This page outlines steps for configuring an IPSec tunnel for a VPN connection to the Logic-5000 modem in the field. This example uses an Ubuntu Server 11.04 running Openswan for the VPN connectivity and illustrates how to establish a secure, encrypted communication between field data devices and internal corporate LANs.

The Logic-5000's IPSec connectivity is not limited to other Openswan servers. Because it uses an open standard for building tunnels, it should be able to communicate with all other devices supporting the standard set of IPSec protocols.

Note: The following instructions are meant only to serve as a guide and do not address any security scenarios whatsoever. Consult with a professional network security specialist for actual implementation.

For a more in-depth article on configuring an IPSec VPN, see here.


1 - Prerequisites

Below are the required components for setting up an IPSec tunnel for this example. The configuration instructions in this document may be used as a guide for configuring the Logic-5000 to connect with other devices including Cisco routers or VPN concentrators.

1.1 - Server Components

The server handles interaction with the modems by accepting connection requests and building tunnels. A successfully connected modem will be able to access network resources on the corporate LAN, and allow the corporate LAN to communicate with the vehicle LAN.

The following is required on the server for this example:

  1. Ubuntu Server 11.04
  2. Two (2) network interface cards (NICs)
  3. Static, publicly routable IP address (assumed to be on the eth0 interface).
  4. Private IP address on the same subnet as the office/corporate LAN (assumed to be on the eth1 interface).
  5. Openswan IPSec Software

1.2 - Vehicle Components

To enable an IPSec connection to the vehicle, only the Logic-5000 cellular router is required along with an active cellular data plan.

Note: The IPSec connection will not work when the cellular data connection is lost. Thus, an IPSec tunnel is not currently supported when the Logic-5000 is operating in WiFi client mode (which causes the default gateway to change to the WiFi connection, from cellular).

2 - Server Configuration

The following instructions assume a fresh installation of Ubuntu has been performed.

2.1 - Update Software

Ensure Ubuntu is up to date by executing the following commands from the command line.

  • Refresh the package lists:

$ sudo apt-get update


  • Upgrade the installed packages:

$ sudo apt-get upgrade

2.2 - Install Openswan

Execute from the command line:

$ sudo apt-get install openswan

Configure Openswan to start at boot time. Note that chkconfig is not installed on Ubuntu by default (it is available as the chkconfig package; the distribution's own tool for this is update-rc.d), and the command needs root privileges:

$ sudo chkconfig ipsec on

Enable IP forwarding by adding the following entry to the /etc/sysctl.conf file:

#
# File: /etc/sysctl.conf
#
#---------------------------------------------------------------
# Enable routing (IP forwarding)
#---------------------------------------------------------------

net.ipv4.ip_forward = 1

Use the sysctl -p command (as root) to activate the settings; it reloads /etc/sysctl.conf, which accepts both the dotted and the slash-separated spelling of the key:

$ sudo sysctl -p

2.3 - Configure IPSec Settings

Configuration of Openswan consists of creating two files, both located in the /etc folder:

  • ipsec.conf - Configuration settings for IPSec, including connection definitions.
  • ipsec.secrets - Preshared key definitions.

2.3.1 - IPSec Connection Settings

Open ipsec.conf in a text editor (the file is owned by root) by typing the following command:

$ sudo nano /etc/ipsec.conf

In this example, we use the following assumptions:

  • Office subnet: 192.168.254.0/24
  • Vehicle subnet: 192.168.1.0/24 (default for Logic-5000 router)
  • Logic-5000 internal IP address: 192.168.1.50
  • External public IP of the eth0 interface on the Ubuntu server is the default route.

Enter the following data into your ipsec.conf file, substituting the appropriate values for your particular network configuration:

# Manual:     ipsec.conf.5

version 2.0

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes

        # *** Exclude office network ***
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.254.0/24

        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off

        # which IPsec stack to use. netkey,klips,mast,auto or none
        protostack=netkey
        nhelpers=0

# Add connections here

# Tunnel 1: Logic-5000 host (right, any public address) <-> office subnet (left).
# This is the counterpart of the "vehicle-office" tunnel entered on the router
# in section 3.1, which has only a Remote Subnet enabled.
conn vehicle-office
        type=tunnel
        auth=esp
        authby=secret          # preshared key from /etc/ipsec.secrets
        auto=add               # load at start-up; the modem initiates the tunnel
        esp=aes                # matches the AES-128 selection on the Logic-5000
        forceencaps=yes        # always UDP-encapsulate ESP, even if no NAT is detected

        left=%defaultroute
        leftsubnet=192.168.254.0/24
        leftsourceip=192.168.254.6

        right=%any

# Tunnel 2: server host (left) <-> vehicle subnet (right).
# This is the counterpart of the "office-vehicle" tunnel entered in section 3.2,
# which has only a Local Subnet enabled.
conn office-vehicle
        type=tunnel
        auth=esp
        authby=secret
        auto=add
        esp=aes

        left=%defaultroute

        right=%any
        rightsubnet=192.168.1.0/24
        rightsourceip=192.168.1.50

Set the value of the preshared key (PSK) for the modems by editing the file /etc/ipsec.secrets with a text editor:

$ sudo nano /etc/ipsec.secrets

Enter the preshared key as follows in the ipsec.secrets file, then save. The PSK keyword after the colon is required; a bare quoted string is not a valid entry. Because the second index is %any, every modem connecting to this server shares this one key, so restrict the file so that only root can read it:

%defaultroute %any : PSK "C4A9A45045AA7C2E33BCE532015DCF"   # Enter your own preshared key value

Once the ipsec.conf and ipsec.secrets files have been modified, restart IPSec with this command:

$ sudo service ipsec restart

If successful, the server should respond with the following lines:

ipsec_setup: Stopping Openswan IPSec...
ipsec_setup: Starting Openswan IPSec U2.6.26/K2.6.35-22-server...
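The two files above are easy to get subtly wrong: the office subnet must appear as an exclusion in virtual_private, and ipsec.secrets must use the "index index : PSK" form with tight permissions. The following is an added example (not part of the original wiki page) that checks both before the restart. Function names and the sample files written by write_sample_conf and write_sample_secrets are constructed for illustration; pass real paths as the two arguments to check a live server.

```shell
#!/bin/sh
# Added example, not from the original page: static checks on the two Openswan
# files from section 2.3 before "service ipsec restart". Paths are passed as
# arguments so the checks can run on copies; write_sample_* produce constructed
# files for illustration only.

# Print the leftsubnet= value of a named conn (empty when the conn has none).
# Arguments: conn name, ipsec.conf path.
conn_leftsubnet() {
    awk -v want="conn $1" '
        /^conn /                       { in_conn = ($0 == want) }
        in_conn && $1 ~ /^leftsubnet=/ { sub(/^leftsubnet=/, "", $1); print $1; exit }
    ' "$2"
}

# Does virtual_private= carry "%v4:!<subnet>"? virtual_private lists the ranges a
# NATed peer may present as its internal address, so the server's own LAN must be
# excluded there (the "*** Exclude office network ***" comment above) or the two
# can overlap. Arguments: subnet in CIDR form, ipsec.conf path.
vp_excludes() {
    vp=$(awk '$1 ~ /^virtual_private=/ { sub(/^virtual_private=/, "", $1); print $1; exit }' "$2")
    case ",$vp," in
        *",%v4:!$1,"*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Combined check for one conn: it has a leftsubnet and that subnet is excluded.
leftsubnet_excluded() {
    sn=$(conn_leftsubnet "$1" "$2")
    [ -n "$sn" ] && vp_excludes "$sn" "$2"
}

# ipsec.secrets: each non-comment line must use the 'index index : PSK "..."'
# form, and the file should be readable by root only (mode 600).
secrets_ok() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Evq ':[[:space:]]*PSK[[:space:]]+"[^"]+"' && return 1
    [ "$(stat -c %a "$1")" = "600" ]
}

# Constructed sample files mirroring the configuration shown in section 2.3.1.
write_sample_conf() {
    cat > "$1" <<'EOF'
version 2.0
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.254.0/24
        protostack=netkey
conn vehicle-office
        authby=secret
        left=%defaultroute
        leftsubnet=192.168.254.0/24
        right=%any
conn office-vehicle
        authby=secret
        left=%defaultroute
        right=%any
        rightsubnet=192.168.1.0/24
EOF
}
write_sample_secrets() {
    printf '%s\n' '# constructed sample' '%defaultroute %any : PSK "replace-with-your-own-key"' > "$1"
    chmod 600 "$1"
}

# One-line verdict per check. Arguments: ipsec.conf path, ipsec.secrets path.
report() {
    for conn in vehicle-office office-vehicle; do
        sn=$(conn_leftsubnet "$conn" "$1")
        if [ -z "$sn" ]; then
            echo "$conn: no leftsubnet (host-only left end), nothing to exclude"
        elif vp_excludes "$sn" "$1"; then
            echo "$conn: leftsubnet $sn is excluded from virtual_private"
        else
            echo "$conn: WARNING add %v4:!$sn to virtual_private"
        fi
    done
    if secrets_ok "$2"; then echo "ipsec.secrets: PSK syntax and mode 600 ok"
    else echo "ipsec.secrets: WARNING check the ': PSK \"...\"' form and chmod 600"; fi
}

conf=${1:-/etc/ipsec.conf}; secrets=${2:-/etc/ipsec.secrets}
if [ -r "$conf" ] && [ -r "$secrets" ]; then report "$conf" "$secrets"; fi
```

Run it as root with no arguments to check the live files, or with two paths to check copies. The checks are deliberately static (no ipsec commands) so they can run before the daemon is restarted.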

2.3.2 - Configure iptables

If running iptables with masquerading/NAT for the VPN devices, then you must exclude packets traversing the tunnel from the NAT operation.

Exclude packets going from the office LAN to the vehicle LAN from masquerading, using the subnets assumed in 2.3.1 (the negation is written before -d; this rule must come before any catch-all MASQUERADE rule, and iptables rules are not persistent across reboots unless saved):

$ sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.254.0/24 ! -d 192.168.1.0/24 -j MASQUERADE

If the Ubuntu server is not the default gateway for internal devices on the office LAN, rewrite the source of packets arriving from the vehicle LAN so that replies go back to the Ubuntu server's eth1 interface instead of the default gateway. Note: This will cause packets inbound from the vehicle LAN to appear as if they are coming from the IP of eth1, the internal facing NIC. Substitute your own eth1 address; the example below uses 192.168.254.6, the leftsourceip from the ipsec.conf above, and limits the rule to the vehicle subnet so that unrelated traffic is not rewritten:

$ sudo iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 192.168.254.6
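Once ipsec has been restarted and the NAT rules are loaded, three things decide whether traffic actually flows: forwarding is on, each conn has an established phase-2 SA, and the MASQUERADE rule really excludes the tunnel. The following is an added example (not part of the original wiki page) that checks all three from saved command output, so the same functions can be run on a live server or on pasted output from a support case. The status and iptables-save samples written by write_sample_status and write_sample_nat are constructed to resemble Openswan 2.6 output, not captured from a real deployment.

```shell
#!/bin/sh
# Added example, not from the original page: runtime checks for the server after
# "service ipsec restart" (section 2.3.1) and the NAT rules of section 2.3.2.
# Every check reads a file, so it can be exercised on saved output; the samples
# below are constructed for illustration.

# Forwarding is on when /proc/sys/net/ipv4/ip_forward reads "1".
# Argument: path to that file (or a saved copy).
ip_forward_enabled() {
    [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# "ipsec auto --status" prints one line per SA. Only a phase-2 (QUICK) SA carries
# "(IPsec SA established)"; the phase-1 line says "ISAKMP SA established", so a
# fixed-string match does not count a peer that never finished phase 2 as up.
# Arguments: conn name, file holding the status output.
sa_established() {
    grep -F "\"$1\"" "$2" | grep -Fq 'IPsec SA established'
}

# Number of established IPsec SAs for a conn; each connected modem appears as
# its own instance: "vehicle-office"[1], "vehicle-office"[2], ...
sa_count() {
    grep -F "\"$1\"" "$2" | grep -Fc 'IPsec SA established' || true
}

# In "iptables-save" output every MASQUERADE rule leaving the public interface
# must carry "! -d <vehicle subnet>"; otherwise office-to-vehicle packets are
# NATed before reaching the tunnel and never match its selectors.
# Arguments: public interface, vehicle subnet, file holding iptables-save output.
masq_excludes_tunnel() {
    grep -E "^-A POSTROUTING .*-o $1 .*-j MASQUERADE" "$3" | grep -Fvq -- "! -d $2" && return 1
    return 0
}

# Constructed samples (Openswan 2.6 style status; iptables-save nat table).
write_sample_status() {
    cat > "$1" <<'EOF'
000 "office-vehicle": 203.0.113.5<203.0.113.5>...%any===192.168.1.0/24; unrouted; eroute owner: #0
000 #1: "vehicle-office"[1] 198.51.100.20:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2140s; newest ISAKMP; idle
000 #2: "vehicle-office"[1] 198.51.100.20:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2543s; newest IPSEC; eroute owner; isakmp#1; idle
000 #4: "vehicle-office"[2] 198.51.100.21:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1820s; newest IPSEC; eroute owner; isakmp#3; idle
EOF
}
write_sample_nat() {
    cat > "$1" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.254.0/24 ! -d 192.168.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j SNAT --to-source 192.168.254.6
COMMIT
EOF
}

# Summarise the state. Arguments: ip_forward file, status file, iptables-save file.
report() {
    if ip_forward_enabled "$1"; then echo "ip_forward: on"; else echo "ip_forward: OFF (sysctl -p not applied?)"; fi
    for conn in vehicle-office office-vehicle; do
        echo "$conn: $(sa_count "$conn" "$2") established IPsec SA(s)"
    done
    if masq_excludes_tunnel eth0 192.168.1.0/24 "$3"; then echo "nat: tunnel traffic excluded from MASQUERADE"
    else echo "nat: WARNING a MASQUERADE rule on eth0 lacks '! -d 192.168.1.0/24'"; fi
}

# Live run only as root with Openswan installed; otherwise nothing runs here.
if [ "$(id -u)" = 0 ] && command -v ipsec >/dev/null 2>&1; then
    st=$(mktemp); nat=$(mktemp)
    ipsec auto --status > "$st" 2>/dev/null || true
    iptables-save -t nat > "$nat" 2>/dev/null || true
    report /proc/sys/net/ipv4/ip_forward "$st" "$nat"
    rm -f "$st" "$nat"
fi
```

A modem that shows an ISAKMP SA but no IPsec SA usually means phase 1 (the preshared key) succeeded and phase 2 (subnet or cipher selection) did not, which narrows the search to the Remote/Local Subnet and Encryption fields of section 3.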

At this point, the server is configured and ready for connections from the Logic-5000. Perform the following steps now to configure the Logic-5000 cellular router.

3 - Logic-5000 Configuration

Log in to the Logic-5000 by entering its IP address in the address bar of your browser and pressing Enter. The Logic-5000 can be accessed by any of the following methods:

  • Remotely using the cellular public IP - Enter the public cellular IP in your address bar followed by port 8080 (ex: http://12.23.45.56:8080)
  • Locally via Ethernet connection - Enter the Ethernet address of the router (ex: http://192.168.1.50 by default)
  • Using WiFi - Enter the WiFi address of the router (ex: http://192.168.2.50 by default)

Once logged in, ensure the cellular connection is up by verifying that the IP address in the upper right side of the screen is something other than n/a:

[Screenshot: Logic-5000 status page with the cellular IP address in the upper right]

Next, browse to the IPSec settings by selecting the Advanced Settings menu item from the left, then the IPSec tab:

[Screenshot: Advanced Settings menu, IPSec tab]

3.1 - Configure Vehicle to Office Tunnel (network 1 to network 2 tunnel)

Enter the following data, substituting the appropriate values for your particular configuration:

  • IPSec - Select Enable.
  • Tunnel no - Enter a unique number to identify this tunnel.
  • Enabled - Select this checkbox to automatically bring up the tunnel once the settings are saved.
  • Label - Enter a label that makes sense to you. In this case we use vehicle-office, which indicates this is the vehicle to office tunnel.
  • Remote IP Address - Enter the external, publicly routable IP address of the Ubuntu server. This should be the same IP as the eth0 adapter.
  • Remote Subnet - Ensure the Enabled checkbox is selected and enter the internal subnet of your Ubuntu server. This tells the Logic-5000 to protect addresses on this subnet by the IPSec tunnel.
  • Local Subnet - Leave unchecked.
  • Encryption - Select AES-128 (should match the settings of the /etc/ipsec.conf file on the Ubuntu server).
  • Pre-shared Key - Enter the value of the key specified in the /etc/ipsec.secrets file on the Ubuntu server.

[Screenshot: vehicle-office tunnel settings]

3.2 - Configure Office to Vehicle Tunnel (network 2 to network 1 tunnel)

  • Tunnel no - Enter an unused, unique number to identify this tunnel.
  • Enabled - Select this checkbox to automatically bring up the tunnel once the settings are saved.
  • Label - Enter a label describing this tunnel. Here we use office-vehicle to indicate this is the tunnel from the office to the vehicle network.
  • Remote IP Address - Enter the external, publicly routable IP address of the Ubuntu server. This should be the same IP as the eth0 adapter.
  • Remote Subnet - Leave blank and uncheck the Enabled checkbox.
  • Local Subnet - Select the Enabled checkbox.
  • Encryption - Select AES-128 (must match the settings of the /etc/ipsec.conf file on the Ubuntu server).
  • Pre-shared Key - Enter the value specified in the /etc/ipsec.secrets file on the Ubuntu server.

[Screenshot: office-vehicle tunnel settings]
