Changes

no edit summary
Line 210: Line 210:  
Under the `Certificate signing` configure as follows:
 
Under the `Certificate signing` configure as follows:
   −
- Signed Certificate Name: `RUT2`
+
- Signed Certificate Name: '''''RUT2'''''
   −
- Type of Certificate to Sign: `Client Certificate`
+
- Type of Certificate to Sign: '''''Client Certificate'''''
   −
- Certificate Request File: `RUT2.req.pem`
+
- Certificate Request File: '''''RUT2.req.pem'''''
   −
- Days Valid: `3650`
+
- Days Valid: '''''3650'''''
   −
- Certificate Authority File: `CAIPSec.cert.pem`
+
- Certificate Authority File: '''''CAIPSec.cert.pem'''''
   −
- Certificate Authority Key: `CAIPSec.key.pem`
+
- Certificate Authority Key: '''''CAIPSec.key.pem'''''
    
- Leave the rest of the configuration alone
 
- Leave the rest of the configuration alone
   −
- `Sign`
+
- '''''Sign'''''
 
<br>
 
<br>
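Review bot: the switch from backticks to bold-italic `'''''…'''''` makes literal field values (RUT2, 3650, CAIPSec.key.pem) and the Sign button render identically, so a reader can no longer tell what is typed or selected from what is clicked; consider keeping `<code>…</code>` for values and reserving bold for UI actions, and apply the same convention in the later hunks of this edit.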
   Line 243: Line 243:  
* Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager'''
 
* Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager'''
 
* Download CAIPSec.cert.pem, RUT1.cert.pem, RUT1.key.pem, RUT2.cert.pem & RUT2.key.pem
 
* Download CAIPSec.cert.pem, RUT1.cert.pem, RUT1.key.pem, RUT2.cert.pem & RUT2.key.pem
* Go to '''System → Administration → Certificates -> Root CA'''. Toggle `On`. Select `CAIPSec.cert.pem` -> `Upload` & then `Save`
+
* Go to '''System → Administration → Certificates -> Root CA'''. Toggle '''On'''. Select '''CAIPSec.cert.pem''' -> '''Upload''' & then '''Save'''
    
Next moving to RUT2
 
Next moving to RUT2
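Review bot: the navigation path in the edited bullet mixes two arrow forms within one breadcrumb (`System → Administration → Certificates -> Root CA`); pick either → or -> for all paths. Since the download list in this hunk includes both RUT1.key.pem and RUT2.key.pem, it would also help to state that each private key is only carried to the router that owns it, which the RUT2 import step later in the page already reflects by importing RUT2.key.pem alone.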
Line 249: Line 249:  
* Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager'''
 
* Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager'''
 
* Import Certificate File *Browse* and import CAIPSec.cert.pem, RUT1.cert.pem, RUT2.cert.pem & RUT2.key.pem
 
* Import Certificate File *Browse* and import CAIPSec.cert.pem, RUT1.cert.pem, RUT2.cert.pem & RUT2.key.pem
* Go to '''System → Administration → Certificates -> Root CA'''. Toggle `On`. Select `CAIPSec.cert.pem` -> `Upload` & then `Save`
+
* Go to '''System → Administration → Certificates -> Root CA'''. Toggle '''On'''. Select '''CAIPSec.cert.pem''' -> '''Upload''' & then '''Save'''
    
===IPSec RUT1 Config===
 
===IPSec RUT1 Config===
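Review bot: `*Browse*` in the import bullet is markdown emphasis, which MediaWiki renders literally with the asterisks; use `'''Browse'''` to match the `'''…'''` markup this hunk adopts for the other UI elements. The same → versus -> inconsistency as in the RUT1 hunk appears in the Root CA path here.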
Line 255: Line 255:     
* Login to the router's WebUI and go to '''System → Services → VPN -> IPsec'''
 
* Login to the router's WebUI and go to '''System → Services → VPN -> IPsec'''
* Add a new instance called `CA_EX`
+
* Add a new instance called '''CA_EX'''
 
<br>
 
<br>
   Line 263: Line 263:  
* IPsec Instance General settings configuration as follows:
 
* IPsec Instance General settings configuration as follows:
 
    
 
    
- Remote endpoint: `192.168.1.14` // This should be RUT2 WAN IP. You should be able to ping this IP from RUT1 WAN IP.
+
- Remote endpoint: '''''192.168.1.14''''' // This should be RUT2 WAN IP. You should be able to ping this IP from RUT1 WAN IP.
   −
- Authentication method: `X.509`
+
- Authentication method: '''''X.509'''''
   −
- Key: `RUT1.key.pem` // Browse and import the RUT1.key.pem we created & downloaded earlier.
+
- Key: '''''RUT1.key.pem''''' // Browse and import the RUT1.key.pem we created & downloaded earlier.
    
- Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps.
 
- Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps.
   −
- Local certificate: `RUT1.cert.pem` // Browse and import the RUT1.cert.pem we created & downloaded earlier.
+
- Local certificate: '''''RUT1.cert.pem''''' // Browse and import the RUT1.cert.pem we created & downloaded earlier.
   −
- CA certificate: `CAIPSec.cert.pem` // Browse and import the CAIPSec.cert.pem we created & downloaded earlier.
+
- CA certificate: '''''CAIPSec.cert.pem''''' // Browse and import the CAIPSec.cert.pem we created & downloaded earlier.
   −
- Local identifier: `192.168.3.1` // We will use the LAN IP of RUT1 for the Identifier
+
- Local identifier: '''''192.168.3.1''''' // We will use the LAN IP of RUT1 for the Identifier
   −
- Remote identifier: `192.168.14.1` // We will use the LAN IP of RUT2 for the Identifier
+
- Remote identifier: '''''192.168.14.1''''' // We will use the LAN IP of RUT2 for the Identifier
 
<br>
 
<br>
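Review bot: the Local identifier and Remote identifier entries (192.168.3.1 and 192.168.14.1) need a sentence on how they relate to the X.509 certificates configured just above, because strongSwan verifies the IKE identity against the peer certificate's subject DN or a subjectAltName; if the LAN IPs are not present in RUT1.cert.pem and RUT2.cert.pem, authentication fails with an identity mismatch even though the certificates chain to CAIPSec.cert.pem. Either document which certificate field the earlier "Signed Certificate Name" step populates and use that value here, or state that the identifiers must be added to the certificates as SANs.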
   Line 286: Line 286:  
* IPsec Instance Advanced settings configuration as follows:
 
* IPsec Instance Advanced settings configuration as follows:
 
    
 
    
- Remote certificate: `RUT2.cert.pem` // Upload RUT2 cert we created earlier.
+
- Remote certificate: '''''RUT2.cert.pem''''' // Upload RUT2 cert we created earlier.
 
<br>
 
<br>
   Line 295: Line 295:  
* Connection settings General settings configuration as follows:
 
* Connection settings General settings configuration as follows:
   −
- Mode: `Start` // start loads a connection and brings
+
- Mode: '''''Start''''' // start loads a connection and brings
 
it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection)
 
it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection)
   −
- Type: `Tunnel`
+
- Type: '''''Tunnel'''''
   −
- Default route: `off` // Only use this if you want your default route to be out this tunnel.
+
- Default route: '''''off''''' // Only use this if you want your default route to be out this tunnel.
   −
- Local subnet: `192.168.3.0/24` // RUT1 LAN subnet we want access to through the tunnel
+
- Local subnet: '''''192.168.3.0/24''''' // RUT1 LAN subnet we want access to through the tunnel
   −
- Remote subnet: `192.168.14.0/24` // RUT2 LAN subnet we want access to through the tunnel
+
- Remote subnet: '''''192.168.14.0/24''''' // RUT2 LAN subnet we want access to through the tunnel
   −
- Key exchange: `IKEv2`
+
- Key exchange: '''''IKEv2'''''
 
<br>
 
<br>
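Review bot: the link in the Mode comment points to `.../wiki/Connsection`, which looks like a typo for the strongSwan wiki page `ConnSection`; the comment's continuation ("it up immediately. For more configuration information ...") also sits on its own line outside the list item, so it renders as a separate paragraph rather than as part of the Mode bullet. Keeping the whole comment on the `- Mode:` line would fix both.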
   Line 315: Line 315:  
* Connection settings Advanced settings configuration as follows:
 
* Connection settings Advanced settings configuration as follows:
   −
- Force encapsulation: `On`
+
- Force encapsulation: '''''On'''''
   −
- Local Firewall: `On`
+
- Local Firewall: '''''On'''''
   −
- Remote Firewall: `On`
+
- Remote Firewall: '''''On'''''
   −
- Inactivity: `3600` // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing.
+
- Inactivity: '''''3600''''' // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing.
   −
- Dead peer detection: `On`
+
- Dead peer detection: '''''On'''''
   −
- DPD action: `Restart`
+
- DPD action: '''''Restart'''''
   −
- DPD delay: `30` // This is in seconds.
+
- DPD delay: '''''30''''' // This is in seconds.
   −
- DPD Timeout: `150` // This is in seconds.
+
- DPD Timeout: '''''150''''' // This is in seconds.
    
- The rest of the configuration leave as default
 
- The rest of the configuration leave as default
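Review bot: the Inactivity comment describes the value as "how often you want the tunnel to be checked", but in strongSwan the inactivity setting is an idle timeout: the CHILD_SA is closed after that many seconds without traffic. Liveness checking is what the DPD delay (30 s) and DPD Timeout (150 s) entries in the same hunk control, so reword the Inactivity comment to say the tunnel is torn down after 3600 s without data and will be re-established by the Start mode.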
Line 343: Line 343:  
* Phase 1
 
* Phase 1
 
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
   - Encryption: `AES 128`
+
   - Encryption: '''''AES 128'''''
   −
   - Authentication: `SHA1`
+
   - Authentication: '''''SHA1'''''
   −
   - DH group: `MODP1536`
+
   - DH group: '''''MODP1536'''''
   −
- Force crypto proposal: `Off`
+
- Force crypto proposal: '''''Off'''''
   −
- IKE lifetime: `3h`
+
- IKE lifetime: '''''3h'''''
 
<br>
 
<br>
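Review bot: the Phase 1 proposal pins Authentication to SHA1 and DH group to MODP1536; RFC 8247 rates MODP1536 as SHOULD NOT and recommends MODP2048 or stronger, and SHA256 is the usual current choice for IKEv2 integrity. Since the guide already selects IKEv2, it would be worth recommending AES 128 / SHA256 / MODP2048 where both RUT units support them, while keeping the "must match between RUT1 & RUT2" note as it stands.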
   Line 360: Line 360:  
* Phase 2
 
* Phase 2
 
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
 
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
   - Encryption: `AES 128`
+
   - Encryption: '''''AES 128'''''
   −
   - Hash: `SHA1`
+
   - Hash: '''''SHA1'''''
   −
   - PFS group: `MODP1536`
+
   - PFS group: '''''MODP1536'''''
   −
- Force crypto proposal: `Off`
+
- Force crypto proposal: '''''Off'''''
   −
- IKE lifetime: `3h`
+
- IKE lifetime: '''''3h'''''
 
<br>
 
<br>
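Review bot: the Phase 2 block repeats "IKE lifetime: 3h" from Phase 1, but a Phase 2 lifetime applies to the IPsec (CHILD) SA, not the IKE SA; verify the label shown in the WebUI for this section and rename the entry if it differs, so readers do not assume the two lifetimes are the same setting. The same SHA1 / MODP1536 remark made for Phase 1 applies to the Hash and PFS group choices here.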
   Line 375: Line 375:  
<br>
 
<br>
   −
* Hit 'Save & Apply'
+
* Hit '''''Save & Apply'''''
* Toggle the CA_EX tunnel on and hit 'Save & Apply' once more
+
* Toggle the CA_EX tunnel on and hit '''''Save & Apply''''' once more
 
<br>
 
<br>
 
[[File:RUT1 IPSec Toggle On Save And Apply.png|frame|none]]
 
[[File:RUT1 IPSec Toggle On Save And Apply.png|frame|none]]