Rockhopper VPN

IPsec/IKEv2-based VPN software for Linux

• Top
• About
• Getting Started
• Screenshots
• Download
• Documents
• Contact

Simple VPN example: [IPv4 and IPv6] Bridge(Virtual Ethernet over IPsec) and certificate (PKCS#12/X.509).

The following image shows example network for this scenario.

Ubuntu is installed on VPN Gateway(Bridge), VPN remote host and Internal host.

Rockhopper VPN software is installed on VPN remote host and VPN Gateway(Bridge). VPN is connected between these two nodes. VPN Gateway works as a bridge between VPN remote host and protected network(LAN, 2001:db8::/64).

RSA-Signature(certificate) is used as an authentication method.



rhpvif10: A virtual interface(a Tunnel/TAP interface) to access internal network. "10" is the VPN realm ID. This interface is automatically created by Rockhopper VPN service and configured not by system tools like ifconfig command but by Rockhopper Web console.

br0: A bridge interface linking eth1 and rhpvif10 interfaces as ports. This interface is managed by brctl command in the bridge-utils package. You need to manually link eth1 with br0 by brctl command, while rhpvif10 is automatically linked with br0 by Rockhopper VPN service.

eth0 and eth1: Real interfaces to access physical network.

A VPN realm is a security domain for group members to share the same security policy and VPN configuration. For instance, you can define the VPN realm "10" for a sales team and the other VPN realm "20" for a developing team.

Advance preparation:

- VPN Gateway(gateway1.example.com):

# sudo ip addr add 10.0.0.11/24 brd + dev eth0 # sudo brctl addbr br0 # sudo brctl addif eth1 # sudo ip -6 addr add 2001:db8::1/64 dev br0

Please see also "man 8 brctl" for more details to setup a bridge interface.
If you manually setup a bridge interface after configuring Rockhopper, please restart Rockhopper like this:
# sudo /etc/init.d/rockhopper restart
or
# sudo systemctl restart rockhopper

- VPN remote host(remotehost1.example.com):

# sudo ip addr add 10.0.0.10/24 brd + dev eth0

- Internal host:

# sudo ip -6 addr add 2001:db8::100/64 dev eth0

Above configuration will be lost after you restart your computer. To setup permanent configuration, you can edit /etc/network/interface like this. This is an example for VPN Gateway(gateway1.example.com) on Ubuntu.

- /etc/network/interfaces (Ubuntu)

auto eth0 iface eth0 inet static address 10.0.0.1 network 10.0.0.0 netmask 255.255.255.0 broadcast 10.0.0.255 auto eth1 iface eth1 inet manual up ip link set dev eth1 promisc on auto br0 iface br0 inet6 static address 2001:db8::1 netmask 64 bridge_ports eth1 bridge_stp off bridge_maxwait 10

- PKCS#12 files:
   - VPN Gateway(Bridge): gateway1.example.com.p12 (PKCS#12)
   - VPN remote host: remotehost1.example.com.p12 (PKCS#12)

   The certificate(X.509) for each node includes a subjectAltName(Host name/FQDN).
   - VPN Gateway: gateway1.example.com (Host name/FQDN)
   - VPN remote host: remotehost1.example.com (Host name/FQDN)

See "Documents/Tips: Managing certificates by XCA" to create the each PKCS#12 file including a private key and a certificate(X.509) for the each node and a CA certificate(X.509).

Configuring VPN:

VPN Gateway(gateway1.example.com):

1. Open Rockhopper Web console on http://127.0.0.1:32501 (by default) by Firefox.
2. Login with administrator's name and password (by default, admin and secret).
3. If VPN Configuration tab is not shown, uncheck Hide configuration tabs checkbox.
4. Add a new VPN realm.

   - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

   - Click Add VPN Realm button.

   - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

   Realm ID: 10
   Realm Name: "Example VPN"
   Description: "Config for Example VPN."
   Mode: Bridge

5. Setup VPN Interface.

   - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree]
   > VPN Interface[Left-Tree]: Click this tree node and show VPN Tunnel/TAP Interface pane.

   - Enter or select the following.

   Internal Address Type: Unnumbered(for bridging)
   Linked Bridge Name: br0

6. Setup Network Interface.

   - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree]
   > Network Interface[Left-Tree]: Click this tree node and show Network Interface pane.

   - Uncheck Use default route and enter the followings.
       Primary interface:
         - Select eth0 as a source interface and IPv4.
   

7. Setup Service.

   - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree]
   > Service[Left-Tree]:
   Click this tree node and show Service pane.

   - Network Deployment: Select Hub(Concentrator) Node.

   - Remote Configuration(IKEv2): Select Disabled.

8. Setup My Key Store.

   - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree]
   > My Key Store[Left-Tree]:
   Click this tree node and show My Key Store pane.

   - Enter the following.

   Authentication Method: RSA Signature(RSA-Sig)
   My ID Type: auto
   Imported Key Format: PKCS#12 - File
   PKCS#12 file(*.p12): gateway1.example.com.p12
   RSA Private Key's Password: himitsu

9. Save this realm's configuration.

   - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
   Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

   - Click Save Configuration button.

VPN remote host(remotehost1.example.com):

1. Open Rockhopper Web console on http://127.0.0.1:32501 (by default) by Firefox.
2. Login with administrator's name and password (by default, admin and secret).
3. If VPN Configuration tab is not shown, uncheck Hide configuration tabs checkbox.
4. Add a new VPN realm.

   - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
   Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

   - Click Add VPN Realm button.

   - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

   Realm ID: 10
   Realm Name: "Example VPN"
   Description: "Config for Example VPN."
   Mode: End Node

5. Setup VPN Interface.

   - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(End Node)[Left-Tree]
   > VPN Interface[Left-Tree]: Click this tree node and show VPN Tunnel/TAP Interface pane.

   - Enter the following.

   Internal Address Type: Static Address
   Internal Address > IPv6: 2001:db8::10
   Prefix: 64

6. Setup Network Interface.

   - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(End Node)[Left-Tree]
   > Network Interface[Left-Tree]:
   Click this tree node and show Network Interface pane.

   - Check Use default route.
   or
   - Uncheck Use default route and enter the followings.
       Primary interface:
         - Select eth0 as a source interface and IPv4.
   

7. Setup Service.

   - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(End Node)[Left-Tree]
   > Service[Left-Tree]:
   Click this tree node and show Service pane.

   - Network Deployment: Select Spoke Node/Other.

   - Remote Configuration(IKEv2): Select Disabled.

8. Setup My Key Store.

   - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(End Node)[Left-Tree]
   > My Key Store[Left-Tree]:
   Click this tree node and show My Key Store pane.

   - Enter the following.

   Authentication Method: RSA Signature(RSA-Sig)
   My ID Type: auto
   Imported Key Format: PKCS#12 - File
   PKCS#12 file(*.p12): remotehost1.example.com.p12
   RSA Private Key's Password: naisho

9. Setup Peers.

   - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(End Node)[Left-Tree]
   > Peers[Left-Tree]:
   Click this tree node and show Peers pane.

   - Click Add Peer button.

   - Add a New Peer[Dialog]: Enter the following, then click OK button.

   Peer ID Type: Host Name(FQDN)
   Peer ID: gateway1.example.com

10. Setup the Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(End Node)[Left-Tree]
    > Peers[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
    Click this tree node and show Peer: gateway1.example.com(FQDN) pane.

    - Enter the following.

    Peer's IP Address: IPv4 and 10.0.0.1
    This peer's Network Deployment: Hub(Concentrator) Node

11. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.

    
    

Connecting VPN (remotehost1.example.com):

1. Open VPN remote host's Web console on "http://127.0.0.1:32501"(by default) by Firefox.
2. Login with administrator's name and password (by default, admin and secret).
3. Top [Tab] >  10:Example VPN[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
   Click this tree node and show 10: gateway1.example.com(FQDN) pane.
4. Click Connect button.

Back to Top

Copyright © 2011 T.HANADA All Rights Reserved.