IPsec Tunnel with X.509 Authentication configuration example

The information in this page is updated in accordance with 00.07.08 firmware version.

Introduction

In computing, Internet Protocol Security (IPsec) is a secure network protocol suite of IPv4 that authenticates and encrypts the packets of data sent over an IPv4 network. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to use during the session. IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). Internet Protocol security (IPsec) uses cryptographic security services to protect communications over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.

This article provides an extensive configuration example with details on how to create a tunnel connection authenticating with X.509 Certs between two IPsec instances, both of which are configured on RUTxxx routers.

Configuration overview and prerequisites

Before we begin, let's overview the configuration that we are attempting to achieve and the prerequisites that make it possible.

Prerequisites:

Two RUTxxx routers of any type;
One RUTxxx router with public IP address;
Both RUTxxx routers must be accessible from each other's WAN connection;
Firmware for the devices must be 00.07.xx.x or above. This is in part to make sure the StrongSwan service is at least version U5.9.6;
An end device (PC, Laptop) for configuration;
(Optional) A second end device to test remote LAN access;

If you're having trouble finding this page or some of the parameters described here on your device's WebUI, you should turn on "Advanced WebUI" mode. You can do that by clicking the "Advanced" button, located at the top of the WebUI.

Networking rutos manual webui basic advanced mode 75.gif

Topology

RUT1 – It will be connected to a RUT2 to be able to reach RUT2 LAN subnet. RUT1 has a LAN subnet of 192.168.3.0/24 and a WAN with private IP.

RUT2 – It will be our remote endpoint for the RUT1 router. RUT2 has a LAN subnet of 192.168.14.0/24 and a WAN with Public IP, which should be reachable by RUT1.

Router configuration

We will start our configuration with RUT1.

To generate certificates via router, you can refer to this link: Generating certificate via router

IPsec RUT1 Config

Make sure that you have your certificates generated both for RUT1 and RUT2 routers.
Login to the router's WebUI and go to System → Services → VPN -> IPsec
Add a new instance with your desired name, in my case I will be using RUT1

Start by configuring the RUT device. Login to the WebUI, navigate to Services → VPN → IPsec and add a new IPsec instance. Configure everything as follows. Note: Not specified fields can be left as is or changed according to your needs.

Instance configuration

Make the following changes:

Enable instance;
Remote endpoint - RUT2 WAN IP;
Authentication method - X.509;
Key - the RUT1.key.pem that you have generated from certificates;
Local certificate - the RUT1.cert.pem that you have generated from certificates;
CA certificate - the CA.cert.pem that you have generated from certificates;
Local identifier – RUT1 LAN IP, which is 192.168.3.1 in this case;
Remote identifier – RUT2 LAN IP, which is 192.168.14.1 in this case

RutOS IPsec tunnel with certificates 7.8 add ipsec config general instnace.png

We will need to add RUT2 certificate in the Advanced settings:

Click on Advanced settings in the IPsec instance section;
Remote certificate - the RUT2.cert.pem that you have generated from certificates;

RutOS IPsec tunnel with certificates 7.8 add ipsec config general instnace advanced.png

Connection general section configuration

Make the following changes:

Mode - Start;
Type - Tunnel;
Local subnet – 192.168.3.0/24;
Remote subnet – 192.168.14.0/24;
Key exchange - IKEv2;

RutOS IPsec tunnel with certificates 7.8 add ipsec config connection.png

Connection advanced section configuration

Make the following changes:

Open Advanced settings;
Enable Force encapsulation;
Enable Local firewall;
Enable Remote firewall;
Inactivity: 3600 - Defines the timeout interval, after which the connection is closed;
Enable Dead peer detection;
DPD action – Restart;

RutOS IPsec tunnel with certificates 7.8 add ipsec config connection advanced.png

Proposal configuration

Important: Both the RUT1 and RUT2 Encryptions must match in order for this configuration to work.

Note: This is only an example of a secure configuration. Other algorithms or even combinations of them could be used. However, we strongly recommend refraining from using older encryption and hashing algorithms unless support for certain legacy systems is required.

Make the following changes:


Encryption - AES256; Authentication - SHA512; DH group - MODP4096; IKE lifetime - 86400s.


Encryption - AES256; Authentication - SHA512; PFS group - MODP4096; Lifetime – 86400s;

IPsec RUT2 Config

Make sure that you have your certificates generated both for RUT1 and RUT2 routers.
Login to the router's WebUI and go to System → Services → VPN -> IPsec
Add a new instance with your desired name, in my case I will be using RUT2

Start by configuring the RUT device. Login to the WebUI, navigate to Services → VPN → IPsec and add a new IPsec instance. Configure everything as follows. Note: Not specified fields can be left as is or changed according to your needs.