VPN example: Site-to-Site VPN, Router (Routing-based VPN), Static routing, Multihoming (gateways), MOBIKE, and certificates (PKCS#12/X.509).


The following image shows an example network for this scenario.

Ubuntu is installed on VPN Gateway1 (Router), VPN Gateway2 (Router) and the internal DNS/File/Web server.

Rockhopper VPN software is installed on VPN Gateway1 and VPN Gateway2, and the VPN is established between these two nodes. Each VPN gateway works as a router between the protected sites.

RSA signature (certificate) is used as the authentication method.

The VPN gateways are multihomed, and MOBIKE is enabled by default.



rhpvif10: A virtual interface (a Tunnel/TAP interface) used to reach the internal network. "10" is the VPN realm ID. This interface is created automatically by the Rockhopper VPN service and is configured through the Rockhopper Web console, not with system tools such as the ifconfig command.

eth0, eth1 and eth2: Real interfaces attached to the physical network.

A VPN realm is a security domain whose members share the same security policy and VPN configuration. For instance, you can define VPN realm "10" for a sales team and another VPN realm "20" for a development team.


Advance preparation:


- VPN Gateway1 (gateway1.example.com):
Set up the physical interfaces.
# sudo ifconfig eth0 10.0.0.1 netmask 255.255.255.0
# sudo ifconfig eth1 10.0.1.1 netmask 255.255.255.0
# sudo ifconfig eth2 192.168.0.1 netmask 255.255.255.0

Enable IPv4 routing.
# sudo sysctl net.ipv4.ip_forward=1

- VPN Gateway2 (gateway2.example.com):
Set up the physical interfaces.
# sudo ifconfig eth0 10.0.0.2 netmask 255.255.255.0
# sudo ifconfig eth1 10.0.1.2 netmask 255.255.255.0
# sudo ifconfig eth2 192.168.1.1 netmask 255.255.255.0

Enable IPv4 routing.
# sudo sysctl net.ipv4.ip_forward=1


- Internal DNS/File/Web Server:
Set up a physical interface.
# sudo ifconfig eth0 192.168.0.10 netmask 255.255.255.0

Add a default route.
# sudo route add default gw 192.168.0.1


The above configuration will be lost when you restart the computer. To make it permanent, edit /etc/network/interfaces as shown below. This example is for VPN Gateway1 (gateway1.example.com) on Ubuntu.

- /etc/network/interfaces (Ubuntu)
auto eth0
iface eth0 inet static
address 10.0.0.1
network 10.0.0.0
netmask 255.255.255.0
broadcast 10.0.0.255

auto eth1
iface eth1 inet static
address 10.0.1.1
network 10.0.1.0
netmask 255.255.255.0
broadcast 10.0.1.255

auto eth2
iface eth2 inet static
address 192.168.0.1
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
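A mismatched network or broadcast line in a stanza (for example, eth1 carrying the eth0 values after a copy-and-paste) is easy to miss by eye. The following checker is an added example, not part of Rockhopper or this page; it parses the stanza format above and flags any address/netmask/network/broadcast inconsistency. The sample file is constructed from the gateway1 stanzas with the eth1 mistake left in on purpose.

```python
import ipaddress

# Constructed sample: the gateway1 stanzas from this page, with eth1's
# network/broadcast lines copied from eth0 so the checker has something to catch.
SAMPLE_INTERFACES = """\
auto eth0
iface eth0 inet static
address 10.0.0.1
network 10.0.0.0
netmask 255.255.255.0
broadcast 10.0.0.255

auto eth1
iface eth1 inet static
address 10.0.1.1
network 10.0.0.0
netmask 255.255.255.0
broadcast 10.0.0.255
"""

def parse_interfaces(text):
    """Return {iface_name: {option: value}} for each 'iface' stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface" and len(words) >= 4:
            current = words[1]
            stanzas[current] = {"family": words[2], "method": words[3]}
        elif words[0] in ("auto", "allow-hotplug", "mapping", "source"):
            current = None  # these keywords end the current stanza
        elif current is not None and len(words) >= 2:
            stanzas[current][words[0]] = words[1]
    return stanzas

def check_static_stanzas(stanzas):
    """Return problems found in 'inet static' stanzas; an empty list means consistent."""
    problems = []
    for name, opts in stanzas.items():
        if opts.get("family") != "inet" or opts.get("method") != "static":
            continue
        if "address" not in opts or "netmask" not in opts:
            problems.append(f"{name}: address or netmask missing")
            continue
        net = ipaddress.IPv4Interface(f"{opts['address']}/{opts['netmask']}").network
        # 'network' and 'broadcast' are optional, but when present they must agree.
        if "network" in opts and ipaddress.IPv4Address(opts["network"]) != net.network_address:
            problems.append(f"{name}: network {opts['network']} != {net.network_address}")
        if "broadcast" in opts and ipaddress.IPv4Address(opts["broadcast"]) != net.broadcast_address:
            problems.append(f"{name}: broadcast {opts['broadcast']} != {net.broadcast_address}")
    return problems
```

Run `check_static_stanzas(parse_interfaces(open("/etc/network/interfaces").read()))` on a gateway and act on any returned lines before restarting networking.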


- PKCS#12 files:
   - VPN Gateway1 (Router): gateway1.example.com.p12 (PKCS#12)
   - VPN Gateway2 (Router): gateway2.example.com.p12 (PKCS#12)

   The certificate (X.509) for each node includes a subjectAltName (host name/FQDN).
   - VPN Gateway1 (Router): gateway1.example.com (host name/FQDN)
   - VPN Gateway2 (Router): gateway2.example.com (host name/FQDN)

See "Documents/Tips: Managing certificates by XCA" for how to create each node's PKCS#12 file, containing its private key and certificate (X.509), together with the CA certificate (X.509).



Configuring VPN:



VPN Gateway1 (gateway1.example.com):


  1. Open the Rockhopper Web console at http://127.0.0.1:32501 (by default) in Firefox.
  2. Log in with the administrator's name and password (by default, admin and secret).
  3. If the VPN Configuration tab is not shown, uncheck the Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: "Example VPN"
    Description: "Config for Example VPN."
    Mode: Router

  5. Set up the VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > VPN Interface[Left-Tree]:
    Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter the following. This address is for the virtual interface rhpvif10.

    Internal Address Type: Static Address
    Internal IPv4 Address: 192.168.100.1
    Netmask: 255.255.255.252

  6. Set up the Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node and show Network Interface pane.

    - Uncheck Use default route and enter the following.

        Primary interface:

          - Name: Select eth0 as a primary source interface.

        Secondary interface:

          - Name: Select eth1 as a secondary source interface.


  7. Set up the Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > Service[Left-Tree]:
    Click this tree node and show Service pane.

    - Network Deployment: Select Spoke Node / Client / Other.

  8. Set up My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): gateway1.example.com.p12
    RSA Private Key's Password: himitsu

  9. Set up the Internal Route Map (internal routing information).

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree]
    > Internal Route Map[Left-Tree]:
    Click this tree node and show Internal Route Map pane.

    - Click Add Route button.

    Add a New Internal Route[Dialog]:
    Enter the following routing entry to the peer site, then click OK button.

    Destination IPv4 Network(*): 192.168.1.0
    Netmask(*): 255.255.255.0
    Forwarding Type(*): Gateway IPv4 Address
    Forward to(*): 192.168.100.2

  10. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.



VPN Gateway2 (gateway2.example.com):


  1. Open the Rockhopper Web console at http://127.0.0.1:32501 (by default) in Firefox.
  2. Log in with the administrator's name and password (by default, admin and secret).
  3. If the VPN Configuration tab is not shown, uncheck the Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: "Example VPN"
    Description: "Config for Example VPN."
    Mode: Router

  5. Set up the VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > VPN Interface[Left-Tree]:
    Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter the following. This address is for the virtual interface rhpvif10.

    Internal Address Type: Static Address
    Internal IPv4 Address: 192.168.100.2
    Netmask: 255.255.255.252

  6. Set up the Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node and show Network Interface pane.

    - Uncheck Use default route and enter the following.

        Primary interface:

          - Name: Select eth0 as a primary source interface.

        Secondary interface:

          - Name: Select eth1 as a secondary source interface.


  7. Set up the Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > Service[Left-Tree]:
    Click this tree node and show Service pane.

    - Network Deployment: Select Spoke Node / Client / Other.

  8. Set up My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): gateway2.example.com.p12
    RSA Private Key's Password: himitsu

  9. Set up Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > Peers[Left-Tree]: Click this tree node and show Peers pane.

    - Click Add Peer button.
    Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: gateway1.example.com

  10. Set up the peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree] > Peers[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
    Click this tree node and show Peer: gateway1.example.com(FQDN) pane.

    - Enter the following.

    Peer's IPv4 Address: 10.0.0.1
    This peer's Network Deployment: Spoke Node / Other
    Always-on connection: Check Enabled.

  11. Set up the Internal Route Map (internal routing information).

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Router)[Left-Tree]
    > Internal Route Map[Left-Tree]:
    Click this tree node and show Internal Route Map pane.

    - Click Add Route button.

    Add a New Internal Route[Dialog]:
    Enter the following routing entry to the peer site, then click OK button.

    Destination IPv4 Network(*): 192.168.0.0
    Netmask(*): 255.255.255.0
    Forwarding Type(*): Gateway IPv4 Address
    Forward to(*): 192.168.100.1

  12. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.
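The VPN Interface, Network Interface and Internal Route Map values entered on the two gateways (steps 5, 6 and 9 for Gateway1; steps 5, 6 and 11 for Gateway2) have to agree with each other: both rhpvif10 addresses must sit in the same tunnel subnet, each "Forward to" address must be the other gateway's rhpvif10 address, the destination network must be that peer's site LAN, and no site LAN may overlap the eth0/eth1 transport networks or the tunnel subnet. The following cross-check is an added example, not part of Rockhopper or this page; the plan dictionary is constructed from the values in the steps above and the field names in it are the example's own.

```python
import ipaddress

# Constructed from the Web console values above: rhpvif10 address (VPN Interface),
# the site LAN behind eth2, eth0/eth1 transport addresses, and the Internal Route Map.
REALM_PLAN = {
    "gateway1.example.com": {
        "vpn_if": "192.168.100.1/255.255.255.252",
        "lan": "192.168.0.0/24",
        "transport": ["10.0.0.1/24", "10.0.1.1/24"],
        "routes": [("192.168.1.0/24", "192.168.100.2")],  # (destination, forward to)
    },
    "gateway2.example.com": {
        "vpn_if": "192.168.100.2/255.255.255.252",
        "lan": "192.168.1.0/24",
        "transport": ["10.0.0.2/24", "10.0.1.2/24"],
        "routes": [("192.168.0.0/24", "192.168.100.1")],
    },
}

def check_realm_plan(plan):
    """Cross-check the realm plan across gateways; return a list of problems."""
    problems = []
    vpn_if = {n: ipaddress.IPv4Interface(c["vpn_if"]) for n, c in plan.items()}
    lan = {n: ipaddress.IPv4Network(c["lan"]) for n, c in plan.items()}
    if len({i.network for i in vpn_if.values()}) != 1:
        problems.append("rhpvif10 addresses do not share one tunnel subnet")
    for me, cfg in plan.items():
        # The protected LAN must not overlap the networks carrying IKE/ESP,
        # nor the tunnel subnet; otherwise the kernel route table is ambiguous.
        for t in [ipaddress.IPv4Interface(x).network for x in cfg["transport"]]:
            if lan[me].overlaps(t):
                problems.append(f"{me}: LAN {lan[me]} overlaps transport {t}")
        if lan[me].overlaps(vpn_if[me].network):
            problems.append(f"{me}: LAN {lan[me]} overlaps tunnel subnet")
        for dest, via in cfg["routes"]:
            dest_net, via_addr = ipaddress.IPv4Network(dest), ipaddress.IPv4Address(via)
            # Each route must point at a peer's rhpvif10 address and cover that peer's LAN.
            owner = [p for p in plan if p != me and vpn_if[p].ip == via_addr]
            if not owner:
                problems.append(f"{me}: next hop {via} is not a peer's rhpvif10 address")
            elif dest_net != lan[owner[0]]:
                problems.append(f"{me}: route {dest} via {via} does not match {owner[0]}'s LAN")
    return problems
```

An empty list from `check_realm_plan(REALM_PLAN)` means the two realm configurations are mutually consistent; each returned line names the gateway whose console entry needs correcting.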

