VPN example:
Role-based Management (Two VPN realms for the Sales Dep. and the Development Dep.), Remote Access VPN, Bridge, Windows 7/8/10(client), Behind a NAT/NAPT and EAP(MSCHAPv2)/certificate(PKCS#12/X.509).


The following image shows an example network for this scenario.

Two VPN realms are defined. One is for the Sales Department (Realm ID: 10) and the other is for the Development Department (Realm ID: 20).
A VPN realm is a security domain for group members to share the same security policy and VPN configuration. Also, see "Documents/What is a VPN Realm?" to understand it.
Alice and Dave work for the Sales Department and Bob and Sue belong to the Development Department. When each of them tries to establish a VPN connection, Rockhopper (a VPN gateway) maps his or her VPN client to an appropriate VPN realm based on a prefix or a suffix of the client's ID.

Ubuntu is installed on VPN Gateway (Bridge/Remote Access Server), VPN remote host, Internal DNS server, Router1 (Destination NAPT or Port Forwarding and Firewall), Router2 (Source NAPT) and Router3 (Source NAPT).

Rockhopper VPN software is installed on VPN Gateway and VPN remote host.

VPNs are connected between VPN Gateway and VPN clients (Windows 7/8/10 VPN Clients and VPN remote host (Ubuntu)). VPN Gateway works as a bridge between the VPN clients and protected networks (the Sales Department's subnet (192.168.100.0/24) and the Development Department's subnet (192.168.101.0/24)). On the other hand, this VPN Gateway does not work as a router. When each of the gateway's bridge interfaces receives decrypted packets destined to other subnets, it forwards the packets to Router1. Router1 filters the decrypted packets based on the security policy (by iptables) and then forwards or drops them.

Both EAP-MSCHAPv2 (for Alice and Bob) and RSA-Signature(certificate) (for VPN Gateway, Sue and Dave) are used as authentication methods for the VPN peers.

Some VPN clients and VPN Gateway are located behind a NAT(NAPT). Router1, Router2 and Router3 provide Port Forwarding service or NAT/NAPT(Network Address Port Translation) service for them.




rhpvif10 on VPN Gateway: A virtual interface (a Tunnel/TAP interface) to access the Sales Department's subnet. "10" is the VPN realm ID. This interface is automatically created by the Rockhopper VPN service and is configured through the Rockhopper Web console, not with system tools like the ifconfig command.
Similarly, rhpvif20 is for the VPN realm 20 (the Development Department).

br0 on VPN Gateway: A bridge interface linking eth1 and rhpvif10 interfaces as ports. This interface is managed by brctl command in the bridge-utils package. You need to manually link eth1 with br0 by brctl command, while rhpvif10 is automatically linked with br0 by Rockhopper VPN service.
Similarly, br1 links eth2 and rhpvif20 interfaces as ports.

eth0, eth1, eth2 and eth4: Real interfaces to access physical network.



Advance preparation:


- VPN Gateway (gateway1.example.com):
# sudo ifconfig eth0 192.168.0.100 netmask 255.255.255.0

Setup a bridge interface for the Sales Department's subnet.
# sudo brctl addbr br0
# sudo brctl addif br0 eth1
# sudo ifconfig br0 192.168.100.100 netmask 255.255.255.0

Setup a bridge interface for the Development Department's subnet.
# sudo brctl addbr br1
# sudo brctl addif br1 eth2
# sudo ifconfig br1 192.168.101.100 netmask 255.255.255.0

# sudo route add default gw 192.168.0.10
Please see also "man 8 brctl" for more details on setting up a bridge interface.
If you manually set up a bridge interface after configuring Rockhopper, restart Rockhopper like this:
# sudo /etc/init.d/rockhopper restart


- Router1 (Port Forwarding):
# sudo ifconfig eth0 10.0.0.1 netmask 255.255.255.0
# sudo ifconfig eth1 192.168.0.10 netmask 255.255.255.0

Enable IPv4 routing.
# sudo sysctl net.ipv4.ip_forward=1

Forward packets destined to 10.0.0.1:500 (Router1) to 192.168.0.100:500 (VPN Gateway).
# sudo iptables -t nat -A PREROUTING -p udp --dst 10.0.0.1 --dport 500 -j DNAT --to-destination 192.168.0.100:500

Forward packets destined to 10.0.0.1:4500 (Router1) to 192.168.0.100:4500 (VPN Gateway).
# sudo iptables -t nat -A PREROUTING -p udp --dst 10.0.0.1 --dport 4500 -j DNAT --to-destination 192.168.0.100:4500

- Router2 and Router3 (Source NAPT):

Enable IPv4 routing.
# sudo sysctl net.ipv4.ip_forward=1

Perform NAPT for packets from the private network (192.168.2.0/24).
# sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE --random

- Internal DNS server:
# sudo ifconfig eth0 192.168.0.101 netmask 255.255.255.0
# sudo route add default gw 192.168.0.10

The above configuration will be lost when you restart your computer. To make it permanent, edit /etc/network/interfaces like this. This is an example for VPN Gateway (gateway1.example.com) on Ubuntu.

- /etc/network/interfaces (Ubuntu):
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
gateway 192.168.0.10

auto eth1
iface eth1 inet manual
up /sbin/ifconfig eth1 promisc

auto eth2
iface eth2 inet manual
up /sbin/ifconfig eth2 promisc

auto br0
iface br0 inet static
address 192.168.100.100
network 192.168.100.0
netmask 255.255.255.0
broadcast 192.168.100.255
bridge_ports eth1
bridge_stp off
bridge_maxwait 10

auto br1
iface br1 inet static
address 192.168.101.100
network 192.168.101.0
netmask 255.255.255.0
broadcast 192.168.101.255
bridge_ports eth2
bridge_stp off
bridge_maxwait 10
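A bridge port that still carries its own IP address, or that is configured "inet static" instead of "inet manual", is a common reason the bridged realm interface never sees traffic. The following added example (not part of Rockhopper or Ubuntu) parses the ifupdown stanzas above and checks the bridge definitions against the brctl commands from the preparation steps; the sample text is the gateway configuration from this page, while the parser, the check names and the assumed rules (ports must be "inet manual", carry no address and be listed in an "auto" line) are this example's own.

```python
"""Parse an ifupdown /etc/network/interfaces file and sanity-check the bridge
stanzas used by the VPN Gateway.  Added example, not Rockhopper's own code."""
from typing import Dict, List, Tuple

# Constructed sample: the VPN Gateway stanzas from the page, verbatim.
SAMPLE_INTERFACES = """\
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
gateway 192.168.0.10

auto eth1
iface eth1 inet manual
up /sbin/ifconfig eth1 promisc

auto eth2
iface eth2 inet manual
up /sbin/ifconfig eth2 promisc

auto br0
iface br0 inet static
address 192.168.100.100
network 192.168.100.0
netmask 255.255.255.0
broadcast 192.168.100.255
bridge_ports eth1
bridge_stp off
bridge_maxwait 10

auto br1
iface br1 inet static
address 192.168.101.100
network 192.168.101.0
netmask 255.255.255.0
broadcast 192.168.101.255
bridge_ports eth2
bridge_stp off
bridge_maxwait 10
"""

Stanza = Dict[str, List[str]]


def parse_interfaces(text: str) -> Tuple[Dict[str, Stanza], List[str]]:
    """Return ({iface: {option: [values]}}, [interfaces listed in 'auto' lines]).

    Only the subset of ifupdown syntax used above is handled: 'auto', 'iface'
    and one option per line inside a stanza.  Family and method are stored
    under the reserved keys '_family' and '_method'."""
    stanzas: Dict[str, Stanza] = {}
    auto: List[str] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] == "auto":
            auto.extend(words[1:])
            current = None
        elif words[0] == "iface":
            if len(words) != 4:
                raise ValueError(f"malformed iface line: {line}")
            current = stanzas.setdefault(words[1], {})
            current.setdefault("_family", []).append(words[2])
            current.setdefault("_method", []).append(words[3])
        elif current is None:
            raise ValueError(f"option outside an iface stanza: {line}")
        else:
            current.setdefault(words[0], []).append(" ".join(words[1:]))
    return stanzas, auto


def bridge_ports(stanzas: Dict[str, Stanza]) -> Dict[str, List[str]]:
    """{bridge: [ports]} for every stanza that has a bridge_ports option."""
    return {n: " ".join(s["bridge_ports"]).split()
            for n, s in stanzas.items() if "bridge_ports" in s}


def check_bridges(stanzas: Dict[str, Stanza], auto: List[str]) -> List[str]:
    """Flag bridge/port mistakes that would break the gateway's bridging.
    The rules are this example's assumptions, not a Rockhopper requirement."""
    problems: List[str] = []
    for bridge, ports in bridge_ports(stanzas).items():
        st = stanzas[bridge]
        if bridge not in auto:
            problems.append(f"{bridge}: bridge is not listed in an 'auto' line")
        if st["_method"] == ["static"] and "address" not in st:
            problems.append(f"{bridge}: static bridge has no address")
        for port in ports:
            pst = stanzas.get(port)
            if pst is None:
                problems.append(f"{bridge}: port {port} has no iface stanza")
                continue
            if port not in auto:
                problems.append(f"{port}: port is not listed in an 'auto' line")
            if pst["_method"] != ["manual"]:
                problems.append(f"{port}: bridge port should use 'inet manual', not {pst['_method'][0]}")
            if "address" in pst:
                problems.append(f"{port}: bridge port must not carry an IP address (the bridge does)")
            if "bridge_ports" in pst:
                problems.append(f"{port}: port is itself a bridge")
    return problems


if __name__ == "__main__":
    parsed, auto_ifaces = parse_interfaces(SAMPLE_INTERFACES)
    print(bridge_ports(parsed))
    for p in check_bridges(parsed, auto_ifaces) or ["no problems found"]:
        print(p)
```

Run it against the real file with parse_interfaces(open("/etc/network/interfaces").read()) after editing; an empty list from check_bridges means the bridge and port stanzas agree with the brctl commands in the preparation steps.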


- PKCS#12 files:

   - VPN Gateway: gateway1.example.com.p12 (PKCS#12)
   - Windows 8 VPN client(IKEv2) 1: sue.dev.example.com.p12 (PKCS#12)
   - VPN remote host (Ubuntu): dave.sales.example.com.p12 (PKCS#12)

   The certificate(X.509) for each node includes a subjectAltName(Host name/DNS).
   - VPN Gateway: gateway1.example.com (Host name/DNS)
   - Windows 8 VPN client: sue.dev.example.com (Host name/DNS)
   - VPN remote host (Ubuntu): dave.sales.example.com (Host name/DNS)

- A PEM file including a CA certificate(X.509):

   - CA: TestCa-cacert.pem (X.509, PEM/Base64-encoding)

See "Tips: Creating a Rockhopper's certificate compatible with a Windows 7/8/10 VPN client by XCA." and "Documents/Tips: Managing certificates by XCA" to create a PKCS#12 file, including a private key and a certificate(X.509) and a CA certificate(X.509), and a PEM file for the CA certificate(X.509).



Configuring VPN:


VPN Gateway (gateway1.example.com):


  1. Open Rockhopper Web console on http://127.0.0.1:32501 (by default) by Firefox.
  2. Login with the administrator's name and password (by default, admin and secret).
  3. If VPN Configuration tab is not shown, uncheck Hide configuration tabs checkbox.

 - Configure a VPN realm for the Sales Department (Realm ID: 10).


  1. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: Sales Dep.
    Description: Config for Example VPN.
    Mode: Bridge


  2. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Sales Dep.(Bridge)[Left-Tree] > VPN Interface[Left-Tree]:
    Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter or select the following.

    Internal Address Type: Unnumbered(for bridging)
    Linked Bridge Name: br0


    If VPN clients (Alice and Dave) communicate with hosts on other subnets, like Internal DNS Server1 on the DMZ or Internal File/Web Server3 on the Development Department's subnet, enter Router1's address into Internal Gateway's IPv4 Address. VPN Gateway forwards decrypted packets destined to other subnets to Router1's eth2 (192.168.100.10) interface, and then the router filters and forwards the packets if the traffic is allowed.
    For example, if Windows 8 VPN Client (IKEv2) 3 (Alice, the Sales Department) sends a packet to Internal File / Web Server3 (the Development Department), the packet travels like this:

    Windows 8 VPN Client (IKEv2) 3 (Alice, the Sales Dep.)
      ==> Router1(eth0) ==> Router1(eth1)
      ==> VPN Gateway(eth0) =(decrypted)=> VPN Gateway(rhpvif10) ==> VPN Gateway(br0) ==> VPN Gateway(eth1)
      ==> Router1(eth2) ==> Router1(eth3)
      ==> Internal File / Web Server3 (the Dev Dep.)

    Although you can also enable the routing service on VPN Gateway for a shorter path, it may complicate network and security management.

    Of course, you can setup additional firewall rules for this VPN Gateway's bridge interfaces (br0 and br1) by using the iptables' physdev module.


    Internal Gateway's IPv4 Address: 192.168.100.10


  3. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Sales Dep.(Bridge)[Left-Tree] > Network Interface[Left-Tree]:
    Click this tree node and show Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select eth0 as a source interface.


  4. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Sales Dep.(Bridge)[Left-Tree] > Service[Left-Tree]:
    Click this tree node and show Service pane.

    - Network Deployment: Select Hub(Concentrator) Node.

    - Remote Configuration(IKEv2): Select Remote Configuration Server.

    - Authentication Method for remote peers: Check RSA-Sig (RSA Signature) and EAP (Extensible Authentication Protocol) Clients. [Version 0.2.b1-021 -]

    - EAP Server: Select EAP-MSCHAPv2.

    - Default EAP Server: Check Enable.
      This means that this realm's My Key Store is used for all VPN realms which enable EAP-MSCHAPv2 EAP Server. When the EAP-MSCHAPv2 is used to authenticate a Windows 7/8/10 VPN client, it doesn't send any useful ID information in the first IKE_AUTH message. Therefore, this realm's settings (My Key Store) are used as default at this time. After receiving a user name in the following IKE_AUTH/EAP message, VPN Gateway maps the client to an actual VPN realm by verifying the user name.


  5. Setup Remote Config Server.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Sales Dep.(Bridge)[Left-Tree] >Service[Left-Tree] > Remote Config Server[Left-Tree]:
    Click this tree node and show Remote Config Server(IKEv2) pane.


  6. Setup Remote Config Server - Internal Address Pool.

    - Remote Config Server(IKEv2)[Pane] > Internal Address Pool[Tab]:
    Click Add Address Pool button.

    - Add a New Address Pool[Dialog]: Enter the following, then click OK button.
    Address Type: Address Range
    IPv4 Address Range: 192.168.100.20 - 192.168.100.30


  7. Setup Remote Config Server - Internal Route Map for VPN remote host (Ubuntu, Dave).

    - Remote Config Server(IKEv2)[Pane] > Internal Route Map[Tab]:
    Enter the following as an Internal router's address.

    Gateway IPv4 Address: 192.168.100.10

    - Click Add Destination IPv4 Network button.

    Add a New Internal Route[Dialog]:
    Enter the following route map to the DMZ, then click OK button.

    Destination IPv4 Network: 192.168.0.0
    Netmask: 255.255.255.0

    Similarly, add the following route map (to the Development Dep.) if needed:

    Destination IPv4 Network: 192.168.101.0
    Netmask: 255.255.255.0

  8. Setup Remote Config Server - Internal DNS.

     
    - Remote Config Server(IKEv2)[Pane] > Internal DNS[Tab]:
    Enter the following as an Internal DNS server's address.

    DNS Server's IPv4 Address: 192.168.0.101

    - Click Add DNS Suffix button.

    Add a New DNS Suffix[Dialog] for VPN remote host (Ubuntu, Dave):
    Enter the following, then click OK button.

    DNS Suffix: .example.com

  9. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Sales Dep.(Bridge)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): gateway1.example.com.p12
    RSA Private Key's Password: himitsu


  10. Setup Peers' Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Sales Dep.(Bridge)[Left-Tree] > Peers' Key Store[Left-Tree]:
    Click this tree node and show Peers Key Store pane.

    - Click Add Peer's Key/Password button.

    - Add a New Peer's Key[Dialog]: Enter the following, then click "OK" button.

    Peer ID Type: EAP-MSCHAPv2: User Name
    Peer ID: alice.sales
      - ".sales" is a common suffix for the Sales Department.
    Pre-Shared Key(PSK)/Password: 1234567890


  11. Setup VPN Role.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Sales Dep.(Bridge)[Left-Tree] > VPN's Role[Left-Tree]:
    Click this tree node and show VPN Role pane.

    - Click Add Role Prefix / Suffix button.

    - Add a New Role Prefix / Suffix[Dialog]: Enter the following, then click "OK" button.

    (1)
    Role Type: EAP-MSCHAPv2: User Name (Suffix-search)
    Role Prefix/Suffix: .sales

    - Similarly, add one more prefix and two more suffixes.

    (2)
    Role Type: subjectName(DN) (Prefix-search)
    Role Prefix/Suffix: C=JP, ST=Tokyo, L=Minatoku, O=example, OU=sales

    (3)
    Role Type: subjectAltName: Host Name(FQDN) (Suffix-search)
    Role Prefix/Suffix: .sales.example.com

    (4)
    Role Type: Host Name(FQDN) (Suffix-search)
    Role Prefix/Suffix: .sales.example.com

 - Similarly, configure a VPN realm for the Development Department (Realm ID: 20).


  1. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 20
    Realm Name: Dev Dep.
    Description: Config for Example VPN.
    Mode: Bridge


  2. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Dev Dep.(Bridge)[Left-Tree] > VPN Interface[Left-Tree]:
    Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter or select the following.

    Internal Address Type: Unnumbered(for bridging)
    Linked Bridge Name: br1

    Internal Gateway's IPv4 Address: 192.168.101.10


  3. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Dev Dep.(Bridge)[Left-Tree] > Network Interface[Left-Tree]:
    Click this tree node and show Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select eth0 as a source interface.


  4. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Dev Dep.(Bridge)[Left-Tree] > Service[Left-Tree]:
    Click this tree node and show Service pane.

    - Network Deployment: Select Hub(Concentrator) Node.

    - Remote Configuration(IKEv2): Select Remote Configuration Server.

    - Authentication Method for remote peers: Check RSA-Sig (RSA Signature) and EAP (Extensible Authentication Protocol) Clients. [Version 0.2.b1-021 -]

    - EAP Server: Select EAP-MSCHAPv2.


  5. Setup Remote Config Server.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Dev Dep.(Bridge)[Left-Tree] >Service[Left-Tree] > Remote Config Server[Left-Tree]:
    Click this tree node and show Remote Config Server(IKEv2) pane.


  6. Setup Remote Config Server - Internal Address Pool.

    - Remote Config Server(IKEv2)[Pane] > Internal Address Pool[Tab]:
    Click Add Address Pool button.

    - Add a New Address Pool[Dialog]: Enter the following, then click OK button.
    Address Type: Address Range
    IPv4 Address Range: 192.168.101.20 - 192.168.101.30


  7. Setup Remote Config Server - Internal DNS.

    - Remote Config Server(IKEv2)[Pane] > Internal DNS[Tab]:
    Enter the following as an Internal DNS server's address.

    DNS Server's IPv4 Address: 192.168.0.101


  8. Setup My Key Store.


    If only EAP-MSCHAPv2 is used as the authentication method for VPN clients, you don't need to set this up. As mentioned above, the VPN realm 10's setting is used as the default.


    The following is the same setting as the VPN realm 10's. Also, the same PKCS#12 file for VPN Gateway can be specified.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Dev Dep.(Bridge)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): gateway1.example.com.p12
    RSA Private Key's Password: himitsu


  9. Setup Peers' Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Dev Dep.(Bridge)[Left-Tree] > Peers' Key Store[Left-Tree]:
    Click this tree node and show Peers Key Store pane.

    - Click Add Peer's Key/Password button.

    - Add a New Peer's Key[Dialog]: Enter the following, then click "OK" button.

    Peer ID Type: EAP-MSCHAPv2: User Name
    Peer ID: bob.dev
      - ".dev" is a common suffix for the Development Department.
    Pre-Shared Key(PSK)/Password: abcdefghij


  10. Setup VPN Role.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 20:Dev Dep.(Bridge)[Left-Tree] > VPN's Role[Left-Tree]:
    Click this tree node and show VPN Role pane.

    - Click Add Role Prefix / Suffix button.

    - Add a New Role Prefix / Suffix[Dialog]: Enter the following, then click "OK" button.

    (1)
    Role Type: EAP-MSCHAPv2: User Name (Suffix-search)
    Role Prefix/Suffix: .dev

    - Similarly, add one more prefix and two more suffixes.

    (2)
    Role Type: subjectName(DN) (Prefix-search)
    Role Prefix/Suffix: C=JP, ST=Tokyo, L=Minatoku, O=example, OU=dev

    (3)
    Role Type: subjectAltName: Host Name(FQDN) (Suffix-search)
    Role Prefix/Suffix: .dev.example.com

    (4)
    Role Type: Host Name(FQDN) (Suffix-search)
    Role Prefix/Suffix: .dev.example.com


 - Finally, save this realm's configuration.

   - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
     Click this tree node and show "Edit VPN Realm(Save, Add, Remove, or Load)" pane.

     - Click Save Configuration button.
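The VPN Role rules for the two realms and the Peers' Key Store entries decide which realm a connecting peer lands in, and the "Default EAP Server" note in step 4 describes a two-phase mapping for EAP-MSCHAPv2 clients. The following added example (not Rockhopper's code) models that selection so the rules can be checked against the identities in this scenario. The patterns, user names and realm IDs are the page's values; the function names, the rule-table layout, the attribute-wise DN comparison and the two-phase EAP handling are this example's own assumptions about how the settings behave.

```python
"""Realm selection by ID prefix/suffix, modelled on the VPN Role and Peers'
Key Store panes for realms 10 and 20.  Added example, not Rockhopper's code."""
from typing import Dict, List, Optional, Set, Tuple

# (role type, search kind, prefix/suffix, realm ID), in the order the page adds them.
ROLE_RULES: List[Tuple[str, str, str, int]] = [
    # Realm 10: Sales Dep.
    ("EAP-MSCHAPv2: User Name", "suffix", ".sales", 10),
    ("subjectName(DN)", "prefix", "C=JP, ST=Tokyo, L=Minatoku, O=example, OU=sales", 10),
    ("subjectAltName: Host Name(FQDN)", "suffix", ".sales.example.com", 10),
    ("Host Name(FQDN)", "suffix", ".sales.example.com", 10),
    # Realm 20: Dev Dep.
    ("EAP-MSCHAPv2: User Name", "suffix", ".dev", 20),
    ("subjectName(DN)", "prefix", "C=JP, ST=Tokyo, L=Minatoku, O=example, OU=dev", 20),
    ("subjectAltName: Host Name(FQDN)", "suffix", ".dev.example.com", 20),
    ("Host Name(FQDN)", "suffix", ".dev.example.com", 20),
]

# EAP user names registered in each realm's Peers' Key Store (passwords omitted).
PEER_KEY_STORE: Dict[int, Set[str]] = {10: {"alice.sales"}, 20: {"bob.dev"}}

# Realm 10 has "Default EAP Server: Enable": it answers the first IKE_AUTH,
# which carries no usable identity, until the EAP user name arrives.
DEFAULT_EAP_REALM = 10


def _dn_attributes(dn: str) -> List[str]:
    """Split 'C=JP, ST=Tokyo, ...' into its RDNs.  The page writes emailAddress
    after ' / ', so that separator is treated like a comma."""
    return [a.strip() for a in dn.replace(" / ", ", ").split(",") if a.strip()]


def dn_has_prefix(dn: str, prefix: str) -> bool:
    """Attribute-wise prefix test: OU=dev matches OU=dev but not OU=devops.
    Assumption of this example; a plain string prefix search would accept both."""
    want = _dn_attributes(prefix)
    return _dn_attributes(dn)[: len(want)] == want


def select_realm(presented: Dict[str, str]) -> Optional[int]:
    """Map the IDs a peer presented ({role type: value}) to a realm ID.
    The first matching rule wins; None means no realm claims this peer."""
    for role_type, kind, pattern, realm in ROLE_RULES:
        value = presented.get(role_type)
        if value is None:
            continue
        if kind == "suffix" and value.endswith(pattern):
            return realm
        if kind == "prefix":
            matched = (dn_has_prefix(value, pattern) if role_type == "subjectName(DN)"
                       else value.startswith(pattern))
            if matched:
                return realm
    return None


def eap_realm(user_name: Optional[str]) -> Optional[int]:
    """Two-phase EAP-MSCHAPv2 mapping.  Before the identity arrives the default
    EAP server realm answers; afterwards the user name must both match a role
    suffix and exist in that realm's Peers' Key Store."""
    if user_name is None:
        return DEFAULT_EAP_REALM
    realm = select_realm({"EAP-MSCHAPv2: User Name": user_name})
    if realm is None or user_name not in PEER_KEY_STORE[realm]:
        return None
    return realm


if __name__ == "__main__":
    sue_dn = "C=JP, ST=Tokyo, L=Minatoku, O=example, OU=dev, CN=sue / emailAddress=sue@dev.example.com"
    print("alice.sales ->", eap_realm("alice.sales"))
    print("bob.dev     ->", eap_realm("bob.dev"))
    print("carol.sales ->", eap_realm("carol.sales"))   # role matches, no key store entry
    print("sue (cert)  ->", select_realm({"subjectName(DN)": sue_dn,
                                          "subjectAltName: Host Name(FQDN)": "sue.dev.example.com"}))
```

Two points the model makes visible: a user name that matches a role suffix (carol.sales) is still rejected unless the realm's Peers' Key Store knows it, so the suffix rule routes but does not authorize; and the DN prefix "OU=dev" is compared attribute by attribute here, so "OU=devops" is not accepted. The page does not say whether Rockhopper's prefix search compares DNs the same way, so verify that behaviour before relying on DN prefixes as a realm boundary.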



Windows 8 VPN Client (IKEv2) 1 - Sue


Also, see Windows 8 VPN Get Connected by Microsoft.

- An X.509 Certificate for Sue:

SubjectName (DN) C=JP, ST=Tokyo, L=Minatoku, O=example, OU=dev, CN=sue / emailAddress=sue@dev.example.com
SubjectAltName (SAN) sue.dev.example.com (DNS)


- Import a certificate, a private key and a CA certificate for the Computer account by Microsoft Management Console(MMC).


  1. Move the cursor to the right corner of your screen and open Charms.
  2. Open Microsoft Management Console(MMC) by clicking the Search icon and entering "mmc" into the search box.
  3. On the File menu, point to Add/Remove Snap-in, and open the Add or Remove Snap-ins dialog.
  4. Click the certificates under Available snap-ins and push Add.
  5. Select the Computer account and push Next.
  6. Select the Local computer and push Finish.
  7. Push OK on Add or Remove Snap-ins dialog and close it.
  8. Click the folder Certificates(Local Computer) / Personal / Certificates folder, click the Action menu, point to All Tasks, and then click Import.
  9. Click Next and follow the instructions.
    - An imported PKCS#12 file: sue.dev.example.com.p12
    - Password for the private key: naisho
  10. If a CA's certificate (TestCA) is extracted into Certificates(Local Computer) / Personal / Certificates folder, move it to Certificates(Local Computer) / Trusted Root Certification Authorities / Certificates folder by dragging and dropping the certificate's icon.

- Setup a VPN connection.


  1. Move the cursor to the right corner of your screen and open Charms.
  2. Open Control Panel by clicking the Search icon and entering "Control Panel" into the search box.
  3. Open Network and sharing center from the Control Panel's Network and Internet and then click Set up a new connection or network.
  4. Click Connect to a workplace and push Next.
  5. Click Use my Internet connection (VPN).
  6. Enter gateway1.example.com into Internet Address and Dev Dep. into Destination name and push Create.
  7. Open Network and sharing center from Control Panel again and click Change adapter settings.
  8. Open the properties dialog of Dev Dep. adapter and show Security tab.
  9. Enter the following:
    - Type of VPN: IKEv2
    - Data encryption: Require encryption (disconnect if server declines)
    - Authentication: "Use machine certificates"
  10. Push OK.

- Edit the hosts file if DNS service is not available for gateway1.example.com.


  1. Open "C:\Windows\System32\drivers\etc\hosts" with Notepad as an administrator. If you can't find these folders, please see Show hidden files.
  2. Add the following line into this hosts file.

    10.0.0.1   gateway1.example.com   # (Dev Dep.)

  3. Save and close the file.

- Connect VPN:


  1. Move the cursor to the right corner of your screen and open Charms.
  2. Click Settings and then click the Network icon.
  3. In Networks click the VPN connection Dev Dep. and then push Connect.


Windows 7 VPN Client (IKEv2) 2 - Bob


- Import a CA certificate for the Computer account by Microsoft Management Console(MMC).


  1. Open Microsoft Management Console(MMC) by clicking the Start button, enter "mmc" into the search box, and push Enter.
  2. On the File menu, point to Add/Remove Snap-in, and open the Add or Remove Snap-ins dialog.
  3. Click the certificates under Available snap-ins and push Add.
  4. Select the Computer account and push Next.
  5. Select the Local computer and push Finish.
  6. Push OK on Add or Remove Snap-ins dialog and close it.
  7. Click the folder Certificates(Local Computer) / Trusted Root Certification Authorities / Certificates folder, click the Action menu, point to All Tasks, and then click Import.
  8. Click Next and follow the instructions.
    - An imported CA certificate's file: TestCa-cacert.pem

- Setup a VPN connection.


  1. Open Network and sharing center from Control Panel and click Set up a new connection or network.
  2. Click Connect to a workplace and push Next.
  3. Click Use my Internet connection (VPN).
  4. Enter gateway1.example.com into Internet Address and Dev Dep. into Destination name, check Don't connect now; just set it up so I can connect later and push Next.
  5. Enter "bob.dev" into User Name and "abcdefghij" into Password, push Create and close the wizard dialog.
  6. Open Network and sharing center from Control Panel again and select Change adapter settings.
  7. Open the properties dialog of Dev Dep. adapter and show Security tab.
  8. Enter the following:
    - Type of VPN: IKEv2
    - Data encryption: Require encryption (disconnect if server declines)
    - Authentication: Use Extensible Authentication Protocol(EAP) and EAP-MSCHAPv2
  9. Push OK.

- Edit the hosts file if DNS service is not available for gateway1.example.com.


  1. Open "C:\Windows\System32\drivers\etc\hosts" with Notepad as an administrator. If you can't find these folders, please see Show hidden files.
  2. Add the following line into this hosts file.

    10.0.0.1   gateway1.example.com   # (Dev Dep.)

  3. Save and close the file.

- Connect VPN


  1. Open Network and sharing center from Control Panel again and then click Connect to a network.
  2. Click the Dev Dep. VPN connection, push the Connect button and open Connect Dev Dep. dialog.
  3. Enter the user name (bob.dev) and the password, and then push Connect button.


Windows 8 VPN Client (IKEv2) 3 - Alice


Also, see Windows 8 VPN Get Connected by Microsoft.

- Import a CA certificate for the Computer account by Microsoft Management Console(MMC).


  1. Move the cursor to the right corner of your screen and open Charms.
  2. Open Microsoft Management Console(MMC) by clicking the Search icon and entering "mmc" into the search box.
  3. On the File menu, point to Add/Remove Snap-in, and open the Add or Remove Snap-ins dialog.
  4. Click the certificates under Available snap-ins and push Add.
  5. Select the Computer account and push Next.
  6. Select the Local computer and push Finish.
  7. Push OK on Add or Remove Snap-ins dialog and close it.
  8. Click the folder Certificates(Local Computer) / Trusted Root Certification Authorities / Certificates folder, click the Action menu, point to All Tasks, and then click Import.
  9. Click Next and follow the instructions.
    - An imported CA certificate's file: TestCa-cacert.pem

- Setup a VPN connection.


  1. Move the cursor to the right corner of your screen and open Charms.
  2. Open Control Panel by clicking the Search icon and entering "Control Panel" into the search box.
  3. Open Network and sharing center from the Control Panel's Network and Internet and then click Set up a new connection or network.
  4. Click Connect to a workplace and push Next.
  5. Click Use my Internet connection (VPN).
  6. Enter gateway1.example.com into Internet Address and Sales Dep. into Destination name and push Create.
  7. Open Network and sharing center from Control Panel again and click Change adapter settings.
  8. Open the properties dialog of Sales Dep. adapter and show Security tab.
  9. Enter the following:
    - Type of VPN: IKEv2
    - Data encryption: Require encryption (disconnect if server declines)
    - Authentication: Use Extensible Authentication Protocol(EAP) and EAP-MSCHAPv2
  10. Push OK.

- Edit the hosts file if DNS service is not available for gateway1.example.com as mentioned above.



- Connect VPN:


  1. Move the cursor to the right corner of your screen and open Charms.
  2. Click Settings and then click the Network icon.
  3. In Networks click the VPN connection Sales Dep. and then push Connect.
  4. Enter the user name (alice.sales) and the password, and then push Connect button.


VPN remote host (Ubuntu) - Dave


- An X.509 Certificate for Dave:

SubjectName (DN) C=JP, ST=Tokyo, L=Minatoku, O=example, OU=sales, CN=dave / emailAddress=dave@sales.example.com
SubjectAltName (SAN) dave.sales.example.com (DNS)

- Setup a VPN connection.


- Version: 0.2.b1-021 or later


  1. Open Rockhopper Web console on http://127.0.0.1:32501 (by default) by Firefox.
  2. Login with administrator's name and password (by default, admin and secret).
  3. If VPN Configuration tab is not shown, uncheck Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.
    Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: "Sales Dep."
    Description: "Config for Example VPN."
    Mode: Remote Client

  5. Setup Destination.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Sales Dep.(Remote Client)[Left-Tree] > Destination[Left-Tree]: Click this tree node and show Destination (Concentrator / Gateway) pane.

    - Enter the following.

    Destination Address: IPv4 and 10.0.0.1 (Router1's global address)

  6. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Sales Dep.(Remote Client)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): dave.sales.example.com.p12
    RSA Private Key's Password: naisho

  7. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.


- Advanced Settings


  1. Open Rockhopper Web console on http://127.0.0.1:32501 (by default) by Firefox.
  2. Login with administrator's name and password (by default, admin and secret).
  3. If VPN Configuration tab is not shown, uncheck Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.
    Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: "Sales Dep."
    Description: "Config for Example VPN."
    Mode: Remote Client


    - Check Advanced Settings. (Version: 0.2.b1-021 or later)


  5. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Sales Dep.(Remote Client)[Left-Tree] > VPN Interface[Left-Tree]: Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter the following.

    Internal Address Type: Auto(IKEv2 Configuration)

  6. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Sales Dep.(Remote Client)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node and show Network Interface pane.

    - Check Use default route.
    or
    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select eth0 as a source interface.

  7. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Sales Dep.(Remote Client)[Left-Tree] > Service[Left-Tree]: Click this tree node and show Service pane.

    - Network Deployment: Select Spoke Node/Other.

    - Remote Configuration(IKEv2): Select Remote Access Client.

  8. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Sales Dep.(Remote Client)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): dave.sales.example.com.p12
    RSA Private Key's Password: naisho

  9. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Sales Dep.(Remote Client)[Left-Tree] > Peers[Left-Tree]: Click this tree node and show Peers pane.

    - Click Add Peer button.
    Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: gateway1.example.com

  10. Setup the Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Sales Dep.(Remote Client)[Left-Tree] > Peers[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
    Click this tree node and show Peer: gateway1.example.com(FQDN) pane.

    - Enter the following.

    Peer's IP Address: IPv4 and 10.0.0.1 (Router1's global address)
    This peer's Network Deployment: Hub(Concentrator) Node

  11. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.



- Connect VPN


  1. Open VPN remote host's Web console on http://127.0.0.1:32501 (by default) by Firefox.
  2. Login with administrator's name and password (by default, admin and secret).
  3. Top [Tab] > 10:Sales Dep.[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]: Click this tree node and show 10: gateway1.example.com(FQDN) pane.
  4. Click Connect VPN button.


Windows 10 VPN Client:


See Connecting a Windows 10 VPN client with Rockhopper.

