VPN example:
Site-to-Site VPN (Hub and Spoke), Router mode (routing-based VPN), dynamic routing (OSPF) with Quagga, hub behind a NAT/NAPT, and certificate authentication (PKCS#12/X.509).


The following image shows the example hub-and-spoke VPN for this scenario.

Ubuntu is installed on HubGw (Hub), SpokeGw1 (Spoke), SpokeGw2 (Spoke) and Router1.

Rockhopper VPN software and Quagga are installed on HubGw, SpokeGw1 and SpokeGw2.

The VPN connects HubGw, SpokeGw1 and SpokeGw2. Each of the three gateways acts as a router between Site0, Site1 and Site2, and HubGw forwards packets between the two spoke sites.

Quagga's OSPFv2 service (ospfd) is enabled on each gateway (HubGw, SpokeGw1 and SpokeGw2) and exchanges routing information between the sites over the VPN.

RSA signature authentication with X.509 certificates is used for all the VPN gateways.

HubGw is deployed in a one-armed configuration (a single interface, eth0, on the Site0 LAN) and sits behind Router1's NAT (NAPT). Router1 takes part neither in the VPN nor in OSPF, so the default gateway of an internal server in Site0 is HubGw (192.168.0.10/24), not Router1 (192.168.0.1/24).

Router1 provides port forwarding (DNAT) of the IKE traffic, UDP/500 and UDP/4500, to HubGw.



[Image: sample0]

rhpvif10 on each gateway: a virtual interface (a tunnel/TAP interface) used to reach the protected networks. "10" is the VPN realm ID. The Rockhopper VPN service creates this interface automatically, and it is configured from the Rockhopper Web console, not with system tools such as the ifconfig command. The interface is still visible from Quagga's terminal (vtysh), for example with show interface.

eth0 and eth1 on each gateway: the real (physical) interfaces.



Advance preparation:


- HubGw (gateway1.example.com):
Set up the physical interface.

# sudo ifconfig eth0 192.168.0.10 netmask 255.255.255.0

Add the default route (Router1).
# sudo route add default gw 192.168.0.1

Enable IPv4 forwarding.
# sudo sysctl net.ipv4.ip_forward=1

- SpokeGw1 (spoke1.example.com):
Set up the physical interfaces.
eth0 (the Internet-facing interface) and its routing table are configured according to your service provider's instructions.

# sudo ifconfig eth1 192.168.1.10 netmask 255.255.255.0

Enable IPv4 forwarding.
# sudo sysctl net.ipv4.ip_forward=1

- SpokeGw2 (spoke2.example.com):
Set up the physical interfaces.
eth0 (the Internet-facing interface) and its routing table are configured according to your service provider's instructions.

# sudo ifconfig eth1 192.168.2.10 netmask 255.255.255.0

Enable IPv4 forwarding.
# sudo sysctl net.ipv4.ip_forward=1



- Router1 (Port Forwarding):
Set up the physical interfaces.
eth0 (the Internet-facing interface) and its routing table are configured according to your service provider's instructions; in this example 10.0.0.1 stands in for Router1's global address.

# sudo ifconfig eth0 10.0.0.1 netmask 255.255.255.0
# sudo ifconfig eth1 192.168.0.1 netmask 255.255.255.0

Enable IPv4 forwarding.
# sudo sysctl net.ipv4.ip_forward=1

Forward packets destined for 10.0.0.1:500 (Router1) to 192.168.0.10:500 (HubGw). UDP/500 carries IKE.
# sudo iptables -t nat -A PREROUTING -p udp --dst 10.0.0.1 --dport 500 -j DNAT --to-destination 192.168.0.10:500

Forward packets destined for 10.0.0.1:4500 (Router1) to 192.168.0.10:4500 (HubGw). UDP/4500 carries IKE and UDP-encapsulated ESP once NAT traversal has been detected.
# sudo iptables -t nat -A PREROUTING -p udp --dst 10.0.0.1 --dport 4500 -j DNAT --to-destination 192.168.0.10:4500
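Router1's two DNAT rules only rewrite the destination address of the IKE packets; whether the rewritten packet is then forwarded to HubGw is decided by the FORWARD chain, which the rules above do not touch, and as written they match UDP/500 and UDP/4500 arriving on any interface. The script below is an added example, not code from the original page: it generates the same DNAT rules restricted to the Internet-facing interface, adds the FORWARD rules that a router with a default-deny FORWARD policy needs, and executes them only when ROUTER1_APPLY=1 is set so that it can be run for review first. The interface names, the shell variables and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): port-forward IKEv2 (UDP/500 and
# NAT-T UDP/4500) from Router1's global address to HubGw and allow the
# forwarded flow explicitly, so the rules also work with a default-deny
# FORWARD chain. Addresses follow the example topology; the variable and
# function names are assumptions of this example.
WAN_IF="${WAN_IF:-eth0}"            # Router1 Internet-facing interface
WAN_IP="${WAN_IP:-10.0.0.1}"        # stands in for Router1's global address
LAN_IF="${LAN_IF:-eth1}"            # Router1 interface towards Site0
HUB_IP="${HUB_IP:-192.168.0.10}"    # HubGw, one-armed on Site0
IKE_PORTS="500 4500"                # IKE, and IKE/ESP-in-UDP (NAT-T)

# Print (not execute) the iptables rule set, one command per line, so the
# rules can be reviewed or diffed before they touch a live router.
router1_rules() {
    for port in $IKE_PORTS; do
        # Only rewrite packets that really arrive from the Internet side;
        # without -i, a host on Site0 could also hit the DNAT rule.
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p udp -d $WAN_IP --dport $port -j DNAT --to-destination $HUB_IP:$port"
        # FORWARD is evaluated after PREROUTING DNAT, so it sees the
        # translated destination (HubGw), not Router1's global address.
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p udp -d $HUB_IP --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Replies and follow-up packets of accepted flows, in both directions.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Number of rules the generator emits (two per port plus the state rule).
router1_rule_count() {
    router1_rules | wc -l | tr -d ' '
}

# Execute the generated rules. Guarded by an environment variable so that
# running or sourcing this file for review never changes a live firewall.
router1_apply() {
    router1_rules | while IFS= read -r cmd; do
        sh -c "$cmd"
    done
}

if [ "${ROUTER1_APPLY:-0}" = 1 ]; then
    router1_apply
fi
```

Run the file as is to print the rules, and with ROUTER1_APPLY=1 on Router1 to install them; persist the result with iptables-save/iptables-restore alongside the /etc/network/interfaces stanza. No rule for ESP (IP protocol 50) is needed: because HubGw is behind a NAT, the IKEv2 NAT-traversal detection makes both ends carry ESP inside UDP/4500.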


The configuration above is lost when the machine restarts. For a permanent configuration, edit /etc/network/interfaces as follows; this is an example for HubGw (gateway1.example.com) on Ubuntu. The sysctl setting and Router1's iptables rules have to be made persistent separately (for example net.ipv4.ip_forward=1 in /etc/sysctl.conf).

- /etc/network/interfaces (Ubuntu):
auto eth0
iface eth0 inet static
address 192.168.0.10
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
gateway 192.168.0.1


- PKCS#12 files:

   - HubGw: gateway1.example.com.p12
   - SpokeGw1: spoke1.example.com.p12
   - SpokeGw2: spoke2.example.com.p12

   The X.509 certificate of each node carries its host name (FQDN) in the subjectAltName extension:
   - HubGw: gateway1.example.com (Host name/FQDN)
   - SpokeGw1: spoke1.example.com (Host name/FQDN)
   - SpokeGw2: spoke2.example.com (Host name/FQDN)

See "Documents/Tips: Managing certificates by XCA" for how to create each PKCS#12 file, which bundles the node's private key, its X.509 certificate and the CA's X.509 certificate. The spokes identify the hub by this FQDN (Peer ID gateway1.example.com in the peer settings below), so the name in the certificate's subjectAltName has to match it exactly.
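Before a bundle is imported into My Key Store it is worth confirming what it actually contains. The script below is an added example, not code from the original page or from Rockhopper: it extracts the end-entity certificate's subjectAltName and the CA certificate's subject with the openssl command line, and checks that the DNS name in the subjectAltName is exactly the FQDN that the other gateways will configure as the Peer ID. The function names and the P12_PASS variable are assumptions of this example; the file name and password default to the tutorial's values.

```shell
#!/bin/sh
# Added example (not from the original page): inspect a PKCS#12 bundle before
# importing it into a gateway and confirm that the certificate's
# subjectAltName carries the FQDN the peers will use as the IKEv2 Peer ID.
# Function names and P12_PASS are assumptions of this example.

# Print the subjectAltName line of the end-entity certificate in the bundle,
# e.g. "DNS:gateway1.example.com" (several names are comma separated).
# The -ext option needs OpenSSL 1.1.1 or newer.
p12_san() {
    p12="$1"; pass="$2"
    openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$pass" 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null \
        | sed -n 's/^ *DNS:/DNS:/p'
}

# Print the subject of the CA certificate carried in the bundle; an empty
# result means the CA certificate is missing and peer certificates cannot
# be validated against it.
p12_ca_subject() {
    openssl pkcs12 -in "$1" -cacerts -nokeys -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null
}

# Pure check: does a subjectAltName line contain exactly "DNS:<fqdn>"?
# The comparison is exact (no wildcard or substring match), which is what
# an IKEv2 FQDN identity comparison amounts to.
san_has_dns() {
    san_line="$1"; fqdn="$2"
    echo "$san_line" | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$fqdn"
}

# Verify one bundle: $1 file, $2 expected FQDN, $3 password (default: the
# tutorial's "himitsu" or $P12_PASS). Fails closed when the bundle cannot
# be opened, i.e. an empty subjectAltName never passes.
verify_p12() {
    p12="$1"; fqdn="$2"; pass="${3:-${P12_PASS:-himitsu}}"
    san="$(p12_san "$p12" "$pass")"
    [ -n "$san" ] || { echo "$p12: no subjectAltName found (wrong password or no DNS name?)" >&2; return 1; }
    san_has_dns "$san" "$fqdn" || { echo "$p12: subjectAltName '$san' does not contain DNS:$fqdn" >&2; return 1; }
    ca="$(p12_ca_subject "$p12" "$pass")"
    [ -n "$ca" ] || { echo "$p12: no CA certificate in bundle" >&2; return 1; }
    echo "$p12: OK ($san; CA $ca)"
}
```

Run for example `verify_p12 gateway1.example.com.p12 gateway1.example.com` on HubGw before importing the file. On OpenSSL 3, bundles that XCA wrote with the legacy RC2/3DES encryption need `-legacy` added to the two `openssl pkcs12` calls.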



Configuring VPN:


HubGw (gateway1.example.com):


Rockhopper configuration:


  1. Open the Rockhopper Web console at http://127.0.0.1:32501 (by default) in Firefox.
  2. Log in with the administrator's name and password (by default, admin and secret). Change this default password on any gateway that is not a throwaway lab machine.
  3. If the VPN Configuration tab is not shown, uncheck the Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node to show the Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click the Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click the OK button.

    Realm ID: 10
    Realm Name: "Example VPN"
    Description: "Config for Example VPN."
    Mode: Router

  5. Set up the VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > VPN Interface[Left-Tree]:
    Click this tree node to show the VPN Tunnel/TAP Interface pane.

    - Enter the following. This address is assigned to the virtual interface rhpvif10.

    Internal Address Type: Static Address
    Internal IPv4 Address: 192.168.100.1
    Netmask: 255.255.255.248

  6. Set up the Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node to show the Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select eth0 as the source interface.

  7. Set up the Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > Service[Left-Tree]:
    Click this tree node to show the Service pane.

    - Network Deployment: Select Hub(Concentrator) Node.

  8. Set up My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node to show the My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): gateway1.example.com.p12
    RSA Private Key's Password: himitsu

  9. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node to show the Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click the Save Configuration button.


Quagga configuration:


See Quagga's documentation for more detailed information.

/etc/quagga/daemons
  zebra=yes
  bgpd=no
  ospfd=yes
  ospf6d=no
  ripd=no
  ripngd=no
  isisd=no

/etc/quagga/debian.conf (the -A options bind each daemon's VTY to the loopback address only)
  vtysh_enable=yes
  zebra_options=" --daemon -A 127.0.0.1"
  bgpd_options=" --daemon -A 127.0.0.1"
  ospfd_options=" --daemon -A 127.0.0.1"
  ospf6d_options="--daemon -A ::1"
  ripd_options=" --daemon -A 127.0.0.1"
  ripngd_options="--daemon -A ::1"
  isisd_options=" --daemon -A 127.0.0.1"

/etc/quagga/vtysh.conf
  !service integrated-vtysh-config
  hostname hubgw
  username root nopassword
  !


# sudo cp /usr/share/doc/quagga/examples/zebra.conf.sample /etc/quagga/zebra.conf
# sudo cp /usr/share/doc/quagga/examples/ospfd.conf.sample /etc/quagga/ospfd.conf


# sudo chown quagga:quaggavty /etc/quagga/*.conf
# sudo chmod 640 /etc/quagga/*.conf


# sudo /etc/init.d/quagga restart


Enter the OSPF configuration in vtysh and save it; write memory stores it in the daemons' own configuration files (zebra.conf and ospfd.conf) because the integrated vtysh configuration is disabled above.

# sudo vtysh
configure terminal
  router ospf
    router-id 0.0.0.100
    network 192.168.0.0/24 area 0.0.0.0
    network 192.168.100.0/29 area 0.0.0.0
  !
end
write memory




SpokeGw1 (spoke1.example.com):


Rockhopper configuration:


  1. Open the Rockhopper Web console at http://127.0.0.1:32501 (by default) in Firefox.
  2. Log in with the administrator's name and password (by default, admin and secret).
  3. If the VPN Configuration tab is not shown, uncheck the Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node to show the Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click the Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click the OK button.

    Realm ID: 10
    Realm Name: "Example VPN"
    Description: "Config for Example VPN."
    Mode: Router

  5. Set up the VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > VPN Interface[Left-Tree]:
    Click this tree node to show the VPN Tunnel/TAP Interface pane.

    - Enter the following. This address is assigned to the virtual interface rhpvif10.

    Internal Address Type: Static Address
    Internal IPv4 Address: 192.168.100.2
    Netmask: 255.255.255.248

  6. Set up the Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node to show the Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select eth0 (the Internet-facing interface) as the source interface.

  7. Set up the Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > Service[Left-Tree]:
    Click this tree node to show the Service pane.

    - Network Deployment: Select Spoke Node / Client / Other.

  8. Set up My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node to show the My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): spoke1.example.com.p12
    RSA Private Key's Password: himitsu

  9. Set up Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > Peers[Left-Tree]: Click this tree node to show the Peers pane.

    - Click the Add Peer button.
    Add a New Peer[Dialog]: Enter the following, then click the OK button.

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: gateway1.example.com (the FQDN in the subjectAltName of HubGw's certificate)

  10. Set up the peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > Peers[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
    Click this tree node to show the Peer: gateway1.example.com(FQDN) pane.

    - Enter the following.

    Peer's IPv4 Address: 10.0.0.1 (Router1's global address; Router1 forwards UDP/500 and UDP/4500 to HubGw)
    This peer's Network Deployment: Hub(Concentrator) Node
    Always-on connection: Check Enabled.

  11. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node to show the Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click the Save Configuration button.


Quagga configuration:


The Quagga daemon setup is the same as on HubGw. Enter the OSPF configuration in vtysh and save it:

# sudo vtysh
configure terminal
  router ospf
    router-id 0.0.0.90
    network 192.168.1.0/24 area 0.0.0.0
    network 192.168.100.0/29 area 0.0.0.0
  !
end
write memory




SpokeGw2 (spoke2.example.com):


Rockhopper configuration:


  1. Open the Rockhopper Web console at http://127.0.0.1:32501 (by default) in Firefox.
  2. Log in with the administrator's name and password (by default, admin and secret).
  3. If the VPN Configuration tab is not shown, uncheck the Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node to show the Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click the Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click the OK button.

    Realm ID: 10
    Realm Name: "Example VPN"
    Description: "Config for Example VPN."
    Mode: Router

  5. Set up the VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > VPN Interface[Left-Tree]:
    Click this tree node to show the VPN Tunnel/TAP Interface pane.

    - Enter the following. This address is assigned to the virtual interface rhpvif10.

    Internal Address Type: Static Address
    Internal IPv4 Address: 192.168.100.3
    Netmask: 255.255.255.248

  6. Set up the Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node to show the Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select eth0 (the Internet-facing interface) as the source interface.

  7. Set up the Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > Service[Left-Tree]:
    Click this tree node to show the Service pane.

    - Network Deployment: Select Spoke Node / Client / Other.

  8. Set up My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node to show the My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): spoke2.example.com.p12
    RSA Private Key's Password: himitsu

  9. Set up Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > Peers[Left-Tree]: Click this tree node to show the Peers pane.

    - Click the Add Peer button.
    Add a New Peer[Dialog]: Enter the following, then click the OK button.

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: gateway1.example.com (the FQDN in the subjectAltName of HubGw's certificate)

  10. Set up the peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > Peers[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
    Click this tree node to show the Peer: gateway1.example.com(FQDN) pane.

    - Enter the following.

    Peer's IPv4 Address: 10.0.0.1 (Router1's global address; Router1 forwards UDP/500 and UDP/4500 to HubGw)
    This peer's Network Deployment: Hub(Concentrator) Node
    Always-on connection: Check Enabled.

  11. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node to show the Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click the Save Configuration button.


Quagga configuration:


The Quagga daemon setup is the same as on HubGw. Enter the OSPF configuration in vtysh and save it:

# sudo vtysh
configure terminal
  router ospf
    router-id 0.0.0.80
    network 192.168.2.0/24 area 0.0.0.0
    network 192.168.100.0/29 area 0.0.0.0
  !
end
write memory
