach a Windows/MacOS/Linux PC via ethernet or wifi to RUT1 LAN. Remove or disable any other active interfaces on your PC.
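Review bot: "behind either RUTxxx devices" should be "behind either RUTxxx device" (or "behind both RUTxxx devices"). The instruction to disable other active interfaces on the test PC is a good addition, since a second route would mask whether traffic is actually traversing the tunnel.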
