Difference between revisions of "IPSec Tunnel w/CA Certs Configuration"

From Teltonika Networks Wiki
 
<p style="color:red">The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.08'''] firmware version.</p>
  
 
==Introduction==
 
  
In computing, '''Internet Protocol Security''' ('''IPsec''') is a secure network protocol suite that authenticates and encrypts the packets of data sent over an IP network (IPv4 or IPv6). IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and for negotiating the cryptographic keys used during the session. IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec provides network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.
  
This article provides a detailed configuration example of an IPsec tunnel between two RUTxxx routers in which both peers authenticate each other with X.509 certificates issued by a CA that you generate yourself.
  
 
==Configuration overview and prerequisites==
 
  
 
'''Prerequisites''':
* Two RUTxxx routers of any type;
* At least one RUTxxx router with a public IP address on its WAN interface;
* Both RUTxxx routers must be reachable from each other's WAN connection (this example uses ''Start'' mode on both sides, so each router initiates towards the other);
* Firmware for the devices must be 00.07.xx.x or above. This is in part to make sure the strongSwan service is at least version 5.9.6;
* An end device (PC, laptop) for configuration;
* (Optional) A second end device to test remote LAN access.
 
----
 
We will start our configuration with RUT1.
  
This configuration guide generates its own CA certificate on RUT1 and uses that CA to sign the keys and certificates of both devices. For general information on certificate generation in the router WebUI, see [https://wiki.teltonika-networks.com/view/RUTX11_Administration#Certificates Generating certificate via router].
  
===Generating Certs===
----
First we will generate our CA cert. Login to the router's WebUI and go to '''System → Administration → Certificates'''.

====Certificates Generation====
----
Follow the steps below to generate a CA certificate.

The following are the settings used for this example, but values should be changed depending on your specific needs:

1. File Type: '''''CA'''''

2. Key Size: '''''2048''''' // Use 2048 bits or more. 1024-bit RSA keys are considered weak and should not be used, least of all for the CA that everything else trusts.

3. Name (CN): '''''CAIPSec''''' // This can be whatever name you choose.

4. Subject Information: '''''Toggled On''''' // It is recommended to fill out at least Country Code, State/Province and Organization Name.

5. Country Code (CC): '''''US''''' // Fill in your country code
 
 
6. State or Province Name (ST): '''''TX''''' // Fill your State/Province name
 
 
 
7. Locality Name (L): '''''CAIPSec''''' // Fill your locality name, or at least a recognizable name for your CA
 
 
 
8. Organization Name (O): '''''CAIPSec''''' // Fill your Organization name
 
 
 
9. Organizational Unit Name (OU): '''''CAIPSEC''''' // Fill your specific Unit Name
 
 
 
10. '''''Generate''''' Certificate
 
<br>
 
 
 
[[File:IPSec CA Cert Generating.png|none|none]]
 
 
 
<br>
 
After you hit Generate the CA cert you should see a confirmation notification pop-up near the top right, and if you select Certificates Manager you should see a CAIPSec.key.pem under *Keys* and a CAIPSec.req.pem under *Certificate requests*.
 
<br>
 
 
 
[[File:IPSec CA Cert Generating Confirmation.png|none|none]]
 
[[File:IPSec CA Cert Generating Manager Check.png|none|none]]
 
 
 
<br>
 
 
 
Follow the steps below to generate a RUT1 client certificate.
 
 
 
The following are the settings used for this example, but values should be changed depending on your specific needs:
 
 
 
1. File Type: '''''Client'''''
 
 
 
2. Key Size: '''''2048''''' // Use 2048 bits or more; 1024-bit RSA keys are considered weak.
 
 
 
3. Name (CN): '''''RUT1''''' // This can be whatever name you choose.
 
 
 
4. Subject Information: '''''Toggled On''''' // It is recommended to fill out at least Country Code, State/Province and Organization Name.
 
 
 
5. Country Code (CC): '''''US''''' // Fill your country code
 
 
 
6. State or Province Name (ST): '''''TX''''' // Fill your State/Province name
 
 
 
7. Locality Name (L): '''''RUT1''''' // Fill in your locality name, or at least a name that identifies this device
 
 
 
8. Organization Name (O): '''''RUT1''''' // Fill your Organization name
 
 
 
9. Organizational Unit Name (OU): '''''RUT1''''' // Fill your specific Unit Name
 
 
 
10. '''''Generate''''' Certificate
 
<br>
 
 
 
[[File:IPSec RUT1 Cert Generating.png|none|none]]
 
 
 
<br>
 
After you hit Generate the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT1.key.pem under *Keys* and a RUT1.req.pem under *Certificate requests*.
 
<br>
 
 
 
[[File:IPSec RUT1 Cert Generating Confirmation.png|none|none]]
 
 
 
<br>
 
 
 
We will still generate RUT2 certs on the RUT1 device, so that we can sign our certs with the CA created earlier.
 
Later we will download the certs required for RUT2 and import them there.
 
 
 
Follow the steps below to generate a RUT2 client certificate.
 
 
 
The following are the settings used for this example, but values should be changed depending on your specific needs:
 
 
 
1. File Type: '''''Client'''''
 
 
 
2. Key Size: '''''2048''''' // Use 2048 bits or more; 1024-bit RSA keys are considered weak.
 
 
 
3. Name (CN): '''''RUT2''''' // This can be whatever name you choose.
 
 
 
4. Subject Information: '''''Toggled On''''' // It is recommended to fill out at least Country Code, State/Province and Organization Name.
 
 
 
5. Country Code (CC): '''''US''''' // Fill your country code
 
 
 
6. State or Province Name (ST): '''''TX''''' // Fill your State/Province name
 
 
 
7. Locality Name (L): '''''RUT2''''' // Fill in your locality name, or at least a name that identifies this device
 
 
 
8. Organization Name (O): '''''RUT2''''' // Fill your Organization name
 
 
 
9. Organizational Unit Name (OU): '''''RUT2''''' // Fill your specific Unit Name
 
 
 
10. '''''Generate''''' Certificate
 
<br>
 
 
 
[[File:IPSec RUT2 Cert Generating.png|none|none]]
 
 
 
<br>
 
After you hit Generate the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT2.key.pem under *Keys* and a RUT2.req.pem under *Certificate requests*.
 
<br>
 
 
 
[[File:IPSec RUT2 Cert Generating Confirmation.png|none|none]]
 
 
 
====Signing Certificates====
----
Next we need to sign the CAIPSec CA. We will be self-signing our own CA.

Under the '''Certificate signing''' section configure as follows:

1. Signed Certificate Name: '''''CAIPSec'''''

2. Type of Certificate to Sign: '''''Certificate Authority'''''

3. Certificate Request File: '''''CAIPSec.req.pem'''''

4. Days Valid: '''''3650''''' // This example uses 3650 days (10 years). A CA can be configured to live longer if needed, but a long-lived CA whose private key sits on the router widens the window in which a stolen key can be abused, so keep the validity as short as your re-enrolment process allows.

5. Certificate Authority Key: '''''CAIPSec.key.pem'''''

6. Leave the rest of the configuration default

7. '''''Sign'''''
 
<br>
 
 
 
[[File:IPSec CA Cert Signing.png|none|none]]
 
 
 
<br>
 
After you hit *Sign* the CA cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a CAIPSec.cert.pem under *Certificates*.
 
<br>
 
 
 
[[File:IPSec CA Cert Generating Confirmation2.png|none|none]]
 
<br>
 
 
 
Next we need to sign the RUT1 cert.
 
Under the '''Certificate signing''' section configure as follows:
 
 
 
1. Signed Certificate Name: '''''RUT1'''''
 
 
 
2. Type of Certificate to Sign: '''''Client Certificate'''''
 
 
 
3. Certificate Request File: '''''RUT1.req.pem'''''
 
 
 
4. Days Valid: '''''3650'''''
 
 
 
5. Certificate Authority File: '''''CAIPSec.cert.pem'''''
 
 
 
6. Certificate Authority Key: '''''CAIPSec.key.pem'''''
 
 
 
7. Leave the rest of the configuration alone
 
 
 
8. '''''Sign'''''
 
<br>
 
 
 
[[File:IPSec RUT1 Cert Signing.png|none|none]]
 
 
 
<br>
 
After you hit *Sign* the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT1.cert.pem under *Certificates*.
 
<br>
 
 
 
[[File:IPSec RUT1 Cert Manager Check.png|none|none]]
 
 
 
<br>
 
 
 
<br>
 
Next we need to sign the RUT2 cert.
 
Under the '''Certificate signing''' section configure as follows:
 
 
 
1. Signed Certificate Name: '''''RUT2'''''
 
 
 
2. Type of Certificate to Sign: '''''Client Certificate'''''
 
 
 
3. Certificate Request File: '''''RUT2.req.pem'''''
 
  
4. Days Valid: '''''3650'''''
 
 
5. Certificate Authority File: '''''CAIPSec.cert.pem'''''
 
 
6. Certificate Authority Key: '''''CAIPSec.key.pem'''''
 
 
7. Leave the rest of the configuration alone
 
 
8. '''''Sign'''''
 
<br>
 
 
[[File:IPSec RUT2 Cert Signing.png|none|none]]
 
 
<br>
 
After you hit *Sign* the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT2.cert.pem under *Certificates*.
 
<br>
 
 
[[File:IPSec RUT2 Cert Manager Check.png|none|none]]
 
 
<br>
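The WebUI steps above can be reproduced with OpenSSL on the admin PC, which is useful when you want to script enrolment or check what the router produced. The script below is an added example written for this page, not Teltonika tooling or RutOS code. It assumes openssl(1) is installed, uses the same file names and subject values as the steps above, generates 2048-bit keys, and ends with a negative check: a certificate issued by some other CA must fail verification against CAIPSec.cert.pem, which is exactly the property the CA certificate on each router enforces against an unknown peer.

```shell
#!/bin/sh
# Added example (not from the Teltonika wiki): the page's certificate flow done
# with OpenSSL. One self-signed CA, then a key + request per router, then the
# requests signed by the CA, then chain verification.
# Assumes openssl(1) on the admin PC. Subject values are the page's example
# values; change them for real deployments.

# build_pki DIR - create CAIPSec.{key,cert}.pem and RUTn.{key,req,cert}.pem in DIR.
build_pki() {
    d="$1"
    mkdir -p "$d" || return 1
    # WebUI "CA" file type + signing type "Certificate Authority":
    # a 2048-bit key and a self-signed CA certificate valid for 3650 days.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/C=US/ST=TX/L=CAIPSec/O=CAIPSec/OU=CAIPSEC/CN=CAIPSec" \
        -keyout "$d/CAIPSec.key.pem" -out "$d/CAIPSec.cert.pem" 2>/dev/null || return 1
    for rut in RUT1 RUT2; do
        # WebUI "Client" file type: a key and a certificate request (.req.pem).
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -subj "/C=US/ST=TX/L=$rut/O=$rut/OU=$rut/CN=$rut" \
            -keyout "$d/$rut.key.pem" -out "$d/$rut.req.pem" 2>/dev/null || return 1
        # WebUI signing type "Client Certificate": the CA signs the request.
        openssl x509 -req -sha256 -days 3650 -in "$d/$rut.req.pem" \
            -CA "$d/CAIPSec.cert.pem" -CAkey "$d/CAIPSec.key.pem" -CAcreateserial \
            -out "$d/$rut.cert.pem" 2>/dev/null || return 1
    done
}

# verify_chain DIR CERT - succeeds only if CERT chains to DIR/CAIPSec.cert.pem,
# i.e. what each router does with the peer's certificate during IKE_AUTH.
verify_chain() {
    openssl verify -CAfile "$1/CAIPSec.cert.pem" "$1/$2" >/dev/null 2>&1
}

# cert_cn DIR CERT - print the CN of CERT (what `ipsec statusall` shows as the
# certificate subject).
cert_cn() {
    openssl x509 -in "$1/$2" -noout -subject -nameopt sep_multiline 2>/dev/null |
        sed -n 's/^ *CN=//p'
}

# rogue_cert_rejected DIR - build a certificate with CN=RUT1 issued by an
# unrelated CA and confirm it does NOT verify against CAIPSec. A stranger who
# knows your identifiers still cannot join the tunnel without our CA's signature.
rogue_cert_rejected() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=RogueCA" \
        -keyout "$d/rogue.key.pem" -out "$d/rogue.cert.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=RUT1" \
        -keyout "$d/imp.key.pem" -out "$d/imp.req.pem" 2>/dev/null || return 1
    openssl x509 -req -sha256 -days 30 -in "$d/imp.req.pem" -CA "$d/rogue.cert.pem" \
        -CAkey "$d/rogue.key.pem" -CAcreateserial -out "$d/imp.cert.pem" 2>/dev/null || return 1
    ! verify_chain "$d" imp.cert.pem
}
```

Run `build_pki ./pki` and upload the resulting files exactly as the Download/Import step below describes: each router gets its own key, both certificates and CAIPSec.cert.pem; CAIPSec.key.pem stays where the CA lives.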
 
====Download/Import Certs====
 
 
----
  
Starting with RUT1:

* Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager'''
* Download CAIPSec.cert.pem, RUT1.cert.pem, RUT1.key.pem, RUT2.cert.pem & RUT2.key.pem
* Go to '''System → Administration → Certificates -> Root CA'''. Toggle '''On'''. Select '''CAIPSec.cert.pem''' -> '''Upload''' & then '''Save'''

Next moving to RUT2:

* Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager'''
* Import Certificate File: '''Browse''' and import CAIPSec.cert.pem, RUT1.cert.pem, RUT2.cert.pem & RUT2.key.pem
* Go to '''System → Administration → Certificates -> Root CA'''. Toggle '''On'''. Select '''CAIPSec.cert.pem''' -> '''Upload''' & then '''Save'''

'''Note:''' The private keys (RUT1.key.pem and RUT2.key.pem) pass through your PC in this step. Move them only over the HTTPS WebUI session, delete the local copies once each router has imported its key, and do not import RUT1.key.pem on RUT2 or vice versa: each router needs only its own key, both certificates and the CA certificate. CAIPSec.key.pem never needs to leave RUT1. If your firmware lets you import certificate requests, you can avoid copying private keys altogether by generating the RUT2 key and request on RUT2, signing only RUT2.req.pem on RUT1, and copying the signed RUT2.cert.pem back.
 
 
 
===IPSec RUT1 Config===
----
* Make sure that the certificates for both '''RUT1''' and '''RUT2''' have been generated, signed and imported as described above.
* Login to the router's WebUI and go to '''System → Services → VPN -> IPsec'''
* Add a new instance called '''CA_EX'''
<br>

[[File:IPSec RUT1 Config Add CA EX.png|none|none]]

<br>
* IPsec Instance General settings configuration as follows:

    - Remote endpoint: '''''192.168.1.14''''' // This should be RUT2 WAN IP. You should be able to ping this IP from RUT1 WAN IP.

    - Authentication method: '''''X.509'''''

    - Key: '''''RUT1.key.pem''''' // Browse and import the RUT1.key.pem we created & downloaded earlier.

    - Key decryption passphrase: Leave blank // This is only needed if the private key was encrypted with a passphrase, which we did not do in our earlier steps.
  
    - Local certificate: '''''RUT1.cert.pem''''' // Browse and import the RUT1.cert.pem we created & downloaded earlier.
 
 
    - CA certificate: '''''CAIPSec.cert.pem''''' // Browse and import the CAIPSec.cert.pem we created & downloaded earlier.
 
 
    - Local identifier: '''''192.168.3.1''''' // We will use the LAN IP of RUT1 for the identifier.

    - Remote identifier: '''''192.168.14.1''''' // We will use the LAN IP of RUT2 for the identifier. These two values must be mirrored on RUT2 (its Local identifier is 192.168.14.1 and its Remote identifier is 192.168.3.1); a mismatch fails authentication even when the certificates are correct.
 
<br>
 
 
[[File:RUT1 IPSec Instance General Settings Configuration.png|none|none]]
 
 
<br>
 
 
* IPsec Instance Advanced settings configuration as follows:
 
 
 
    - Remote certificate: '''''RUT2.cert.pem''''' // Upload RUT2 cert we created earlier.
 
<br>
 
 
[[File:RUT1 IPSec Instance Advanced Settings Configuration.png|none|none]]
 
 
<br>
 
 
* Connection settings General settings configuration as follows:
 
 
    - Mode: '''''Start''''' // ''start'' loads the connection and brings it up immediately. For the other options, see ''auto'' in the strongSwan conn section reference (https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection)
 
 
    - Type: '''''Tunnel'''''
 
 
    - Default route: '''''off''''' // Only use this if you want your default route to be out this tunnel.
 
 
    - Local subnet: '''''192.168.3.0/24''''' // RUT1 LAN subnet we want access to through the tunnel
 
 
    - Remote subnet: '''''192.168.14.0/24''''' // RUT2 LAN subnet we want access to through the tunnel
 
 
    - Key exchange: '''''IKEv2'''''
 
<br>
 
 
[[File:RUT1 IPSec Connection Settings General Settings Configuration.png|none|none]]
 
 
<br>
 
 
* Connection settings Advanced settings configuration as follows:
 
 
    - Force encapsulation: '''''On'''''
 
 
    - Local Firewall: '''''On'''''
 
 
    - Remote Firewall: '''''On'''''
 
 
    - Inactivity: '''''3600''''' // In seconds. If no traffic crosses the tunnel for this long, the CHILD_SA is closed. This is not a liveness check; that is what Dead peer detection below does.
 
 
    - Dead peer detection: '''''On'''''
 
 
    - DPD action: '''''Restart'''''
 
 
    - DPD delay: '''''30''''' // This is in seconds.
 
 
    - DPD Timeout: '''''150''''' // This is in seconds.
 
 
    - The rest of the configuration leave as default
 
 
<br>
 
 
[[File:RUT1 IPSec Connection Settings Advanced Settings Configuration.png|none|none]]
 
 
<br>
 
 
* Connection settings Proposal settings configuration as follows:

'''Important:''' The proposals must match on RUT1 and RUT2, otherwise IKE negotiation fails (strongSwan logs NO_PROPOSAL_CHOSEN). The values below are one secure example; other modern algorithms or combinations can be used, but avoid legacy algorithms (SHA1, MODP1536 or smaller groups, 3DES) unless a legacy peer forces you to. The screenshots show an older example that used AES 128/SHA1/MODP1536.

* Phase 1

- Proposals

  - Encryption: '''''AES 256'''''

  - Authentication: '''''SHA512'''''

  - DH group: '''''MODP4096'''''

  - Force crypto proposal: '''''Off''''' // With this off, strongSwan appends its default proposals to the one configured here, so the peer can still negotiate a weaker set. Turn it '''''On''''' on both sides once the tunnel works (this is strongSwan's strict "!" proposal terminator), so that only the listed proposal is accepted.

  - IKE lifetime: '''''3h'''''

<br>

[[File:RUT1 IPSec Proposal Settings Phase1.png|none|none]]

<br>

* Phase 2

- Proposals

  - Encryption: '''''AES 256'''''

  - Hash: '''''SHA512'''''

  - PFS group: '''''MODP4096'''''

  - Force crypto proposal: '''''Off''''' // Same consideration as in Phase 1.

  - Lifetime: '''''3h''''' // This is the CHILD_SA (ESP) lifetime, separate from the IKE lifetime above.
 
<br>
 
 
[[File:RUT1 IPSec Proposal Settings Phase2.png|none|none]]
 
 
<br>
 
 
* Hit '''''Save & Apply'''''
 
* Toggle the CA_EX tunnel on and hit '''''Save & Apply''''' once more
 
<br>
 
[[File:RUT1 IPSec Toggle On Save And Apply.png|none|none]]
 
 
<br>
 
* Reboot the device once you have finished.
 
 
 
===IPSec RUT2 Config===
 
 
----
  
  
* Login to the router's WebUI and go to '''System → Services → VPN -> IPsec'''
* Add a new instance called '''CA_EX'''
<br>

[[File:IPSec_RUT1_Config_Add_CA_EX.png|none|none]]

<br>

* IPsec Instance General settings configuration as follows:

    - Remote endpoint: '''''192.168.1.3''''' // This should be RUT1 WAN IP. You should be able to ping this IP from RUT2 WAN IP.

    - Authentication method: '''''X.509'''''

    - Key: '''''RUT2.key.pem''''' // Browse and import the RUT2.key.pem we created & downloaded earlier.
    - Key decryption passphrase: Leave blank // This is only needed if the private key was encrypted with a passphrase, which we did not do in our earlier steps.
 
 
 
    - Local certificate: '''''RUT2.cert.pem''''' // Browse and import the RUT2.cert.pem we created & downloaded earlier.
 
 
 
    - CA certificate: '''''CAIPSec.cert.pem''''' // Browse and import the CAIPSec.cert.pem we created & downloaded earlier.
 
 
 
    - Local identifier: '''''192.168.14.1''''' // We will use the LAN IP of RUT2 for the Identifier
 
 
 
    - Remote identifier: '''''192.168.3.1''''' // We will use the LAN IP of RUT1 for the Identifier
 
<br>
 
 
 
[[File:RUT2 IPSec Instance General Settings Configuration.png|none|none]]
 
 
 
<br>
 
 
 
* IPsec Instance Advanced settings configuration as follows:
 
 
 
    - Remote certificate: '''''RUT1.cert.pem''''' // Upload RUT1 cert we created earlier.
 
<br>
 
 
 
[[File:RUT2 IPSec Instance Advanced Settings Configuration.png|none|none]]
 
 
 
<br>
 
 
 
* Connection settings General settings configuration as follows:
 
 
 
    - Mode: '''''Start''''' // ''start'' loads the connection and brings it up immediately. For the other options, see ''auto'' in the strongSwan conn section reference (https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection)
 
 
 
    - Type: '''''Tunnel'''''
 
 
 
    - Default route: '''''off''''' // Only use this if you want your default route to be out this tunnel.
 
 
 
    - Local subnet: '''''192.168.14.0/24''''' // RUT2 LAN subnet we want access to through the tunnel
 
 
 
    - Remote subnet: '''''192.168.3.0/24''''' // RUT1 LAN subnet we want access to through the tunnel
 
 
 
    - Key exchange: '''''IKEv2'''''
 
<br>
 
 
 
[[File:RUT2 IPSec Connection Settings General Settings Configuration.png|none|none]]
 
 
 
<br>
 
 
 
* Connection settings Advanced settings configuration as follows:
 
 
 
    - Force encapsulation: '''''On'''''
 
 
 
    - Local Firewall: '''''On'''''
 
 
 
    - Remote Firewall: '''''On'''''
 
 
 
    - Inactivity: '''''3600''''' // In seconds. If no traffic crosses the tunnel for this long, the CHILD_SA is closed. Liveness is checked by Dead peer detection below, not by this timer.
 
 
 
    - Dead peer detection: '''''On'''''
 
 
 
    - DPD action: '''''Restart'''''
 
 
 
    - DPD delay: '''''30''''' // This is in seconds.
 
 
 
    - DPD Timeout: '''''150''''' // This is in seconds.
 
 
 
    - The rest of the configuration leave as default
 
<br>
 
 
 
[[File:RUT2 IPSec Connection Settings Advanced Settings Configuration.png|none|none]]
 
 
 
<br>
 
 
 
* Connection settings Proposal settings configuration as follows:

'''Important:''' These must match the RUT1 proposals exactly. The screenshots show an older example that used AES 128/SHA1/MODP1536.

* Phase 1

- Proposals

  - Encryption: '''''AES 256'''''

  - Authentication: '''''SHA512'''''

  - DH group: '''''MODP4096'''''

  - Force crypto proposal: '''''Off''''' // Turn '''''On''''' on both sides once the tunnel works, so that only this proposal is accepted.

  - IKE lifetime: '''''3h'''''

<br>

[[File:RUT2 IPSec Proposal Settings Phase1.png|none|none]]

<br>

* Phase 2

- Proposals

  - Encryption: '''''AES 256'''''

  - Hash: '''''SHA512'''''

  - PFS group: '''''MODP4096'''''

  - Force crypto proposal: '''''Off'''''

  - Lifetime: '''''3h''''' // CHILD_SA (ESP) lifetime, separate from the IKE lifetime above.
 
<br>
 
 
 
[[File:RUT2 IPSec Proposal Settings Phase2.png|none|none]]
 
 
 
<br>
 
 
 
* Hit '''''Save & Apply'''''
 
* Toggle the CA_EX tunnel on and hit '''''Save & Apply''''' once more
 
<br>
 
 
 
[[File:RUT2 IPSec Toggle On Save And Apply.png|none|none]]
 
 
 
<br>
 
 
 
* Reboot the device once you have finished.
 
 
 
 
 
==Testing configuration==
----
===RUT1 to RUT2 Test===
----
Here we will check via SSH on both RUT1 & RUT2 devices that the IPsec tunnel has been established, that each RUT device can ping the other's LAN IP (192.168.3.1 for RUT1 & 192.168.14.1 for RUT2), and that a LAN device on RUT1 can ping a LAN device on RUT2.
 
 
* First make sure each device has been rebooted at least once after you have finished configuring the previous steps.
 
* SSH into RUT1 device
 
* '''''ipsec statusall''''' // Under ''Security Associations'' the connection should be ESTABLISHED (the IKE_SA) and INSTALLED, TUNNEL (the CHILD_SA), up for some minutes, and the subjects of the certificates we created earlier should appear next to the local and remote identities. An IKE_SA that is ESTABLISHED without an INSTALLED CHILD_SA usually means the Phase 2 proposals or subnets do not match.
 
<br>
 
 
 
[[File:RUT1 IPSec Status.png|none|none]]
 
 
 
<br>
 
* '''''ping 192.168.14.1''''' // You should get a response if the tunnel has established properly
 
<br>
 
 
 
[[File:RUT1 Ping To RUT2 Check.png|none|none]]
 
 
 
<br>
 
 
 
* SSH into RUT2 device
 
* '''''ipsec statusall''''' // As on RUT1: the connection should be ESTABLISHED and INSTALLED, TUNNEL, with the certificate subjects shown next to the identities, but with local and remote swapped.
 
<br>
 
 
 
[[File:RUT2 IPSec Status.png|none|none]]
 
 
 
<br>
 
 
 
* '''''ping 192.168.3.1''''' // You should get a response if the tunnel has established properly
 
<br>
 
 
 
[[File:RUT2 Ping To RUT1 Check.png|none|none]]
 
 
 
<br>
 
 
 
* SSH into RUT1 device
 
* '''''opkg update'''''
 
* '''''opkg install tcpdump'''''
 
* '''''tcpdump -i any -n 'esp or udp port 4500' -w Checking_For_ESP_Packets.pcap''''' // Capture only IPsec traffic. Because Force encapsulation is on, the ESP packets travel inside UDP port 4500 (NAT-T), which is why both filter terms are needed; drop the capture filter if you want to see everything.
 
* SSH into RUT2 device
 
* On RUT2 ping the LAN ip for RUT1 and leave that running. In our example that would be `ping 192.168.3.1`
 
* On RUT1 wait 10 seconds then CTRL+C to stop the program
 
* Then use a program like WinSCP to download '''Checking_For_ESP_Packets.pcap''' from RUT1
 
* Open the file in a program called Wireshark and filter for encrypted ESP packets with this '''_ws.col.protocol == "ESP"'''. You should see ESP packets from both the WAN IPs. You shouldn't be able to see inside the packet because it is now encrypted, but if we decrypted the packets we would see the ICMP packets between the 2 RUT devices.
 
<br>
 
 
 
[[File:Checking Pcap With Wireshark.png|none|none]]
 
 
 
<br>
 
 
 
Also, we can check it by executing the <code><span class="highlight">'''ipsec status'''</span></code> command, or use <code><span class="highlight">'''ipsec statusall'''</span></code> for a more verbose output. With these commands we can see that the IPsec tunnel is successfully established on the RUTxxx router. The command output on a '''RUT2''' device:

[[File:RutOS_IPsec_tunnel_with_certificates_7.8_ipsec_status_rut2.png|border|class=tlt-border|center]]

===RUT1 LAN device to RUT2 LAN device Test===

Here we will confirm that LAN devices behind either RUTxxx device are able to communicate with each other.

[[File:RUT END-To END Example Image.png|none|none]]

The figure above depicts two RUTxxx routers (RUT1 and RUT2) connected by an IPsec tunnel via their WAN interfaces, where each RUT router has a LAN device connected that has received a DHCP address.

* Attach a Windows/MacOS/Linux PC via Ethernet or Wi-Fi to the RUT1 LAN. Remove or disable any other active interfaces on your PC.
* Disable the firewall. Examples for each OS follow.
** Windows 10/11
**# Press '''''Windows-Key + R'''''
**# Type '''''control''''' and hit Enter
**# Navigate to Firewall Settings -> System and Security -> Windows Defender Firewall
**# On the left sidebar, click "Turn Windows Defender Firewall on or off"
**# Select "Turn off Windows Defender Firewall (not recommended)" under both the Private and Public network settings
**# Click "OK" to apply the changes
** MacOS Ventura
**# Click on the Apple menu and select "System Preferences"
**# Click on "Security & Privacy"
**# Click on the "Firewall" tab
**# Select the lock icon at the bottom left and enter your administrator password
**# Select "Turn Off Firewall"
** Linux (Ubuntu)
**# Open a Terminal window
**# '''''sudo ufw disable'''''
* Perform similar steps for a second device connected to the RUT2 LAN.
* Once both devices are connected to the LANs of RUT1 & RUT2, you should be able to ping the devices from each other.

[[File:LAN To LAN Device Ping.png|none|none]]

* Afterwards, make sure to re-enable the firewall on both LAN devices.


Latest revision as of 14:26, 6 August 2024

The information in this page is updated in accordance with 00.07.08 firmware version.

Introduction

In computing, Internet Protocol Security (IPsec) is a secure network protocol suite of IPv4 that authenticates and encrypts the packets of data sent over an IPv4 network. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to use during the session. IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). Internet Protocol security (IPsec) uses cryptographic security services to protect communications over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.

This article provides an extensive configuration example with details on how to create a tunnel connection authenticating with X.509 Certs between two IPsec instances, both of which are configured on RUTxxx routers.

Configuration overview and prerequisites

Before we begin, let's overview the configuration that we are attempting to achieve and the prerequisites that make it possible.

Prerequisites:

  • Two RUTxxx routers of any type;
  • One RUTxxx router with public IP address;
  • Both RUTxxx routers must be accessible from each other's WAN connection;
  • Firmware for the devices must be 00.07.xx.x or above. This is in part to make sure the StrongSwan service is at least version U5.9.6;
  • An end device (PC, Laptop) for configuration;
  • (Optional) A second end device to test remote LAN access;

IPSec RUT1-IPSec RUT2 Example Image.png

The figure above depicts two RUTxxx routers (RUT1 and RUT2) connected by an IPsec tunnel via their WAN interfaces.

Router configuration

We will start our configuration with RUT1.

Generating the certificates is not covered here; to generate them via the router, refer to this link: Generating certificate via router

IPsec RUT1 Config


  • Make sure that you have your certificates generated both for RUT1 and RUT2 routers.
  • Login to the router's WebUI and go to System → Services → VPN → IPsec
  • Add a new instance with your desired name, in my case I will be using RUT1
RutOS IPsec tunnel with certificates 7.8 add ipsec.png

Start by configuring the RUT device. Login to the WebUI, navigate to Services → VPN → IPsec and add a new IPsec instance. Configure everything as follows. Note: Fields not specified here can be left as they are or changed according to your needs.

Instance configuration


Make the following changes:

  1. Enable instance;
  2. Remote endpoint - RUT2 WAN IP;
  3. Authentication method - X.509;
  4. Key - the RUT1.key.pem that you have generated from certificates;
  5. Local certificate - the RUT1.cert.pem that you have generated from certificates;
  6. CA certificate - the CA.cert.pem that you have generated from certificates;
  7. Local identifier - RUT1 LAN IP, which is 192.168.3.1 in this case;
  8. Remote identifier - RUT2 LAN IP, which is 192.168.14.1 in this case;
RutOS IPsec tunnel with certificates 7.8 add ipsec config general instnace.png

We will need to add RUT2 certificate in the Advanced settings:

  1. Click on Advanced settings in the IPsec instance section;
  2. Remote certificate - the RUT2.cert.pem that you have generated from certificates;
RutOS IPsec tunnel with certificates 7.8 add ipsec config general instnace advanced.png

Connection general section configuration


Make the following changes:

  1. Mode - Start;
  2. Type - Tunnel;
  3. Local subnet – 192.168.3.0/24;
  4. Remote subnet – 192.168.14.0/24;
  5. Key exchange - IKEv2;
RutOS IPsec tunnel with certificates 7.8 add ipsec config connection.png

Connection advanced section configuration


Make the following changes:

  1. Open Advanced settings;
  2. Enable Force encapsulation;
  3. Enable Local firewall;
  4. Enable Remote firewall;
  5. Inactivity: 3600 - Defines the timeout interval, after which the connection is closed;
  6. Enable Dead peer detection;
  7. DPD action – Restart;
RutOS IPsec tunnel with certificates 7.8 add ipsec config connection advanced.png

Proposal configuration

Important: Both the RUT1 and RUT2 Encryptions must match in order for this configuration to work.


Note: This is only an example of a secure configuration. Other algorithms or even combinations of them could be used. However, we strongly recommend refraining from using older encryption and hashing algorithms unless support for certain legacy systems is required.

Make the following changes:

Networking webui manual IPsec configuration proposal phase1 settings v1.png
  1. Encryption - AES256;
  2. Authentication - SHA512;
  3. DH group - MODP4096;
  4. IKE lifetime - 86400s.

Networking webui manual IPsec configuration proposal phase2 settings v1.png
  1. Encryption - AES256;
  2. Authentication - SHA512;
  3. PFS group - MODP4096;
  4. Lifetime – 86400s;



IPsec RUT2 Config


  • Make sure that you have your certificates generated both for RUT1 and RUT2 routers.
  • Login to the router's WebUI and go to System → Services → VPN → IPsec
  • Add a new instance with your desired name, in my case I will be using RUT2
RutOS IPsec tunnel with certificates 7.8 add ipsec.png

Start by configuring the RUT device. Login to the WebUI, navigate to Services → VPN → IPsec and add a new IPsec instance. Configure everything as follows. Note: Fields not specified here can be left as they are or changed according to your needs.

Instance configuration


Make the following changes:

  1. Enable instance;
  2. Authentication method - X.509;
  3. Key - the RUT2.key.pem that you have generated from certificates;
  4. Local certificate - the RUT2.cert.pem that you have generated from certificates;
  5. CA certificate - the CA.cert.pem that you have generated from certificates;
  6. Local identifier - RUT2 LAN IP, which is 192.168.14.1 in this case;
  7. Remote identifier - RUT1 LAN IP, which is 192.168.3.1 in this case;
RutOS IPsec tunnel with certificates 7.8 add ipsec config connection rut2.png

We will need to add RUT2 certificate in the Advanced settings:

  1. Click on Advanced settings in the IPsec instance section;
  2. Remote certificate - the RUT1.cert.pem that you have generated from certificates;
RutOS IPsec tunnel with certificates 7.8 add ipsec config connection advanced rut2.png

Connection general section configuration


Make the following changes:

  1. Mode - Start;
  2. Type - Tunnel;
  3. Local subnet – 192.168.14.0/24;
  4. Remote subnet – 192.168.3.0/24;
  5. Key exchange - IKEv2;
RutOS IPsec tunnel with certificates 7.8 add ipsec config connection rut2 general.png

Connection advanced section configuration


Make the following changes:

  1. Open Advanced settings;
  2. Enable Force encapsulation;
  3. Enable Local firewall;
  4. Enable Remote firewall;
  5. Inactivity: 3600 - Defines the timeout interval, after which the connection is closed;
  6. Enable Dead peer detection;
  7. DPD action – Restart;
RutOS IPsec tunnel with certificates 7.8 add ipsec config connection advanced.png

Proposal configuration

Important: Both the RUT1 and RUT2 Encryptions must match in order for this configuration to work.


Note: This is only an example of a secure configuration. Other algorithms or even combinations of them could be used. However, we strongly recommend refraining from using older encryption and hashing algorithms unless support for certain legacy systems is required.

Make the following changes:

Networking webui manual IPsec configuration proposal phase1 settings v1.png
  1. Encryption - AES256;
  2. Authentication - SHA512;
  3. DH group - MODP4096;
  4. IKE lifetime - 86400s.

Networking webui manual IPsec configuration proposal phase2 settings v1.png
  1. Encryption - AES256;
  2. Authentication - SHA512;
  3. PFS group - MODP4096;
  4. Lifetime – 86400s;


Testing the configuration

If you have followed all the above steps, your configuration should be finished. But as with any other configuration, it is always wise to test the setup in order to make sure that it works properly.

Use the ipsec status command, or ipsec statusall for a more verbose output. With these commands we can see that the IPsec tunnel is successfully established on the RUTxxx router. The command output on a RUT1 device:

RutOS IPsec tunnel with certificates 7.8 ipsec status.png

Also, we can try to ping the RUT2 device by executing this command ping 192.168.14.1, by which you should get a response if the IPsec tunnel has been established properly.

RutOS IPsec tunnel with certificates 7.8 ipsec ping rut1 to rut2.png

To check if the IPsec tunnel is working properly from RUT2, we can try pinging our RUT1 device by using this command in the command line interface on RUT2: ping 192.168.3.1

RutOS IPsec tunnel with certificates 7.8 ipsec ping rut2 to rut1.png

Also, we can check it by executing the ipsec status command, or use ipsec statusall for a more verbose output. With these commands we can see that the IPsec tunnel is successfully established on the RUTxxx router. The command output on a RUT2 device:

RutOS IPsec tunnel with certificates 7.8 ipsec status rut2.png
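The ipsec statusall checks above (on RUT1 and on RUT2) can be automated with a small shell function; this is an added example, not part of the Teltonika page, and the connection name, peer addresses, SPIs and timestamps in the embedded sample output are constructed.

```shell
#!/bin/sh
# Added example (not from the Teltonika wiki): reads `ipsec statusall` output on
# stdin and returns 0 only if the tunnel described on this page is really up:
#  - at least one IKE SA "up" and ESTABLISHED, authenticated with a certificate
#    ("public key authentication", as opposed to "pre-shared key"),
#  - the IKE proposal negotiated to AES256/SHA512/MODP4096 (strongSwan names),
#  - a CHILD SA INSTALLED in TUNNEL mode with ESP in UDP ("Force encapsulation"),
#  - traffic selectors equal to the configured local/remote subnets.
# Router usage:  ipsec statusall | check_tunnel 192.168.3.0/24 192.168.14.0/24
check_tunnel() {
    local_net="$1"; remote_net="$2"
    out=$(cat)
    up=$(printf '%s\n' "$out" | sed -n 's/^Security Associations (\([0-9]*\) up.*/\1/p')
    [ -n "$up" ] && [ "$up" -ge 1 ] || { echo "FAIL: no IKE SA up"; return 1; }
    printf '%s\n' "$out" | grep -q 'ESTABLISHED' || { echo "FAIL: IKE SA not ESTABLISHED"; return 1; }
    printf '%s\n' "$out" | grep -q 'public key authentication' || { echo "FAIL: peer not certificate-authenticated"; return 1; }
    printf '%s\n' "$out" | grep -q 'IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/.*MODP_4096' || { echo "FAIL: unexpected IKE proposal"; return 1; }
    printf '%s\n' "$out" | grep -q 'INSTALLED, TUNNEL, .*ESP in UDP' || { echo "FAIL: no tunnel CHILD SA with UDP encapsulation"; return 1; }
    printf '%s\n' "$out" | grep -q "$local_net === $remote_net" || { echo "FAIL: traffic selectors do not match"; return 1; }
    echo "OK: tunnel $local_net <-> $remote_net is up"
}

# Constructed sample of `ipsec statusall` on RUT1 for this page's configuration.
SAMPLE_UP='Status of IKE charon daemon (strongSwan 5.9.6, Linux 5.10.176, armv7l):
  uptime: 12 minutes, since Aug 06 14:10:01 2024
Connections:
        RUT1:  %any...203.0.113.2  IKEv2, dpddelay=30s
        RUT1:   local:  [192.168.3.1] uses public key authentication
        RUT1:    cert:  "C=LT, O=Teltonika, CN=RUT1"
        RUT1:   remote: [192.168.14.1] uses public key authentication
        RUT1:   child:  192.168.3.0/24 === 192.168.14.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
        RUT1[1]: ESTABLISHED 12 minutes ago, 203.0.113.1[192.168.3.1]...203.0.113.2[192.168.14.1]
        RUT1[1]: IKEv2 SPIs: 1a2b3c4d5e6f7081_i* 8f7e6d5c4b3a2910_r, public key reauthentication in 23 hours
        RUT1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096
        RUT1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0a80301_i c0a80e01_o
        RUT1{1}:  AES_CBC_256/HMAC_SHA2_512_256/MODP_4096, 8400 bytes_i (100 pkts, 2s ago), 8400 bytes_o (100 pkts, 2s ago), rekeying in 23 hours
        RUT1{1}:   192.168.3.0/24 === 192.168.14.0/24'

# Constructed sample of a tunnel that never came up (e.g. a certificate mismatch).
SAMPLE_DOWN='Security Associations (0 up, 1 connecting):
        RUT1[2]: CONNECTING, 203.0.113.1[%any]...203.0.113.2[%any]'
```

Run it on RUT2 with the subnets swapped (192.168.14.0/24 first) to verify the other end of the tunnel.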