VPN example:
[Null Authentication, IPv4 and IPv6] Single-side authenticated VPN, Bridge(Virtual Ethernet over IPsec), IPv6 address Auto-configuration over IPsec, unauthenticated (anonymous) clients and two gateways authenticated by certificates (PKCS#12/X.509) on the same host (Multi-hosting).


The following figure shows the example network for this scenario.

Ubuntu is installed on VPN Gateway (Bridge/Remote Access Server), Remote Access Client 1, Remote Access Client 2, Application Server 1 (app1.example.com (FQDN)), Application Server 2 (app2.example.com (FQDN)) and Router1 (Destination NAPT or Port Forwarding and Firewall).

Rockhopper VPN software is installed on VPN Gateway, Remote Access Client 1 and Remote Access Client 2.

VPN Gateway hosts two gateway services (gateway1.example.com (FQDN) and gateway2.example.com (FQDN)). Two VPN realms are defined for the services (The realm ID 10 is for gateway1.example.com and the ID 20 is for gateway2.example.com). Gateway1.example.com is linked to Application Server 1 and gateway2.example.com is connected with Application Server 2.

VPN Gateway works as a bridge between the VPN remote clients and the protected application servers. Remote Access Client 1 establishes a VPN connection with gateway1.example.com and accesses Application Server 1 over IPv4. Similarly, Remote Access Client 2 reaches Application Server 2 via gateway2.example.com over IPv6.

A VPN connection's lifetime is specified for each remote client. When it expires, VPN Gateway closes the connection with that client.

Both gateways on VPN Gateway are authenticated by RSA signature (certificate). The two VPN remote clients, on the other hand, are not authenticated and establish VPN connections as anonymous hosts (the NULL Authentication Method in IKEv2, RFC 7619). The VPN is therefore authenticated in one direction only: a client can verify that it is talking to the genuine gateway (the gateway certificate must chain to the imported CA and carry the expected FQDN), but the gateway cannot tell one anonymous client from another. That is why the gateway-side options below restrict anonymous peers to the remote-client role, narrow their traffic selectors to the single assigned address, and block traffic between clients.

If the application servers need to know who a user is, configure user authentication in the services or software installed on them; the VPN itself does not provide it.

VPN Gateway is located behind a NAT (NAPT). Router1 provides the port forwarding.



[Figure sample0: example network for this scenario]

rhpvif10 on VPN Gateway: a virtual interface (a Tunnel/TAP interface) used to reach Application Server 1. "10" is the VPN realm ID. This interface is created automatically by the Rockhopper VPN service and is configured through the Rockhopper Web console, not with system tools such as the ifconfig command.
Similarly, rhpvif20 is for VPN realm 20.

br0 on VPN Gateway: a bridge interface with eth1 and rhpvif10 as ports. It is managed with the brctl command from the bridge-utils package. You must add eth1 to br0 manually with brctl; rhpvif10 is added to br0 automatically by the Rockhopper VPN service.
Similarly, br1 has eth2 and rhpvif20 as ports.

eth0, eth1 and eth2: Real interfaces to access physical network.



Advance preparation:


- VPN Gateway (gateway1.example.com):
# sudo ip addr add 192.168.0.100/24 brd + dev eth0
# sudo ip -6 addr add 2001:db8::100/64 dev eth0

Setup a bridge interface for gateway1.example.com (brctl addif takes the bridge name first, then the port).
# sudo brctl addbr br0
# sudo brctl addif br0 eth1
# sudo ip link set dev eth1 up
# sudo ip link set dev br0 up
# sudo ip addr add 10.10.0.1/16 brd + dev br0

Setup a bridge interface for gateway2.example.com.
# sudo brctl addbr br1
# sudo brctl addif br1 eth2
# sudo ip link set dev eth2 up
# sudo ip link set dev br1 up
# sudo ip -6 addr add 2001:db8:100::1/64 dev br1

# sudo ip ro add default via 192.168.0.10 dev eth0
# sudo ip -6 ro add default via 2001:db8::10 dev eth0
See also "man 8 brctl" for details on setting up a bridge interface.
If you set up a bridge interface manually after configuring Rockhopper, restart Rockhopper so that it links rhpvif10/rhpvif20 to the new bridges:
# sudo /etc/init.d/rockhopper restart
or
# sudo systemctl restart rockhopper


Install radvd for IPv6 address autoconfiguration (SLAAC) through a VPN connection. radvd only sends Router Advertisements when the host is an IPv6 router, so enable forwarding first.
# sudo sysctl net.ipv6.conf.all.forwarding=1
# sudo apt-get install radvd
# sudo touch /etc/radvd.conf
# sudo vi /etc/radvd.conf
interface rhpvif20
{
  AdvSendAdvert on;
  MaxRtrAdvInterval 60;
  prefix 2001:db8:100::/64 { };
};
# sudo /etc/init.d/radvd restart
or
# sudo systemctl restart radvd



- Router1 (Port Forwarding):
# sudo ip addr add 10.0.0.1/24 brd + dev eth0
# sudo ip -6 addr add 2001:db8:10::1/64 dev eth0
# sudo ip addr add 192.168.0.10/24 brd + dev eth1
# sudo ip -6 addr add 2001:db8::10/64 dev eth1

Enable IPv4/IPv6 routing.
# sudo sysctl net.ipv4.ip_forward=1
# sudo sysctl net.ipv6.conf.all.forwarding=1

Forward packets destined to 10.0.0.1:500 (Router1) to 192.168.0.100:500 (VPN Gateway).
# sudo iptables -t nat -A PREROUTING -p udp --dst 10.0.0.1 --dport 500 -j DNAT --to-destination 192.168.0.100:500
Forward packets destined to 10.0.0.1:4500 (Router1) to 192.168.0.100:4500 (VPN Gateway).
# sudo iptables -t nat -A PREROUTING -p udp --dst 10.0.0.1 --dport 4500 -j DNAT --to-destination 192.168.0.100:4500

Forward packets destined to [2001:db8:10::1]:500 (Router1) to [2001:db8::100]:500 (VPN Gateway).
# sudo ip6tables -t nat -A PREROUTING -p udp --dst 2001:db8:10::1 --dport 500 -j DNAT --to-destination [2001:db8::100]:500
Forward packets destined to [2001:db8:10::1]:4500 (Router1) to [2001:db8::100]:4500 (VPN Gateway).
# sudo ip6tables -t nat -A PREROUTING -p udp --dst 2001:db8:10::1 --dport 4500 -j DNAT --to-destination [2001:db8::100]:4500


The configuration above is lost when the host is rebooted. To make it permanent on Ubuntu releases that use ifupdown, edit /etc/network/interfaces as follows. This is an example for VPN Gateway (gateway1.example.com).

- /etc/network/interfaces (Ubuntu):
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
gateway 192.168.0.10
iface eth0 inet6 static
address 2001:db8::100
netmask 64
gateway 2001:db8::10

auto eth1
iface eth1 inet manual
up /sbin/ifconfig eth1 promisc

auto eth2
iface eth2 inet manual
up /sbin/ifconfig eth2 promisc

auto br0
iface br0 inet static
address 10.10.0.1
network 10.10.0.0
netmask 255.255.0.0
broadcast 10.10.255.255
bridge_ports eth1
bridge_stp off
bridge_maxwait 10

auto br1
iface br1 inet6 static
address 2001:db8:100::1
netmask 64
bridge_ports eth2
bridge_stp off
bridge_maxwait 10
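The bridge and port-forwarding steps above fail quietly when something is off: a port that never joined its bridge, or only one of the two IKE ports forwarded (UDP 500 for IKE, and UDP 4500 for NAT traversal, which this scenario always ends up on because VPN Gateway sits behind Router1). The following audit script is an added example, not part of Rockhopper or of the original page. It reads bridge membership from sysfs and the NAT rules from iptables-save/ip6tables-save output; the interface names and addresses are this scenario's, and SYSROOT together with the two sample_* functions (constructed output, not captured from a real router) exist only so the checks can be exercised offline.

```shell
#!/bin/sh
# Post-setup audit for the VPN Gateway and Router1 preparation above.
# Added example, not part of Rockhopper; interface and address names are the
# ones used in this scenario. SYSROOT lets the bridge check run against a
# constructed directory tree instead of the live /sys.

SYSROOT=${SYSROOT:-/sys/class/net}

# bridge_ports <bridge>: print the interfaces currently enslaved to <bridge>
# (the kernel exposes them as /sys/class/net/<bridge>/brif/<port>)
bridge_ports() {
    ls "$SYSROOT/$1/brif" 2>/dev/null
}

# check_bridge <bridge> <port>...: succeed only if every <port> is enslaved.
# After "systemctl restart rockhopper" this confirms that rhpvifNN really
# joined the bridge next to the physical port you added with brctl.
check_bridge() {
    br=$1; shift; rc=0
    for p in "$@"; do
        if ! bridge_ports "$br" | grep -qx -- "$p"; then
            echo "$br: port $p is not enslaved" >&2; rc=1
        fi
    done
    return $rc
}

# escape_re <string>: make an address safe to embed in an extended regex
escape_re() {
    printf '%s' "$1" | sed 's/[.]/\\./g'
}

# check_ike_dnat <iptables-save file> <router_addr> <gw_addr>: succeed only if
# both IKE ports (UDP 500, and UDP 4500 for NAT traversal) are forwarded from
# <router_addr> to <gw_addr>. Accepts iptables-save and ip6tables-save output.
check_ike_dnat() {
    f=$1; router=$(escape_re "$2"); gw=$(escape_re "$3"); rc=0
    for port in 500 4500; do
        re="^-A PREROUTING .*-d ${router}(/32|/128)? .*-p udp .*--dport ${port} -j DNAT --to-destination \[?${gw}\]?:${port}$"
        if ! grep -qE -e "$re" "$f"; then
            echo "$f: no DNAT for udp/$port from $2 to $3" >&2; rc=1
        fi
    done
    return $rc
}

# Constructed sample of what "iptables-save -t nat" prints on Router1 once the
# two IPv4 rules above are loaded (not captured from a real router).
sample_iptables_save() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 10.0.0.1/32 -p udp -m udp --dport 500 -j DNAT --to-destination 192.168.0.100:500
-A PREROUTING -d 10.0.0.1/32 -p udp -m udp --dport 4500 -j DNAT --to-destination 192.168.0.100:4500
COMMIT
EOF
}

# Constructed sample of "ip6tables-save -t nat" on Router1.
sample_ip6tables_save() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 2001:db8:10::1/128 -p udp -m udp --dport 500 -j DNAT --to-destination [2001:db8::100]:500
-A PREROUTING -d 2001:db8:10::1/128 -p udp -m udp --dport 4500 -j DNAT --to-destination [2001:db8::100]:4500
COMMIT
EOF
}

# Live audit (needs root): AUDIT_LIVE=gateway on VPN Gateway, AUDIT_LIVE=router on Router1.
case "${AUDIT_LIVE:-}" in
    gateway)
        check_bridge br0 eth1 rhpvif10
        check_bridge br1 eth2 rhpvif20 ;;
    router)
        iptables-save -t nat > /tmp/nat4.rules && check_ike_dnat /tmp/nat4.rules 10.0.0.1 192.168.0.100
        ip6tables-save -t nat > /tmp/nat6.rules && check_ike_dnat /tmp/nat6.rules 2001:db8:10::1 2001:db8::100 ;;
esac
```

Run it with AUDIT_LIVE=gateway on VPN Gateway after restarting Rockhopper (a missing rhpvif10 or rhpvif20 port means the realm's VPN Interface is not linked to the bridge yet), and with AUDIT_LIVE=router on Router1; a missing udp/4500 rule shows up as clients that complete IKE_SA_INIT but never pass traffic.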


- Application Server 1 (app1.example.com) and Application Server 2 (app2.example.com):

Install and set up dnsmasq's DNS service as an internal DNS server on each application server. In addition, add the following line to that server's /etc/hosts; dnsmasq answers queries from it.

- Application Server 1 (app1.example.com)
10.10.0.2    app1.example.com

- Application Server 2 (app2.example.com)
2001:db8:100::2    app2.example.com


- PKCS#12 files for VPN Gateway:

   - gateway1.example.com.p12 and gateway2.example.com.p12 (PKCS#12)

   Each certificate (X.509) includes a subjectAltName (host name/DNS). The remote clients check this name against the Destination ID they are configured with (gateway1.example.com or gateway2.example.com), so it must match exactly.

- A X.509 Certificate for gateway1.example.com (gateway1.example.com.p12):

SubjectName (DN) C=JP, ST=Tokyo, L=Minatoku, O=example, OU=sales, CN=gateway1
SubjectAltName (SAN) gateway1.example.com (DNS)

- A X.509 Certificate for gateway2.example.com (gateway2.example.com.p12):

SubjectName (DN) C=JP, ST=Tokyo, L=Minatoku, O=example, OU=sales, CN=gateway2
SubjectAltName (SAN) gateway2.example.com (DNS)



- A PEM file including a CA certificate(X.509):

   - CA: TestCA-cacert.pem (X.509, PEM/Base64-encoding), the file each remote client imports to verify the gateway certificates

See also "Documents/Tips: Managing certificates by XCA".
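Because the clients are anonymous, the only authentication in this VPN is the client's check of the gateway certificate: it must chain to TestCA-cacert.pem and carry the configured Destination ID as a DNS subjectAltName. The following script is an added example, not Rockhopper code; it checks a PKCS#12 file against those two expectations before you import it into My Key Store, using only the openssl(1) command line. make_test_material builds a throwaway CA and gateway certificate in a temporary directory (constructed data, not the scenario's real keys) so the check can be exercised without the real files; for the real check, point gateway_cert_matches at gateway1.example.com.p12 and TestCA-cacert.pem.

```shell
#!/bin/sh
# Pre-import check for a gateway PKCS#12 file: does the certificate inside
# carry the FQDN the clients will use as Destination ID as a DNS SAN, and does
# it chain to the CA file the clients import? Added example, not Rockhopper
# code; assumes the openssl(1) command line (1.1.x or 3.x).

# gateway_cert <p12> <password>: print the gateway's own certificate as clean PEM
gateway_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
        | openssl x509 2>/dev/null
}

# gateway_sans <p12> <password>: print the DNS names in subjectAltName, one per line
gateway_sans() {
    gateway_cert "$1" "$2" | openssl x509 -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# gateway_cert_matches <p12> <password> <fqdn> <ca_pem>: succeed only if the
# certificate chains to <ca_pem> and names <fqdn>, which is what a remote
# client checks against its configured Destination ID / Peer ID
gateway_cert_matches() {
    p12=$1 pass=$2 fqdn=$3 ca=$4
    tmpcert=$(mktemp) || return 1
    gateway_cert "$p12" "$pass" > "$tmpcert"
    if openssl verify -CAfile "$ca" -verify_hostname "$fqdn" "$tmpcert" >/dev/null 2>&1; then
        rm -f "$tmpcert"; return 0
    fi
    echo "$p12: no valid chain to $ca for $fqdn; SANs found: $(gateway_sans "$p12" "$pass" | tr '\n' ' ')" >&2
    rm -f "$tmpcert"; return 1
}

# make_test_material <dir> <fqdn> <cn>: constructed test data, NOT the
# scenario's real keys. Creates a self-signed TestCA-cacert.pem and a gateway
# certificate with SAN DNS:<fqdn>, exported as <dir>/<fqdn>.p12 with the
# password used on this page (himitsu). Runs in a subshell so cd is local.
make_test_material() (
    dir=$1 fqdn=$2 cn=$3
    cd "$dir" || exit 1
    openssl req -new -newkey rsa:2048 -nodes -keyout TestCA-key.pem -out ca.csr \
        -subj "/O=example/CN=TestCA" >/dev/null 2>&1 || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -days 1 -in ca.csr -signkey TestCA-key.pem -extfile ca.ext \
        -out TestCA-cacert.pem >/dev/null 2>&1 || exit 1
    openssl req -new -newkey rsa:2048 -nodes -keyout gw.key -out gw.csr \
        -subj "/C=JP/ST=Tokyo/L=Minatoku/O=example/OU=sales/CN=$cn" >/dev/null 2>&1 || exit 1
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > san.ext
    openssl x509 -req -days 1 -in gw.csr -CA TestCA-cacert.pem -CAkey TestCA-key.pem \
        -CAcreateserial -extfile san.ext -out gw.pem >/dev/null 2>&1 || exit 1
    openssl pkcs12 -export -in gw.pem -inkey gw.key -certfile TestCA-cacert.pem \
        -passout pass:himitsu -out "$fqdn.p12" >/dev/null 2>&1
)

# Usage: sh check-gateway-p12.sh gateway1.example.com.p12 himitsu gateway1.example.com TestCA-cacert.pem
if [ $# -eq 4 ]; then
    gateway_cert_matches "$@" && echo "$1: chains to $4 and names $3"
fi
```

The check deliberately uses the CA file the clients import, not the CA bundled inside the .p12, so a certificate that was issued by the wrong CA fails here instead of at the first client connection.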



Configure VPN:


VPN Gateway:


  1. Open Rockhopper Web console on http://127.0.0.1:32501 (by default) in Firefox.
  2. Login with the administrator's name and password (by default, admin and secret; change them before the host goes into service).
  3. If VPN Configuration tab is not shown, uncheck Hide configuration tabs checkbox.

 - Configure a VPN realm for gateway1.example.com (Realm ID: 10).


  1. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: Gateway1
    Description: Config for Example VPN.
    Mode: Bridge


  2. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Gateway1(Bridge)[Left-Tree] > VPN Interface[Left-Tree]:
    Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter or select the following.

    Internal Address Type: Unnumbered(for bridging)
    Linked Bridge Name: br0


  3. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Gateway1(Bridge)[Left-Tree] > Network Interface[Left-Tree]:
    Click this tree node and show Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select eth0 as a source interface and enable IPv4 and IPv6.

    - Check Destination NAT Address (MOBIKE Responder) and enter the following.
        Dest NAT IPv4 Address: 10.0.0.1 (Router1's global IPv4 address)
        Dest NAT IPv6 Address: 2001:db8:10::1 (Router1's global IPv6 address)

    These are the mapped (reflexive) addresses on Router1, the addresses the remote clients actually send to. A remote client (a MOBIKE initiator) is notified of either address as an additional address of the VPN gateway.


  4. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Gateway1(Bridge)[Left-Tree] > Service[Left-Tree]:
    Click this tree node and show Service pane.

    - Network Deployment: Select Hub(Concentrator) Node.

    - Remote Configuration(IKEv2): Select Remote Configuration Server.

    - Authentication Method for Remote Peers: Select No Authentication.


  5. Setup Remote Configuration Server.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Gateway1(Bridge)[Left-Tree] >Service[Left-Tree] > Remote Config Server[Left-Tree]:
    Click this tree node and show Remote Configuration Server(IKEv2) pane.


  6. Setup Remote Configuration Server - Internal Address Pool.

    - Remote Configuration Server(IKEv2)[Pane] > Internal Address Pool[Tab]:
    Click Add Address Pool button.

    - Add a New Address Pool[Dialog]: Enter the following, then click OK button.
    Address Type: IPv4 Address Range
    IPv4 Address Range: 10.10.0.10 - 10.10.255.254 (inside the br0 subnet 10.10.0.0/16, starting above the bridge address 10.10.0.1 and Application Server 1 at 10.10.0.2)


  7. Setup Remote Configuration Server - Internal DNS.

     
    - Remote Configuration Server(IKEv2)[Pane] > Internal DNS[Tab]:
    Enter the following as an Internal DNS server's address.

    IPv4: 10.10.0.2

    - Click Add DNS Suffix button.

    Add a New DNS Suffix[Dialog] (the suffix is pushed to the VPN remote hosts):
    Enter the following, then click OK button.

    DNS Suffix: .example.com

  8. Setup Remote Configuration Server - Options.

     
    - Remote Configuration Server(IKEv2)[Pane] > Options[Tab]:

    - Narrow traffic selectors for remote clients by using assigned address(es): Select Enable.

    - Check Reject VPN connections with peers other than remote clients.

    - Check Don't forward packets between remote clients.

    - Check Reject traffic selectors requested by remote client.

    With anonymous (NULL-authenticated) peers these four options are what confine an unauthenticated client: it cannot present itself as anything but a remote client, its traffic selector is narrowed to the one address it was assigned rather than whatever it requests, and it cannot reach the other clients bridged onto br0.

  9. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Gateway1(Bridge)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): gateway1.example.com.p12
    RSA Private Key's Password: himitsu


  10. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Gateway1(Bridge)[Left-Tree] > Peers[Left-Tree]: Click this tree node and show Peers pane.

    - Click Add Peer button.
    Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: IKEv2: Any

  11. Setup My Traffic selector for a remote client.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Gateway1(Bridge)[Left-Tree] > Peers[Left-Tree] > any[Left-Tree]:
    Click this tree node and show Remote Peer: any pane.

    - Remote Peer: any[Pane] > My Traffic Selector[Tab]

    - Click Add Traffic Selector button.
    Add My New Traffic Selector[Dialog]: Enter the following, then click OK button.

    Address Type: IPv4 Address Range
    Address Range: Starting Address: 10.10.0.2 - Ending Address: 10.10.0.2 (Application Server 1: app1.example.com)
    Protocol: Any

  12. Setup Peer's Traffic selector for a remote client.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Gateway1(Bridge)[Left-Tree] > Peers[Left-Tree] > any[Left-Tree]:
    Click this tree node and show Remote Peer: any pane.

    - Remote Peer: any[Pane] > Peer's Traffic Selector[Tab]

    - Click Add Traffic Selector button.
    Add Peer's New Traffic Selector[Dialog]: Enter the following, then click OK button.

    Address Type: Any (IPv4)
    Protocol: Any

    In practice this selector is narrowed to the IPv4 address assigned to the remote client (step 8), so the client can only send from that address.

  13. Setup VPN connection's lifetime for each remote access client (if needed).

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Gateway1(Bridge)[Left-Tree]
    > IKE SA Settings[Left-Tree]:
    Click this tree node and show IKE SA Detailed Settings pane.

    Enter the following in seconds.

    VPN connection's lifetime: 3600
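The address pool in step 6 and the traffic selectors in steps 11 and 12 must agree with the br0 subnet: the pool has to lie inside 10.10.0.0/16, its start must not exceed its end, and it must never hand an anonymous client the bridge address 10.10.0.1 or Application Server 1's 10.10.0.2, because the narrowed peer traffic selector is exactly the assigned address. The following checks are an added example (not Rockhopper code) in POSIX sh with awk for the arithmetic; the addresses are this scenario's, and the function names are my own.

```shell
#!/bin/sh
# Sanity checks for the remote-client address pool and traffic selectors of
# realm 10. Added example, not Rockhopper code. Run before saving the realm.

# ip4_to_int <a.b.c.d>: print the address as an unsigned 32-bit integer
ip4_to_int() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", ($1*16777216)+($2*65536)+($3*256)+$4 }'
}

# in_subnet <addr> <net>/<plen>: succeed if <addr> lies inside the prefix
in_subnet() {
    a=$(ip4_to_int "$1")
    n=$(ip4_to_int "${2%/*}")
    plen=${2#*/}
    awk -v a="$a" -v n="$n" -v p="$plen" 'BEGIN {
        size = 2 ^ (32 - p)            # number of addresses in the prefix
        base = int(n / size) * size    # network address
        exit !(a >= base && a < base + size)
    }'
}

# pool_ok <start> <end> <net>/<plen> [reserved...]: the pool must be ordered,
# must lie inside the bridge subnet, and must not contain any reserved
# address (bridge address, application server, DNS) that an anonymous client
# would otherwise be able to claim as its own source address.
pool_ok() {
    start=$1 end=$2 net=$3; shift 3
    s=$(ip4_to_int "$start"); e=$(ip4_to_int "$end")
    if [ "$s" -gt "$e" ]; then
        echo "pool start $start is above pool end $end" >&2; return 1
    fi
    if ! in_subnet "$start" "$net" || ! in_subnet "$end" "$net"; then
        echo "pool $start - $end is not inside $net" >&2; return 1
    fi
    for r in "$@"; do
        ri=$(ip4_to_int "$r")
        if [ "$ri" -ge "$s" ] && [ "$ri" -le "$e" ]; then
            echo "pool $start - $end would hand out reserved address $r" >&2; return 1
        fi
    done
    return 0
}

# Usage: sh check-pool.sh 10.10.0.10 10.10.255.254 10.10.0.0/16 10.10.0.1 10.10.0.2
if [ $# -ge 3 ]; then
    pool_ok "$@" && echo "pool $1 - $2 is consistent with $3"
fi
```

The reserved list is where the bridge makes a difference: because remote clients share the Ethernet segment with Application Server 1, a pool that overlapped 10.10.0.2 would let a client be assigned, and then legitimately send from, the application server's own address.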



 - Similarly, configure a VPN realm for gateway2.example.com (Realm ID: 20).


  1. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 20
    Realm Name: Gateway2
    Description: Config for Example VPN.
    Mode: Bridge


  2. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Gateway2(Bridge)[Left-Tree] > VPN Interface[Left-Tree]:
    Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter or select the following.

    Internal Address Type: Unnumbered(for bridging)
    Linked Bridge Name: br1


  3. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Gateway2(Bridge)[Left-Tree] > Network Interface[Left-Tree]:
    Click this tree node and show Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select eth0 as a source interface and enable IPv4 and IPv6.

    - Check Destination NAT Address (MOBIKE Responder) and enter the followings.
        Dest NAT IPv4 Address: 10.0.0.1 (Router1's global IPv4 address)
        Dest NAT IPv6 Address: 2001:db8:10::1 (Router1's global IPv6 address)


  4. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Gateway2(Bridge)[Left-Tree] > Service[Left-Tree]:
    Click this tree node and show Service pane.

    - Network Deployment: Select Hub(Concentrator) Node.

    - Remote Configuration(IKEv2): Select Remote Configuration Server.

    - Authentication Method for Remote Peers: Select No Authentication.


  5. Setup Remote Configuration Server.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Gateway2(Bridge)[Left-Tree] >Service[Left-Tree] > Remote Config Server[Left-Tree]:
    Click this tree node and show Remote Configuration Server(IKEv2) pane.


  6. Setup Remote Configuration Server - Internal DNS.

     
    - Remote Configuration Server(IKEv2)[Pane] > Internal DNS[Tab]:
    Enter the following as an Internal DNS server's address.

    IPv6: 2001:db8:100::2

    - Click Add DNS Suffix button.

    Add a New DNS Suffix[Dialog] (the suffix is pushed to the VPN remote hosts):
    Enter the following, then click OK button.

    DNS Suffix: .example.com

  7. Setup Remote Configuration Server - Options.

     
    - Remote Configuration Server(IKEv2)[Pane] > Options[Tab]:

    - Narrow traffic selectors for remote clients by using assigned address(es): Select Enable.

    - Check Reject VPN connections with peers other than remote clients.

    - Check Allow IPv6 address Auto-configuration for remote clients. (Rockhopper's private extension).

    - Check Don't forward packets between remote clients.

    - Check Reject traffic selectors requested by remote client.

  8. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Gateway2(Bridge)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): gateway2.example.com.p12
    RSA Private Key's Password: himitsu


  9. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Gateway2(Bridge)[Left-Tree] > Peers[Left-Tree]: Click this tree node and show Peers pane.

    - Click Add Peer button.
    Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: IKEv2: Any

  10. Setup My Traffic selector for a remote client.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Gateway2(Bridge)[Left-Tree] > Peers[Left-Tree] > any[Left-Tree]:
    Click this tree node and show Remote Peer: any pane.

    - Remote Peer: any[Pane] > My Traffic Selector[Tab]

    - Click Add Traffic Selector button.
    Add My New Traffic Selector[Dialog]: Enter the following, then click OK button.

    Address Type: IPv6 Address Range
    Address Range: Starting Address: 2001:db8:100::2 - Ending Address: 2001:db8:100::2 (Application Server 2: app2.example.com)
    Protocol: Any

  11. Setup Peer's Traffic selector for a remote client.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Gateway2(Bridge)[Left-Tree] > Peers[Left-Tree] > any[Left-Tree]:
    Click this tree node and show Remote Peer: any pane.

    - Remote Peer: any[Pane] > Peer's Traffic Selector[Tab]

    - Click Add Traffic Selector button.
    Add Peer's New Traffic Selector[Dialog]: Enter the following, then click OK button.

    Address Type: Any (IPv6)
    Protocol: Any

    In practice this selector is narrowed to the IPv6 addresses the remote client obtained by autoconfiguration (the radvd prefix on rhpvif20), so the client can only send from those addresses.

  12. Setup VPN connection's lifetime for each remote access client (if needed).

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Gateway2(Bridge)[Left-Tree]
    > IKE SA Settings[Left-Tree]:
    Click this tree node and show IKE SA Detailed Settings pane.

    Enter the following in seconds.

    VPN connection's lifetime: 3600



 - Finally, save the configuration of both realms.

   - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
     Click this tree node and show "Edit VPN Realm(Save, Add, Remove, or Load)" pane.

     - Click Save Configuration button.




Remote Access Client 1


- Setup a VPN connection.


- Version: 0.2.b1-021 or later


  1. Open Rockhopper Web console on http://127.0.0.1:32501 (by default) in Firefox.
  2. Login with administrator's name and password (by default, admin and secret).
  3. If VPN Configuration tab is not shown, uncheck Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.
    Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: "RA Client 1"
    Description: "Config for Example VPN."
    Mode: Remote Client


  5. Setup Destination.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:RA Client 1(Remote Client)[Left-Tree] > Destination[Left-Tree]: Click this tree node and show Destination (Concentrator / Gateway) pane.

    - Enter the following.

    Destination Address: IPv4 and 10.0.0.1 or IPv6 and 2001:db8:10::1 (Router1's global address) [Optional]

    If this address is not specified, a public DNS server is expected to resolve the IPv4 and/or IPv6 address of gateway1.example.com (the Destination ID below). Alternatively, add an entry to the /etc/hosts file.

    Destination ID Type: Host Name(FQDN)
    Destination ID: gateway1.example.com

    VPN Gateway hosts two gateway services (VPN realms) behind the same address, so the Destination ID must be specified here: it tells the gateway which service the client wants, and the certificate that gateway presents must carry this name as a subjectAltName for the connection to be accepted.


  6. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:RA Client 1(Remote Client)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: No Authentication
    My ID Type: Null ID


  7. Setup CA Certificate/CRL.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:RA Client 1(Remote Client)[Left-Tree]
    > CA Certificate/CRL[Left-Tree]:
    Click this tree node and show CA Certificate/Certificate Revocation List(CRL) pane.

    - Enter the following.

    Imported Certificate/CRL Format: PEM(Base64-encoding) - File
    CA Certificates(X.509, *.pem): TestCA-cacert.pem

  8. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.


- Advanced Settings (the same realm configured with Advanced Settings checked, which exposes every setting individually)


  1. Open Rockhopper Web console on http://127.0.0.1:32501 (by default) in Firefox.
  2. Login with administrator's name and password (by default, admin and secret).
  3. If VPN Configuration tab is not shown, uncheck Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.
    Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: "RA Client 1"
    Description: "Config for Example VPN."
    Mode: Remote Client


    - Check Advanced Settings. (Version: 0.2.b1-021 or later)


  5. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:RA Client 1(Remote Client)[Left-Tree] > VPN Interface[Left-Tree]: Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter the following.

    Internal Address Type: Auto(IKEv2 Configuration)

  6. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:RA Client 1(Remote Client)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node and show Network Interface pane.

    - Check Use default route.
    or
    - Uncheck Use default route and enter the followings.
        Primary interface:
          - Name: Select eth0 as a source interface.


  7. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:RA Client 1(Remote Client)[Left-Tree] > Service[Left-Tree]: Click this tree node and show Service pane.

    - Network Deployment: Select Spoke Node/Other.

    - Remote Configuration(IKEv2): Select Remote Access Client.


  8. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:RA Client 1(Remote Client)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: No Authentication
    My ID Type: Null ID


  9. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:RA Client 1(Remote Client)[Left-Tree] > Peers[Left-Tree]: Click this tree node and show Peers pane.

    - Click Add Peer button.
    Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: gateway1.example.com

    VPN Gateway hosts two gateway services (VPN realms) behind the same address, so the peer ID must be specified here; the certificate presented by gateway1.example.com must carry this name as a subjectAltName.


  10. Setup the Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:RA Client 1(Remote Client)[Left-Tree] > Peers[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
    Click this tree node and show Peer: gateway1.example.com(FQDN) pane.

    - Enter the following.

    Peer's IP Address : IPv4 and 10.0.0.1 or IPv6 and 2001:db8:10::1 (Router1's global address) [Optional]

    If this address is not specified, a public DNS server is expected to resolve the IPv4 and/or IPv6 address of gateway1.example.com (the remote peer's ID). Alternatively, add an entry to the /etc/hosts file.

    This peer's Network Deployment: Hub(Concentrator) Node


  11. Setup CA Certificate/CRL.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:RA Client 1(Remote Client)[Left-Tree]
    > CA Certificate/CRL[Left-Tree]:
    Click this tree node and show CA Certificate/Certificate Revocation List(CRL) pane.

    - Enter the following.

    Imported Certificate/CRL Format: PEM(Base64-encoding) - File
    CA Certificates(X.509, *.pem): TestCA-cacert.pem

  12. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.


- Connect VPN


  1. Open VPN remote host's Web console on http://127.0.0.1:32501 (by default) in Firefox.
  2. Login with administrator's name and password (by default, admin and secret).
  3. Top [Tab] > 10:RA Client 1[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]: Click this tree node and show 10: gateway1.example.com(FQDN) pane.
  4. Click Connect VPN button.



Remote Access Client 2


- Version: 0.2.b1-021 or later


  1. Open Rockhopper Web console on http://127.0.0.1:32501 (by default) in Firefox.
  2. Login with administrator's name and password (by default, admin and secret).
  3. If VPN Configuration tab is not shown, uncheck Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.
    Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 20
    Realm Name: "RA Client 2"
    Description: "Config for Example VPN."
    Mode: Remote Client


  5. Setup Destination.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:RA Client 2(Remote Client)[Left-Tree] > Destination[Left-Tree]: Click this tree node and show Destination (Concentrator / Gateway) pane.

    - Enter the following.

    Destination Address: IPv4 and 10.0.0.1 or IPv6 and 2001:db8:10::1 (Router1's global address) [Optional]

    If this address is not specified, a public DNS server is expected to resolve the IPv4 and/or IPv6 address of gateway2.example.com (the Destination ID below). Alternatively, add an entry to the /etc/hosts file.

    Destination ID Type: Host Name(FQDN)
    Destination ID: gateway2.example.com

    VPN Gateway hosts two gateway services (VPN realms) behind the same address, so the Destination ID must be specified here: it tells the gateway which service the client wants, and the certificate that gateway presents must carry this name as a subjectAltName for the connection to be accepted.


  6. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:RA Client 2(Remote Client)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: No Authentication
    My ID Type: Null ID


  7. Setup CA Certificate/CRL.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:RA Client 2(Remote Client)[Left-Tree]
    > CA Certificate/CRL[Left-Tree]:
    Click this tree node and show CA Certificate/Certificate Revocation List(CRL) pane.

    - Enter the following.

    Imported Certificate/CRL Format: PEM(Base64-encoding) - File
    CA Certificates(X.509, *.pem): TestCA-cacert.pem

  8. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.


- Advanced Settings (the same realm configured with Advanced Settings checked, which exposes every setting individually)


  1. Open Rockhopper Web console on http://127.0.0.1:32501 (by default) in Firefox.
  2. Login with administrator's name and password (by default, admin and secret).
  3. If VPN Configuration tab is not shown, uncheck Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.
    Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 20
    Realm Name: "RA Client 2"
    Description: "Config for Example VPN."
    Mode: Remote Client


    - Check Advanced Settings. (Version: 0.2.b1-021 or later)


  5. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:RA Client 2(Remote Client)[Left-Tree] > VPN Interface[Left-Tree]: Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter the following.

    Internal Address Type: Auto(IKEv2 Configuration)

    Check Enable IPv6 address Auto-configuration. (Rockhopper's private extension).

  6. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:RA Client 2(Remote Client)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node and show Network Interface pane.

    - Check Use default route.
    or
    - Uncheck Use default route and enter the followings.
        Primary interface:
          - Name: Select eth0 as a source interface.


  7. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:RA Client 2(Remote Client)[Left-Tree] > Service[Left-Tree]: Click this tree node and show Service pane.

    - Network Deployment: Select Spoke Node/Other.

    - Remote Configuration(IKEv2): Select Remote Access Client.


  8. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:RA Client 2(Remote Client)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: No Authentication
    My ID Type: Null ID


  9. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:RA Client 2(Remote Client)[Left-Tree] > Peers[Left-Tree]: Click this tree node and show Peers pane.

    - Click Add Peer button.
    Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: gateway2.example.com

    VPN Gateway hosts two gateway services (VPN realms) behind the same address, so the peer ID must be specified here; the certificate presented by gateway2.example.com must carry this name as a subjectAltName.


  10. Setup the Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:RA Client 2(Remote Client)[Left-Tree] > Peers[Left-Tree] > gateway2.example.com(FQDN)[Left-Tree]:
    Click this tree node and show Peer: gateway2.example.com(FQDN) pane.

    - Enter the following.

    Peer's IP Address : IPv4 and 10.0.0.1 or IPv6 and 2001:db8:10::1 (Router1's global address) [Optional]

    If this address is not specified, a public DNS server is expected to resolve the IPv4 and/or IPv6 address of gateway2.example.com (the remote peer's ID). Alternatively, add an entry to the /etc/hosts file.

    This peer's Network Deployment: Hub(Concentrator) Node


  11. Setup CA Certificate/CRL.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:RA Client 2(Remote Client)[Left-Tree]
    > CA Certificate/CRL[Left-Tree]:
    Click this tree node and show CA Certificate/Certificate Revocation List(CRL) pane.

    - Enter the following.

    Imported Certificate/CRL Format: PEM(Base64-encoding) - File
    CA Certificates(X.509, *.pem): TestCA-cacert.pem

  12. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.


- Connect VPN


  1. Open VPN remote host's Web console on http://127.0.0.1:32501 (by default) in Firefox.
  2. Login with administrator's name and password (by default, admin and secret).
  3. Top [Tab] > 20:RA Client 2[Left-Tree] > gateway2.example.com(FQDN)[Left-Tree]: Click this tree node and show 20: gateway2.example.com(FQDN) pane.
  4. Click Connect VPN button.

