VPN example:
Remote Access VPN, Bridge, strongSwan (client), One-armed, Behind a NAT/NAPT, and certificates (PKCS#12/PEM/X.509) for both strongSwan and Rockhopper.


The following image shows an example network for this scenario.

Ubuntu is installed on the VPN Gateway (Bridge/Remote Access Server), the strongSwan client, the Internal host/Internal DNS server, Router1 (Destination NAPT or Port Forwarding) and Router2 (Source NAPT).

Rockhopper VPN software is installed on the VPN Gateway. A VPN is established between this node and the strongSwan client (IKEv2). The VPN Gateway works as a bridge between the strongSwan client and the protected network (LAN, 192.168.0.0/24). The gateway is deployed as a one-armed gateway.

RSA signature (certificate) authentication is used for both the strongSwan client and the VPN Gateway.

The strongSwan client and the VPN Gateway are each located behind a NAT (NAPT). Router1 and Router2 provide the NAT/NAPT (Network Address Port Translation) or port forwarding service for them.




rhpvif10 on VPN Gateway: A virtual interface (a Tunnel/TAP interface) used to access the internal network. "10" is the VPN realm ID. This interface is created automatically by the Rockhopper VPN service and is configured from the Rockhopper Web console, not with system tools like the ifconfig command.

br0 on VPN Gateway: A bridge interface with eth0 and rhpvif10 as its ports. It is managed with the brctl command from the bridge-utils package. You need to link eth0 to br0 manually with brctl, while rhpvif10 is linked to br0 automatically by the Rockhopper VPN service.

eth0 and/or eth1 on each host: Real interfaces attached to the physical network.


A VPN realm is a security domain whose members share the same security policy and VPN configuration. For instance, you can define VPN realm "10" for a sales team and another VPN realm "20" for a development team.


Advance preparation:


- VPN Gateway(gateway1.example.com):
# sudo brctl addbr br0
# sudo brctl addif br0 eth0
# sudo ifconfig br0 192.168.0.100 netmask 255.255.255.0

# sudo route add default gw 192.168.0.10
See also "man 8 brctl" for more details on setting up a bridge interface.
If you set up the bridge interface manually after configuring Rockhopper, restart Rockhopper like this:
# sudo /etc/init.d/rockhopper restart


- Router1(Port Forwarding):
# sudo ifconfig eth0 10.0.0.1 netmask 255.255.255.0
# sudo ifconfig eth1 192.168.0.10 netmask 255.255.255.0

Enable IPv4 routing.
# sudo sysctl net.ipv4.ip_forward=1

Forward packets destined to 10.0.0.1:500 (Router1) to 192.168.0.100:500 (VPN Gateway).
# sudo iptables -t nat -A PREROUTING -p udp --dst 10.0.0.1 --dport 500 -j DNAT --to-destination 192.168.0.100:500

Forward packets destined to 10.0.0.1:4500 (Router1) to 192.168.0.100:4500 (VPN Gateway).
# sudo iptables -t nat -A PREROUTING -p udp --dst 10.0.0.1 --dport 4500 -j DNAT --to-destination 192.168.0.100:4500

- Router2(Source NAPT):
# sudo ifconfig eth0 10.0.0.10 netmask 255.255.255.0
# sudo ifconfig eth1 192.168.2.1 netmask 255.255.255.0

Enable IPv4 routing.
# sudo sysctl net.ipv4.ip_forward=1

Apply NAPT to packets from the private network (192.168.2.0/24).
# sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE --random

- Internal host/Internal DNS server:
# sudo ifconfig eth0 192.168.0.101 netmask 255.255.255.0
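The DNAT rules on Router1 and the MASQUERADE rule on Router2 above exist only to carry IKEv2 on UDP 500 and, once the peers detect the NAT, on UDP 4500 (NAT-T). As an added example (not part of Rockhopper or of the original page), the following Python snippet parses the fixed IKEv2 header and tells bare IKE, NAT-T-encapsulated IKE, UDP-encapsulated ESP and NAT keepalives apart, so a capture taken on either router can confirm that the forwarded packets are what the rules assume; the sample payloads are constructed.

```python
import struct

# IKEv2 exchange types (RFC 7296, section 3.1)
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
IKE_HEADER_LEN = 28  # SPIs, next payload, version, exchange, flags, msg id, length

def parse_ike_header(data):
    """Parse the fixed 28-byte IKEv2 header into a dict of its fields."""
    if len(data) < IKE_HEADER_LEN:
        raise ValueError("truncated IKE header")
    ispi, rspi, next_payload, version, exch, flags, msg_id, length = \
        struct.unpack("!QQBBBBII", data[:IKE_HEADER_LEN])
    return {
        "initiator_spi": ispi,
        "responder_spi": rspi,             # 0 in the first IKE_SA_INIT request
        "version": (version >> 4, version & 0x0F),
        "exchange": EXCHANGE_TYPES.get(exch, "UNKNOWN(%d)" % exch),
        "initiator": bool(flags & 0x08),   # I flag
        "response": bool(flags & 0x20),    # R flag
        "message_id": msg_id,
        "length": length,
    }

def classify_udp_payload(dst_port, data):
    """UDP 500 carries bare IKE. UDP 4500 (NAT-T, RFC 3948) carries a 4-byte
    zero non-ESP marker followed by IKE, UDP-encapsulated ESP (first 4 bytes
    are a non-zero ESP SPI), or a single 0xFF NAT keepalive."""
    if dst_port == 500:
        return "IKE", parse_ike_header(data)
    if dst_port == 4500:
        if data == b"\xff":
            return "NAT-KEEPALIVE", None
        if len(data) >= 4 and data[:4] == b"\x00\x00\x00\x00":
            return "IKE-NAT-T", parse_ike_header(data[4:])
        if len(data) >= 8:
            spi, seq = struct.unpack("!II", data[:8])
            return "ESP-in-UDP", {"spi": spi, "seq": seq}
        raise ValueError("short NAT-T payload")
    raise ValueError("port %d is not IKE/NAT-T" % dst_port)

# Constructed samples (header only, so length = 28): an IKE_SA_INIT request on
# UDP 500, an IKE_AUTH request inside NAT-T on UDP 4500, and an ESP-in-UDP packet.
SAMPLE_IKE_SA_INIT = struct.pack("!QQBBBBII", 0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, 28)
SAMPLE_NAT_T_IKE_AUTH = b"\x00" * 4 + struct.pack(
    "!QQBBBBII", 0x1122334455667788, 0x99AABBCCDDEEFF00, 46, 0x20, 35, 0x08, 1, 28)
SAMPLE_ESP_IN_UDP = struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16
```

A packet whose header parses as IKE_SA_INIT with a zero responder SPI arriving on Router1's eth0 is the client's first message; if only UDP 500 traffic ever reaches the gateway while the client sits behind Router2, the 4500 rule is the one to re-check.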

The above configuration will be lost after you restart the computer. To make the configuration permanent, edit /etc/network/interfaces like this. This is an example for the VPN Gateway (gateway1.example.com) on Ubuntu.

- /etc/network/interfaces (Ubuntu):
auto eth0
iface eth0 inet manual
up /sbin/ifconfig eth0 promisc

auto br0
iface br0 inet static
address 192.168.0.100
network 192.168.0.0
netmask 255.255.255.0
gateway 192.168.0.10
broadcast 192.168.0.255
bridge_ports eth0
bridge_stp off
bridge_maxwait 10


- PKCS#12/PEM files including certificates(X.509) and private keys:

   - VPN Gateway(Router): gateway1.example.com.p12 (PKCS#12)
   - strongSwan client:
      remotehost1.example.com.key.pem (private key, PEM),
      remotehost1.example.com.cert.pem (X.509, PEM)
      and TestCa-cacert.pem (CA's X.509, PEM)


See "Documents/Tips: Managing certificates by XCA on Ubuntu" for how to create each PKCS#12 or PEM file, including a private key or a certificate (X.509), for the VPN Gateway or the strongSwan client.



Configuring VPN:


VPN Gateway(gateway1.example.com):


  1. Open the Rockhopper Web console at http://127.0.0.1:32501 (by default) in Firefox.
  2. Log in with the administrator's name and password (by default, admin and secret).
  3. If the VPN Configuration tab is not shown, uncheck the Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node to show the Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: Example VPN
    Description: Config for Example VPN.
    Mode: Bridge


  5. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > VPN Interface[Left-Tree]:
    Click this tree node to show the VPN Tunnel/TAP Interface pane.

    - Enter or select the following.

    Internal Address Type: Unnumbered(for bridging)
    Linked Bridge Name: br0

    - If the strongSwan client communicates with hosts on other subnets such as 192.168.1.0/24, enter the following router's address. The VPN Gateway will forward decrypted packets destined to other subnets to that router (192.168.0.1).

    Internal Gateway's IPv4 Address (optional): 192.168.0.1


  6. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Network Interface[Left-Tree]:
    Click this tree node to show the Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select br0 as a source interface.


  7. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Service[Left-Tree]:
    Click this tree node to show the Service pane.

    - Network Deployment: Select Hub(Concentrator) Node.

    - Remote Configuration(IKEv2): Select Remote Configuration Server.


  8. Setup Remote Config Server.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] >Service[Left-Tree] > Remote Config Server[Left-Tree]:
    Click this tree node to show the Remote Config Server(IKEv2) pane.


  9. Setup Remote Config Server - Internal Address Pool.

    - Remote Config Server(IKEv2)[Pane] > Internal Address Pool[Tab]:
    Click Add Address Pool button.

    - Add a New Address Pool[Dialog]: Enter the following, then click OK button.
    Address Type: Address Range
    IPv4 Address Range: 192.168.0.20 - 192.168.0.30


  10. Setup Remote Config Server - Internal DNS (if needed).

    - Remote Config Server(IKEv2)[Pane] > Internal DNS[Tab]:
    Enter the following as an Internal DNS server's address.

    DNS Server's IPv4 Address: 192.168.0.101


  11. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node to show the My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): gateway1.example.com.p12
    RSA Private Key's Password: himitsu


  12. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Peers[Left-Tree]:
    Click this tree node to show the Peers pane.

    - Click Add Peer button.

    - Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: Any


  13. Setup traffic selectors.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Peers[Left-Tree] > any[Left-Tree]:
    Click this tree node to show the Peer: any pane.

    - Click Add Traffic Selector button on My Traffic Selector tab.

    - Add My New Traffic Selector[Dialog]: Enter the following, then click OK button.

    Priority: 10
    Address Type: Network
    IPv4 Network: 192.168.0.0 / Netmask : 255.255.255.0

    - Similarly, add the following traffic selector if needed.

    Priority: 10
    Address Type: Network
    IPv4 Network: 192.168.1.0 / Netmask : 255.255.255.0


  14. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node to show the "Edit VPN Realm(Save, Add, Remove, or Load)" pane.

    - Click Save Configuration button.
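Steps 9 and 13 above size the client address pool and the traffic selectors independently, and in Bridge mode a pool address is used directly on the bridged LAN. As an added example (not Rockhopper's own code), this Python check, with the page's addresses filled in and the reserved-host list assumed from the scenario, verifies that the pool lies inside the br0 subnet, does not collide with the gateway, routers or DNS server, and is covered by a traffic selector.

```python
import ipaddress

# Values taken from the example configuration (Web console steps 5, 9, 10 and 13)
BRIDGE_SUBNET = "192.168.0.0/24"                  # LAN bridged through br0
ADDRESS_POOL = ("192.168.0.20", "192.168.0.30")   # Internal Address Pool
TRAFFIC_SELECTORS = ["192.168.0.0/24", "192.168.1.0/24"]
# Hosts already present on the LAN in this scenario (assumed from the text above)
RESERVED = {
    "192.168.0.1": "internal router (Internal Gateway)",
    "192.168.0.10": "Router1 eth1",
    "192.168.0.100": "VPN Gateway br0",
    "192.168.0.101": "Internal host/DNS server",
}

def check_realm(bridge_subnet, pool, selectors, reserved):
    """Return a list of problems; an empty list means the layout is consistent.
    A bridged client appears on the LAN with its pool address, so every pool
    address must be a usable host address of the bridged subnet, must not be
    taken by an existing host, and must be matched by a traffic selector so the
    client's own traffic is actually carried by the VPN."""
    problems = []
    net = ipaddress.ip_network(bridge_subnet)
    lo, hi = (ipaddress.ip_address(a) for a in pool)
    if lo > hi:
        problems.append("pool start is after pool end")
        return problems
    pool_hosts = [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]
    nets = [ipaddress.ip_network(s) for s in selectors]
    for host in pool_hosts:
        if host not in net:
            problems.append(f"{host} is outside bridged subnet {net}")
        elif host in (net.network_address, net.broadcast_address):
            problems.append(f"{host} is the network or broadcast address")
        if str(host) in reserved:
            problems.append(f"{host} collides with {reserved[str(host)]}")
        if not any(host in n for n in nets):
            problems.append(f"{host} is not covered by any traffic selector")
    return problems

if __name__ == "__main__":
    for line in check_realm(BRIDGE_SUBNET, ADDRESS_POOL, TRAFFIC_SELECTORS, RESERVED) or ["OK"]:
        print(line)
```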



strongSwan client:


Please visit the strongSwan User Documentation for more detailed information.

- Import certificates and private key files.


# sudo cp remotehost1.example.com.key.pem /etc/ipsec.d/private/
# sudo cp remotehost1.example.com.cert.pem /etc/ipsec.d/certs/
# sudo cp TestCa-cacert.pem /etc/ipsec.d/cacerts/


- Setup a VPN connection.

/etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

config setup
   nat_traversal=yes
   charonstart=yes
   plutostart=no

# Add connections here.

# Example VPN connections

conn strongSwan-client
   keyexchange=ikev2
   auto=add
   authby=rsasig
   left=%defaultroute
   leftcert=remotehost1.example.com.cert.pem
   right=10.0.0.1
   rightid=@gateway1.example.com
   leftsourceip=%config
   rightsubnet=0.0.0.0/0
   #leftdns=%config4 (if needed)


'rightsubnet=0.0.0.0/0': This means 'any' traffic selectors. Rockhopper (VPN Gateway) narrows the traffic selectors down based on the settings specified on the Peers/any pane of the Web console.

'rightid=@gateway1.example.com': @gateway1.example.com is the same ID value that you set up on the My Key Store pane of the Rockhopper Web console. In this example configuration, gateway1.example.com is used because the VPN Gateway's certificate includes a subjectAltName (SAN) of FQDN type and that value is used as the VPN Gateway's ID (My Key Store/My ID Type: auto). With My ID Type: auto, the ID is either the subject (DN) or a subjectAltName (SAN) (an FQDN or an E-Mail address).


/etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA remotehost1.example.com.key.pem "naisho"



- Connecting VPN (strongSwan client):


# sudo ipsec restart
# sudo ipsec up strongSwan-client

