This page outlines steps for configuring an IPSec tunnel for a VPN connection to the Logic-5000 modem in the field. This example uses an Ubuntu Server 11.04 running Openswan for the VPN connectivity and illustrates how to establish a secure, encrypted communication between field data devices and internal corporate LANs.
The Logic-5000's IPSec connectivity is not limited to other Openswan servers. Because it uses an open standard for building tunnels, it should be able to communicate with all other devices supporting the standard set of IPSec protocols.
Note: The following instructions are meant only to serve as a guide and do not address any security scenarios whatsoever. Consult with a professional network security specialist for actual implementation.
For a more in-depth article on configuring an IPSec VPN, see here.
1 - Prerequisites
Below are the required components for setting up an IPSec tunnel for this example. The configuration instructions in this document may be used as a guide for configuring the Logic-5000 to connect with other devices including Cisco routers or VPN concentrators.
1.1 - Server Components
The server handles interaction with the modems by accepting connection requests and building tunnels. A successfully connected modem will be able to access network resources on the corporate LAN, and allow the corporate LAN to communicate with the vehicle LAN.
The following is required on the server for this example:
- Ubuntu Server 11.04
- Two (2) network interface cards (NICs)
- Static, publicly routable IP address (assumed to be on the eth0 interface).
- Private IP address on the same subnet as the office/corporate LAN (assumed to be on the eth1 interface).
- Openswan IPSec Software
1.2 - Vehicle Components
To enable an IPSec connection to the vehicle, only the Logic-5000 cellular router is required along with an active cellular data plan.
Note: The IPSec connection will not work when the cellular data connection is lost. Thus, an IPSec tunnel is not currently supported when the Logic-5000 is operating in WiFi client mode (which changes the default gateway from the cellular connection to the WiFi connection).
2 - Server Configuration
The following instructions assume a fresh installation of Ubuntu has been performed.
2.1 - Update Software
Ensure Ubuntu is up to date by executing the following commands from the command line.
- Refresh the package list and upgrade the installed packages:
$ sudo apt-get update
$ sudo apt-get upgrade
2.2 - Install Openswan
Execute from the command line:
$ sudo apt-get install openswan
Configure Openswan to start at boot time:
$ sudo chkconfig ipsec on
Enable IP forwarding by adding the following entry to the /etc/sysctl.conf file:
#
# File: /etc/sysctl.conf
#
#---------------------------------------------------------------
# Enable routing (IP forwarding)
#---------------------------------------------------------------
net/ipv4/ip_forward = 1
Use the sysctl -p command to activate the settings:
$ sudo sysctl -p
2.3 - Configure IPSec Settings
Configuration of Openswan consists of creating two files, both located in the /etc folder:
- ipsec.conf - Configuration settings for IPSec, including connection definitions.
- ipsec.secrets - Preshared key definitions.
2.3.1 - IPSec Connection Settings
Open ipsec.conf in a text editor by typing the following command:
$ sudo nano /etc/ipsec.conf
In this example, we use the following assumptions:
- Office subnet: 192.168.254.0/24
- Vehicle subnet: 192.168.1.0/24 (default for Logic-5000 router)
- Logic-5000 internal IP address: 192.168.1.50
- The eth0 interface on the Ubuntu server holds the external public IP address and carries the default route (so %defaultroute in ipsec.conf resolves to it).
Enter the following data into your ipsec.conf file, substituting the appropriate values for your particular network configuration. Note that Openswan requires every parameter line inside a config or conn section to be indented; only the section headers start in column one.
# Manual: ipsec.conf.5
version 2.0
# basic configuration
config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    #
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    #
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # *** Exclude office network ***
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.254.0/24
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. netkey,klips,mast,auto or none
    protostack=netkey
    nhelpers=0
# Add connections here
# Vehicle -> office tunnel (matches the "vehicle-office" tunnel defined on the Logic-5000)
conn vehicle-office
    type=tunnel
    auth=esp
    authby=secret
    auto=add
    esp=aes
    forceencaps=yes
    left=%defaultroute
    leftsubnet=192.168.254.0/24
    leftsourceip=192.168.254.6
    right=%any
# Office -> vehicle tunnel (matches the "office-vehicle" tunnel defined on the Logic-5000)
conn office-vehicle
    type=tunnel
    auth=esp
    authby=secret
    auto=add
    esp=aes
    left=%defaultroute
    right=%any
    rightsubnet=192.168.1.0/24
    rightsourceip=192.168.1.50
Set the value of the preshared key (PSK) for the modems by editing the file /etc/ipsec.secrets with a text editor:
$ sudo nano /etc/ipsec.secrets
Enter the preshared key as follows in the ipsec.secrets file (the PSK keyword between the colon and the quoted key is required), then save:
%defaultroute %any: PSK "C4A9A45045AA7C2E33BCE532015DCF" # Enter your own preshared key value
Once the ipsec.conf and ipsec.secrets files have been modified, restart IPSec with this command:
$ sudo service ipsec restart
If successful, the server should respond with the following lines:
ipsec_setup: Stopping Openswan IPSec...
ipsec_setup: Starting Openswan IPSec U2.6.26/K2.6.35-22-server...
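Several of the mistakes that keep the tunnel above from coming up are silent at edit time: an unindented parameter line in ipsec.conf, a leftsubnet that is not excluded from virtual_private, or an ipsec.secrets line without the PSK keyword. The following checker, added here as an example and not part of Openswan or the Logic-5000 tooling, parses a constructed ipsec.conf and ipsec.secrets pair modelled on this page's configuration and reports those inconsistencies before the service is restarted.

```python
import re

# One ipsec.secrets PSK entry, e.g.  %defaultroute %any: PSK "key"  # comment
SECRET_RE = re.compile(r'^\s*[^:#]+?\s*:\s*PSK\s+"[^"]+"\s*(#.*)?$')
# Constructed sample modelled on this page's configuration (not a real deployment)
SAMPLE_CONF = """version 2.0
config setup
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:!192.168.254.0/24
conn vehicle-office
    authby=secret
    leftsubnet=192.168.254.0/24
"""
SAMPLE_SECRETS = '%defaultroute %any: PSK "EXAMPLE-KEY-REPLACE-ME"  # placeholder\n'

def parse_ipsec_conf(text):
    """Return (sections, errors); sections maps (kind, name) -> {param: value}.
    Openswan requires parameter lines to be indented under a section header,
    so an unindented key=value line is collected in errors instead."""
    sections, errors, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        words = line.split()
        if line[0] not in ' \t':                 # header, 'version', or a mistake
            if words[0] in ('config', 'conn') and len(words) == 2:
                current = (words[0], words[1])
                sections[current] = {}
            elif words[0] != 'version':
                errors.append(line.strip())
        elif current is not None and '=' in line:
            key, value = line.strip().split('=', 1)
            sections[current][key.strip()] = value.strip()
    return sections, errors

def check_config(conf_text, secrets_text):
    """Return a list of findings for the pair; an empty list means consistent."""
    sections, errors = parse_ipsec_conf(conf_text)
    findings = [f"ipsec.conf: parameter must be indented: {e!r}" for e in errors]
    setup = sections.get(('config', 'setup'), {})
    excluded = {t[5:] for t in setup.get('virtual_private', '').split(',') if t.startswith('%v4:!')}
    lines = [l for l in secrets_text.splitlines() if l.strip() and not l.lstrip().startswith('#')]
    bad = [l.strip() for l in lines if not SECRET_RE.match(l)]
    findings += [f"ipsec.secrets: expected '<ids> : PSK \"key\"', got {l!r}" for l in bad]
    for (kind, name), p in sections.items():
        if kind == 'conn' and p.get('leftsubnet') and p['leftsubnet'] not in excluded:
            findings.append(f"conn {name}: add %v4:!{p['leftsubnet']} to virtual_private")
        if kind == 'conn' and p.get('authby') == 'secret' and len(bad) == len(lines):
            findings.append(f"conn {name}: authby=secret but no valid PSK line in ipsec.secrets")
    return findings
```

Run check_config on the real /etc/ipsec.conf and /etc/ipsec.secrets contents before restarting the service; an empty result means the three checks passed.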
2.3.2 - Configure iptables
If running iptables with masquerading/NAT for the VPN devices, then you must exclude packets traversing the tunnel from the NAT operation.
Masquerade office LAN (192.168.254.0/24) traffic leaving eth0, except traffic destined for the vehicle LAN (192.168.1.0/24), which must keep its original source address so that it still matches the tunnel policy:
$ sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.254.0/24 ! -d 192.168.1.0/24 -j MASQUERADE
If the Ubuntu server is not the default gateway for internal devices on the office LAN, rewrite the source address of packets arriving from the vehicle LAN so that office devices send their replies back to the Ubuntu server's eth1 interface instead of to their default gateway.
Note: This will cause packets inbound from the vehicle LAN to appear as if they are coming from the IP of eth1, the internal-facing NIC (192.168.254.6 in this example, the address used for leftsourceip in ipsec.conf).
$ sudo iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 192.168.254.6
At this point, the server is configured and ready for connections from the Logic-5000. Perform the following steps now to configure the Logic-5000 cellular router.
3 - Logic-5000 Configuration
Log in to the Logic-5000 by entering its IP address in the address bar of your browser and pressing Enter. The Logic-5000 can be accessed by any of the following methods:
- Remotely using the public cellular IP - Enter the public cellular IP in your address bar followed by port 8080 (ex: http://12.23.45.56:8080)
- Locally via ethernet connection - Enter the ethernet address of the router (ex: http://192.168.1.50 by default)
- Using WiFi - Enter the WiFi address of the router (ex: http://192.168.2.50 by default)
Once logged in, ensure the cellular connection is up by verifying that the IP address in the upper right side of the screen is something other than n/a.
Next, browse to the IPSec settings by selecting the Advanced Settings menu item from the left, then the IPSec tab.
3.1 - Configure Vehicle to Office Tunnel (network 1 to network 2 tunnel)
Enter the following data, substituting the appropriate values for your particular configuration:
- IPSec - Select Enable.
- Tunnel no - Enter a unique number to identify this tunnel.
- Enabled - Select this checkbox to automatically bring up the tunnel once the settings are saved.
- Label - Enter a label that makes sense to you. In this case we use vehicle-office which indicates this is the vehicle to office network.
- Remote IP Address - Enter the external, publicly routable IP address of the Ubuntu server. This should be the same IP as the eth0 adapter.
- Remote Subnet - Ensure the Enabled checkbox is selected and enter the internal subnet of your Ubuntu server. This tells the Logic-5000 to protect addresses on this subnet by the IPSec tunnel.
- Local Subnet - Leave unchecked.
- Encryption - Select AES-128 (should match the settings of the /etc/ipsec.conf file on the Ubuntu server).
- Pre-shared Key - Enter the value of the key specified in the /etc/ipsec.secrets file on the Ubuntu server.
3.2 - Configure Office to Vehicle Tunnel (network 2 to network 1 tunnel)
- Tunnel no - Enter an unused, unique number to identify this tunnel.
- Enabled - Select this checkbox to automatically bring up the tunnel once the settings are saved.
- Label - Enter a label describing this tunnel. Here we use office-vehicle to indicate this is the tunnel from the office to the vehicle network.
- Remote IP Address - Enter the external, publicly routable IP address of the Ubuntu server. This should be the same IP as the eth0 adapter.
- Remote Subnet - Leave blank and uncheck the Enabled checkbox.
- Local Subnet - Select the Enabled checkbox.
- Encryption - Select AES-128 (must match the settings of the /etc/ipsec.conf file on the Ubuntu server).
- Pre-shared Key - Enter the value specified in the /etc/ipsec.secrets file on the Ubuntu server.