IPSec Configuration
This page outlines the steps for configuring an IPSec tunnel for a VPN connection to the Logic-5000 modem in the field. This example uses an Ubuntu Server 11.04 running Openswan for the VPN connectivity and illustrates how to establish secure, encrypted communication between field data devices and internal corporate LANs. The Logic-5000's IPSec connectivity is not limited to other Openswan servers: because it uses an open standard for building tunnels, it should be able to communicate with any other device supporting the standard set of IPSec protocols.

'''Note: ''' The following instructions are meant only to serve as a guide and do not address any security scenarios whatsoever. Consult with a professional network security specialist for actual implementation.

For a more in-depth article on configuring an IPSec VPN, [http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch35_:_Configuring_Linux_VPNs|see here].

{toc}

==1 - Prerequisites==
Below are the required components for setting up an IPSec tunnel for this example. The configuration instructions in this document may also be used as a guide for configuring the Logic-5000 to connect with other devices, including Cisco routers or VPN concentrators.

===1.1 - Server Components===
The server handles interaction with the modems by accepting connection requests and building tunnels. A successfully connected modem will be able to access network resources on the corporate LAN, and the corporate LAN will be able to communicate with the vehicle LAN. The following is required on the server for this example:
# [www.ubuntu.com|Ubuntu Server] 11.04
# Two (2) network interface cards (NICs)
# Static, publicly routable IP address (assumed to be on the '''eth0''' interface)
# Private IP address on the same subnet as the office/corporate LAN (assumed to be on the '''eth1''' interface)
# [http://www.openswan.org|Openswan] IPSec software

===1.2 - Vehicle Components===
To enable an IPSec connection to the vehicle, only the Logic-5000 cellular router is required, along with an active cellular data plan.

'''Note: ''' The IPSec connection ''will not'' work when the cellular data connection is lost. Thus, an IPSec tunnel is not currently supported when the Logic-5000 is operating in WiFi client mode (which changes the default gateway from the cellular connection to the WiFi connection).

==2 - Server Configuration==
The following instructions assume a fresh installation of Ubuntu has been performed.

===2.1 - Update Software===
Ensure Ubuntu is up to date by executing the following commands from the command line.
* Get the updated software list: @@$ sudo apt-get update@@
* Update software: @@$ sudo apt-get upgrade@@

===2.2 - Install Openswan===
Execute from the command line:
@@$ sudo apt-get install openswan@@
Configure Openswan to start at boot time:
@@$ sudo chkconfig ipsec on@@
Enable IP forwarding by adding the following entry to the /etc/sysctl.conf file:
@@
#
# File: /etc/sysctl.conf
#
#---------------------------------------------------------------
# Enable routing (IP forwarding)
#---------------------------------------------------------------
net/ipv4/ip_forward = 1
@@
Use the sysctl -p command to activate the settings:
@@$ sudo sysctl -p@@

===2.3 - Configure IPSec Settings===
Configuration of Openswan consists of creating two files, both located in the /etc folder:
* '''ipsec.conf''' - Configuration settings for IPSec, including connection definitions.
* '''ipsec.secrets''' - Preshared key definitions.
====2.3.1 - IPSec Connection Settings====
Open ipsec.conf in a text editor by typing the following command:
@@$ sudo nano /etc/ipsec.conf@@
In this example, we use the following assumptions:
* Office subnet: '''192.168.254.0/24'''
* Vehicle subnet: '''192.168.1.0/24''' (default for the Logic-5000 router)
* Logic-5000 internal IP address: '''192.168.1.50'''
* The external public IP of the '''eth0''' interface on the Ubuntu server is the default route.
Enter the following data into your ipsec.conf file, substituting the appropriate values for your particular network configuration:
@@
# Manual: ipsec.conf.5
version 2.0

# basic configuration
config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    #
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    #
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # *** Exclude office network ***
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.254.0/24
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. netkey,klips,mast,auto or none
    protostack=netkey
    nhelpers=0

# Add connections here
conn vehicle-office
    type=tunnel
    auth=esp
    authby=secret
    auto=add
    esp=aes
    forceencaps=yes
    left=%defaultroute
    leftsubnet=192.168.254.0/24
    leftsourceip=192.168.254.6
    right=%any

conn office-vehicle
    type=tunnel
    auth=esp
    authby=secret
    auto=add
    esp=aes
    left=%defaultroute
    right=%any
    rightsubnet=192.168.1.0/24
    rightsourceip=192.168.1.50
@@
Set the value of the preshared key (PSK) for the modems by editing the file '''/etc/ipsec.secrets''' with a text editor:
@@$ sudo nano /etc/ipsec.secrets@@
Enter the preshared key as follows in the '''ipsec.secrets''' file (Openswan requires the ''PSK'' keyword between the colon and the quoted key), then save:
@@
# Format: <left id> <right id> : PSK "<key>"
# Enter your own preshared key value
%defaultroute %any : PSK "C4A9A45045AA7C2E33BCE532015DCF"
@@
Once the '''ipsec.conf''' and '''ipsec.secrets''' files have been modified, restart IPSec with this command:
@@$ sudo service ipsec restart@@
If successful, the server should respond with the following lines:
@@
ipsec_setup: Stopping Openswan IPSec...
ipsec_setup: Starting Openswan IPSec U2.6.26/K2.6.35-22-server...
@@

====2.3.2 - Configure iptables====
If running iptables with masquerading/NAT for the VPN devices, then you must exclude packets traversing the tunnel from the NAT operation.

Exclude packets going from the office LAN to the vehicle LAN (substitute the source and destination subnets of your own network; the addresses shown are example values):
@@
$ sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -d \! 10.0.1.0/24 -j MASQUERADE
@@
If the Ubuntu server is not the default gateway for internal devices on the office LAN, configure packets to respond back to the Ubuntu server's '''eth1''' interface instead of the default gateway (substituting the IP address of your '''eth1''' interface).

'''Note: ''' This will cause packets inbound from the vehicle LAN to appear as if they are coming from the IP of '''eth1''', the internal-facing NIC.
@@
$ sudo iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.244
@@
At this point, the server is configured and ready for connections from the Logic-5000. Perform the following steps now to configure the Logic-5000 cellular router.
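Before restarting IPSec it is worth checking the three server-side files for the mistakes that most often keep a tunnel down. The POSIX shell script below is an added example and is not code from this wiki page or from the Logic-5000 vendor. It writes constructed copies of ipsec.conf, ipsec.secrets and the sysctl entry (using the subnets and key from the sections above) into a temporary directory, then verifies that every conn authenticates with a preshared key and names an ESP transform, that the office subnet is excluded from virtual_private, that ipsec.secrets is root-only and uses the @@: PSK "..."@@ form, and that IP forwarding is enabled. The temporary paths, the @@check_*@@ function names and the 20-character minimum key length are this example's own assumptions, not Openswan requirements.

```sh
#!/bin/sh
# Pre-flight checks for the Openswan files configured above.
# Added example: not from the wiki page or the Logic-5000 vendor.
# The sample files below are constructed copies of the page's settings so the
# script runs offline; on a real server point the functions at /etc/ipsec.conf,
# /etc/ipsec.secrets and /etc/sysctl.conf instead.

WORK="${TMPDIR:-/tmp}/ipsec-check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed ipsec.conf with the page's two connection definitions.
cat > "$WORK/ipsec.conf" <<'EOF'
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.254.0/24
    oe=off
    protostack=netkey

conn vehicle-office
    type=tunnel
    authby=secret
    auto=add
    esp=aes
    left=%defaultroute
    leftsubnet=192.168.254.0/24
    right=%any

conn office-vehicle
    type=tunnel
    authby=secret
    auto=add
    esp=aes
    left=%defaultroute
    right=%any
    rightsubnet=192.168.1.0/24
EOF

# Constructed ipsec.secrets in the form Openswan expects (note the PSK keyword).
cat > "$WORK/ipsec.secrets" <<'EOF'
%defaultroute %any : PSK "C4A9A45045AA7C2E33BCE532015DCF"
EOF
chmod 600 "$WORK/ipsec.secrets"

# Constructed sysctl.conf fragment from section 2.2.
printf 'net/ipv4/ip_forward = 1\n' > "$WORK/sysctl.conf"

# conn_value FILE CONN KEY: print KEY's value inside "conn CONN" (empty if absent).
conn_value() {
    awk -v conn="conn $2" -v key="$3" '
        /^conn /                              { in_conn = ($0 == conn); next }
        in_conn && $0 ~ ("^[ \t]*" key "=")   { sub(/^[ \t]*[^=]*=/, ""); print; exit }
    ' "$1"
}

# check_conns FILE: succeed only if every conn authenticates with a preshared
# key (authby=secret) and names an ESP transform instead of relying on defaults.
check_conns() {
    conns_failed=0
    for c in $(awk '/^conn /{print $2}' "$1"); do
        [ "$(conn_value "$1" "$c" authby)" = "secret" ] ||
            { echo "conn $c: authby is not secret"; conns_failed=1; }
        [ -n "$(conn_value "$1" "$c" esp)" ] ||
            { echo "conn $c: no esp= transform set"; conns_failed=1; }
    done
    return $conns_failed
}

# check_virtual_private FILE CONN: succeed if CONN's leftsubnet (the office LAN)
# is excluded from virtual_private with a %v4:! entry, as the page's config does.
check_virtual_private() {
    subnet=$(conn_value "$1" "$2" leftsubnet)
    [ -n "$subnet" ] && grep -q "virtual_private=.*%v4:!$subnet" "$1"
}

# check_secrets FILE: succeed if FILE is mode 600 and every non-comment line
# uses the ': PSK "..."' form with a key of at least MIN_KEY_LEN characters
# (20 is this example's threshold, not an Openswan requirement). Keys are never
# echoed, only line numbers.
MIN_KEY_LEN=20
check_secrets() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ] || { echo "$1: mode $mode, expected 600"; return 1; }
    awk -v min="$MIN_KEY_LEN" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        !/ : PSK "[^"]+"/ { bad++; print "line " NR ": not of the form <ids> : PSK \"key\""; next }
        { match($0, /PSK "[^"]+"/)               # RLENGTH includes PSK " and the closing quote
          if (RLENGTH - 6 < min) { bad++; print "line " NR ": key shorter than " min " characters" } }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# check_ip_forward FILE: succeed if IP forwarding is enabled (slash or dot key form).
check_ip_forward() {
    grep -Eq '^[[:space:]]*net[/.]ipv4[/.]ip_forward[[:space:]]*=[[:space:]]*1' "$1"
}

# run_checks DIR: run every check against the files in DIR; return the failure count.
run_checks() {
    failed=0
    check_conns "$1/ipsec.conf"                          || failed=$((failed + 1))
    check_virtual_private "$1/ipsec.conf" vehicle-office || failed=$((failed + 1))
    check_secrets "$1/ipsec.secrets"                     || failed=$((failed + 1))
    check_ip_forward "$1/sysctl.conf"                    || failed=$((failed + 1))
    return $failed
}

run_checks "$WORK" && echo "all checks passed"
```

The script complements, rather than replaces, Openswan's own @@ipsec verify@@ command: that tool checks the kernel and daemon state, while these functions catch file-level mistakes (a secrets line without the ''PSK'' keyword, a world-readable secrets file, a forgotten ip_forward entry) before the service is restarted.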
==3 - Logic-5000 Configuration==
Log in to the Logic-5000 by entering its IP address in the address bar of your browser and pressing Enter. The Logic-5000 can be accessed by any of the following methods:
* '''Remotely using the cellular public IP''' - Enter the public cellular IP in your address bar followed by port 8080 (ex: ''http://12.23.45.56:8080'')
* '''Locally via Ethernet connection''' - Enter the Ethernet address of the router (ex: ''http://192.168.1.50'' by default)
* '''Using WiFi''' - Enter the WiFi address of the router (ex: ''http://192.168.2.50'' by default)
Once logged in, ensure the cellular connection is up by verifying that the IP address in the upper right side of the screen is something other than '''n/a''':
[imageauto||{UP}/ipsec/home.png]
Next, browse to the IPSec settings by selecting the '''Advanced Settings''' menu item on the left, then the '''IPSec''' tab:
[imageauto||{UP}/ipsec/ipsec-empty.png]

===3.1 - Configure Vehicle to Office Tunnel (network 1 to network 2 tunnel)===
Enter the following data, substituting the appropriate values for your particular configuration:
* '''IPSec''' - Select ''Enable''.
* '''Tunnel no''' - Enter a unique number to identify this tunnel.
* '''Enabled''' - Select this checkbox to automatically bring up the tunnel once the settings are saved.
* '''Label''' - Enter a label that makes sense to you. In this case we use ''vehicle-office'', which indicates this is the vehicle-to-office tunnel.
* '''Remote IP Address''' - Enter the external, publicly routable IP address of the Ubuntu server. This should be the same IP as the '''eth0''' adapter.
* '''Remote Subnet''' - Ensure the ''Enabled'' checkbox is selected and enter the internal subnet of your Ubuntu server. This tells the Logic-5000 to protect addresses on this subnet with the IPSec tunnel.
* '''Local Subnet''' - Leave unchecked.
* '''Encryption''' - Select AES-128 (should match the settings of the '''/etc/ipsec.conf''' file on the Ubuntu server).
* '''Pre-shared Key''' - Enter the value of the key specified in the '''/etc/ipsec.secrets''' file on the Ubuntu server.
[imageauto||{UP}/ipsec/vehicle-office.png]

===3.2 - Configure Office to Vehicle Tunnel (network 2 to network 1 tunnel)===
* '''Tunnel no''' - Enter an unused, unique number to identify this tunnel.
* '''Enabled''' - Select this checkbox to automatically bring up the tunnel once the settings are saved.
* '''Label''' - Enter a label describing this tunnel. Here we use ''office-vehicle'' to indicate this is the tunnel from the office to the vehicle network.
* '''Remote IP Address''' - Enter the external, publicly routable IP address of the Ubuntu server. This should be the same IP as the '''eth0''' adapter.
* '''Remote Subnet''' - Leave blank and uncheck the ''Enabled'' checkbox.
* '''Local Subnet''' - Select the ''Enabled'' checkbox.
* '''Encryption''' - Select AES-128 (must match the settings of the '''/etc/ipsec.conf''' file on the Ubuntu server).
* '''Pre-shared Key''' - Enter the value specified in the '''/etc/ipsec.secrets''' file on the Ubuntu server.
[imageauto||{UP}/ipsec/office-vehicle.png]