Line 14: |
Line 14: |
| * Two RUTxxx routers of any type | | * Two RUTxxx routers of any type |
| * Both RUTxxx routers must be accessible from each other's WAN connection | | * Both RUTxxx routers must be accessible from each other's WAN connection |
| + | * Firmware for the devices must be 00.07.xx.x or above. This is in part to make sure the StrongSwan service is U5.9.6 or > |
| * (Optional) A second end device to configure and test remote LAN access | | * (Optional) A second end device to configure and test remote LAN access |
| ---- | | ---- |
| | | |
| [Image Here showing RUT1 & RUT2 connected via Wan connection] | | [Image Here showing RUT1 & RUT2 connected via Wan connection] |
− | [RUT1 Wan IP: 10.0.5.1 Lan IP: 192.168.1.1] | + | [RUT1 Wan IP: 192.168.1.3 Lan IP: 192.168.3.1] |
− | [RUT2 Wan IP: 10.0.5.2 Lan IP: 192.168.2.1] | + | [RUT2 Wan IP: 192.168.1.14 Lan IP: 192.168.14.1] |
| | | |
| The figure above depicts two RUTxxx routers (RUT1 and RUT2) connected by an IPsec tunnel via their WAN interfaces. | | The figure above depicts two RUTxxx routers (RUT1 and RUT2) connected by an IPsec tunnel via their WAN interfaces. |
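Review bot: the new firmware requirement line reads "StrongSwan service is U5.9.6 or >", which looks like a stray character and a shorthand comparison; suggest "the strongSwan version is 5.9.6 or newer" so the version is unambiguous for readers checking `ipsec version` on the device. The updated addresses are consistent with the rest of the change (WAN 192.168.1.3 and 192.168.1.14 share one subnet, satisfying the "accessible from each other's WAN" prerequisite, and LAN 192.168.3.1 / 192.168.14.1 match the identifiers and subnets used later), but the "[Image Here ...]" placeholder is still unfilled, so the diagram the text refers to ("The figure above depicts...") does not exist yet.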
Line 159: |
Line 160: |
| | | |
| * Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager''' | | * Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager''' |
− | * Download CAIPSec.cert.pem, RUT2.cert.pem & RUT2.key.pem | + | * Download CAIPSec.cert.pem, RUT1.cert.pem, RUT1.key.pem, RUT2.cert.pem & RUT2.key.pem |
| + | * Go to '''System → Administration → Certificates -> Root CA'''. Toggle `On`. Select `CAIPSec.cert.pem` -> `Upload` & then `Save` |
| | | |
| Next moving to RUT2 | | Next moving to RUT2 |
| | | |
| * Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager''' | | * Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager''' |
− | * Import Certificate File *Browse* and import CAIPSec.cert.pem, RUT2.cert.pem & RUT2.key.pem | + | * Import Certificate File *Browse* and import CAIPSec.cert.pem, RUT1.cert.pem, RUT2.cert.pem & RUT2.key.pem |
| + | * Go to '''System → Administration → Certificates -> Root CA'''. Toggle `On`. Select `CAIPSec.cert.pem` -> `Upload` & then `Save` |
| | | |
| ===IPSec RUT1 Config=== | | ===IPSec RUT1 Config=== |
| ---- | | ---- |
| + | |
| + | * Login to the router's WebUI and go to '''System → Services → VPN -> IPsec''' |
| + | * Add a new instance called `CA_EX` |
| + | [Screenshot Here] |
| + | |
| + | * IPsec Instance General settings configuration as follows: |
| + | |
| + | - Remote endpoint: `192.168.1.14` // This should be RUT2 WAN IP. You should be able to ping this IP from RUT1 WAN IP. |
| + | - Authentication method: `X.509` |
| + | - Key: `RUT1.key.pem` // Browse and import the RUT1.key.pem we created & downloaded earlier. |
| + | - Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps. |
| + | - Local certificate: `RUT1.cert.pem` // Browse and import the RUT1.cert.pem we created & downloaded earlier. |
| + | - CA certificate: `CAIPSec.cert.pem` // Browse and import the CAIPSec.cert.pem we created & downloaded earlier. |
| + | - Local identifier: `192.168.3.1` // We will use the LAN IP of RUT1 for the Identifier |
| + | - Remote identifier: `192.168.14.1` // We will use the LAN IP of RUT2 for the Identifier |
| + | [Screenshot Here] |
| + | |
| + | |
| + | * Connection settings Advanced settings configuration as follows: |
| + | |
| + | - Remote certificate: `RUT2.cert.pem` // Upload RUT2 cert we created earlier. |
| + | |
| + | |
| + | * Connection settings General settings configuration as follows: |
| + | |
| + | - Mode: `Start` // start loads a connection and brings |
| + | it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection) |
| + | - Type: `Tunnel` |
| + | - Default route: `off` // Only use this if you want your default route to be out this tunnel. |
| + | - Local subnet: `192.168.3.0/24` // RUT1 LAN subnet we want access to through the tunnel |
| + | - Remote subnet: `192.168.14.0/24` // RUT2 LAN subnet we want access to through the tunnel |
| + | - Key exchange: `IKEv2` |
| + | [Screenshot Here] |
| + | |
| + | |
| + | * Connection settings Advanced settings configuration as follows: |
| + | |
| + | - Force encapsulation: `On` |
| + | - Local Firewall: `On` |
| + | - Remote Firewall: `On` |
| + | - Inactivity: `3600` // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing. |
| + | - Dead peer detection: `On` |
| + | - DPD action: `Restart` |
| + | - DPD delay: `30` // This is in seconds. |
| + | - DPD Timeout: `150` // This is in seconds. |
| + | - The rest of the configuration leave as default |
| + | [Screenshot Here] |
| + | |
| + | |
| + | * Connection settings Proposal settings configuration as follows: |
| + | |
| + | * Phase 1 |
| + | - Proposals // It is VERY important that these settings match between both RUT1 & RUT2 |
| + | - Encryption: `AES 128` |
| + | - Authentication: `SHA1` |
| + | - DH group: `MODP1536` |
| + | - Force crypto proposal: `Off` |
| + | - IKE lifetime: `3h` |
| + | [Screenshot Here] |
| + | |
| + | * Phase 2 |
| + | - Proposals // It is VERY important that these settings match between both RUT1 & RUT2 |
| + | - Encryption: `AES 128` |
| + | - Hash: `SHA1` |
| + | - PFS group: `MODP1536` |
| + | - Force crypto proposal: `Off` |
| + | - IKE lifetime: `3h` |
| + | [Screenshot Here] |
| + | |
| + | |
| + | * Hit 'Save & Apply' |
| + | * Toggle the CA_EX tunnel on and hit 'Save & Apply' once more |
| + | [Screenshot Here] |
| + | |
| + | * Reboot the device once you have finished. |
| + | |
| | | |
| ===IPSec RUT2 Config=== | | ===IPSec RUT2 Config=== |
| + | ---- |
| + | |
| + | |
| + | * Login to the router's WebUI and go to '''System → Services → VPN -> IPsec''' |
| + | * Add a new instance called `CA_EX` |
| + | [Screenshot Here] |
| + | |
| + | * IPsec Instance General settings configuration as follows: |
| + | |
| + | - Remote endpoint: `192.168.1.3` // This should be RUT1 WAN IP. You should be able to ping this IP from RUT2 WAN IP. |
| + | - Authentication method: `X.509` |
| + | - Key: `RUT2.key.pem` // Browse and import the RUT2.key.pem we created & downloaded earlier. |
| + | - Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps. |
| + | - Local certificate: `RUT2.cert.pem` // Browse and import the RUT1.cert.pem we created & downloaded earlier. |
| + | - CA certificate: `CAIPSec.cert.pem` // Browse and import the CAIPSec.cert.pem we created & downloaded earlier. |
| + | - Local identifier: `192.168.14.1` // We will use the LAN IP of RUT2 for the Identifier |
| + | - Remote identifier: `192.168.3.1` // We will use the LAN IP of RUT1 for the Identifier |
| + | [Screenshot Here] |
| + | |
| + | |
| + | * Connection settings Advanced settings configuration as follows: |
| + | |
| + | - Remote certificate: `RUT1.cert.pem` // Upload RUT1 cert we created earlier. |
| + | |
| + | |
| + | * Connection settings General settings configuration as follows: |
| + | |
| + | - Mode: `Start` // start loads a connection and brings |
| + | it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection) |
| + | - Type: `Tunnel` |
| + | - Default route: `off` // Only use this if you want your default route to be out this tunnel. |
| + | - Local subnet: `192.168.14.0/24` // RUT2 LAN subnet we want access to through the tunnel |
| + | - Remote subnet: `192.168.3.0/24` // RUT1 LAN subnet we want access to through the tunnel |
| + | - Key exchange: `IKEv2` |
| + | [Screenshot Here] |
| + | |
| + | |
| + | * Connection settings Advanced settings configuration as follows: |
| + | |
| + | - Force encapsulation: `On` |
| + | - Local Firewall: `On` |
| + | - Remote Firewall: `On` |
| + | - Inactivity: `3600` // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing. |
| + | - Dead peer detection: `On` |
| + | - DPD action: `Restart` |
| + | - DPD delay: `30` // This is in seconds. |
| + | - DPD Timeout: `150` // This is in seconds. |
| + | - The rest of the configuration leave as default |
| + | [Screenshot Here] |
| + | |
| + | |
| + | * Connection settings Proposal settings configuration as follows: |
| + | |
| + | * Phase 1 |
| + | - Proposals // It is VERY important that these settings match between both RUT1 & RUT2 |
| + | - Encryption: `AES 128` |
| + | - Authentication: `SHA1` |
| + | - DH group: `MODP1536` |
| + | - Force crypto proposal: `Off` |
| + | - IKE lifetime: `3h` |
| + | [Screenshot Here] |
| + | |
| + | * Phase 2 |
| + | - Proposals // It is VERY important that these settings match between both RUT1 & RUT2 |
| + | - Encryption: `AES 128` |
| + | - Hash: `SHA1` |
| + | - PFS group: `MODP1536` |
| + | - Force crypto proposal: `Off` |
| + | - IKE lifetime: `3h` |
| + | [Screenshot Here] |
| + | |
| + | |
| + | * Hit 'Save & Apply' |
| + | * Toggle the CA_EX tunnel on and hit 'Save & Apply' once more |
| + | [Screenshot Here] |
| + | |
| + | * Reboot the device once you have finished. |
| + | |
| + | |
| + | ==Testing configuration== |
| + | ---- |
| + | |
| + | Here we will check via SSH on both RUT1 & RUT2 devices that the IPsec tunnel has been established. |
| + | That each RUT device can ping the other's LAN IP. In this case 192.168.3.1 for RUT1 & 192.168.14.1 for RUT2. |
| + | And that LAN device on RUT1 can ping LAN device on RUT2. |
| + | |
| + | ===RUT1 to RUT2 Test=== |
| + | ---- |
| + | |
| + | * First make sure each device has been rebooted at least once after you have finished configuring the previous steps. |
| + | * SSH into RUT1 device. |
| + | * `ipsec statusall` // This should show 2 up with Security Associations and that the connection should be up for some minutes. You should also see the Cert info from the certs we created earlier. |
| + | [Screenshot Here] |
| + | |
| + | * `ping 192.168.14.1` // You should get a response if the tunnel has established properly. |
| + | [Screenshot Here] |
| + | |
| + | * SSH into RUT2 device. |
| + | * `ipsec statusall` // This should show 2 up with Security Associations and that the connection should be up for some minutes. You should also see the Cert info from the certs we created earlier. |
| + | [Screenshot Here] |
| + | |
| + | * `ping 192.168.3.1` // You should get a response if the tunnel has established properly. |
| + | [Screenshot Here] |
| + | |
| + | ===RUT1 LAN device to RUT2 LAN device Test=== |
| ---- | | ---- |
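Review bot: in the RUT2 General settings the "Local certificate" line says `RUT2.cert.pem` but its comment still reads "Browse and import the RUT1.cert.pem we created & downloaded earlier", a copy-paste leftover from the RUT1 section; the comment should name RUT2.cert.pem. The certificate distribution itself is sound and worth keeping as-is: RUT2 only receives the CA cert, both public certs and its own RUT2.key.pem, so RUT1's private key never leaves RUT1. Two smaller points: the strongSwan link is given as ".../wiki/Connsection" on both routers while the wiki page is named "ConnSection" (case matters in that URL), and under "Phase 2" the last field is labelled "IKE lifetime" although Phase 2 governs the IPsec/CHILD SA, whose lifetime is a separate setting from the IKE lifetime in Phase 1, so the label should match what the WebUI actually shows. Finally, since the Proposal sections stress that both ends must match, it would help to state that AES 128 / SHA1 / MODP1536 is a minimal interoperable baseline and that stronger choices such as AES 256, SHA256 and MODP2048 or an ECP group should be preferred where both RUT firmware versions support them.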