Dynamic Multipoint VPN (DMVPN): SSO (Single Sign-On) for spoke-to-spoke (shortcut) authentication


- Version: 0.2.b1-022 or later






When you deploy DMVPN-enabled nodes, it is tedious to distribute and configure the other peers' pre-shared keys (PSKs) on every node, although RSA Signature is of course the strongly recommended authentication method. Similarly, with EAP authentication, you may additionally need to prepare a secure path from every node to an EAP backend (e.g. a RADIUS server).

To reduce this extra work, Rockhopper implements a kind of SSO (Single Sign-On) feature for simple spoke-to-spoke (shortcut) authentication. With this feature enabled, you don't need to obtain PSKs for the other spoke peers and configure a key for every spoke-to-spoke tunnel. Instead, the hub node, which authenticates all spoke nodes, automatically issues an authentication ticket, and each spoke node uses its ticket to mutually authenticate with the other spoke peer.
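As an added illustration of the trust model described above (this is not Rockhopper's code or ticket format; the real protocol is in the source files referenced under Protocol details): the hub signs a ticket for each spoke it has authenticated, and a spoke verifies a peer's ticket with nothing but the hub's public key. The ticket fields, the Ed25519 signature and the identity/expiry checks are assumptions of this model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Ticket is an assumed, illustrative layout; not Rockhopper's wire format.
type Ticket struct {
	SpokeID   string // IKEv2 identity the hub authenticated
	NotAfter  int64  // expiry, Unix seconds
	Signature []byte // hub's Ed25519 signature over tbs()
}
// tbs returns the to-be-signed bytes: length-prefixed ID plus expiry.
func tbs(id string, notAfter int64) []byte {
	b := binary.BigEndian.AppendUint16(nil, uint16(len(id)))
	b = append(b, id...)
	return binary.BigEndian.AppendUint64(b, uint64(notAfter))
}
// IssueTicket runs on the hub, only after the spoke has completed its normal
// hub-to-spoke IKEv2 authentication (PSK, RSA signature or EAP).
func IssueTicket(hubPriv ed25519.PrivateKey, spokeID string, lifetime time.Duration, now time.Time) Ticket {
	exp := now.Add(lifetime).Unix()
	return Ticket{SpokeID: spokeID, NotAfter: exp, Signature: ed25519.Sign(hubPriv, tbs(spokeID, exp))}
}
// VerifyPeerTicket runs on a spoke using only the hub's public key, which it
// already trusts from its own hub tunnel; no PSK for the peer is needed.
func VerifyPeerTicket(hubPub ed25519.PublicKey, claimedID string, t Ticket, now time.Time) error {
	if t.SpokeID != claimedID {
		return errors.New("ticket identity does not match the peer's IKEv2 ID")
	}
	if now.Unix() > t.NotAfter {
		return errors.New("ticket expired")
	}
	if !ed25519.Verify(hubPub, tbs(t.SpokeID, t.NotAfter), t.Signature) {
		return errors.New("bad hub signature")
	}
	return nil
}

func main() {
	hubPub, hubPriv, _ := ed25519.GenerateKey(rand.Reader) // hub key pair; pub is handed to every spoke
	tk := IssueTicket(hubPriv, "spokeA", time.Hour, time.Now()) // delivered to spokeA over its hub tunnel
	fmt.Println("spokeB accepts spokeA's ticket:", VerifyPeerTicket(hubPub, "spokeA", tk, time.Now()) == nil)
}
```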




This specification is an IKEv2 Rockhopper private extension.



- Configure Hub node and Spoke nodes


This feature is supported only for IKEv2.

  1. Open Rockhopper Web Console and login.

  2. Load a VPN realm's configuration.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree]

  3. Set up Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > Realm ID: Realm Name[Left-Tree]
    > Service[Left-Tree]: Click this tree node and show Service pane.

    - NHRP (Next Hop Resolution Protocol): Check Enable (Internal Address Registration).

    - DMVPN (Dynamic Multipoint VPN): Check Enable (Shortcut Switching Enhancements for NHRP).

    - IKEv2 Authentication Ticket: Check Enable SSO (Single Sign-On) for spoke-to-spoke authentication (Rockhopper's private extension).

  4. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, Remove or Load)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.




- Configuration examples




- Protocol details

See the comments and source code in [rockhopper/app/rhp_ikev2_auth_tkt_hb2spk.c and rhp_ikev2_auth_tkt_spk2spk.c].