Line 210: |
Line 210: |
| Under the `Certificate signing` configure as follows: | | Under the `Certificate signing` configure as follows: |
| | | |
− | - Signed Certificate Name: `RUT2` | + | - Signed Certificate Name: '''''RUT2''''' |
| | | |
− | - Type of Certificate to Sign: `Client Certificate` | + | - Type of Certificate to Sign: '''''Client Certificate''''' |
| | | |
− | - Certificate Request File: `RUT2.req.pem` | + | - Certificate Request File: '''''RUT2.req.pem''''' |
| | | |
− | - Days Valid: `3650` | + | - Days Valid: '''''3650''''' |
| | | |
− | - Certificate Authority File: `CAIPSec.cert.pem` | + | - Certificate Authority File: '''''CAIPSec.cert.pem''''' |
| | | |
− | - Certificate Authority Key: `CAIPSec.key.pem` | + | - Certificate Authority Key: '''''CAIPSec.key.pem''''' |
| | | |
| - Leave the rest of the configuration alone | | - Leave the rest of the configuration alone |
| | | |
− | - `Sign` | + | - '''''Sign''''' |
| <br> | | <br> |
| | | |
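Review bot: Days Valid 3650 issues the RUT2 client certificate for ten years without saying why; the page should either state that this long lifetime is a convenience choice for the lab, or pick a shorter validity and mention renewal, since none of the visible steps sets up revocation (no CRL is mentioned). Minor: "Leave the rest of the configuration alone" would read better as "Leave the remaining fields at their defaults", matching the wording used later in the page.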
Line 243: |
Line 243: |
| * Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager''' | | * Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager''' |
| * Download CAIPSec.cert.pem, RUT1.cert.pem, RUT1.key.pem, RUT2.cert.pem & RUT2.key.pem | | * Download CAIPSec.cert.pem, RUT1.cert.pem, RUT1.key.pem, RUT2.cert.pem & RUT2.key.pem |
− | * Go to '''System → Administration → Certificates -> Root CA'''. Toggle `On`. Select `CAIPSec.cert.pem` -> `Upload` & then `Save` | + | * Go to '''System → Administration → Certificates -> Root CA'''. Toggle '''On'''. Select '''CAIPSec.cert.pem''' -> '''Upload''' & then '''Save''' |
| | | |
| Next moving to RUT2 | | Next moving to RUT2 |
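Review bot: markup for UI buttons is inconsistent between hunks: here On, Upload and Save are rendered with ''' (bold), while the Line 210 hunk renders Sign with ''''' (bold italic) and the Line 375 hunk does the same for Save & Apply; pick one convention for button names and apply it throughout the change. Separately, this step downloads RUT1.key.pem and RUT2.key.pem to the admin workstation; a sentence saying these are the peers' private keys and should be removed from the workstation once imported into the routers would help readers who follow the steps literally.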
Line 249: |
Line 249: |
| * Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager''' | | * Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager''' |
| * Import Certificate File *Browse* and import CAIPSec.cert.pem, RUT1.cert.pem, RUT2.cert.pem & RUT2.key.pem | | * Import Certificate File *Browse* and import CAIPSec.cert.pem, RUT1.cert.pem, RUT2.cert.pem & RUT2.key.pem |
− | * Go to '''System → Administration → Certificates -> Root CA'''. Toggle `On`. Select `CAIPSec.cert.pem` -> `Upload` & then `Save` | + | * Go to '''System → Administration → Certificates -> Root CA'''. Toggle '''On'''. Select '''CAIPSec.cert.pem''' -> '''Upload''' & then '''Save''' |
| | | |
| ===IPSec RUT1 Config=== | | ===IPSec RUT1 Config=== |
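Review bot: "Import Certificate File *Browse*" on the import line uses Markdown-style asterisks, which render literally in MediaWiki; since this hunk is already converting backticks to wiki quotes, Browse should get the same ''' style as Upload and Save on the following line.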
Line 255: |
Line 255: |
| | | |
| * Login to the router's WebUI and go to '''System → Services → VPN -> IPsec''' | | * Login to the router's WebUI and go to '''System → Services → VPN -> IPsec''' |
− | * Add a new instance called `CA_EX` | + | * Add a new instance called '''CA_EX''' |
| <br> | | <br> |
| | | |
Line 263: |
Line 263: |
| * IPsec Instance General settings configuration as follows: | | * IPsec Instance General settings configuration as follows: |
| | | |
− | - Remote endpoint: `192.168.1.14` // This should be RUT2 WAN IP. You should be able to ping this IP from RUT1 WAN IP. | + | - Remote endpoint: '''''192.168.1.14''''' // This should be RUT2 WAN IP. You should be able to ping this IP from RUT1 WAN IP. |
| | | |
− | - Authentication method: `X.509` | + | - Authentication method: '''''X.509''''' |
| | | |
− | - Key: `RUT1.key.pem` // Browse and import the RUT1.key.pem we created & downloaded earlier. | + | - Key: '''''RUT1.key.pem''''' // Browse and import the RUT1.key.pem we created & downloaded earlier. |
| | | |
| - Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps. | | - Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps. |
| | | |
− | - Local certificate: `RUT1.cert.pem` // Browse and import the RUT1.cert.pem we created & downloaded earlier. | + | - Local certificate: '''''RUT1.cert.pem''''' // Browse and import the RUT1.cert.pem we created & downloaded earlier. |
| | | |
− | - CA certificate: `CAIPSec.cert.pem` // Browse and import the CAIPSec.cert.pem we created & downloaded earlier. | + | - CA certificate: '''''CAIPSec.cert.pem''''' // Browse and import the CAIPSec.cert.pem we created & downloaded earlier. |
| | | |
− | - Local identifier: `192.168.3.1` // We will use the LAN IP of RUT1 for the Identifier | + | - Local identifier: '''''192.168.3.1''''' // We will use the LAN IP of RUT1 for the Identifier |
| | | |
− | - Remote identifier: `192.168.14.1` // We will use the LAN IP of RUT2 for the Identifier | + | - Remote identifier: '''''192.168.14.1''''' // We will use the LAN IP of RUT2 for the Identifier |
| <br> | | <br> |
| | | |
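Review bot: Local identifier 192.168.3.1 and Remote identifier 192.168.14.1 (the LAN IPs) are set together with X.509 authentication, but none of the visible certificate steps puts these addresses into a certificate subject or subjectAltName, and strongSwan checks the IKE identity it receives against the peer's certificate. Either document the CSR fields that carry these IPs, or explain how the identifiers are expected to match the certificates; otherwise a reader copying these values may see the tunnel fail at authentication. The Remote endpoint comment could also say that 192.168.1.14 is this lab's value, since readers will substitute their own WAN IP.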
Line 286: |
Line 286: |
| * IPsec Instance Advanced settings configuration as follows: | | * IPsec Instance Advanced settings configuration as follows: |
| | | |
− | - Remote certificate: `RUT2.cert.pem` // Upload RUT2 cert we created earlier. | + | - Remote certificate: '''''RUT2.cert.pem''''' // Upload RUT2 cert we created earlier. |
| <br> | | <br> |
| | | |
Line 295: |
Line 295: |
| * Connection settings General settings configuration as follows: | | * Connection settings General settings configuration as follows: |
| | | |
− | - Mode: `Start` // start loads a connection and brings | + | - Mode: '''''Start''''' // start loads a connection and brings |
| it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection) | | it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection) |
| | | |
− | - Type: `Tunnel` | + | - Type: '''''Tunnel''''' |
| | | |
− | - Default route: `off` // Only use this if you want your default route to be out this tunnel. | + | - Default route: '''''off''''' // Only use this if you want your default route to be out this tunnel. |
| | | |
− | - Local subnet: `192.168.3.0/24` // RUT1 LAN subnet we want access to through the tunnel | + | - Local subnet: '''''192.168.3.0/24''''' // RUT1 LAN subnet we want access to through the tunnel |
| | | |
− | - Remote subnet: `192.168.14.0/24` // RUT2 LAN subnet we want access to through the tunnel | + | - Remote subnet: '''''192.168.14.0/24''''' // RUT2 LAN subnet we want access to through the tunnel |
| | | |
− | - Key exchange: `IKEv2` | + | - Key exchange: '''''IKEv2''''' |
| <br> | | <br> |
| | | |
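Review bot: the link in the Mode comment points to https://wiki.strongswan.org/projects/strongswan/wiki/Connsection, which looks like a typo for the ConnSection page, so the reference will not resolve as written; "reference *auto* here" also uses Markdown asterisks rather than wiki markup. The same comment is split across two table rows ("brings" / "it up immediately"), so the rendered diff shows a broken sentence; keep the comment on one row.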
Line 315: |
Line 315: |
| * Connection settings Advanced settings configuration as follows: | | * Connection settings Advanced settings configuration as follows: |
| | | |
− | - Force encapsulation: `On` | + | - Force encapsulation: '''''On''''' |
| | | |
− | - Local Firewall: `On` | + | - Local Firewall: '''''On''''' |
| | | |
− | - Remote Firewall: `On` | + | - Remote Firewall: '''''On''''' |
| | | |
− | - Inactivity: `3600` // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing. | + | - Inactivity: '''''3600''''' // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing. |
| | | |
− | - Dead peer detection: `On` | + | - Dead peer detection: '''''On''''' |
| | | |
− | - DPD action: `Restart` | + | - DPD action: '''''Restart''''' |
| | | |
− | - DPD delay: `30` // This is in seconds. | + | - DPD delay: '''''30''''' // This is in seconds. |
| | | |
− | - DPD Timeout: `150` // This is in seconds. | + | - DPD Timeout: '''''150''''' // This is in seconds. |
| | | |
| - The rest of the configuration leave as default | | - The rest of the configuration leave as default |
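Review bot: the Inactivity comment describes 3600 as how often the tunnel is checked, but in strongSwan `inactivity` is an idle timeout: a CHILD_SA that has sent and received no traffic for that many seconds is closed, so the comment should say the tunnel is torn down after an hour without traffic rather than polled every hour. Also, strongSwan's `dpdtimeout` applies only to IKEv1; with Key exchange set to IKEv2 in the Line 295 hunk, peer liveness is governed by the retransmission timeout, so the page should note that DPD Timeout 150 has no effect here or drop the field.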
Line 343: |
Line 343: |
| * Phase 1 | | * Phase 1 |
| - Proposals // It is VERY important that these settings match between both RUT1 & RUT2 | | - Proposals // It is VERY important that these settings match between both RUT1 & RUT2 |
− | - Encryption: `AES 128` | + | - Encryption: '''''AES 128''''' |
| | | |
− | - Authentication: `SHA1` | + | - Authentication: '''''SHA1''''' |
| | | |
− | - DH group: `MODP1536` | + | - DH group: '''''MODP1536''''' |
| | | |
− | - Force crypto proposal: `Off` | + | - Force crypto proposal: '''''Off''''' |
| | | |
− | - IKE lifetime: `3h` | + | - IKE lifetime: '''''3h''''' |
| <br> | | <br> |
| | | |
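Review bot: the Phase 1 proposal AES 128 / SHA1 / MODP1536 is a legacy suite; SHA-1 and a 1536-bit MODP group are below current guidance, and since both ends are RUT units under the author's control, the page could recommend SHA256 with MODP2048 or higher where the firmware offers it. Also, Force crypto proposal Off typically corresponds to strongSwan's non-strict proposal handling, in which suites other than the listed one may still be negotiated; that sits oddly with the comment that these settings must match exactly, so either document why strict is left off or set it On.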
Line 360: |
Line 360: |
| * Phase 2 | | * Phase 2 |
| - Proposals // It is VERY important that these settings match between both RUT1 & RUT2 | | - Proposals // It is VERY important that these settings match between both RUT1 & RUT2 |
− | - Encryption: `AES 128` | + | - Encryption: '''''AES 128''''' |
| | | |
− | - Hash: `SHA1` | + | - Hash: '''''SHA1''''' |
| | | |
− | - PFS group: `MODP1536` | + | - PFS group: '''''MODP1536''''' |
| | | |
− | - Force crypto proposal: `Off` | + | - Force crypto proposal: '''''Off''''' |
| | | |
− | - IKE lifetime: `3h` | + | - IKE lifetime: '''''3h''''' |
| <br> | | <br> |
| | | |
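Review bot: Phase 2 repeats "IKE lifetime: 3h" from Phase 1, but the lifetime negotiated in Phase 2 is the IPsec (ESP / CHILD SA) lifetime, not the IKE SA lifetime; check the field name shown in the WebUI and relabel it so readers do not take the two fields for the same timer. SHA1 as the Phase 2 hash is likewise a legacy choice; SHA256 is preferable where both units support it.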
Line 375: |
Line 375: |
| <br> | | <br> |
| | | |
− | * Hit 'Save & Apply' | + | * Hit '''''Save & Apply''''' |
− | * Toggle the CA_EX tunnel on and hit 'Save & Apply' once more | + | * Toggle the CA_EX tunnel on and hit '''''Save & Apply''''' once more |
| <br> | | <br> |
| [[File:RUT1 IPSec Toggle On Save And Apply.png|frame|none]] | | [[File:RUT1 IPSec Toggle On Save And Apply.png|frame|none]] |