IPSec Configuration

Modified on 2011/05/02 10:09 by Administrator — Categorized as: Configuration, Deployment, Modems, Network, Setup

This page outlines steps for configuring an IPSec tunnel for a VPN connection to the Logic-5000 modem in the field. This example uses an Ubuntu Server 11.04 running Openswan for the VPN connectivity and illustrates how to establish a secure, encrypted communication between field data devices and internal corporate LANs.

The Logic-5000's IPSec connectivity is not limited to other Openswan servers. Because it uses an open standard for building tunnels, it should be able to communicate with all other devices supporting the standard set of IPSec protocols.

Note: The following instructions are meant only to serve as a guide and do not address any security scenarios whatsoever. Consult with a professional network security specialist for actual implementation.

For a more in depth article on configuring an IPSec VPN, see here.

1 - Prerequisites

Below are the required components for setting up an IPSec tunnel for this example. The configuration instructions in this document may be used as a guide for configuring the Logic-5000 to connect with other devices including Cisco routers or VPN concentrators.

1.1 - Server Components

The server handles interaction with the modems by accepting connection requests and building tunnels. A successfully connected modem will be able to access network resources on the corporate LAN, and allow the corporate LAN to communicate with the vehicle LAN.

The following is required on the server for this example:

  1. Ubuntu Server 11.04
  2. Two (2) network interface cards (NICs)
  3. Static, public routeable IP address (assumed to be on eth0 interface).
  4. Private IP address on same subnet as office/corporate LAN (assumed to be on eth1 interface).
  5. Openswan IPSec Software

1.2 - Vehicle Components

To enable an IPSec connection to the vehicle, only the Logic-5000 cellular router is required along with an active cellular data plan.

Note: The IPSec connection will not work when the cellular data connection is lost. Thus, an IPSec tunnel is not currently supported when the Logic-5000 is operating in WiFi client mode (which causes the default gateway to change to the WiFi connection, from cellular).

2 - Server Configuration

The following instructions assume a fresh installation of Ubuntu has been performed.

2.1 - Update Software

Ensure Ubuntu is up to date by executing the following commands from the command line.

$ sudo apt-get update

$ sudo apt-get upgrade

2.2 - Install Openswan

Execute from the command line:

$ sudo apt-get install openswan

Configure Openswan to start at boot time:

$ chkconfig ipsec on

Enable IP forwarding by adding the following entry to the /etc/sysctl.conf file:

# File: /etc/sysctl.conf
# Enable routing (IP forwarding)

net/ipv4/ip_forward = 1

Use the sysctl -p command to activate the settings:

$ sysctl -p

2.3 - Configure IPSec Settings

Configuration of Openswan consists of creating two files, both located in the /etc folder:

2.3.1 - IPSec Connection Settings

Open ipsec.conf in a text editor by typing the following command:

$ nano /etc/ipsec.conf

In this example, we use the following assumptions:

Enter the following data into your ipsec.conf file, substituting the appropriate value for your particular network configuration:

# Manual:     ipsec.conf.5

version 2.0

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        # NAT-TRAVERSAL support, see README.NAT-Traversal

        # *** Exclude office network ***
        # exclude networks used on server side by adding %v4:!a.b.c.0/24

        # OE is now off by default. Uncomment and change to on, to enable.

        # which IPsec stack to use. netkey,klips,mast,auto or none

# Add connections here
conn vehicle-office



conn office-vehicle



Set the value of the preshared key (PSK) for the modems by editing the file /etc/ipsec.secrets with a text editor:

$ nano /etc/ipsec.secrets

Enter the preshared keys as follows in the ipsec.secrets file, then save:

%defaultroute %any: "C4A9A45045AA7C2E33BCE532015DCF" # Enter your own preshared key value

Once the ipsec.conf and ipsec.secrets files have been modified, restart IPSec with this command:

$ sudo service ipsec restart

If successful, the server should respond with the following lines:

ipsec_setup: Stopping Openswan IPSec...
ipsec_setup: Starting Openswan IPSec U2.6.26/K2.6.35-22-server...

2.3.2 - Configure iptables

If running iptables with masquerading/NAT for the VPN devices, then you must exclude packets traversing the tunnel from the NAT operation.

Exclude packets going from office LAN to vehicle LAN:

$ iptables -t nat -A POSTROUTING -o eth0 -s -d \! -j MASQUERADE

If the Ubuntu server is not the default gateway for internal devices on the office LAN, configure packets to respond back to the Ubuntu server's eth1 interface instead of the default gateway. Note: This will cause packets inbound from the vehicle LAN to appear as if they are coming from the IP of eth1, the internal facing NIC.

$ iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source

At this point, the server is configured and ready for connections from the Logic-5000. Perform the the following steps now for configuration of the Logic-5000 cellular router.

3 - Logic-5000 Configuration

Log in to the Logic-5000 by entering it's IP address in the address bar of your browser and pressing enter. The Logic-5000 can be accessed by any of the following methods:

Once logged in, ensure the cellular connection is up by verifying that the IP address in the upper right side of the screen is something other than n/a:


Next, browse to the IPSec settings by selecting the Advanced Settings menu item from the left, then the IPSec tab:


3.1 - Configure Vehicle to Office Tunnel (network 1 to network 2 tunnel)

Enter the following data, substituting the appropriate values for your particular configuration:


3.2 - Configure Office to Vehicle Tunnel (network 2 to network 1 tunnel)


Access Point Bluetooth Configuration Contact Deployment Garmin Installation Logic-5000 Modems Network Recovery RoadSafety Setup Support Users Vehicle Web Application