Changes

no edit summary
Line 5: Line 5:  
In computing, '''Internet Protocol Security''' ('''IPsec''') is a secure network protocol suite of IPv4 that authenticates and encrypts the packets of data sent over an IPv4 network. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to use during the session. IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). Internet Protocol security (IPsec) uses cryptographic security services to protect communications over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection.
 
In computing, '''Internet Protocol Security''' ('''IPsec''') is a secure network protocol suite of IPv4 that authenticates and encrypts the packets of data sent over an IPv4 network. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to use during the session. IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). Internet Protocol security (IPsec) uses cryptographic security services to protect communications over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection.
   −
This article provides an extensive configuration example with details on how to create a tunnel connection authenticating with CA Certs between two IPsec instances, both of which configured on RUTxxx routers.
+
This article provides an extensive configuration example with details on how to create a tunnel connection authenticating with X.509 Certs between two IPsec instances, both of which configured on RUTxxx routers.
    
==Configuration overview and prerequisites==
 
==Configuration overview and prerequisites==
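Review bot: the intro sentence kept unchanged in this hunk describes IPsec as "a secure network protocol suite of IPv4 that authenticates and encrypts the packets of data sent over an IPv4 network", which is wrong: IPsec (RFC 4301) protects IPv4 and IPv6 traffic alike, and the later sentence in the same paragraph already says "over Internet Protocol (IP) networks". Suggest "a secure network protocol suite that authenticates and encrypts the packets of data sent over an IP network". Changing "CA Certs" to "X.509 Certs" in the second paragraph is the right call, since the tunnel authenticates the peers with X.509 certificates that the CA signs, but the sentence still reads "both of which configured on RUTxxx routers" and should be "both of which are configured on RUTxxx routers".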
Line 62: Line 62:     
- `Generate` Certificate
 
- `Generate` Certificate
 +
<br>
    
[[File:IPSec CA Cert Generating.png|frame|none]]
 
[[File:IPSec CA Cert Generating.png|frame|none]]
Line 98: Line 99:     
[[File:IPSec CA Cert Generating Confirmation2.png|frame|none]]
 
[[File:IPSec CA Cert Generating Confirmation2.png|frame|none]]
 +
<br>
    
====Generating Rut1 Client Cert====
 
====Generating Rut1 Client Cert====
Line 124: Line 126:     
- `Generate` Certificate
 
- `Generate` Certificate
 +
<br>
   −
[Screenshot Here]
+
[[File:IPSec RUT1 Cert Generating.png|frame|none]]
    +
<br>
 
After you hit Generate the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT1.key.pem under *Keys* and a RUT1.req.pem under *Certificate requests*.
 
After you hit Generate the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT1.key.pem under *Keys* and a RUT1.req.pem under *Certificate requests*.
 +
<br>
 +
 +
[[File:IPSec RUT1 Cert Generating Confirmation.png|frame|none]]
   −
[Screenshot Here]
+
<br>
    
Next we need to sign the RUT1 cert.
 
Next we need to sign the RUT1 cert.
Line 149: Line 156:     
- `Sign`
 
- `Sign`
 +
<br>
   −
[Screenshot Here]
+
[[File:IPSec RUT1 Cert Signing.png|frame|none]]
    +
<br>
 
After you hit *Sign* the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT1.cert.pem under *Certificates*.
 
After you hit *Sign* the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT1.cert.pem under *Certificates*.
 +
<br>
   −
[Screenshot Here]
+
[[File:IPSec RUT1 Cert Manager Check.png|frame|none]]
 +
 
 +
<br>
    
====Generating Rut2 Client Cert====
 
====Generating Rut2 Client Cert====
Line 184: Line 196:     
- `Generate` Certificate
 
- `Generate` Certificate
 +
<br>
   −
[Screenshot Here]
+
[[File:IPSec RUT2 Cert Generating.png|frame|none]]
    +
<br>
 
After you hit Generate the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT2.key.pem under *Keys* and a RUT1.req.pem under *Certificate requests*.
 
After you hit Generate the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT2.key.pem under *Keys* and a RUT1.req.pem under *Certificate requests*.
 +
<br>
   −
[Screenshot Here]
+
[[File:IPSec RUT2 Cert Generating Confirmation.png|frame|none]]
    +
<br>
 
Next we need to sign the RUT2 cert.
 
Next we need to sign the RUT2 cert.
 
Under the `Certificate signing` configure as follows:
 
Under the `Certificate signing` configure as follows:
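Review bot: the confirmation sentence for RUT2, unchanged before and after this edit, says you should see "RUT2.key.pem under *Keys* and a RUT1.req.pem under *Certificate requests*"; the request generated in this step is RUT2's, so the file should be RUT2.req.pem. As written, a reader following the text literally would sign RUT1's request a second time in the next step and end up with no certificate for RUT2. Since this edit already touches the surrounding lines to replace the "[Screenshot Here]" placeholder with the RUT2 screenshot, the file name should be corrected in the same edit.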
Line 209: Line 225:     
- `Sign`
 
- `Sign`
 +
<br>
 +
 +
[[File:IPSec RUT2 Cert Signing.png|frame|none]]
    +
<br>
 
After you hit *Sign* the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT2.cert.pem under *Certificates*.
 
After you hit *Sign* the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT2.cert.pem under *Certificates*.
 +
<br>
   −
[Screenshot Here]
+
[[File:IPSec RUT2 Cert Manager Check.png|frame|none]]
    +
<br>
 
====Download/Import Certs====
 
====Download/Import Certs====
 
----
 
----
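Review bot: the "Download/Import Certs" heading is where the files created above (RUT1.key.pem, RUT1.cert.pem, RUT2.key.pem, RUT2.cert.pem and the CA certificate) leave the device that holds the CA, and the text should say explicitly which file goes to which router: each router needs its own .key.pem and .cert.pem, the CA certificate, and the peer's .cert.pem for the "Remote certificate" field used later in the IPsec instance settings. The .key.pem files are private keys, so the steps should move each one only to the router that owns it and only over an authenticated channel (the HTTPS WebUI upload or SCP), and the .req.pem signing requests are not needed by either router once the certificates are signed.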
Line 234: Line 256:  
* Login to the router's WebUI and go to '''System → Services → VPN -> IPsec'''
 
* Login to the router's WebUI and go to '''System → Services → VPN -> IPsec'''
 
* Add a new instance called `CA_EX`
 
* Add a new instance called `CA_EX`
[Screenshot Here]
+
<br>
    +
[[File:IPSec RUT1 Config Add CA EX.png|frame|none]]
 +
 +
<br>
 
* IPsec Instance General settings configuration as follows:
 
* IPsec Instance General settings configuration as follows:
 
    
 
    
Line 253: Line 278:     
- Remote identifier: `192.168.14.1` // We will use the LAN IP of RUT2 for the Identifier
 
- Remote identifier: `192.168.14.1` // We will use the LAN IP of RUT2 for the Identifier
 +
<br>
   −
[Screenshot Here]
+
[[File:RUT1 IPSec Instance General Settings Configuration.png|frame|none]]
    +
<br>
    
* IPsec Instance Advanced settings configuration as follows:
 
* IPsec Instance Advanced settings configuration as follows:
 
    
 
    
 
- Remote certificate: `RUT2.cert.pem` // Upload RUT2 cert we created earlier.
 
- Remote certificate: `RUT2.cert.pem` // Upload RUT2 cert we created earlier.
[Screenshot Here]
+
<br>
 +
 
 +
[[File:RUT1 IPSec Instance Advanced Settings Configuration.png|frame|none]]
 +
 
 +
<br>
    
* Connection settings General settings configuration as follows:
 
* Connection settings General settings configuration as follows:
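Review bot: "Remote identifier: 192.168.14.1 // We will use the LAN IP of RUT2 for the Identifier" only works if that identity can be verified against the peer's certificate. With certificate authentication, strongSwan (whose `ipsec statusall` command the testing section below relies on) requires the IKE identity the peer presents to match the subject DN or a subjectAltName of the certificate it presents, so the RUT2 certificate signed earlier must carry 192.168.14.1 as an IP subjectAltName, or the identifier must instead be the certificate's subject DN. The certificate generation steps should state which of these the page relies on, otherwise a reader with a perfectly valid certificate gets an authentication failure. Setting "Remote certificate: RUT2.cert.pem" in addition to trusting the CA is good practice, as it pins the one peer certificate this tunnel accepts.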
Line 276: Line 307:     
- Key exchange: `IKEv2`
 
- Key exchange: `IKEv2`
[Screenshot Here]
+
<br>
    +
[[File:RUT1 IPSec Connection Settings General Settings Configuration.png|frame|none]]
 +
 +
<br>
    
* Connection settings Advanced settings configuration as follows:
 
* Connection settings Advanced settings configuration as follows:
Line 298: Line 332:     
- The rest of the configuration leave as default
 
- The rest of the configuration leave as default
[Screenshot Here]
      +
<br>
 +
 +
[[File:RUT1 IPSec Connection Settings Advanced Settings Configuration.png|frame|none]]
 +
 +
<br>
    
* Connection settings Proposal settings configuration as follows:
 
* Connection settings Proposal settings configuration as follows:
Line 314: Line 352:     
- IKE lifetime: `3h`
 
- IKE lifetime: `3h`
[Screenshot Here]
+
<br>
 +
 
 +
[[File:RUT1 IPSec Proposal Settings Phase1.png|frame|none]]
 +
 
 +
<br>
    
* Phase 2
 
* Phase 2
Line 327: Line 369:     
- IKE lifetime: `3h`
 
- IKE lifetime: `3h`
[Screenshot Here]
+
<br>
 +
 
 +
[[File:RUT1 IPSec Proposal Settings Phase2.png|frame|none]]
    +
<br>
    
* Hit 'Save & Apply'
 
* Hit 'Save & Apply'
 
* Toggle the CA_EX tunnel on and hit 'Save & Apply' once more
 
* Toggle the CA_EX tunnel on and hit 'Save & Apply' once more
[Screenshot Here]
+
<br>
 +
[[File:RUT1 IPSec Toggle On Save And Apply.png|frame|none]]
    +
<br>
 
* Reboot the device once you have finished.
 
* Reboot the device once you have finished.
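Review bot: under "Phase 2" the last setting is again "IKE lifetime: 3h", the same label and value as in Phase 1. The Phase 1 lifetime applies to the IKE SA, while the Phase 2 value is the lifetime of the ESP (child) SA; if the WebUI labels the Phase 2 field differently, the text should use that label, and if the two were meant to differ (child SAs are normally rekeyed more often than the IKE SA) the page should say so, because a reader copying these values gets identical rekey intervals for both. "Reboot the device once you have finished" after two "Save & Apply" steps also needs a reason; if applying the configuration starts the tunnel, the reboot is unnecessary and delays the status check that follows.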
   Line 343: Line 390:  
* Login to the router's WebUI and go to '''System → Services → VPN -> IPsec'''
 
* Login to the router's WebUI and go to '''System → Services → VPN -> IPsec'''
 
* Add a new instance called `CA_EX`
 
* Add a new instance called `CA_EX`
[Screenshot Here]
+
<br>
 +
 
 +
[[File:IPSec_RUT1_Config_Add_CA_EX.png|frame|none]]
 +
 
 +
<br>
    
* IPsec Instance General settings configuration as follows:
 
* IPsec Instance General settings configuration as follows:
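Review bot: the screenshot added for "Add a new instance called CA_EX" in the RUT2 section is [[File:IPSec_RUT1_Config_Add_CA_EX.png]], i.e. the RUT1 image from the section above, while every other RUT2 screenshot in this edit uses a RUT2-named file. Either upload the RUT2 capture or add a sentence saying the dialog is identical on both routers; as it stands a reader comparing the screenshot to their RUT2 WebUI will see RUT1's details.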
Line 362: Line 413:     
- Remote identifier: `192.168.3.1` // We will use the LAN IP of RUT1 for the Identifier
 
- Remote identifier: `192.168.3.1` // We will use the LAN IP of RUT1 for the Identifier
[Screenshot Here]
+
<br>
 +
 
 +
[[File:RUT2 IPSec Instance General Settings Configuration.png|frame|none]]
    +
<br>
    
* Connection settings Advanced settings configuration as follows:
 
* Connection settings Advanced settings configuration as follows:
 
    
 
    
 
- Remote certificate: `RUT1.cert.pem` // Upload RUT1 cert we created earlier.
 
- Remote certificate: `RUT1.cert.pem` // Upload RUT1 cert we created earlier.
[Screenshot Here]
+
<br>
 +
 
 +
[[File:RUT2 IPSec Instance Advanced Settings Configuration.png|frame|none]]
 +
 
 +
<br>
    
* Connection settings General settings configuration as follows:
 
* Connection settings General settings configuration as follows:
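Review bot: the RUT2 heading "Connection settings Advanced settings configuration as follows" that introduces "Remote certificate: RUT1.cert.pem" is mislabeled. The corresponding RUT1 step is under "IPsec Instance Advanced settings", and "Connection settings Advanced settings" appears again further down in the RUT2 section for the actual connection settings, so a reader will look for the certificate field in the wrong tab. Rename it to "IPsec Instance Advanced settings configuration as follows". The identifier pairing is consistent with the RUT1 section (RUT2 expects 192.168.3.1, RUT1 expects 192.168.14.1), which is good.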
Line 384: Line 442:     
- Key exchange: `IKEv2`
 
- Key exchange: `IKEv2`
[Screenshot Here]
+
<br>
    +
[[File:RUT2 IPSec Connection Settings General Settings Configuration.png|frame|none]]
 +
 +
<br>
    
* Connection settings Advanced settings configuration as follows:
 
* Connection settings Advanced settings configuration as follows:
Line 406: Line 467:     
- The rest of the configuration leave as default
 
- The rest of the configuration leave as default
[Screenshot Here]
+
<br>
    +
[[File:RUT2 IPSec Connection Settings Advanced Settings Configuration.png|frame|none]]
 +
 +
<br>
    
* Connection settings Proposal settings configuration as follows:
 
* Connection settings Proposal settings configuration as follows:
Line 422: Line 486:     
- IKE lifetime: `3h`
 
- IKE lifetime: `3h`
[Screenshot Here]
+
<br>
 +
 
 +
[[File:RUT2 IPSec Proposal Settings Phase1.png|frame|none]]
 +
 
 +
<br>
    
* Phase 2
 
* Phase 2
Line 435: Line 503:     
- IKE lifetime: `3h`
 
- IKE lifetime: `3h`
[Screenshot Here]
+
<br>
 +
 
 +
[[File:RUT2 IPSec Proposal Settings Phase2.png|frame|none]]
    +
<br>
    
* Hit 'Save & Apply'
 
* Hit 'Save & Apply'
 
* Toggle the CA_EX tunnel on and hit 'Save & Apply' once more
 
* Toggle the CA_EX tunnel on and hit 'Save & Apply' once more
[Screenshot Here]
+
<br>
 +
 
 +
[[File:RUT2 IPSec Toggle On Save And Apply.png|frame|none]]
 +
 
 +
<br>
    
* Reboot the device once you have finished.
 
* Reboot the device once you have finished.
Line 458: Line 533:  
* SSH into RUT1 device
 
* SSH into RUT1 device
 
* `ipsec statusall` // This should show 2 up with Security Associations and that the connection should be up for some minutes. You should also see the Cert info from the certs we created earlier.
 
* `ipsec statusall` // This should show 2 up with Security Associations and that the connection should be up for some minutes. You should also see the Cert info from the certs we created earlier.
[Screenshot Here]
+
<br>
 +
 
 +
[[File:RUT1 IPSec Status.png|frame|none]]
    +
<br>
 
* `ping 192.168.14.1` // You should get a response if the tunnel has established properly
 
* `ping 192.168.14.1` // You should get a response if the tunnel has established properly
[Screenshot Here]
+
<br>
 +
 
 +
[[File:RUT1 Ping To RUT2 Check.png|frame|none]]
 +
 
 +
<br>
    
* SSH into RUT2 device
 
* SSH into RUT2 device
 
* `ipsec statusall` // This should show 2 up with Security Associations and that the connection should be up for some minutes. You should also see the Cert info from the certs we created earlier.
 
* `ipsec statusall` // This should show 2 up with Security Associations and that the connection should be up for some minutes. You should also see the Cert info from the certs we created earlier.
[Screenshot Here]
+
<br>
 +
 
 +
[[File:RUT2 IPSec Status.png|frame|none]]
 +
 
 +
<br>
    
* `ping 192.168.3.1` // You should get a response if the tunnel has established properly
 
* `ping 192.168.3.1` // You should get a response if the tunnel has established properly
[Screenshot Here]
+
<br>
 +
 
 +
[[File:RUT2 Ping To RUT1 Check.png|frame|none]]
 +
 
 +
<br>
    
* SSH into RUT1 device
 
* SSH into RUT1 device
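Review bot: "This should show 2 up with Security Associations and that the connection should be up for some minutes" is hard to act on; state the lines to look for in the `ipsec statusall` output: the "Security Associations (... up, 0 connecting)" header, an IKE_SA for CA_EX in state ESTABLISHED showing the local and remote identifiers (192.168.3.1 and 192.168.14.1) and the certificate subjects (which is what "the Cert info from the certs we created earlier" refers to), and a child SA in state INSTALLED whose traffic selectors are the two LAN subnets. Uptime "for some minutes" is not a success criterion, ESTABLISHED and INSTALLED are. The two pings are fine as a first check but only prove router-to-router reachability; the LAN device test below is what exercises the traffic selectors.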
Line 478: Line 568:  
* On RUT1 wait 10 seconds then CTRL+C to stop the program
 
* On RUT1 wait 10 seconds then CTRL+C to stop the program
 
* Then use a program like WinSCP to download `Checking_For_ESP_Packets.pcap` from RUT1
 
* Then use a program like WinSCP to download `Checking_For_ESP_Packets.pcap` from RUT1
* Open the file in a program called Wireshark and filter for encrypted ESP packets with this `_ws.col.protocol == "ESP"`. You should see ESP packets from both the WAN IPs. You shouldn't be able to see inside the packet because it is now encrypted, but if we decrypted the packets we would see the ICMP packets between the 2 RUT devices.
+
* Open the file in a program called Wireshark and filter for encrypted ESP packets with this '''_ws.col.protocol == "ESP"'''. You should see ESP packets from both the WAN IPs. You shouldn't be able to see inside the packet because it is now encrypted, but if we decrypted the packets we would see the ICMP packets between the 2 RUT devices.
[Screenshot Here]
+
<br>
 +
 
 +
[[File:Checking Pcap With Wireshark.png|frame|none]]
 +
 
 +
<br>
    
===RUT1 LAN device to RUT2 LAN device Test===
 
===RUT1 LAN device to RUT2 LAN device Test===
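Review bot: the display filter in this hunk changes only in formatting ('''_ws.col.protocol == "ESP"''' instead of backticks), but the filter itself relies on column fields that older Wireshark releases do not expose; the protocol filter `esp` (or `ip.proto == 50`) works in every Wireshark version and is the form readers will find in Wireshark's own documentation. It is also worth stating the expected pattern explicitly: ESP packets alternating between the two WAN IPs, one SPI per direction, and no ICMP between 192.168.3.1 and 192.168.14.1 anywhere in the capture; the absence of cleartext ICMP is the actual check that the pings went through the tunnel rather than around it.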
Line 506: Line 600:  
* Perform similar steps above for a 2nd device connected to RUT2 LAN
 
* Perform similar steps above for a 2nd device connected to RUT2 LAN
 
* Once both devices are connected to the LAN of RUT1 & RUT2 you should be able to ping the devices from each other.
 
* Once both devices are connected to the LAN of RUT1 & RUT2 you should be able to ping the devices from each other.
[Screenshot Here]
+
<br>
    +
[[File:LAN To LAN Device Ping.png|frame|none]]
 +
 +
<br>
 
* Afterwards make sure to re-enable the firewall for both LAN devices
 
* Afterwards make sure to re-enable the firewall for both LAN devices
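Review bot: "make sure to re-enable the firewall for both LAN devices" implies the test was done with the host firewalls switched off. A test that needs no re-enabling step is to leave the firewalls on and allow ICMP echo requests only from the remote LAN (assuming /24 LANs: 192.168.3.0/24 on the device behind RUT2, 192.168.14.0/24 on the device behind RUT1), which also confirms the traffic selectors end to end. If the page keeps the disable-then-re-enable approach, this reminder should be made prominent (the page uses bold for UI paths elsewhere), because a reader who stops after the successful ping leaves both hosts unprotected.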