VPN example: Site-to-Site VPN, Bridge (Virtual Ethernet over IPsec), Multihoming (gateways), MOBIKE, and certificates (PKCS#12/X.509).


The following image shows the example network for this scenario.

Ubuntu is installed on VPN Gateway1 (Bridge), VPN Gateway2 (Bridge) and the Internal DNS/File/Web Server.

Rockhopper VPN software is installed on VPN Gateway1 (Bridge) and VPN Gateway2 (Bridge). The VPN is established between these two nodes. Each VPN gateway works as a bridge between the protected networks (LAN, 192.168.0.0/24).

RSA-Signature (certificate) is used as the authentication method.

The VPN gateways are multihomed and MOBIKE is enabled by default.



rhpvif10: A virtual interface (a Tunnel/TAP interface) used to access the internal network. "10" is the VPN realm ID. This interface is created automatically by the Rockhopper VPN service and is configured from the Rockhopper Web console, not with system tools such as the ifconfig command.

br0: A bridge interface linking the eth2 and rhpvif10 interfaces as ports. This interface is managed with the brctl command from the bridge-utils package. You need to link eth2 with br0 manually using the brctl command; rhpvif10 is linked with br0 automatically by the Rockhopper VPN service.

eth0, eth1 and eth2: Real interfaces used to access the physical network.

A VPN realm is a security domain whose group members share the same security policy and VPN configuration. For instance, you can define VPN realm "10" for a sales team and another VPN realm "20" for a development team.


Advance preparation:


- VPN Gateway1 (gateway1.example.com):
# sudo ifconfig eth0 10.0.0.1 netmask 255.255.255.0
# sudo ifconfig eth1 10.0.1.1 netmask 255.255.255.0
# sudo brctl addbr br0
# sudo brctl addif br0 eth2
# sudo ifconfig br0 192.168.0.1 netmask 255.255.255.0

- VPN Gateway2 (gateway2.example.com):
# sudo ifconfig eth0 10.0.0.2 netmask 255.255.255.0
# sudo ifconfig eth1 10.0.1.2 netmask 255.255.255.0
# sudo brctl addbr br0
# sudo brctl addif br0 eth2
# sudo ifconfig br0 192.168.0.100 netmask 255.255.255.0
See also "man 8 brctl" for more details on setting up a bridge interface.
If you set up a bridge interface manually after configuring Rockhopper, restart Rockhopper like this:
# sudo /etc/init.d/rockhopper restart


- Internal DNS/File/Web Server:
# sudo ifconfig eth0 192.168.0.10 netmask 255.255.255.0


The above configuration is lost when you restart the computer. For a permanent configuration, edit /etc/network/interfaces as shown below. This is an example for VPN Gateway1 (gateway1.example.com) on Ubuntu.

- /etc/network/interfaces (Ubuntu)
auto eth0
iface eth0 inet static
address 10.0.0.1
network 10.0.0.0
netmask 255.255.255.0
broadcast 10.0.0.255

auto eth1
iface eth1 inet static
address 10.0.1.1
network 10.0.1.0
netmask 255.255.255.0
broadcast 10.0.1.255

auto eth2
iface eth2 inet manual
up /sbin/ifconfig eth2 promisc

auto br0
iface br0 inet static
address 192.168.0.1
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
bridge_ports eth2
bridge_stp off
bridge_maxwait 10
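A consistency check for interfaces stanzas like the ones above, added here as an example (it is not part of Rockhopper or of this guide): it parses Debian-style iface stanzas, recomputes network and broadcast from address and netmask, and confirms that every bridge_ports member has an inet manual stanza of its own. The embedded SAMPLE is constructed for this example and deliberately carries a mismatched network/broadcast pair on eth1 so the check has something to report.

```python
import ipaddress

# Constructed sample (not from a live host); eth1's network/broadcast deliberately disagree with address/netmask.
SAMPLE = """\
iface eth1 inet static
address 10.0.1.1
network 10.0.0.0
netmask 255.255.255.0
broadcast 10.0.0.255

iface eth2 inet manual
up /sbin/ifconfig eth2 promisc

iface br0 inet static
address 192.168.0.1
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
bridge_ports eth2
"""

def parse_interfaces(text):
    # Map each "iface NAME FAMILY METHOD" stanza to its method and option lines.
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "auto ")):
            continue
        key, _, value = line.partition(" ")
        if key == "iface":
            name, _family, method = value.split()
            current = stanzas.setdefault(name, {"method": method, "options": {}})
        elif current is not None:
            current["options"][key] = value.strip()
    return stanzas

def check_interfaces(text):
    # Return findings; an empty list means every stanza is self-consistent.
    findings, stanzas = [], parse_interfaces(text)
    for name, st in stanzas.items():
        opts = st["options"]
        if st["method"] == "static" and "address" in opts and "netmask" in opts:
            net = ipaddress.ip_network(f"{opts['address']}/{opts['netmask']}", strict=False)
            for field, want in (("network", net.network_address), ("broadcast", net.broadcast_address)):
                if field in opts and opts[field] != str(want):
                    findings.append(f"{name}: {field} {opts[field]} should be {want}")
        for port in opts.get("bridge_ports", "").split():
            if stanzas.get(port, {}).get("method") != "manual":
                findings.append(f"{name}: bridge port {port} must have an 'inet manual' stanza")
    return findings
```

Run check_interfaces() over the contents of a gateway's /etc/network/interfaces before rebooting; a typo in a network or broadcast line silently leaves the interface half-configured after the restart.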


- PKCS#12 files:
   - VPN Gateway1(Bridge): gateway1.example.com.p12 (PKCS#12)
   - VPN Gateway2(Bridge): gateway2.example.com.p12 (PKCS#12)

   The certificate (X.509) for each node includes a subjectAltName (host name/FQDN).
   - VPN Gateway1(Bridge): gateway1.example.com (Host name/FQDN)
   - VPN Gateway2(Bridge): gateway2.example.com (Host name/FQDN)

See "Documents/Tips: Managing certificates by XCA" to create each PKCS#12 file, containing a private key and a certificate (X.509) for each node, and a CA certificate (X.509).



Configuring VPN:



VPN Gateway1 (gateway1.example.com):


  1. Open the Rockhopper Web console at http://127.0.0.1:32501 (by default) with Firefox.
  2. Log in with the administrator's name and password (by default, admin and secret).
  3. If the VPN Configuration tab is not shown, uncheck the Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: "Example VPN"
    Description: "Config for Example VPN."
    Mode: Bridge

  5. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > VPN Interface[Left-Tree]: Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter or select the following.

    Internal Address Type: Unnumbered(for bridging)
    Linked Bridge Name: br0

  6. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node and show Network Interface pane.

    - Uncheck Use default route and enter the following.

        Primary interface:

          - Name: Select eth0 as a primary source interface.

        Secondary interface:

          - Name: Select eth1 as a secondary source interface.


  7. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Service[Left-Tree]:
    Click this tree node and show Service pane.

    - Network Deployment: Select Spoke Node / Client / Other.

  8. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): gateway1.example.com.p12
    RSA Private Key's Password: himitsu

  9. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.



VPN Gateway2 (gateway2.example.com):


  1. Open the Rockhopper Web console at http://127.0.0.1:32501 (by default) with Firefox.
  2. Log in with the administrator's name and password (by default, admin and secret).
  3. If the VPN Configuration tab is not shown, uncheck the Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: "Example VPN"
    Description: "Config for Example VPN."
    Mode: Bridge

  5. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > VPN Interface[Left-Tree]: Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter or select the following.

    Internal Address Type: Unnumbered(for bridging)
    Linked Bridge Name: br0

  6. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node and show Network Interface pane.

    - Uncheck Use default route and enter the following.

        Primary interface:

          - Name: Select eth0 as a primary source interface.

        Secondary interface:

          - Name: Select eth1 as a secondary source interface.


  7. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Service[Left-Tree]:
    Click this tree node and show Service pane.

    - Network Deployment: Select Spoke Node / Client / Other.

  8. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): gateway2.example.com.p12
    RSA Private Key's Password: himitsu

  9. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Peers[Left-Tree]: Click this tree node and show Peers pane.

    - Click Add Peer button.

    - Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: gateway1.example.com

  10. Setup the Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Peers[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
    Click this tree node and show Peer: gateway1.example.com(FQDN) pane.

    - Enter the following.

    Peer's IPv4 Address: 10.0.0.1
    This peer's Network Deployment: Spoke Node / Other
    Always-on connection: Check Enabled.

  11. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.

