Simple VPN example: [IPv6] Router(Routing-based VPN) and Pre-Shared Key (PSK).



The following image shows the example network for this scenario.

Ubuntu is installed on the VPN Gateway(Router), the VPN remote host and the Internal host.

Rockhopper VPN software is installed on VPN remote host and VPN Gateway(Router). VPN is connected between these two nodes. Pre-Shared Key(PSK) is used as an authentication method.


rhpvif10: A virtual interface(a Tunnel/TAP interface) to access internal network. "10" is the VPN realm ID. This interface is automatically created by Rockhopper VPN service.

eth0 and eth1: Real interfaces to access physical network.

A VPN realm is a security domain whose group members share the same security policy and VPN configuration. For instance, you can define the VPN realm "10" for a sales team and another VPN realm "20" for a development team.


Advance preparation:


VPN Gateway(gateway1.example.com):

# sudo ip -6 addr add 2001:db8:10::1/64 dev eth0
# sudo ip -6 addr add 2001:db8:20::1/64 dev eth1
# sudo sysctl net.ipv6.conf.all.forwarding=1


VPN remote host(remotehost1.example.com):

# sudo ip -6 addr add 2001:db8:10::10/64 dev eth0

Internal host:

# sudo ip -6 addr add 2001:db8:20::100/64 dev eth0
# sudo ip -6 route add default via 2001:db8:20::1


Configuring VPN:


VPN Gateway(gateway1.example.com):

  1. Open the Rockhopper Web console at http://127.0.0.1:32501 (by default) in Firefox.
  2. Log in with the administrator's name and password (by default, admin and secret).
  3. If the VPN Configuration tab is not shown, uncheck the Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: "Example VPN"
    Description: "Config for Example VPN."
    Mode: Router

  5. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > VPN Interface[Left-Tree]:
    Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter the following.

    Internal Address Type: Static Address
    Internal Address > IPv6: 2001:db8:30::1
    Prefix: 64

  6. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > Network Interface[Left-Tree]:
    Click this tree node and show Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Select eth0 as a source interface and IPv6.

  7. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > Service[Left-Tree]:
    Click this tree node and show Service pane.

    - Network Deployment: Select Hub(Concentrator) Node.

    - Remote Configuration(IKEv2): Select Disabled.

  8. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: Pre-Shared Key(PSK)
    My ID Type: Host Name(FQDN)
    My ID: gateway1.example.com
    Pre-Shared Key(PSK): abcdefghij

  9. Setup Peers' Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > Peers' Key Store[Left-Tree]:
    Click this tree node and show Peers Key Store pane.

    - Click Add Peer's Pre-Shared Key(PSK) button.

    - Add a New Peer's Pre-Shared Key(PSK)[Dialog]:
    Enter the following, then click OK button.

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: remotehost1.example.com
    Pre-Shared Key(PSK): 1234567890

  10. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.


VPN remote host(remotehost1.example.com):

  1. Open the Rockhopper Web console at http://127.0.0.1:32501 (by default) in Firefox.
  2. Log in with the administrator's name and password (by default, admin and secret).
  3. If the VPN Configuration tab is not shown, uncheck the Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: "Example VPN"
    Description: "Config for Example VPN."
    Mode: End Node

  5. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(End Node)[Left-Tree]
    > VPN Interface[Left-Tree]:
    Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter the following.

    Internal Address Type: Static Address
    Internal Address > IPv6: 2001:db8:30::10
    Prefix: 64

  6. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(End Node)[Left-Tree]
    > Network Interface[Left-Tree]:
    Click this tree node and show Network Interface pane.

    - Check Use default route.
    or
    - Uncheck Use default route and enter the following.
        Primary interface:
          - Select eth0 as a source interface and IPv6.

  7. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(End Node)[Left-Tree]
    > Service[Left-Tree]:
    Click this tree node and show Service pane.

    - Network Deployment: Select Spoke Node/Other.

    - Remote Configuration(IKEv2): Select Disabled.

  8. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(End Node)[Left-Tree]
    > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: Pre-Shared Key(PSK)
    My ID Type: Host Name(FQDN)
    My ID: remotehost1.example.com
    Pre-Shared Key(PSK): 1234567890

  9. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(End Node)[Left-Tree]
    > Peers[Left-Tree]:
    Click this tree node and show Peers pane.

    - Click Add Peer button.

    - Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: Host Name(FQDN)
    Peer ID: gateway1.example.com

  10. Setup the Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(End Node)[Left-Tree]
    > Peers[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
    Click this tree node and show Peer: gateway1.example.com(FQDN) pane.

    - Enter the following.

    Peer's IP Address: IPv6, 2001:db8:10::1
    This peer's Network Deployment: Hub(Concentrator) Node

  11. Setup Peers' Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(End Node)[Left-Tree]
    > Peers' Key Store[Left-Tree]:
    Click this tree node and show Peers Key Store pane.

    - Click Add Peer's Pre-Shared Key(PSK) button.

    - Add a New Peer's Pre-Shared Key(PSK)[Dialog]: Enter the following, then click OK button.

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: gateway1.example.com
    Pre-Shared Key(PSK): abcdefghij

  12. Setup Internal Route Map.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(End Node)[Left-Tree]
    > Internal Route Map[Left-Tree]:
    Click this tree node and show Internal Route Map pane.

    - Click Add Route button.

    - Add a New Internal Route[Dialog]: Enter the following, then click OK button.

    IP Version: IPv6
    Destination IPv6 Network: 2001:db8:20::
    Prefix: 64
    Forwarding Type: Gateway IP Address
    Forward To: 2001:db8:30::1

  13. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.


Connecting VPN (remotehost1.example.com):


  1. Open the VPN remote host's Web console at http://127.0.0.1:32501 (by default) in Firefox.
  2. Log in with the administrator's name and password (by default, admin and secret).
  3. Top [Tab] > 10:Example VPN[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
    Click this tree node and show 10: gateway1.example.com(FQDN) pane.
  4. Click Connect button.
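
The PSK entries above are asymmetric: the key in each node's My Key Store must be the one the other node lists for that ID under Peers' Key Store, and the Internal Route's Forward To address must lie inside the VPN interface prefix. The following is an added example, not part of Rockhopper or of the original page; it re-checks those relationships with the walkthrough's values and also estimates PSK strength. The dict layout, `lint`, `psk_bits` and the 128-bit threshold are assumptions of this example.

```python
import ipaddress
import math

# Values transcribed from the walkthrough; the dict layout is this example's own
# (hypothetical), not Rockhopper's configuration format.
GATEWAY = {
    "id": "gateway1.example.com", "psk": "abcdefghij",
    "peer_psks": {"remotehost1.example.com": "1234567890"},
    "vpn_if": "2001:db8:30::1/64",
    "physical": ["2001:db8:10::1/64", "2001:db8:20::1/64"],
    "routes": [],
}
REMOTE = {
    "id": "remotehost1.example.com", "psk": "1234567890",
    "peer_psks": {"gateway1.example.com": "abcdefghij"},
    "vpn_if": "2001:db8:30::10/64",
    "physical": ["2001:db8:10::10/64"],
    "routes": [("2001:db8:20::/64", "2001:db8:30::1")],
}

def psk_bits(psk):
    """Upper bound on entropy: length * log2(size of the character classes used)."""
    classes = ((26, str.islower), (26, str.isupper), (10, str.isdigit),
               (32, lambda c: not c.isalnum()))
    pool = sum(size for size, test in classes if any(test(c) for c in psk))
    return len(psk) * math.log2(pool) if pool else 0.0

def lint(a, b, min_bits=128):  # min_bits is an assumed policy threshold
    findings = []
    for node, peer in ((a, b), (b, a)):
        # The key in node's My Key Store must be what peer stores under node's ID.
        if peer["peer_psks"].get(node["id"]) != node["psk"]:
            findings.append(f"{peer['id']}: no matching PSK for peer {node['id']}")
        if psk_bits(node["psk"]) < min_bits:
            findings.append(f"{node['id']}: PSK is under {min_bits} bits")
        tunnel = ipaddress.ip_interface(node["vpn_if"]).network
        for addr in node["physical"]:
            if tunnel.overlaps(ipaddress.ip_interface(addr).network):
                findings.append(f"{node['id']}: tunnel prefix overlaps {addr}")
        for dest, via in node["routes"]:
            # Forward To must be reachable on the tunnel interface itself.
            if ipaddress.ip_address(via) not in tunnel:
                findings.append(f"{node['id']}: next hop {via} for {dest} is off-tunnel")
    if (ipaddress.ip_interface(a["vpn_if"]).network
            != ipaddress.ip_interface(b["vpn_if"]).network):
        findings.append("VPN interfaces are in different prefixes")
    return findings

if __name__ == "__main__":
    for line in lint(GATEWAY, REMOTE):
        print(line)
```

With the walkthrough's values the pairing, prefix and route checks pass, and the only findings are the two PSK-strength lines.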
