RuggedCom RX1000 Network Router User Manual

Chapter 15 - Configuring IPsec VPN
Generate X.509 Certificates
Use the authority to produce a certificate authority public certificate (cacert), a
certificate for each client and a certificate for the router. The certificate
authority requires some information that is shared by all certificates (e.g. a
Country Name (C), a State or Province Name (ST), an Organization Name (O)) and
some per-client information (e.g. a Common Name (CN) and an Email address (E)).
Together this information forms the Distinguished Name (DN), which the router and
client use to identify and validate each other. Only the cacert is distributed; the
authority's private key stays with the authority and is never copied to the router
or to a client.
VPN Networking Parameters
The first step is to identify the key parameters required. The router's public gateway
identity (here vpn@xyz.com) and its gateway interface (w1ppp) must be known, as must
the local network subnet (10.0.0.0/8) and each client's internal network address
(here 10.0.1.1). All client addresses should be assigned from a subnet of the local
network (e.g. 10.0.1.0/24). A set of encryption parameters must be agreed upon,
depending on the clients' capabilities. Avoid 3DES where possible: it has high
overhead and is no longer recommended for new deployments; prefer AES where the
client supports it.
Client Configuration
Depending upon the client, you may be required to produce the certificate in PKCS#12
(P12) format, and may be required to protect it with an "export" password as well.
The personnel who configure the client must know this password in order to import
the certificate. Because the P12 bundle contains the client's private key, protect
both the bundle and its export password in transit and delete the bundle from
removable media once it has been imported.
Install the client IPsec software and import the cacert and the client's own
certificate and key. Configure the client with the router's public gateway, the
client's internal network address and the agreed encryption parameters. At this point
the client should be able to ping the public gateway over its Internet connection.
Router IPSec Configuration
Transfer the cacert and the router's certificate to the router. If your authority
produces a Certificate Revocation List (CRL), transfer that as well.
The cacert file should be renamed cacert.pem and installed in /etc/ipsec.d/cacerts/.
The CRL file should be renamed crl.pem and installed in /etc/ipsec.d/crls/.
The router's certificate must be installed in /etc/ipsec.d/certs/. Its private key
file (e.g. router.key), not its public key, must be installed in
/etc/ipsec.d/private/, and a line ': RSA router.key "Password"' (where Password is
the passphrase that protects the private key, i.e. the one entered when the key and
certificate were generated) must be appended to /etc/ipsec.secrets. Both the private
key file and /etc/ipsec.secrets contain secrets and should be readable by root only.
Note: The Maintenance Menu, Upload/Download Files sub-menu provides a method to
transfer the files directly to the indicated directories.
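The certificate generation described under Generate X.509 Certificates, the P12 export under Client Configuration and the file placement above can all be carried out with OpenSSL on an administrator's workstation. The following script is an added example, not taken from this manual or from RuggedCom: it builds a CA, a router certificate and one client certificate carrying the DN fields named above, exports the client as a P12 bundle locked with an export password, and stages the router's files in an /etc/ipsec.d-style tree under a scratch root so that nothing touches a live system. The DN values, the names vpn.xyz.com and client1, the passphrases routerpass, clientpass, capass and exportpass, the scratch directory and the omission of CRL generation are assumptions; the directory layout and the ipsec.secrets line follow the manual.

```shell
#!/bin/sh
# Added example, not part of the RuggedCom manual. Builds the certificate set the
# chapter describes with OpenSSL and stages the router files under a scratch root.
# DN values, host names, passphrases and file names below are assumptions.
set -eu

DN_BASE="/C=CA/ST=Ontario/O=XYZ Corp"   # fields shared by every certificate (assumed)
CA_PASS=capass                           # protects the CA private key (assumed)
CA_DAYS=3650
CERT_DAYS=365

# make_ca DIR: self-signed CA certificate (cacert.pem) and passphrase-protected key.
# ca.key stays with the authority; only cacert.pem is ever distributed.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days "$CA_DAYS" \
    -passout "pass:$CA_PASS" -subj "$DN_BASE/CN=XYZ VPN CA" \
    -keyout "$1/ca.key" -out "$1/cacert.pem" 2>/dev/null
}

# issue_cert DIR NAME CN EMAIL PASS: per-entity private key encrypted with PASS, and a
# certificate with the shared DN fields plus CN and emailAddress, signed by the CA.
issue_cert() {
  dir=$1; name=$2; cn=$3; email=$4; pass=$5
  openssl req -new -newkey rsa:2048 -sha256 -passout "pass:$pass" \
    -subj "$DN_BASE/CN=$cn/emailAddress=$email" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$name.csr" -days "$CERT_DAYS" -sha256 \
    -CA "$dir/cacert.pem" -CAkey "$dir/ca.key" -passin "pass:$CA_PASS" \
    -CAcreateserial -out "$dir/$name.pem" 2>/dev/null
}

# export_p12 DIR NAME KEYPASS EXPORTPASS: the client certificate, its private key and
# the cacert in one PKCS#12 file, locked with the export password the installer needs.
export_p12() {
  openssl pkcs12 -export -in "$1/$2.pem" -inkey "$1/$2.key" -passin "pass:$3" \
    -certfile "$1/cacert.pem" -name "$2" -out "$1/$2.p12" -passout "pass:$4"
}

# stage_router DIR ROOT PASS: copy cacert, router certificate and router private key
# to the locations the manual gives (relative to ROOT) and append the secrets line.
stage_router() {
  dir=$1; root=$2; pass=$3
  for d in cacerts certs private crls; do mkdir -p "$root/etc/ipsec.d/$d"; done
  cp "$dir/cacert.pem" "$root/etc/ipsec.d/cacerts/cacert.pem"
  cp "$dir/router.pem" "$root/etc/ipsec.d/certs/router.pem"
  cp "$dir/router.key" "$root/etc/ipsec.d/private/router.key"
  printf ': RSA router.key "%s"\n' "$pass" >> "$root/etc/ipsec.secrets"
  chmod 600 "$root/etc/ipsec.d/private/router.key" "$root/etc/ipsec.secrets"
}

# verify_cert DIR CERT: succeeds only if CERT chains to DIR/cacert.pem.
verify_cert() {
  openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1
}

# key_is_encrypted FILE: a private key must never be written out in the clear.
key_is_encrypted() {
  grep -q ENCRYPTED "$1"
}

# run_demo DIR: the whole procedure for one router and one client; each step is a
# separate command so that set -e aborts on the first failure.
run_demo() {
  make_ca "$1"
  issue_cert "$1" router  vpn.xyz.com     vpn@xyz.com     routerpass
  issue_cert "$1" client1 client1.xyz.com client1@xyz.com clientpass
  export_p12 "$1" client1 clientpass exportpass
  stage_router "$1" "$1/root" routerpass
  verify_cert "$1" "$1/router.pem"
  verify_cert "$1" "$1/client1.pem"
  key_is_encrypted "$1/root/etc/ipsec.d/private/router.key"
}

run_demo "$(mktemp -d)"
```

The script writes into a fresh temporary directory and exits non-zero at the first failing step. Recent OpenSSL releases write encrypted keys in PKCS#8 form (a PEM block labelled ENCRYPTED PRIVATE KEY); if the router's IPsec stack only accepts the traditional RSA PRIVATE KEY form, convert router.key with the openssl rsa command before installing it (on OpenSSL 3 the -traditional option selects that form).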
Enable IPsec from the Bootup and Shutdown menu. Visit the IPsec VPN menu and
generate a public key.
Visit the Server Configuration menu and associate the ipsec0 interface with the
interface on which client connections will arrive (here w1ppp).
Create a connection for the clients. Set the parameters as follows: