Changes

no edit summary
Line 45: Line 45:  
- File Type: '''''CA'''''
 
- File Type: '''''CA'''''
   −
- Key Size: `1024`
+
- Key Size: '''''1024'''''
   −
- Name (CN): `CAIPSec` // This can be whatever name you choose.
+
- Name (CN): '''''CAIPSec''''' // This can be whatever name you choose.
   −
- Subject Information: `Toggled On` // It is recommended to fill out at least Country Code, State/Province and Organization Name.
+
- Subject Information: '''''Toggled On''''' // It is recommended to fill out at least Country Code, State/Province and Organization Name.
   −
- Country Code (CC): `US` // Fill your country code
+
- Country Code (CC): '''''US''''' // Fill your country code
   −
- State or Province Name (ST): `TX` // Fill your State/Province name
+
- State or Province Name (ST): '''''TX''''' // Fill your State/Province name
   −
- Locality Name (L): `CAIPSec` // Fill your locality name, or at least a recognizable name for your CA
+
- Locality Name (L): '''''CAIPSec''''' // Fill your locality name, or at least a recognizable name for your CA
   −
- Organization Name (O): `CAIPSec` // Fill your Organization name
+
- Organization Name (O): '''''CAIPSec''''' // Fill your Organization name
   −
- Organizational Unit Name (OU): `CAIPSEC` // Fill your specific Unit Name
+
- Organizational Unit Name (OU): '''''CAIPSEC''''' // Fill your specific Unit Name
   −
- `Generate` Certificate
+
- '''''Generate''''' Certificate
 
<br>
 
<br>
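Review bot: `- Key Size: '''''1024'''''` is too small for a CA key; 1024-bit RSA has been deprecated for signature generation since 2013 (NIST SP 800-131A) and is rejected by a growing number of validators. Use 2048 bits at minimum (4096 is reasonable for a CA that only ever signs two router certificates) and apply the same change to the client certificates later in the procedure. The markup change itself is fine, but since the whole page is being re-marked-up this is the moment to correct the value.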
   Line 75: Line 75:  
<br>
 
<br>
 
Next we need to sign the CAIPSec CA. We will be Self-Signing our own CA.
 
Next we need to sign the CAIPSec CA. We will be Self-Signing our own CA.
Under the `Certificate signing` configure as follows:
+
Under the '''Certificate signing''' configure as follows:
   −
- Signed Certificate Name: `CAIPSec`
+
- Signed Certificate Name: '''''CAIPSec'''''
   −
- Type of Certificate to Sign: `Certificate Authority`
+
- Type of Certificate to Sign: '''''Certificate Authority'''''
   −
- Certificate Request File: `CAIPSec.req.pem`
+
- Certificate Request File: '''''CAIPSec.req.pem'''''
   −
- Days Valid: `3650` // For this example we will use 3650 days, but you can configure this to be longer if needed. I would caution against too long of a CA.
+
- Days Valid: '''''3650''''' // For this example we will use 3650 days, but you can configure this to be longer if needed. I would caution against too long of a CA.
   −
- Certificate Authority Key: `CAIPSec.key.pem`
+
- Certificate Authority Key: '''''CAIPSec.key.pem'''''
    
- Leave the rest of the configuration default
 
- Leave the rest of the configuration default
   −
- `Sign`
+
- '''''Sign'''''
 
<br>
 
<br>
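Review bot: `- Certificate Authority Key: '''''CAIPSec.key.pem'''''` uses the CA private key but the hunk says nothing about protecting it; add a sentence that this key signs every certificate the tunnel will trust, so it must stay on the device that generated it (or be taken offline) and must never be copied to the peer routers. The caution on `Days Valid: '''''3650'''''` ('too long of a CA') would also read better if it stated the actual trade-off: nothing on this page configures revocation (no CRL or OCSP), so a compromised CA key stays trusted for the whole validity period.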
   Line 107: Line 107:  
The following are the settings used for this example, but values should be changed depending on your specific needs:
 
The following are the settings used for this example, but values should be changed depending on your specific needs:
   −
- File Type: `Client`
+
- File Type: '''''Client'''''
   −
- Key Size: `1024`
+
- Key Size: '''''1024'''''
   −
- Name (CN): `RUT1` // This can be whatever name you choose.
+
- Name (CN): '''''RUT1''''' // This can be whatever name you choose.
   −
- Subject Information: `Toggled On` // It is recommended to fill out at least Country Code, State/Province and Organization Name.
+
- Subject Information: '''''Toggled On''''' // It is recommended to fill out at least Country Code, State/Province and Organization Name.
   −
- Country Code (CC): `US` // Fill your country code
+
- Country Code (CC): '''''US''''' // Fill your country code
   −
- State or Province Name (ST): `TX` // Fill your State/Province name
+
- State or Province Name (ST): '''''TX''''' // Fill your State/Province name
   −
- Locality Name (L): `RUT1` // Fill your locality name, or at least a recognizable name for your CA
+
- Locality Name (L): '''''RUT1''''' // Fill your locality name, or at least a recognizable name for your CA
   −
- Organization Name (O): `RUT1` // Fill your Organization name
+
- Organization Name (O): '''''RUT1''''' // Fill your Organization name
   −
- Organizational Unit Name (OU): `RUT1` // Fill your specific Unit Name
+
- Organizational Unit Name (OU): '''''RUT1''''' // Fill your specific Unit Name
   −
- `Generate` Certificate
+
- '''''Generate''''' Certificate
 
<br>
 
<br>
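Review bot: the comment on `- Locality Name (L): '''''RUT1'''''` still reads 'or at least a recognizable name for your CA', copied from the CA section; this is a client certificate, so it should say something like 'a recognizable name for this router'. `- Key Size: '''''1024'''''` has the same problem as the CA key: use at least 2048 bits.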
   Line 141: Line 141:  
Under the `Certificate signing` configure as follows:
 
Under the `Certificate signing` configure as follows:
   −
- Signed Certificate Name: `RUT1`
+
- Signed Certificate Name: '''''RUT1'''''
   −
- Type of Certificate to Sign: `Client Certificate`
+
- Type of Certificate to Sign: '''''Client Certificate'''''
   −
- Certificate Request File: `RUT1.req.pem`
+
- Certificate Request File: '''''RUT1.req.pem'''''
   −
- Days Valid: `3650`
+
- Days Valid: '''''3650'''''
   −
- Certificate Authority File: `CAIPSec.cert.pem`
+
- Certificate Authority File: '''''CAIPSec.cert.pem'''''
   −
- Certificate Authority Key: `CAIPSec.key.pem`
+
- Certificate Authority Key: '''''CAIPSec.key.pem'''''
    
- Leave the rest of the configuration alone
 
- Leave the rest of the configuration alone
   −
- `Sign`
+
- '''''Sign'''''
 
<br>
 
<br>
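Review bot: `- Days Valid: '''''3650'''''` gives the client certificate the same lifetime as the CA signed earlier. A leaf signed after the CA will outlive the CA, and chain validation fails as soon as the CA's notAfter passes, so the last stretch of the client lifetime is unusable; give leaves a shorter lifetime (one or two years is common) and note that both routers must be re-issued before expiry. 'Leave the rest of the configuration alone' also differs from 'default' in the CA hunk; pick one wording.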
   Line 177: Line 177:  
The following are the settings used for this example, but values should be changed depending on your specific needs:
 
The following are the settings used for this example, but values should be changed depending on your specific needs:
   −
- File Type: `Client`
+
- File Type: '''''Client'''''
   −
- Key Size: `1024`
+
- Key Size: '''''1024'''''
   −
- Name (CN): `RUT2` // This can be whatever name you choose.
+
- Name (CN): '''''RUT2''''' // This can be whatever name you choose.
   −
- Subject Information: `Toggled On` // It is recommended to fill out at least Country Code, State/Province and Organization Name.
+
- Subject Information: '''''Toggled On''''' // It is recommended to fill out at least Country Code, State/Province and Organization Name.
   −
- Country Code (CC): `US` // Fill your country code
+
- Country Code (CC): '''''US''''' // Fill your country code
   −
- State or Province Name (ST): `TX` // Fill your State/Province name
+
- State or Province Name (ST): '''''TX''''' // Fill your State/Province name
   −
- Locality Name (L): `RUT2` // Fill your locality name, or at least a recognizable name for your CA
+
- Locality Name (L): '''''RUT2''''' // Fill your locality name, or at least a recognizable name for your CA
   −
- Organization Name (O): `RUT2` // Fill your Organization name
+
- Organization Name (O): '''''RUT2''''' // Fill your Organization name
   −
- Organizational Unit Name (OU): `RUT2` // Fill your specific Unit Name
+
- Organizational Unit Name (OU): '''''RUT2''''' // Fill your specific Unit Name
   −
- `Generate` Certificate
+
- '''''Generate''''' Certificate
 
<br>
 
<br>
   Line 210: Line 210:  
Under the `Certificate signing` configure as follows:
 
Under the `Certificate signing` configure as follows:
   −
- Signed Certificate Name: `RUT2`
+
- Signed Certificate Name: '''''RUT2'''''
   −
- Type of Certificate to Sign: `Client Certificate`
+
- Type of Certificate to Sign: '''''Client Certificate'''''
   −
- Certificate Request File: `RUT2.req.pem`
+
- Certificate Request File: '''''RUT2.req.pem'''''
   −
- Days Valid: `3650`
+
- Days Valid: '''''3650'''''
   −
- Certificate Authority File: `CAIPSec.cert.pem`
+
- Certificate Authority File: '''''CAIPSec.cert.pem'''''
   −
- Certificate Authority Key: `CAIPSec.key.pem`
+
- Certificate Authority Key: '''''CAIPSec.key.pem'''''
    
- Leave the rest of the configuration alone
 
- Leave the rest of the configuration alone
   −
- `Sign`
+
- '''''Sign'''''
 
<br>
 
<br>
   Line 243: Line 243:  
* Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager'''
 
* Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager'''
 
* Download CAIPSec.cert.pem, RUT1.cert.pem, RUT1.key.pem, RUT2.cert.pem & RUT2.key.pem
 
* Download CAIPSec.cert.pem, RUT1.cert.pem, RUT1.key.pem, RUT2.cert.pem & RUT2.key.pem
* Go to '''System → Administration → Certificates -> Root CA'''. Toggle `On`. Select `CAIPSec.cert.pem` -> `Upload` & then `Save`
+
* Go to '''System → Administration → Certificates -> Root CA'''. Toggle '''On'''. Select '''CAIPSec.cert.pem''' -> '''Upload''' & then '''Save'''
    
Next moving to RUT2
 
Next moving to RUT2
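Review bot: the download list `CAIPSec.cert.pem, RUT1.cert.pem, RUT1.key.pem, RUT2.cert.pem & RUT2.key.pem` moves RUT2's private key through the workstation and leaves a copy on RUT1, which never needs it. That is acceptable for a lab, but the page should say so and tell the reader to delete RUT2.key.pem from RUT1 and from the workstation once it has been imported on RUT2 (the cleaner option is to generate the RUT2 key pair on RUT2 and move only the request). The CA private key CAIPSec.key.pem is correctly absent from the list; it is worth stating that explicitly.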
Line 249: Line 249:  
* Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager'''
 
* Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager'''
 
* Import Certificate File *Browse* and import CAIPSec.cert.pem, RUT1.cert.pem, RUT2.cert.pem & RUT2.key.pem
 
* Import Certificate File *Browse* and import CAIPSec.cert.pem, RUT1.cert.pem, RUT2.cert.pem & RUT2.key.pem
* Go to '''System → Administration → Certificates -> Root CA'''. Toggle `On`. Select `CAIPSec.cert.pem` -> `Upload` & then `Save`
+
* Go to '''System → Administration → Certificates -> Root CA'''. Toggle '''On'''. Select '''CAIPSec.cert.pem''' -> '''Upload''' & then '''Save'''
    
===IPSec RUT1 Config===
 
===IPSec RUT1 Config===
Line 255: Line 255:     
* Login to the router's WebUI and go to '''System → Services → VPN -> IPsec'''
 
* Login to the router's WebUI and go to '''System → Services → VPN -> IPsec'''
* Add a new instance called `CA_EX`
+
* Add a new instance called '''CA_EX'''
 
<br>
 
<br>
   Line 263: Line 263:  
* IPsec Instance General settings configuration as follows:
 
* IPsec Instance General settings configuration as follows:
 
    
 
    
- Remote endpoint: `192.168.1.14` // This should be RUT2 WAN IP. You should be able to ping this IP from RUT1 WAN IP.
+
    - Remote endpoint: '''''192.168.1.14''''' // This should be RUT2 WAN IP. You should be able to ping this IP from RUT1 WAN IP.
   −
- Authentication method: `X.509`
+
    - Authentication method: '''''X.509'''''
   −
- Key: `RUT1.key.pem` // Browse and import the RUT1.key.pem we created & downloaded earlier.
+
    - Key: '''''RUT1.key.pem''''' // Browse and import the RUT1.key.pem we created & downloaded earlier.
   −
- Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps.
+
    - Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps.
   −
- Local certificate: `RUT1.cert.pem` // Browse and import the RUT1.cert.pem we created & downloaded earlier.
+
    - Local certificate: '''''RUT1.cert.pem''''' // Browse and import the RUT1.cert.pem we created & downloaded earlier.
   −
- CA certificate: `CAIPSec.cert.pem` // Browse and import the CAIPSec.cert.pem we created & downloaded earlier.
+
    - CA certificate: '''''CAIPSec.cert.pem''''' // Browse and import the CAIPSec.cert.pem we created & downloaded earlier.
   −
- Local identifier: `192.168.3.1` // We will use the LAN IP of RUT1 for the Identifier
+
    - Local identifier: '''''192.168.3.1''''' // We will use the LAN IP of RUT1 for the Identifier
   −
- Remote identifier: `192.168.14.1` // We will use the LAN IP of RUT2 for the Identifier
+
    - Remote identifier: '''''192.168.14.1''''' // We will use the LAN IP of RUT2 for the Identifier
 
<br>
 
<br>
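Review bot: the comment on `- Key decryption passphrase` says the password would be 'added to the cert'; a passphrase protects the private key file (RUT1.key.pem), not the certificate. Separately, `- Local identifier: '''''192.168.3.1'''''` and `- Remote identifier: '''''192.168.14.1'''''` are LAN IPs that appear nowhere in the certificates generated earlier (subject CN is RUT1/RUT2 and no subjectAltName was set). strongSwan requires the IKE identity to match the certificate subject DN or one of its SANs, so if authentication fails with 'no trusted RSA public key found', set the identifiers to the certificate subject or add the IPs as SANs; the page should state which of the two it relies on.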
   Line 286: Line 286:  
* IPsec Instance Advanced settings configuration as follows:
 
* IPsec Instance Advanced settings configuration as follows:
 
    
 
    
- Remote certificate: `RUT2.cert.pem` // Upload RUT2 cert we created earlier.
+
    - Remote certificate: '''''RUT2.cert.pem''''' // Upload RUT2 cert we created earlier.
 
<br>
 
<br>
   Line 295: Line 295:  
* Connection settings General settings configuration as follows:
 
* Connection settings General settings configuration as follows:
   −
- Mode: `Start` // start loads a connection and brings
+
    - Mode: '''''Start''''' // start loads a connection and brings
 
it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection)
 
it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection)
   −
- Type: `Tunnel`
+
    - Type: '''''Tunnel'''''
   −
- Default route: `off` // Only use this if you want your default route to be out this tunnel.
+
    - Default route: '''''off''''' // Only use this if you want your default route to be out this tunnel.
   −
- Local subnet: `192.168.3.0/24` // RUT1 LAN subnet we want access to through the tunnel
+
    - Local subnet: '''''192.168.3.0/24''''' // RUT1 LAN subnet we want access to through the tunnel
   −
- Remote subnet: `192.168.14.0/24` // RUT2 LAN subnet we want access to through the tunnel
+
    - Remote subnet: '''''192.168.14.0/24''''' // RUT2 LAN subnet we want access to through the tunnel
   −
- Key exchange: `IKEv2`
+
    - Key exchange: '''''IKEv2'''''
 
<br>
 
<br>
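Review bot: the link in the `Mode: '''''Start'''''` comment is misspelled: the strongSwan wiki page is `ConnSection` (https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection), not `Connsection`; the `auto` keyword is documented there. The comment is also split mid-sentence across two list items ('...and brings' / 'it up immediately'), which the markup change does not fix.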
   Line 315: Line 315:  
* Connection settings Advanced settings configuration as follows:
 
* Connection settings Advanced settings configuration as follows:
   −
- Force encapsulation: `On`
+
    - Force encapsulation: '''''On'''''
   −
- Local Firewall: `On`
+
    - Local Firewall: '''''On'''''
   −
- Remote Firewall: `On`
+
    - Remote Firewall: '''''On'''''
   −
- Inactivity: `3600` // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing.
+
    - Inactivity: '''''3600''''' // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing.
   −
- Dead peer detection: `On`
+
    - Dead peer detection: '''''On'''''
   −
- DPD action: `Restart`
+
    - DPD action: '''''Restart'''''
   −
- DPD delay: `30` // This is in seconds.
+
    - DPD delay: '''''30''''' // This is in seconds.
   −
- DPD Timeout: `150` // This is in seconds.
+
    - DPD Timeout: '''''150''''' // This is in seconds.
   −
- The rest of the configuration leave as default
+
    - The rest of the configuration leave as default
    
<br>
 
<br>
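Review bot: the comment on `- Inactivity: '''''3600'''''` is wrong: strongSwan's inactivity value is not a polling interval, it closes the CHILD_SA after that many seconds without traffic (with DPD action Restart the tunnel is then re-established). Also `- DPD Timeout: '''''150'''''` has no effect with the `IKEv2` key exchange chosen in the previous hunk; dpdtimeout applies to IKEv1 only, and IKEv2 relies on the retransmission timeout instead. Either drop the field or say it is ignored here.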
Line 343: Line 343:  
* Phase 1
 
* Phase 1
 
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
   - Encryption: `AES 128`
+
   - Encryption: '''''AES 128'''''
   −
   - Authentication: `SHA1`
+
   - Authentication: '''''SHA1'''''
   −
   - DH group: `MODP1536`
+
   - DH group: '''''MODP1536'''''
   −
- Force crypto proposal: `Off`
+
  - Force crypto proposal: '''''Off'''''
   −
- IKE lifetime: `3h`
+
  - IKE lifetime: '''''3h'''''
 
<br>
 
<br>
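Review bot: the Phase 1 proposal `AES 128` / `SHA1` / `MODP1536` is weak for a new deployment: SHA1 integrity and the 1536-bit MODP group (DH group 5) are deprecated, and with `- Force crypto proposal: '''''Off'''''` strongSwan's default proposal set is offered alongside the configured one. Since the page configures both ends, switch both to SHA256 (or AES-GCM) with MODP2048 or an ECP group, and turn 'Force crypto proposal' on so only the documented proposal is negotiated.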
   Line 360: Line 360:  
* Phase 2
 
* Phase 2
 
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
   - Encryption: `AES 128`
+
   - Encryption: '''''AES 128'''''
   −
   - Hash: `SHA1`
+
   - Hash: '''''SHA1'''''
   −
   - PFS group: `MODP1536`
+
   - PFS group: '''''MODP1536'''''
   −
- Force crypto proposal: `Off`
+
  - Force crypto proposal: '''''Off'''''
   −
- IKE lifetime: `3h`
+
  - IKE lifetime: '''''3h'''''
 
<br>
 
<br>
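Review bot: the last Phase 2 item `- IKE lifetime: '''''3h'''''` is mislabeled; the IKE (Phase 1) lifetime was set in the previous hunk, and the Phase 2 value is the IPsec (CHILD_SA) lifetime, `lifetime=` rather than `ikelifetime=` on the strongSwan side. The proposal has the same weaknesses as Phase 1 (`SHA1`, `MODP1536`) and should be raised together with it.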
   Line 375: Line 375:  
<br>
 
<br>
   −
* Hit 'Save & Apply'
+
* Hit '''''Save & Apply'''''
* Toggle the CA_EX tunnel on and hit 'Save & Apply' once more
+
* Toggle the CA_EX tunnel on and hit '''''Save & Apply''''' once more
 
<br>
 
<br>
 
[[File:RUT1 IPSec Toggle On Save And Apply.png|frame|none]]
 
[[File:RUT1 IPSec Toggle On Save And Apply.png|frame|none]]
Line 389: Line 389:     
* Login to the router's WebUI and go to '''System → Services → VPN -> IPsec'''
 
* Login to the router's WebUI and go to '''System → Services → VPN -> IPsec'''
* Add a new instance called `CA_EX`
+
* Add a new instance called '''CA_EX'''
 
<br>
 
<br>
   Line 398: Line 398:  
* IPsec Instance General settings configuration as follows:
 
* IPsec Instance General settings configuration as follows:
 
    
 
    
- Remote endpoint: `192.168.1.3` // This should be RUT1 WAN IP. You should be able to ping this IP from RUT2 WAN IP.
+
    - Remote endpoint: '''''192.168.1.3''''' // This should be RUT1 WAN IP. You should be able to ping this IP from RUT2 WAN IP.
   −
- Authentication method: `X.509`
+
    - Authentication method: '''''X.509'''''
   −
- Key: `RUT2.key.pem` // Browse and import the RUT2.key.pem we created & downloaded earlier.
+
    - Key: '''''RUT2.key.pem''''' // Browse and import the RUT2.key.pem we created & downloaded earlier.
   −
- Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps.
+
    - Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps.
   −
- Local certificate: `RUT2.cert.pem` // Browse and import the RUT1.cert.pem we created & downloaded earlier.
+
    - Local certificate: '''''RUT2.cert.pem''''' // Browse and import the RUT1.cert.pem we created & downloaded earlier.
   −
- CA certificate: `CAIPSec.cert.pem` // Browse and import the CAIPSec.cert.pem we created & downloaded earlier.
+
    - CA certificate: '''''CAIPSec.cert.pem''''' // Browse and import the CAIPSec.cert.pem we created & downloaded earlier.
   −
- Local identifier: `192.168.14.1` // We will use the LAN IP of RUT2 for the Identifier
+
    - Local identifier: '''''192.168.14.1''''' // We will use the LAN IP of RUT2 for the Identifier
   −
- Remote identifier: `192.168.3.1` // We will use the LAN IP of RUT1 for the Identifier
+
    - Remote identifier: '''''192.168.3.1''''' // We will use the LAN IP of RUT1 for the Identifier
 
<br>
 
<br>
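Review bot: the comment on `- Local certificate: '''''RUT2.cert.pem'''''` says 'import the RUT1.cert.pem'; on RUT2 the local certificate is RUT2.cert.pem (the value is right, the comment is a copy-paste leftover from the RUT1 section). RUT1's certificate is imported in the next hunk as the remote certificate.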
   Line 421: Line 421:  
* Connection settings Advanced settings configuration as follows:
 
* Connection settings Advanced settings configuration as follows:
 
    
 
    
- Remote certificate: `RUT1.cert.pem` // Upload RUT1 cert we created earlier.
+
    - Remote certificate: '''''RUT1.cert.pem''''' // Upload RUT1 cert we created earlier.
 
<br>
 
<br>
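Review bot: this heading reads 'Connection settings Advanced settings', but the field it introduces, `- Remote certificate: '''''RUT1.cert.pem'''''`, belongs to the IPsec Instance Advanced settings (as the RUT1 section at Line 286 has it); with the same heading used again for the following Connection settings Advanced hunk, the reader gets two different sections under one name.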
   Line 430: Line 430:  
* Connection settings General settings configuration as follows:
 
* Connection settings General settings configuration as follows:
   −
- Mode: `Start` // start loads a connection and brings
+
    - Mode: '''''Start''''' // start loads a connection and brings
 
it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection)
 
it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection)
   −
- Type: `Tunnel`
+
    - Type: '''''Tunnel'''''
   −
- Default route: `off` // Only use this if you want your default route to be out this tunnel.
+
    - Default route: '''''off''''' // Only use this if you want your default route to be out this tunnel.
   −
- Local subnet: `192.168.14.0/24` // RUT2 LAN subnet we want access to through the tunnel
+
    - Local subnet: '''''192.168.14.0/24''''' // RUT2 LAN subnet we want access to through the tunnel
   −
- Remote subnet: `192.168.3.0/24` // RUT1 LAN subnet we want access to through the tunnel
+
    - Remote subnet: '''''192.168.3.0/24''''' // RUT1 LAN subnet we want access to through the tunnel
   −
- Key exchange: `IKEv2`
+
    - Key exchange: '''''IKEv2'''''
 
<br>
 
<br>
   Line 450: Line 450:  
* Connection settings Advanced settings configuration as follows:
 
* Connection settings Advanced settings configuration as follows:
   −
- Force encapsulation: `On`
+
    - Force encapsulation: '''''On'''''
   −
- Local Firewall: `On`
+
    - Local Firewall: '''''On'''''
   −
- Remote Firewall: `On`
+
    - Remote Firewall: '''''On'''''
   −
- Inactivity: `3600` // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing.
+
    - Inactivity: '''''3600''''' // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing.
   −
- Dead peer detection: `On`
+
    - Dead peer detection: '''''On'''''
   −
- DPD action: `Restart`
+
    - DPD action: '''''Restart'''''
   −
- DPD delay: `30` // This is in seconds.
+
    - DPD delay: '''''30''''' // This is in seconds.
   −
- DPD Timeout: `150` // This is in seconds.
+
    - DPD Timeout: '''''150''''' // This is in seconds.
   −
- The rest of the configuration leave as default
+
    - The rest of the configuration leave as default
 
<br>
 
<br>
   Line 477: Line 477:  
* Phase 1
 
* Phase 1
 
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
   - Encryption: `AES 128`
+
   - Encryption: '''''AES 128'''''
   −
   - Authentication: `SHA1`
+
   - Authentication: '''''SHA1'''''
   −
   - DH group: `MODP1536`
+
   - DH group: '''''MODP1536'''''
   −
- Force crypto proposal: `Off`
+
  - Force crypto proposal: '''''Off'''''
   −
- IKE lifetime: `3h`
+
  - IKE lifetime: '''''3h'''''
 
<br>
 
<br>
   Line 494: Line 494:  
* Phase 2
 
* Phase 2
 
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
   - Encryption: `AES 128`
+
   - Encryption: '''''AES 128'''''
 
    
 
    
   - Hash: `SHA1`
+
   - Hash: '''''SHA1'''''
 
    
 
    
   - PFS group: `MODP1536`
+
   - PFS group: '''''MODP1536'''''
 
    
 
    
- Force crypto proposal: `Off`
+
  - Force crypto proposal: '''''Off'''''
   −
- IKE lifetime: `3h`
+
  - IKE lifetime: '''''3h'''''
 
<br>
 
<br>
   Line 509: Line 509:  
<br>
 
<br>
   −
* Hit 'Save & Apply'
+
* Hit '''''Save & Apply'''''
* Toggle the CA_EX tunnel on and hit 'Save & Apply' once more
+
* Toggle the CA_EX tunnel on and hit '''''Save & Apply''''' once more
 
<br>
 
<br>
   Line 532: Line 532:  
* First make sure each device has been rebooted at least once after you have finished configuring the previous steps.
 
* First make sure each device has been rebooted at least once after you have finished configuring the previous steps.
 
* SSH into RUT1 device
 
* SSH into RUT1 device
* `ipsec statusall` // This should show 2 up with Security Associations and that the connection should be up for some minutes. You should also see the Cert info from the certs we created earlier.
+
* '''''ipsec statusall''''' // This should show 2 up with Security Associations and that the connection should be up for some minutes. You should also see the Cert info from the certs we created earlier.
 
<br>
 
<br>
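Review bot: `'''''ipsec statusall'''''` with 'should show 2 up' needs an explanation: a single tunnel normally shows `Security Associations (1 up, 0 connecting)`; two IKE_SAs for the same peer usually means both routers initiated, because both were given `Mode: Start`. That works, but it is cleaner to leave one side on Start and the other on Route (or Add) so only one side initiates. Also spell out what to check in the output: the CA_EX entry is ESTABLISHED, the local and remote identities are the ones configured, and the peer certificate line shows the subject and issuer (CN=CAIPSec) from the certificates created earlier.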
   Line 538: Line 538:     
<br>
 
<br>
* `ping 192.168.14.1` // You should get a response if the tunnel has established properly
+
* '''''ping 192.168.14.1''''' // You should get a response if the tunnel has established properly
 
<br>
 
<br>
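Review bot: `'''''ping 192.168.14.1'''''` from the RUT1 shell does not by itself prove that the packets used the tunnel; if the router picks its WAN address as source, the traffic falls outside the 192.168.3.0/24 <-> 192.168.14.0/24 selector. Source the ping from the LAN address, `ping -I 192.168.3.1 192.168.14.1`, so the test matches the traffic selector, and rely on the ESP capture later in the page as the definitive check.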
   Line 546: Line 546:     
* SSH into RUT2 device
 
* SSH into RUT2 device
* `ipsec statusall` // This should show 2 up with Security Associations and that the connection should be up for some minutes. You should also see the Cert info from the certs we created earlier.
+
* '''''ipsec statusall''''' // This should show 2 up with Security Associations and that the connection should be up for some minutes. You should also see the Cert info from the certs we created earlier.
 
<br>
 
<br>
   Line 553: Line 553:  
<br>
 
<br>
   −
* `ping 192.168.3.1` // You should get a response if the tunnel has established properly
+
* '''''ping 192.168.3.1''''' // You should get a response if the tunnel has established properly
 
<br>
 
<br>
   Line 561: Line 561:     
* SSH into RUT1 device
 
* SSH into RUT1 device
* `opkg update`
+
* '''''opkg update'''''
* `opkg install tcpdump`
+
* '''''opkg install tcpdump'''''
* `tcpdump -i any -w Checking_For_ESP_Packets.pcap`
+
* '''''tcpdump -i any -w Checking_For_ESP_Packets.pcap'''''
 
* SSH into RUT2 device
 
* SSH into RUT2 device
 
* On RUT2 ping the LAN ip for RUT1 and leave that running. In our example that would be `ping 192.168.3.1`
 
* On RUT2 ping the LAN ip for RUT1 and leave that running. In our example that would be `ping 192.168.3.1`
 
* On RUT1 wait 10 seconds then CTRL+C to stop the program
 
* On RUT1 wait 10 seconds then CTRL+C to stop the program
* Then use a program like WinSCP to download `Checking_For_ESP_Packets.pcap` from RUT1
+
* Then use a program like WinSCP to download '''Checking_For_ESP_Packets.pcap''' from RUT1
 
* Open the file in a program called Wireshark and filter for encrypted ESP packets with this '''_ws.col.protocol == "ESP"'''. You should see ESP packets from both the WAN IPs. You shouldn't be able to see inside the packet because it is now encrypted, but if we decrypted the packets we would see the ICMP packets between the 2 RUT devices.
 
* Open the file in a program called Wireshark and filter for encrypted ESP packets with this '''_ws.col.protocol == "ESP"'''. You should see ESP packets from both the WAN IPs. You shouldn't be able to see inside the packet because it is now encrypted, but if we decrypted the packets we would see the ICMP packets between the 2 RUT devices.
 
<br>
 
<br>
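Review bot: `tcpdump -i any -w Checking_For_ESP_Packets.pcap` captures everything on every interface, LAN side included, so the file will also contain the plaintext ICMP on the LAN bridge and a reader may conclude that encryption is missing. Capture on the WAN interface with a filter, e.g. `tcpdump -i wan -w Checking_For_ESP_Packets.pcap 'esp or udp port 4500 or icmp'` (replace `wan` with the interface name from `ifconfig`), and state the two things to verify: ESP between the WAN IPs is present (carried in UDP 4500, because Force encapsulation is On), and no cleartext ICMP between 192.168.3.x and 192.168.14.x appears on that interface. In Wireshark the display filter `esp` is equivalent to `_ws.col.protocol == "ESP"`.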
Line 583: Line 583:  
* Disable the firewall. Examples for each OS as follows.
 
* Disable the firewall. Examples for each OS as follows.
 
   * Windows 10/11
 
   * Windows 10/11
     1. Press `Windows-Key + R`
+
     1. Press '''''Windows-Key + R'''''
     2. Type `control` and hit enter
+
     2. Type '''''control''''' and hit enter
 
     3. Navigate to Firewall Settings -> System and Security -> Windows Defender Firewall
 
     3. Navigate to Firewall Settings -> System and Security -> Windows Defender Firewall
 
     4. On the left sidebar, click "Turn Windows Defender Firewall on or off"
 
     4. On the left sidebar, click "Turn Windows Defender Firewall on or off"
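Review bot: 'Disable the firewall' is more than the ping test requires, and the hunk never says to turn it back on. On Windows it is enough to enable the predefined inbound rule 'File and Printer Sharing (Echo Request - ICMPv4-In)' (or `netsh advfirewall firewall add rule name="ICMPv4-In" protocol=icmpv4:8,any dir=in action=allow`), and the page should add a final step that restores the firewall once the tunnel has been verified.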
Line 597: Line 597:  
   * Linux (Ubuntu)
 
   * Linux (Ubuntu)
 
     1. Open a Terminal window
 
     1. Open a Terminal window
     2. `sudo ufw disable`
+
     2. '''''sudo ufw disable'''''
 
* Perform similar steps above for a 2nd device connected to RUT2 LAN
 
* Perform similar steps above for a 2nd device connected to RUT2 LAN
 
* Once both devices are connected to the LAN of RUT1 & RUT2 you should be able to ping the devices from each other.
 
* Once both devices are connected to the LAN of RUT1 & RUT2 you should be able to ping the devices from each other.
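Review bot: `'''''sudo ufw disable'''''` is unnecessary for this test on a default Ubuntu install: ufw's before.rules already accept ICMP echo requests, so ping works with ufw enabled. If the reader does disable it, add `sudo ufw enable` as the step to undo it once the tunnel has been verified.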
