Difference between revisions of "IPSec Tunnel w/CA Certs Configuration"
ChaseHarler (talk | contribs) m (ChaseHarler moved page CH Testing to IPSec Tunnel w/CA Certs Configuration) |
ChaseHarler (talk | contribs) |
||
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
[[IPSec Tunnel w/CA Certs Configuration]] | [[IPSec Tunnel w/CA Certs Configuration]] | ||
| + | |||
| + | ==Introduction== | ||
| + | |||
| + | In computing, '''Internet Protocol Security''' ('''IPsec''') is a secure network protocol suite of IPv4 that authenticates and encrypts the packets of data sent over an IPv4 network. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to use during the session. IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). Internet Protocol security (IPsec) uses cryptographic security services to protect communications over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection. | ||
| + | |||
| + | This article provides an extensive configuration example with details on how to create a tunnel connection authenticating with CA Certs between two IPsec instances, both of which configured on RUTxxx routers. | ||
| + | |||
| + | ==Configuration overview and prerequisites== | ||
| + | |||
| + | Before we begin, let's overview the configuration that we are attempting to achieve and the prerequisites that make it possible. | ||
| + | |||
| + | '''Prerequisites''': | ||
| + | * Two RUTxxx routers of any type | ||
| + | * Both RUTxxx routers must be accessible from each other's WAN connection | ||
| + | * (Optional) A second end device to configure and test remote LAN access | ||
| + | ---- | ||
| + | |||
| + | [Image Here showing RUT1 & RUT2 connected via Wan connection] | ||
| + | [RUT1 Wan IP: 10.0.5.1 Lan IP: 192.168.1.1] | ||
| + | [RUT2 Wan IP: 10.0.5.2 Lan IP: 192.168.2.1] | ||
| + | |||
| + | The figure above depicts two RUTxxx routers (RUT1 and RUT2) connected by an IPsec tunnel via their WAN interfaces. | ||
| + | |||
| + | ==Router configuration== | ||
| + | |||
| + | We will start our configuration with RUT1. | ||
| + | |||
| + | This configuration guide will generate our own CA cert that will be used to self-sign our own keys and local certs for both devices. | ||
| + | |||
| + | ===Generating Certs=== | ||
| + | ---- | ||
| + | |||
| + | |||
| + | ====Generating CA Cert==== | ||
| + | ---- | ||
| + | |||
| + | First we will generate our CA cert. | ||
| + | |||
| + | * Login to the router's WebUI and go to '''System → Administration → Certificates'''. | ||
| + | The following are the settings used for this example, but values should be changed depending on your specific needs: | ||
| + | |||
| + | - File Type: CA | ||
| + | - Key Size: 1024 | ||
| + | - Name (CN): CAIPSec // This can be whatever name you choose. | ||
| + | - Subject Information: Toggled On // It is recommended to fill out at least Country Code, State/Province and Organization Name. | ||
| + | - Country Code (CC): US // Fill your country code | ||
| + | - State or Province Name (ST): TX // Fill your State/Province name | ||
| + | - Locality Name (L): CAIPSec // Fill your locality name, or at least a recognizable name for your CA | ||
| + | - Organization Name (O): CAIPSec // Fill your Organization name | ||
| + | - Organizational Unit Name (OU): CAIPSEC // Fill your specific Unit Name | ||
| + | - `Generate` Certificate | ||
| + | |||
| + | [Screenshot Here] | ||
| + | |||
| + | After you hit Generate the CA cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a CAIPSec.key.pem under *Keys* and a CAIPSec.req.pem under *Certificate requests*. | ||
| + | |||
| + | [Screenshot Here] | ||
| + | |||
| + | |||
| + | Next we need to sign the CAIPSec CA. We will be Self-Signing our own CA. | ||
| + | Under the `Certificate signing` configure as follows: | ||
| + | |||
| + | - Signed Certificate Name: CAIPSec | ||
| + | - Type of Certificate to Sign: Certificate Authority | ||
| + | - Certificate Request File: CAIPSec.req.pem | ||
| + | - Days Valid: 3650 // For this example we will use 3650 days, but you can configure this to be longer if needed. I would caution against too long of a CA. | ||
| + | - Certificate Authority Key: CAIPSec.key.pem | ||
| + | - Leave the rest of the configuration alone | ||
| + | - `Sign` | ||
| + | |||
| + | After you hit *Sign* the CA cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a CAIPSec.cert.pem under *Certificates*. | ||
| + | |||
| + | [Screenshot Here] | ||
| + | |||
| + | ====Generating Rut1 Client Cert==== | ||
| + | ---- | ||
| + | |||
| + | * Login to the router's WebUI and go to '''System → Administration → Certificates'''. | ||
| + | The following are the settings used for this example, but values should be changed depending on your specific needs: | ||
| + | |||
| + | - File Type: Client | ||
| + | - Key Size: 1024 | ||
| + | - Name (CN): RUT1 // This can be whatever name you choose. | ||
| + | - Subject Information: Toggled On // It is recommended to fill out at least Country Code, State/Province and Organization Name. | ||
| + | - Country Code (CC): US // Fill your country code | ||
| + | - State or Province Name (ST): TX // Fill your State/Province name | ||
| + | - Locality Name (L): RUT1 // Fill your locality name, or at least a recognizable name for your CA | ||
| + | - Organization Name (O): RUT1 // Fill your Organization name | ||
| + | - Organizational Unit Name (OU): RUT1 // Fill your specific Unit Name | ||
| + | - `Generate` Certificate | ||
| + | |||
| + | [Screenshot Here] | ||
| + | |||
| + | After you hit Generate the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT1.key.pem under *Keys* and a RUT1.req.pem under *Certificate requests*. | ||
| + | |||
| + | |||
| + | Next we need to sign the RUT1 cert. | ||
| + | Under the `Certificate signing` configure as follows: | ||
| + | |||
| + | - Signed Certificate Name: RUT1 | ||
| + | - Type of Certificate to Sign: Client Certificate | ||
| + | - Certificate Request File: RUT1.req.pem | ||
| + | - Days Valid: 3650 | ||
| + | - Certificate Authority File: CAIPSec.cert.pem | ||
| + | - Certificate Authority Key: CAIPSec.key.pem | ||
| + | - Leave the rest of the configuration alone | ||
| + | - `Sign` | ||
| + | |||
| + | After you hit *Sign* the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT1.cert.pem under *Certificates*. | ||
| + | |||
| + | [Screenshot Here] | ||
| + | |||
| + | ====Generating Rut2 Client Cert==== | ||
| + | ---- | ||
| + | |||
| + | We will still generate RUT2 certs on the RUT1 device, so that we can sign our certs with the CA created earlier. | ||
| + | Later we will download the certs required for RUT2 and import them there. | ||
| + | |||
| + | * Login to the router's WebUI and go to '''System → Administration → Certificates'''. | ||
| + | The following are the settings used for this example, but values should be changed depending on your specific needs: | ||
| + | |||
| + | - File Type: Client | ||
| + | - Key Size: 1024 | ||
| + | - Name (CN): RUT2 // This can be whatever name you choose. | ||
| + | - Subject Information: Toggled On // It is recommended to fill out at least Country Code, State/Province and Organization Name. | ||
| + | - Country Code (CC): US // Fill your country code | ||
| + | - State or Province Name (ST): TX // Fill your State/Province name | ||
| + | - Locality Name (L): RUT2 // Fill your locality name, or at least a recognizable name for your CA | ||
| + | - Organization Name (O): RUT2 // Fill your Organization name | ||
| + | - Organizational Unit Name (OU): RUT2 // Fill your specific Unit Name | ||
| + | - `Generate` Certificate | ||
| + | |||
| + | [Screenshot Here] | ||
| + | |||
| + | After you hit Generate the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT2.key.pem under *Keys* and a RUT1.req.pem under *Certificate requests*. | ||
| + | |||
| + | |||
| + | Next we need to sign the RUT2 cert. | ||
| + | Under the `Certificate signing` configure as follows: | ||
| + | |||
| + | - Signed Certificate Name: RUT2 | ||
| + | - Type of Certificate to Sign: Client Certificate | ||
| + | - Certificate Request File: RUT2.req.pem | ||
| + | - Days Valid: 3650 | ||
| + | - Certificate Authority File: CAIPSec.cert.pem | ||
| + | - Certificate Authority Key: CAIPSec.key.pem | ||
| + | - Leave the rest of the configuration alone | ||
| + | - `Sign` | ||
| + | |||
| + | After you hit *Sign* the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT2.cert.pem under *Certificates*. | ||
| + | |||
| + | [Screenshot Here] | ||
| + | |||
| + | ====Download/Import Certs==== | ||
| + | ---- | ||
| + | |||
| + | Starting with RUT1 | ||
| + | |||
| + | * Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager''' | ||
| + | * Download CAIPSec.cert.pem, RUT2.cert.pem & RUT2.key.pem | ||
| + | |||
| + | Next moving to RUT2 | ||
| + | |||
| + | * Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager''' | ||
| + | * Import Certificate File *Browse* and import CAIPSec.cert.pem, RUT2.cert.pem & RUT2.key.pem | ||
| + | |||
| + | ===IPSec RUT1 Config=== | ||
| + | ---- | ||
| + | |||
| + | ===IPSec RUT2 Config=== | ||
| + | ---- | ||
Revision as of 04:52, 18 June 2024
IPSec Tunnel w/CA Certs Configuration
Introduction
In computing, Internet Protocol Security (IPsec) is a secure network protocol suite of IPv4 that authenticates and encrypts the packets of data sent over an IPv4 network. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to use during the session. IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). Internet Protocol security (IPsec) uses cryptographic security services to protect communications over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection.
This article provides an extensive configuration example with details on how to create a tunnel connection authenticating with CA Certs between two IPsec instances, both of which configured on RUTxxx routers.
Configuration overview and prerequisites
Before we begin, let's overview the configuration that we are attempting to achieve and the prerequisites that make it possible.
Prerequisites:
- Two RUTxxx routers of any type
- Both RUTxxx routers must be accessible from each other's WAN connection
- (Optional) A second end device to configure and test remote LAN access
[Image Here showing RUT1 & RUT2 connected via Wan connection] [RUT1 Wan IP: 10.0.5.1 Lan IP: 192.168.1.1] [RUT2 Wan IP: 10.0.5.2 Lan IP: 192.168.2.1]
The figure above depicts two RUTxxx routers (RUT1 and RUT2) connected by an IPsec tunnel via their WAN interfaces.
Router configuration
We will start our configuration with RUT1.
This configuration guide will generate our own CA cert that will be used to self-sign our own keys and local certs for both devices.
Generating Certs
Generating CA Cert
First we will generate our CA cert.
- Login to the router's WebUI and go to System → Administration → Certificates.
The following are the settings used for this example, but values should be changed depending on your specific needs:
- File Type: CA - Key Size: 1024 - Name (CN): CAIPSec // This can be whatever name you choose. - Subject Information: Toggled On // It is recommended to fill out at least Country Code, State/Province and Organization Name. - Country Code (CC): US // Fill your country code - State or Province Name (ST): TX // Fill your State/Province name - Locality Name (L): CAIPSec // Fill your locality name, or at least a recognizable name for your CA - Organization Name (O): CAIPSec // Fill your Organization name - Organizational Unit Name (OU): CAIPSEC // Fill your specific Unit Name - `Generate` Certificate
[Screenshot Here]
After you hit Generate the CA cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a CAIPSec.key.pem under *Keys* and a CAIPSec.req.pem under *Certificate requests*.
[Screenshot Here]
Next we need to sign the CAIPSec CA. We will be Self-Signing our own CA.
Under the `Certificate signing` configure as follows:
- Signed Certificate Name: CAIPSec - Type of Certificate to Sign: Certificate Authority - Certificate Request File: CAIPSec.req.pem - Days Valid: 3650 // For this example we will use 3650 days, but you can configure this to be longer if needed. I would caution against too long of a CA. - Certificate Authority Key: CAIPSec.key.pem - Leave the rest of the configuration alone - `Sign`
After you hit *Sign* the CA cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a CAIPSec.cert.pem under *Certificates*.
[Screenshot Here]
Generating Rut1 Client Cert
- Login to the router's WebUI and go to System → Administration → Certificates.
The following are the settings used for this example, but values should be changed depending on your specific needs:
- File Type: Client - Key Size: 1024 - Name (CN): RUT1 // This can be whatever name you choose. - Subject Information: Toggled On // It is recommended to fill out at least Country Code, State/Province and Organization Name. - Country Code (CC): US // Fill your country code - State or Province Name (ST): TX // Fill your State/Province name - Locality Name (L): RUT1 // Fill your locality name, or at least a recognizable name for your CA - Organization Name (O): RUT1 // Fill your Organization name - Organizational Unit Name (OU): RUT1 // Fill your specific Unit Name - `Generate` Certificate
[Screenshot Here]
After you hit Generate the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT1.key.pem under *Keys* and a RUT1.req.pem under *Certificate requests*.
Next we need to sign the RUT1 cert.
Under the `Certificate signing` configure as follows:
- Signed Certificate Name: RUT1 - Type of Certificate to Sign: Client Certificate - Certificate Request File: RUT1.req.pem - Days Valid: 3650 - Certificate Authority File: CAIPSec.cert.pem - Certificate Authority Key: CAIPSec.key.pem - Leave the rest of the configuration alone - `Sign`
After you hit *Sign* the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT1.cert.pem under *Certificates*.
[Screenshot Here]
Generating Rut2 Client Cert
We will still generate RUT2 certs on the RUT1 device, so that we can sign our certs with the CA created earlier. Later we will download the certs required for RUT2 and import them there.
- Login to the router's WebUI and go to System → Administration → Certificates.
The following are the settings used for this example, but values should be changed depending on your specific needs:
- File Type: Client - Key Size: 1024 - Name (CN): RUT2 // This can be whatever name you choose. - Subject Information: Toggled On // It is recommended to fill out at least Country Code, State/Province and Organization Name. - Country Code (CC): US // Fill your country code - State or Province Name (ST): TX // Fill your State/Province name - Locality Name (L): RUT2 // Fill your locality name, or at least a recognizable name for your CA - Organization Name (O): RUT2 // Fill your Organization name - Organizational Unit Name (OU): RUT2 // Fill your specific Unit Name - `Generate` Certificate
[Screenshot Here]
After you hit Generate the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT2.key.pem under *Keys* and a RUT1.req.pem under *Certificate requests*.
Next we need to sign the RUT2 cert.
Under the `Certificate signing` configure as follows:
- Signed Certificate Name: RUT2 - Type of Certificate to Sign: Client Certificate - Certificate Request File: RUT2.req.pem - Days Valid: 3650 - Certificate Authority File: CAIPSec.cert.pem - Certificate Authority Key: CAIPSec.key.pem - Leave the rest of the configuration alone - `Sign`
After you hit *Sign* the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT2.cert.pem under *Certificates*.
[Screenshot Here]
Download/Import Certs
Starting with RUT1
- Login to the router's WebUI and go to System → Administration → Certificates -> Certificates Manager
- Download CAIPSec.cert.pem, RUT2.cert.pem & RUT2.key.pem
Next moving to RUT2
- Login to the router's WebUI and go to System → Administration → Certificates -> Certificates Manager
- Import Certificate File *Browse* and import CAIPSec.cert.pem, RUT2.cert.pem & RUT2.key.pem
