Rockhopper VPN

IPsec/IKEv2-based VPN software for Linux

• Top
• About
  
• Getting Started
  
• Screenshots
  
• Download
• Documents
• Contact

Reference Guide

• Installation
  
• Installation on the non-GUI environment.
  
• Uninstall Rockhopper VPN software.
  
  
• What is a VPN Realm? (Role-based VPN management)
  
  
• Rockhopper Web Console
  
• Easy user interface to configure a VPN client (Rockhopper Web Console)
  
  
• Simple VPN Client GUI
  
  
• VPN examples
  
  
• Changelog
  
  
• Manage certificates by XCA.
  
• Manage certificates by TinyCA. [OLD]
  
  
• [Windows] Create a certificate compatible with a Windows 7/8/10 VPN client by XCA.
  
• [Windows] Create a certificate compatible with a Windows 7/8/10 VPN client by TinyCA. [OLD]
  
  
• [Windows] Import a PKCS#12 file or a CA certificate(X.509) into Windows 7/8/10.
  
  
• [Windows] Connect a Windows 7 VPN client with Rockhopper.
  
• [Windows] Connect a Windows 8 VPN client with Rockhopper.
  
• [Windows] Connect a Windows 10 VPN client with Rockhopper.
  
  
• [Windows] Tips when connecting a Windows 7/8/10 VPN Client with Rockhopper.
  
  
  
• IPv6 configuration
  
  
• IKEv2 Mobility and Multihoming (MOBIKE)
  
  
• IKEv2 Quick Crash Detection (QCD)
  
  
• IKEv2 Message Fragmentation
  
  
• IKEv2 Session Resumption
  
  
• The NULL Authentication Method in IKEv2
  
  
• [Remote Access VPN] IPv6 address Auto-configuration over IPsec
  
  
• IKEv2 Hash and URL for a X.509 certificate.
  
• Use chained X.509 certificates (an end entity certificate signed by intermediate CA).
  
• Use chained X.509 certificates (Hash and URL).
  
  
• Enable logging at the debug level on the Event Log Viewer.
  
  
• Create a configuration's backup and restore it.
  
  
• Supported Protocols and Cryptographic algorithms.
  
  
• [Command-line tool] Usage examples of rockhopper command (Management tool).
  
• [Command-line tool] Usage examples of rockhopper_log command (Event-log tool).
  
  
• Configure multiple VPN realms on the same address and port by using Roles.
  
• Configuring Web Management Service.
  
• Configure simple and minimum firewall rules(iptables) on Rockhopper Web console.
  
• Configure another administrator to manage only a specified VPN realm.
  
• Rockhopper's default behavior and additional settings for small Path MTU.
  
• A difference in Encapsulation mode: Ethernet over IP(EtherIP) and IP Encapsulation(IP over IP)
  

VPN examples

1. Simple examples:
   
   
   • Router(Routing-based VPN) and Pre-Shared Key.
     
     
   • Bridge(Virtual Ethernet over IPsec) and Pre-Shared Key.
     
     
   • Bridge(Virtual Ethernet over IPsec) and certificate (PKCS#12/X.509).
     
     
     
   • [IPv6] Router(Routing-based VPN) and Pre-Shared Key.
     
     
   • [IPv4 and IPv6] Bridge(Virtual Ethernet over IPsec) and certificate (PKCS#12/X.509).
     
     
     
2. Remote Access VPN:
   
   
   • Bridge(Virtual Ethernet over IPsec) and Pre-Shared Key.
     
     
   • Bridge (Virtual Ethernet over IPsec), One-armed, Behind a NAT/NAPT and Pre-Shared Key(client) / certificate (gateway, PEM/Base64-encoded X.509).
     
     
   • Bridge (Virtual Ethernet over IPsec), One-armed, Behind a NAT/NAPT and EAP (MSCHAPv2, VPN client)/certificate (PKCS#12/X.509, gateway).
     
     
   • Bridge (Virtual Ethernet over IPsec), Windows 7/8/10(client), One-armed, Behind a NAT/NAPT and EAP(MSCHAPv2, Windows 7/8/10)/certificate(PKCS#12/X.509, Rockhopper).
     
     
   • Router(Routing-based VPN), Windows 7/8/10(client), One-armed, Behind a NAT/NAPT and certificate(PKCS#12/X.509) for both Windows 7/8/10 and Rockhoppper.
     
     
   • Role-based Management(Two VPN realms for the Sales Dep. and the Development Dep.), Bridge (Virtual Ethernet over IPsec), Windows 7/8/10(client), Behind a NAT/NAPT and EAP(MSCHAPv2)/certificate(PKCS#12/X.509).
     
     
   • Multihoming (gateway), Bridge (Virtual Ethernet over IPsec), MOBIKE, Mobile VPN clients (Windows 7/8/10 and Rockhopper), One-armed, Behind a NAT/NAPT and EAP (MSCHAPv2, VPN clients)/certificate (PKCS#12/X.509, Rockhopper(gateway)).
     
     
     
   • strongSwan(gateway), Rockhopper(client), Behind a NAT/NAPT and EAP(MSCHAPv2, Rockhopper)/certificate(PEM/X.509, strongSwan).
     
     
   • strongSwan(client), Rockhopper(gateway), Bridge (Virtual Ethernet over IPsec), One-armed, Behind a NAT/NAPT and certificate(PKCS#12/PEM/X.509) for both strongSwan and Rockhoppper.
     
     
     
   • [IPv4 and IPv6] Bridge (Virtual Ethernet over IPsec), One-armed, Behind a NAT/NAPT and Pre-Shared Key(Rockhopper client) / certificate (gateway, PEM/Base64-encoded X.509).
     
     
   • [IPv4 and IPv6] Bridge (Virtual Ethernet over IPsec), Windows 7/8/10(client), One-armed, Behind a NAT/NAPT and EAP(MSCHAPv2, Windows 7/8/10)/certificate(PKCS#12/X.509, Rockhopper).
     
     
   • [IPv4 and IPv6] Router(Routing-based VPN), Windows 7/8/10(client), One-armed, Behind a NAT/NAPT and certificate(PKCS#12/X.509) for both Windows 7/8/10 and Rockhoppper.
     
     
     
   • [IPv4 and IPv6] IPv6 address Auto-configuration over IPsec, Bridge (Virtual Ethernet over IPsec), One-armed, Behind a NAT/NAPT and EAP (Rockhopper client) / certificate (PKCS#12/X.509, Rockhopper gateway).
     
     
     
   • [Null Authentication, IPv4 and IPv6] Single-side authenticated VPN, Bridge(Virtual Ethernet over IPsec), IPv6 address Auto-configuration over IPsec, unauthenticated (anonymous) clients and two gateways authenticated by certificates (PKCS#12/X.509) on the same host (Multi-hosting).
     
     
     
3. Client-to-Server (End-to-End):
   
   
   • Windows 7/8/10(client), Samba(CIFS) File Server, Behind a NAT/NAPT and EAP(MSCHAPv2, Windows 7/8/10)/certificate(PKCS#12/X.509, Rockhopper).
     
     
4. Site-to-Site VPN (Bridge - Virtual Ethernet over IPsec):
   
   
   • Hub and Spoke: One-armed, Behind a NAT/NAPT and Pre-Shared Key(Spoke gateways) / certificate(Hub gateway, PKCS#12/X.509).
     
     
   • Multihoming (gateways), MOBIKE and certificates(PKCS#12/X.509).
     
     
5. Site-to-Site VPN (Static routing):
   
   
   • Hub and Spoke: Behind a NAT/NAPT and certificate (PKCS#12/X.509).
     
     
   • Multihoming (gateways), MOBIKE and certificates(PKCS#12/X.509).
     
     
6. Site-to-Site VPN (Dynamic routing):
   
   
   • Hub and Spoke: OSPFv2, Quagga, Behind a NAT/NAPT and certificate (PKCS#12/X.509).
     
     
   • Hub and Spoke: Multihoming, OSPFv2, Quagga, Behind a NAT/NAPT and certificate (PKCS#12/X.509).
     
     
   • Mesh: OSPFv2, Quagga, Behind a NAT/NAPT and certificate (PKCS#12/X.509).
     
     
   • Mesh: [IPv6] OSPFv3, Quagga, Behind a NAT/NAPT and certificate (PKCS#12/X.509).
     
     

Developer's Guide

• Debug Trace
• Debugging Rockhopper by GDB.
• Launching Rockhopper from terminal.
  

Technical information

• What are differences between IKEv1 and IKEv2?  (IKEv1 vs. IKEv2)
• Is "TCP over TCP" a good idea?

Publications

• “Modern Design and Implementation of New IPsec/IKEv2 VPN software, with all components, ESP protocol stack, IKEv2 service, and other functions executed in user space," (PDF, JAPANESE) Japan Linux Conference 2009 [September, 2009]


• “Modern Design and Implementation of New IPsec/IKEv2 VPN software, with all components executed in user space," (PDF, JAPANESE) Japan Linux Conference 2009, Tokyo, [September 17, 2009]

Back to Top

Copyright © 2011 T.HANADA All Rights Reserved.