VPN example:
Remote Access VPN, Client, strongSwan(gateway), Behind a NAT/NAPT and EAP(MSCHAPv2, Rockhopper)/certificate(PEM/X.509, strongSwan)


The following image shows example network for this scenario.

Ubuntu is installed on VPN client(client), strongSwan(VPN gateway/Router/IKEv2/Remote Access Server) and Internal host/Internal DNS server. Router1 is a wireless access point and a router (Source NAPT/DHCP server).

Rockhopper VPN software is installed on VPN client. A VPN is connected between this node and strongSwan gateway.

EAP-MSCHAPv2 is used as an authentication method for VPN client and RSA-Signature (certificate) is used for strongSwan gateway.

VPN client is located behind a NAT(NAPT). NAT/NAPT(Network Address Port Translation) or VPN passthrough is enabled on Router1.

MOBIKE is enabled on both strongSwan and Rockhopper (by default).



sample0

rhpvif10 on VPN client: A virtual interface(a Tunnel/TAP interface) to access internal network. "10" is the VPN realm ID. This interface is automatically created by Rockhopper VPN service and configured not by system tools like ifconfig command but by Rockhopper Web console.

eth0 and/or eth1 on each host: Real interfaces to access physical network.


A VPN realm is a security domain for group members to share the same security policy and VPN configuration. For instance, you can define the VPN realm "10" for a sales team and the other VPN realm "20" for a developing team.


Advance preparation:


- strongSwan gateway (gateway1.example.com):
# sudo ifconfig eth0 10.0.0.1 netmask 255.255.255.0
# sudo ifconfig eth1 192.168.0.1 netmask 255.255.255.0

# sudo sysctl net.ipv4.ip_forward=1


- Internal host/Internal DNS server:
# sudo ifconfig eth0 192.168.0.101 netmask 255.255.255.0

# sudo route add -net 192.168.100.0/24 gw 192.168.0.1

Above configuration will be lost after you restart your computer. To setup permanent configuration, you can edit /etc/network/interfaces like this. This is an example for strongSwan gateway(gateway1.example.com) on Ubuntu.

- /etc/network/interfaces (Ubuntu):
auto eth0
iface eth0 inet static
address 10.0.0.1
network 10.0.0.0
netmask 255.255.255.0
broadcast 10.0.0.255

auto eth1
iface eth1 inet static
address 192.168.0.1
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255


- PEM files including certificates(X.509) and private keys:

   - strongSwan gateway
      gateway1.example.com.key.pem (private key, PEM),
      gateway1.example.com.cert.pem (X.509, PEM)
      and TestCa-cacert.pem (CA's X.509, PEM)


See "Documents/Tips: Managing certificates by XCA on Ubuntu" to create the each PEM file, including a private key or a certificate(X.509) for strongSwan gateway.



Configuring VPN:


VPN client:


- Version: 0.2.b1-021 or later


  1. Open Rockhopper Web console on http://127.0.0.1:32501 (by default) by Firefox.
  2. Login with administrator's name and password. (by default, admin and secret).
  3. If VPN Configuration tab is not shown, uncheck Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: Example VPN
    Description: Config for Example VPN.
    Mode: Remote Client

  5. Setup Destination.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > Destination[Left-Tree]: Click this tree node and show Destination (Concentrator / Gateway) pane.

    - Enter the following.

    Destination Address: IPv4 and 10.0.0.1

  6. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: EAP-MSCHAPv2


  7. Setup CA Certificate/CRL.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > CA Certificate/CRL[Left-Tree]: Click this tree node and show CA Certificate/Certificate Revocation List(CRL) pane.

    - Enter the following.

    Imported Certificate/CRL Format: PEM(Base64-encoding) - File
    CA Certificates(X.509, *.pem): TestCA-cacert.pem


  8. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node and show "Edit VPN Realm(Save, Add, Remove, or Load)" pane.

    - Click Save Configuration button.


- Advanced Settings


  1. Open Rockhopper Web console on http://127.0.0.1:32501 (by default) by Firefox.
  2. Login with administrator's name and password. (by default, admin and secret).
  3. If VPN Configuration tab is not shown, uncheck Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node and show Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: Example VPN
    Description: Config for Example VPN.
    Mode: Remote Client


    - Check Advanced Settings. (Version: 0.2.b1-021 or later)


  5. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > VPN Interface[Left-Tree]:
    Click this tree node and show VPN Tunnel/TAP Interface pane.

    - Enter or select the following.

    Internal Address Type: Auto (IKEv2 Configuration)


  6. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > Network Interface[Left-Tree]:
    Click this tree node and show Network Interface pane.

    - Check Use default route.


  7. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > Service[Left-Tree]:
    Click this tree node and show Service pane.

    - Network Deployment: Select Spoke Node / Client / Other.

    - Remote Configuration(IKEv2): Select Remote Access Client.


  8. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node and show My Key Store pane.

    - Enter the following.

    Authentication Method: EAP-MSCHAPv2


  9. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > Peers[Left-Tree]:
    Click this tree node and show Peers pane.

    - Click Add Peer button.

    - Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: Host Name(FQDN)
    Peer ID: gateway1.example.com


  10. Setup the Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > Peers[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
    Click this tree node and show Peer: gateway1.example.com(FQDN) pane.

    - Enter the following.

    Peer's IP Address: IPv4 and 10.0.0.1
    This peer's Network Deployment: Hub(Concentrator) Node


  11. Setup CA Certificate/CRL.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > CA Certificate/CRL[Left-Tree]: Click this tree node and show CA Certificate/Certificate Revocation List(CRL) pane.

    - Enter the following.

    Imported Certificate/CRL Format: PEM(Base64-encoding) - File
    CA Certificates(X.509, *.pem): TestCA-cacert.pem


  12. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node and show "Edit VPN Realm(Save, Add, Remove, or Load)" pane.

    - Click Save Configuration button.



strongSwan gateway:


Please visit strongSwan User Documentation to get more detailed information.

- Import certificates and private key files.


# sudo cp gateway1.example.com.key.pem /etc/ipsec.d/private/
# sudo cp gateway1.example.com.cert.pem /etc/ipsec.d/certs/
# sudo cp TestCa-cacert.pem /etc/ipsec.d/cacerts/


- Setup a VPN connection.


/etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

config setup
   nat_traversal=yes
   charonstart=yes
   plutostart=no

# Add connections here.

# Example VPN connections

conn strongSwan-gw
   keyexchange=ikev2
   auto=add
   left=10.0.0.1
   leftcert=gateway1.example.com.cert.pem
   leftid=@gateway1.example.com
   leftsubnet=192.168.0.0/24
   leftauth=pubkey
   leftsendcert=always
   right=%any
   rightsourceip=192.168.100.0/28
   rightauth=eap-mschapv2
   eap_identity=%any



/etc/strongswan.conf
# strongswan.conf - strongSwan configuration file

charon {
...
   plugins {

      attr {
        dns = 192.168.0.101
        subnet = 192.168.0.0/24
        netmask = 255.255.255.240
      }
   }
}
...


/etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA gateway1.example.com.key.pem "naisho"

alice : EAP "1234567890"



Restart strongSwan gateway:


# sudo ipsec restart



Connecting VPN:


  1. Open VPN client's Web console on http://127.0.0.1:32501 (by default) by Firefox.
  2. Login with administrator's name and password (by default, admin and secret).
  3. Top [Tab] > 10:Example VPN[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
    Click this tree node and show 10: gateway1.example.com(FQDN) pane.
  4. Click Connect button and open the EAP Authentication dialog.
  5. Enter a user name (alice) and a password and then push OK button.

Back to Top