Simple VPN example: Remote Access VPN, Bridge(Virtual Ethernet over IPsec) and Pre-Shared Key.


The following image shows example network for this scenario.

Ubuntu is installed on the VPN Gateway (Bridge/Remote Access Server), the Remote Access Client and the Internal host/Internal DNS server.

Rockhopper VPN software is installed on Remote Access Client and VPN Gateway. VPN is connected between these two nodes. Pre-Shared Key(PSK) is used as an authentication method. VPN Gateway works as a bridge between Remote Access Client and protected network(LAN, 192.168.0.0/24).

Though the following configuration is for bridging, you can also apply it to a routing-based VPN configuration.



[Image: example network for this scenario]
rhpvif10: A virtual interface (a Tunnel/TAP interface) used to access the internal network. "10" is the VPN realm ID. This interface is created automatically by the Rockhopper VPN service and is configured not with system tools such as the ifconfig command but through the Rockhopper Web console.

br0: A bridge interface linking the eth1 and rhpvif10 interfaces as ports. This interface is managed with the brctl command from the bridge-utils package. You need to link eth1 to br0 manually with the brctl command, while rhpvif10 is linked to br0 automatically by the Rockhopper VPN service.

eth0 and eth1: Real interfaces to access physical network.


A VPN realm is a security domain whose members share the same security policy and VPN configuration. For instance, you can define VPN realm "10" for a sales team and another VPN realm "20" for a development team.


Advance preparation:


- VPN Gateway(gateway1.example.com):
# sudo ifconfig eth0 10.0.0.1 netmask 255.255.255.0
# sudo brctl addbr br0
# sudo brctl addif br0 eth1
# sudo ifconfig br0 192.168.0.100 netmask 255.255.255.0
Please see also "man 8 brctl" for more details on setting up a bridge interface.
If you set up a bridge interface manually after configuring Rockhopper, please restart Rockhopper like this:
# sudo /etc/init.d/rockhopper restart


- VPN remote host(remotehost1.example.com):
# sudo ifconfig eth0 10.0.0.10 netmask 255.255.255.0

- Internal host/Internal DNS server:
# sudo ifconfig eth0 192.168.0.101 netmask 255.255.255.0

The above configuration will be lost after you restart your computer. To make the configuration permanent, you can edit /etc/network/interfaces like this. This is an example for the VPN Gateway(gateway1.example.com) on Ubuntu.

- /etc/network/interfaces (Ubuntu)
auto eth0
iface eth0 inet static
address 10.0.0.1
network 10.0.0.0
netmask 255.255.255.0
broadcast 10.0.0.255

auto eth1
iface eth1 inet manual
up /sbin/ifconfig eth1 promisc

auto br0
iface br0 inet static
address 192.168.0.100
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
bridge_ports eth1
bridge_stp off
bridge_maxwait 10
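
The bridge preparation above only works if eth1 (and, once the service is running, rhpvif10) actually end up as ports of br0. The following shell function, added here as an example and not part of the Rockhopper documentation, reads "brctl show" output and reports any expected port that is missing; the brctl output embedded in it is constructed sample data, and the bridge id values in it are made up.

```shell
#!/bin/sh
# Added example: check that a bridge has all the ports this setup expects.
# Usage on the gateway (needs bridge-utils):
#   brctl show | check_bridge_ports br0 eth1 rhpvif10
# Returns 0 if every named port is attached to the bridge, 1 otherwise,
# and prints the missing ports on stderr.
check_bridge_ports() {
    bridge=$1; shift
    # "brctl show" prints the bridge name only on the line of its first port;
    # further ports appear alone on indented lines, so track the current bridge.
    ports=$(awk -v br="$bridge" '
        NR == 1 { next }                                  # header line
        NF >= 4 { cur = $1; if (cur == br) print $4; next }  # bridge + 1st port
        NF == 3 { cur = $1; next }                        # bridge with no ports
        NF == 1 && cur == br { print $1 }                 # additional port
    ')
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$ports" | grep -qx "$want"; then
            echo "bridge $bridge: port $want is missing" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of "brctl show" output on the VPN gateway after
# Rockhopper has attached rhpvif10 to br0 (bridge ids are made up).
SAMPLE_BRCTL='bridge name	bridge id		STP enabled	interfaces
br0		8000.001122334455	no		eth1
							rhpvif10
br1		8000.00aabbccddee	no		eth2'

# Demonstration run against the sample; on a live gateway pipe "brctl show" instead.
printf '%s\n' "$SAMPLE_BRCTL" | check_bridge_ports br0 eth1 rhpvif10 && echo "br0 ports OK"
```

If rhpvif10 is reported missing after the VPN realm is configured, restart Rockhopper as shown above so the service re-attaches its interface to br0.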


Configuring VPN:


VPN Gateway(gateway1.example.com):

  1. Open the Rockhopper Web console on http://127.0.0.1:32501 (by default) with Firefox.
  2. Login with administrator's name and password (by default, admin and secret).
  3. If VPN Configuration tab is not shown, uncheck Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: "Example VPN"
    Description: "Config for Example VPN."
    Mode: Bridge

  5. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > VPN Interface[Left-Tree]: Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter or select the following.

    Internal Address Type: Unnumbered(for bridging)
    Linked Bridge Name: br0

  6. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node and show Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select eth0 as a source interface.

  7. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Service[Left-Tree]: Click this tree node and show Service pane.

    - Network Deployment: Select Hub(Concentrator) Node.

    - Remote Configuration(IKEv2): Select Remote Configuration Server.

  8. Setup Remote Config Server.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Service[Left-Tree] > Remote Config Server[Left-Tree]:

    Click this tree node and show Remote Config Server(IKEv2) pane.

  9. Setup Remote Config Server - Internal Address Pool.

    - Remote Config Server(IKEv2)[Pane] > Internal Address Pool[Tab]:
    Click Add Address Pool button.

    Add a New Address Pool [Dialog]: Enter the following, then click OK button.

    Address Type: Address Range
    IPv4 Address Range: 192.168.0.20 - 192.168.0.30

  10. Setup Remote Config Server - Internal Route Map.

    - Remote Config Server(IKEv2)[Pane] > Internal Route Map[Tab]:
    Enter the following as an Internal router's address.

    Gateway IPv4 Address: 192.168.0.1

    - Click Add Destination IPv4 Network button.

    Add a New Internal Route[Dialog]: Enter the following, then click OK button.

    Destination IPv4 Network: 192.168.10.0
    Netmask: 255.255.255.0

  11. Setup Remote Config Server - Internal DNS.

    - Remote Config Server(IKEv2)[Pane] > Internal DNS[Tab]:
    Enter the following as an Internal DNS server's address.

    DNS Server's IPv4 Address: 192.168.0.101

    - Click Add DNS Suffix button.

    Add a New DNS Suffix[Dialog]: Enter the following, then click OK button.

    DNS Suffix: .example.com

  12. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: Pre-Shared Key(PSK)
    My ID Type: Host Name(FQDN)
    My ID: gateway1.example.com
    Pre-Shared Key(PSK): abcdefghij

  13. Setup Peers' Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Peers' Key Store[Left-Tree]: Click this tree node and show Peers Key Store pane.

    - Click Add Peer's Pre-Shared Key(PSK) button.

    Add a New Peer's Pre-Shared Key(PSK)[Dialog]: Enter the following, then click OK button.

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: remoteclient1.example.com
    Pre-Shared Key(PSK): 1234567890

  14. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.



Remote Access Client(remoteclient1.example.com):


- Version: 0.2.b1-021 or later


  1. Open the Rockhopper Web console on http://127.0.0.1:32501 (by default) with Firefox.
  2. Login with administrator's name and password (by default, admin and secret).
  3. If VPN Configuration tab is not shown, uncheck Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: "Example VPN"
    Description: "Config for Example VPN."
    Mode: Remote Client

  5. Setup Destination.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > Destination[Left-Tree]: Click this tree node and show Destination (Concentrator / Gateway) pane.

    - Enter the following.

    Destination Address: IPv4 and 10.0.0.1
    or
    Destination Address: Host Name(FQDN) and gateway1.example.com

    Destination ID Type: Host Name(FQDN)
    Destination ID: gateway1.example.com

    Destination's Pre-Shared Key (PSK): abcdefghij

  6. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > My Key Store[Left-Tree]: Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: Pre-Shared Key(PSK)
    My ID Type: Host Name(FQDN)
    My ID: remoteclient1.example.com
    Pre-Shared Key(PSK): 1234567890

  7. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.


- Advanced Settings


  1. Open the Rockhopper Web console on http://127.0.0.1:32501 (by default) with Firefox.
  2. Login with administrator's name and password (by default, admin and secret).
  3. If VPN Configuration tab is not shown, uncheck Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: "Example VPN"
    Description: "Config for Example VPN."
    Mode: Remote Client


    - Check Advanced Settings. (Version: 0.2.b1-021 or later)


  5. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > VPN Interface[Left-Tree]: Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter the following.

    Internal Address Type: Auto(IKEv2 Configuration)

  6. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node and show Network Interface pane.

    - Check Use default route.
    or
    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select eth0 as a source interface.

  7. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > Service[Left-Tree]: Click this tree node and show Service pane.

    - Network Deployment: Select Spoke Node/Other.

    - Remote Configuration(IKEv2): Select Remote Access Client.

  8. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > My Key Store[Left-Tree]: Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: Pre-Shared Key(PSK)
    My ID Type: Host Name(FQDN)
    My ID: remoteclient1.example.com
    Pre-Shared Key(PSK): 1234567890

  9. Setup Remote Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > Remote Peers[Left-Tree]: Click this tree node and show Remote Peers pane.

    - Click Add Peer button.

    - Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: Host Name(FQDN)
    Peer ID: gateway1.example.com

  10. Setup the Remote Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > Remote Peers[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
    Click this tree node and show Remote Peer: gateway1.example.com(FQDN) pane.

    - Enter the following.

    Peer's IP Address: IPv4 and 10.0.0.1
    This peer's Network Deployment: Hub(Concentrator) Node

  11. Setup Peers' Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > Peers' Key Store[Left-Tree]:
    Click this tree node and show Peers Key Store pane.

    - Click Add Peer's Pre-Shared Key(PSK) button.

    - Add a New Peer's Pre-Shared Key(PSK)[Dialog]: Enter the following, then click OK button.

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: gateway1.example.com
    Pre-Shared Key(PSK): abcdefghij

  12. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.



Connecting VPN (remoteclient1.example.com):


  1. Open the Remote Access Client's Web console on http://127.0.0.1:32501 (by default) with Firefox.
  2. Login with administrator's name and password (by default, admin and secret).
  3. Top [Tab] > 10:Example VPN[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
    Click this tree node and show 10: gateway1.example.com(FQDN) pane.
  4. Click Connect button.
