VPN example:
Site-to-Site VPN (Hub and Spoke), Bridge (Virtual Ethernet over IPsec), One-armed, Behind a NAT/NAPT and Pre-Shared Key (Spoke gateways) / certificate (Hub gateway, PKCS#12/X.509).


The following image shows an example hub-and-spoke VPN for this scenario.

Ubuntu is installed on HubGw (Bridge/Hub), SpokeGw1 (Bridge/Spoke), SpokeGw2 (Bridge/Spoke), Router1 (Destination NAPT or Port Forwarding and Firewall), Router2 (Source NAPT) and Router3 (Source NAPT).

Rockhopper VPN software is installed on HubGw, SpokeGw1 and SpokeGw2.

VPN tunnels are established between HubGw and SpokeGw1 and between HubGw and SpokeGw2. Each VPN gateway works as a bridge between the Hub site, Spoke site 1 and Spoke site 2. These sites belong to the same subnet (192.168.0.0/24) and HubGw forwards packets between them.

The VPN peers use mixed authentication: SpokeGw1 and SpokeGw2 authenticate themselves with Pre-Shared Keys, while HubGw authenticates itself with an RSA signature (X.509 certificate).

All gateways are deployed in a one-armed configuration (a single interface, eth0, carries both the protected LAN traffic and the IKE/IPsec traffic). In addition, they are located behind NAT (NAPT): Router1 provides port forwarding (destination NAPT) for HubGw, and Router2 and Router3 provide source NAPT (Network Address Port Translation) for SpokeGw1 and SpokeGw2.



[Image: sample0 - network diagram of the hub and spoke VPN described above]

rhpvif10 on each gateway: A virtual interface (a Tunnel/TAP interface) used to access the protected network. "10" is the VPN realm ID. This interface is created automatically by the Rockhopper VPN service and is configured from the Rockhopper Web console, not with system tools such as the ifconfig command.

br0 on each gateway: A bridge interface with eth0 and rhpvif10 as its ports. It is managed with the brctl command from the bridge-utils package. You need to add eth0 to br0 manually with brctl, while rhpvif10 is added to br0 automatically by the Rockhopper VPN service.

eth0 on each gateway: The physical interface, attached to the physical network.



Advance preparation:


- HubGw (gateway1.example.com):
Setup a bridge interface.
# sudo brctl addbr br0
# sudo brctl addif br0 eth0
# sudo ifconfig br0 192.168.0.11 netmask 255.255.255.0

# sudo route add default gw 192.168.0.10

- SpokeGw1 (spoke1.example.com):
Setup a bridge interface.
# sudo brctl addbr br0
# sudo brctl addif br0 eth0
# sudo ifconfig br0 192.168.0.21 netmask 255.255.255.0

# sudo route add default gw 192.168.0.20

- SpokeGw2 (spoke2.example.com):
Setup a bridge interface.
# sudo brctl addbr br0
# sudo brctl addif br0 eth0
# sudo ifconfig br0 192.168.0.31 netmask 255.255.255.0

# sudo route add default gw 192.168.0.30

See also "man 8 brctl" for more details on setting up a bridge interface.
If you set up the bridge interface manually after configuring Rockhopper, restart Rockhopper like this:
# sudo /etc/init.d/rockhopper restart


- Router1 (Port Forwarding):
# sudo ifconfig eth0 10.0.0.1 netmask 255.255.255.0
# sudo ifconfig eth1 192.168.0.10 netmask 255.255.255.0

Enable IPv4 routing.
# sudo sysctl net.ipv4.ip_forward=1

Forward IKE packets destined for 10.0.0.1:500 (Router1) to 192.168.0.11:500 (HubGw).
# sudo iptables -t nat -A PREROUTING -p udp --dst 10.0.0.1 --dport 500 -j DNAT --to-destination 192.168.0.11:500

Forward packets destined for 10.0.0.1:4500 (Router1) to 192.168.0.11:4500 (HubGw). UDP 4500 carries IKE and UDP-encapsulated ESP once the peers detect the NAT, so ESP itself (IP protocol 50) need not be forwarded.
# sudo iptables -t nat -A PREROUTING -p udp --dst 10.0.0.1 --dport 4500 -j DNAT --to-destination 192.168.0.11:4500

- Router2 and Router3 (Source NAPT):
Enable IPv4 routing.
# sudo sysctl net.ipv4.ip_forward=1

Perform NAPT for packets from the private network (192.168.0.0/24) leaving through eth0.
# sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE --random

- Internal DNS / File / Web server:
# sudo ifconfig eth0 192.168.0.12 netmask 255.255.255.0
# sudo route add default gw 192.168.0.10

The configuration above is lost when the computer restarts. To make it permanent, edit /etc/network/interfaces as follows. This is an example for HubGw (gateway1.example.com) on Ubuntu.

- /etc/network/interfaces (Ubuntu):
auto eth0
iface eth0 inet manual
up /sbin/ifconfig eth0 promisc

auto br0
iface br0 inet static
address 192.168.0.11
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
gateway 192.168.0.10
bridge_ports eth0
bridge_stp off
bridge_maxwait 10
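The following script, added here as an example and not part of the Rockhopper documentation, checks the two things in the preparation above that most often go wrong: that br0 has both eth0 (added by hand) and rhpvif10 (added by Rockhopper once the realm is running) as ports, and that Router1 forwards both UDP 500 and UDP 4500 to HubGw. Both functions read command output from standard input, so on a gateway you pipe "brctl show" into the first and on Router1 "iptables-save -t nat" into the second. The sample outputs embedded in the script are constructed for a dry run, not captured from a real system; the addresses are the ones used on this page.

```shell
#!/bin/sh
# Added example (not part of the Rockhopper documentation): sanity checks for
# the bridge and port-forwarding setup described above. Both functions read
# the output of a system command from stdin, e.g.
#   brctl show           | bridge_has_ports br0 eth0 rhpvif10          (gateway)
#   iptables-save -t nat | ike_ports_forwarded 10.0.0.1 192.168.0.11   (Router1)
set -eu

# bridge_has_ports BRIDGE PORT...: succeed only if every PORT is attached to
# BRIDGE in "brctl show" output. On a gateway both eth0 (added manually) and
# rhpvif10 (added by Rockhopper when the realm starts) must be present.
bridge_has_ports() {
    br=$1; shift
    # brctl lists the first port on the bridge's own line (4th field) and any
    # further ports one per indented continuation line (single field).
    ports=$(awk -v br="$br" '
        NR == 1 { next }                            # column header
        NF >= 3 { cur = $1; p = (NF >= 4) ? $4 : "" }
        NF == 1 { p = $1 }
        cur == br && p != "" { print p; p = "" }')
    for want in "$@"; do
        printf '%s\n' "$ports" | grep -qx -- "$want" || return 1
    done
    return 0
}

# ike_ports_forwarded WAN_IP HUB_IP: succeed only if "iptables-save -t nat"
# output DNATs both UDP 500 (IKE) and UDP 4500 (IKE and UDP-encapsulated ESP,
# which the peers switch to once they detect the NAT) from WAN_IP to HUB_IP.
ike_ports_forwarded() {
    wan=$1; hub=$2
    rules=$(cat)
    for port in 500 4500; do
        printf '%s\n' "$rules" | grep -Eq \
            "^-A PREROUTING .*-d $wan(/32)? .*-p udp .*--dport $port .*-j DNAT --to-destination $hub:$port\$" \
            || return 1
    done
    return 0
}

# Constructed sample outputs (not captured from a real system) for a dry run.
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.0200c0a8000b       no              eth0
                                                        rhpvif10'

SAMPLE_NAT_OK='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 10.0.0.1/32 -p udp -m udp --dport 500 -j DNAT --to-destination 192.168.0.11:500
-A PREROUTING -d 10.0.0.1/32 -p udp -m udp --dport 4500 -j DNAT --to-destination 192.168.0.11:4500
COMMIT'

# Same router with the NAT-T rule missing: IKE_SA_INIT on 500 would succeed,
# the peers would then move to 4500 and the exchange would stall.
SAMPLE_NAT_NO_NATT='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 10.0.0.1/32 -p udp -m udp --dport 500 -j DNAT --to-destination 192.168.0.11:500
COMMIT'

demo() {
    if printf '%s\n' "$SAMPLE_BRCTL" | bridge_has_ports br0 eth0 rhpvif10; then
        echo "br0: eth0 and rhpvif10 attached"
    else
        echo "br0: a port is missing (is eth0 added? is the realm started?)"
    fi
    if printf '%s\n' "$SAMPLE_NAT_OK" | ike_ports_forwarded 10.0.0.1 192.168.0.11; then
        echo "Router1: UDP 500 and 4500 forwarded to HubGw"
    fi
    if ! printf '%s\n' "$SAMPLE_NAT_NO_NATT" | ike_ports_forwarded 10.0.0.1 192.168.0.11; then
        echo "Router1 (broken sample): UDP 4500 not forwarded"
    fi
}
demo
```

Run the bridge check only after the Rockhopper service has been started and the realm saved, since rhpvif10 does not exist before that; seeing eth0 alone on br0 at that point means the realm is not linked to the bridge.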


- A PKCS#12 file including the certificates (X.509) and a private key:

   - HubGw: gateway1.example.com.p12 (PKCS#12)

   The certificate (X.509) for HubGw includes a subjectAltName carrying its host name/FQDN, which is what the spokes match against the hub's IKEv2 peer ID.

   - HubGw: gateway1.example.com (Host name/FQDN)

- A PEM file including the CA certificate (X.509):

   - CA: TestCA-cacert.pem (X.509, PEM/Base64-encoding)

See "Documents/Tips: Managing certificates by XCA" for how to create the PKCS#12 file (containing a private key, the gateway's certificate (X.509) and the CA certificate (X.509)) and the PEM file for the CA certificate (X.509).
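As an added example, not part of the Rockhopper documentation or of the XCA tip it refers to, the script below builds the same two files with the openssl command line instead of XCA: a throw-away test CA (TestCA-cacert.pem) and the hub's PKCS#12 bundle (gateway1.example.com.p12, password "himitsu", containing the private key, the hub certificate and the CA certificate). It then checks, before anything is imported into Rockhopper, the three properties this scenario depends on: the PKCS#12 opens with the expected password, the hub certificate chains to the CA certificate the spokes will import, and it carries gateway1.example.com as a subjectAltName dNSName so that it matches the Peer ID the spokes configure. The CA subject "TestCA" and the 365-day validity are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the Rockhopper documentation): create a test CA
# and the HubGw PKCS#12 bundle with openssl, then verify the bundle before
# importing it. File names and the password follow the page; the CA subject
# "TestCA" and the 365-day validity are assumptions of this example.
set -eu

HUB_FQDN=gateway1.example.com
P12_PASS=himitsu

# make_test_pki DIR: write TestCA-cacert.pem and gateway1.example.com.p12 to DIR
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    # Self-signed CA; this PEM is what each spoke imports under CA Certificate/CRL
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=TestCA" \
        -keyout "$dir/TestCA-key.pem" -out "$dir/TestCA-cacert.pem" 2>/dev/null
    # Hub key and request; the CN alone is not what the IKEv2 peer ID is matched on
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HUB_FQDN" \
        -keyout "$dir/hub-key.pem" -out "$dir/hub.csr" 2>/dev/null
    # Sign it, adding the FQDN as a subjectAltName dNSName
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$HUB_FQDN" >"$dir/hub.ext"
    openssl x509 -req -days 365 -in "$dir/hub.csr" -CA "$dir/TestCA-cacert.pem" \
        -CAkey "$dir/TestCA-key.pem" -CAcreateserial -extfile "$dir/hub.ext" \
        -out "$dir/hub-cert.pem" 2>/dev/null
    # PKCS#12: private key + hub certificate + CA certificate, password-protected
    openssl pkcs12 -export -inkey "$dir/hub-key.pem" -in "$dir/hub-cert.pem" \
        -certfile "$dir/TestCA-cacert.pem" -name "$HUB_FQDN" \
        -passout "pass:$P12_PASS" -out "$dir/$HUB_FQDN.p12"
}

# check_hub_p12 P12 CA_PEM FQDN PASSWORD: return 0 only if all three checks pass
check_hub_p12() {
    p12=$1; ca=$2; fqdn=$3; pass=$4
    leaf=$(mktemp)
    rc=1
    # 1. the password opens the bundle (extract only the end-entity certificate);
    # 2. the certificate verifies against the CA the spokes will import;
    # 3. the SAN carries the FQDN the spokes use as the hub's Peer ID.
    if openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts -out "$leaf" 2>/dev/null &&
       openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 &&
       openssl x509 -in "$leaf" -noout -text | grep -q "DNS:$fqdn"
    then
        rc=0
    fi
    rm -f "$leaf"
    return $rc
}

demo() {
    work=$(mktemp -d)
    make_test_pki "$work"
    p12="$work/$HUB_FQDN.p12"; ca="$work/TestCA-cacert.pem"
    if check_hub_p12 "$p12" "$ca" "$HUB_FQDN" "$P12_PASS"; then
        echo "$HUB_FQDN.p12: password, chain and subjectAltName check out"
    fi
    if ! check_hub_p12 "$p12" "$ca" spoke1.example.com "$P12_PASS"; then
        echo "subjectAltName does not carry spoke1.example.com (as expected)"
    fi
    rm -rf "$work"
}
demo
```

On an OpenSSL 3.x host the exported PKCS#12 is encrypted with AES-256 and PBKDF2 by default; if an older PKCS#12 consumer refuses the file, re-export it with the -legacy option of "openssl pkcs12", which falls back to the 3DES/RC2 algorithms such consumers expect. Keep TestCA-key.pem off the gateways: only the CA certificate is imported on the spokes, and only the .p12 on the hub.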



Configuring VPN:


HubGw (gateway1.example.com):


  1. Open the Rockhopper Web console at http://127.0.0.1:32501 (the default) in Firefox.
  2. Log in with the administrator's name and password (by default, admin and secret; change these defaults on any real deployment).
  3. If the VPN Configuration tab is not shown, uncheck the Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node to show the Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click the Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click the OK button.

    Realm ID: 10
    Realm Name: "Example VPN"
    Description: "Config for Example VPN."
    Mode: Bridge

  5. Set up the VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > VPN Interface[Left-Tree]: Click this tree node to show the VPN Tunnel/TAP Interface pane.

    - Enter or select the following.

    Internal Address Type: Unnumbered(for bridging)
    Linked Bridge Name: br0
    Encapsulation Mode: Ethernet over IP (EtherIP)

  6. Set up the Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node to show the Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select br0 as the source interface.

  7. Set up the Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Service[Left-Tree]:
    Click this tree node to show the Service pane.

    - Network Deployment: Select Hub(Concentrator) Node.

  8. Set up My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node to show the My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): gateway1.example.com.p12
    RSA Private Key's Password: himitsu (the password set when the PKCS#12 file was exported)

  9. Set up the Peers' Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Peers' Key Store[Left-Tree]:
    Click this tree node to show the Peers' Key Store pane.

    - Click the Add Peer's Pre-Shared Key(PSK) button to add a Pre-Shared Key (PSK) for SpokeGw1 (spoke1.example.com).

    - Add a New Peer's Pre-Shared Key(PSK)[Dialog]: Enter the following, then click the OK button.

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: spoke1.example.com
    Pre-Shared Key(PSK): abcdefghij


    Similarly, add a Pre-Shared Key (PSK) for SpokeGw2 (spoke2.example.com).

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: spoke2.example.com
    Pre-Shared Key(PSK): 1234567890

    The two PSKs above are short placeholders for this example. In a real deployment give each spoke its own long, random PSK, because IKEv2 does not protect a low-entropy PSK against dictionary attacks; the same value must be entered on that spoke in its My Key Store.

  10. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node to show the Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click the Save Configuration button.


SpokeGw1 (spoke1.example.com):


  1. Open the Rockhopper Web console at http://127.0.0.1:32501 (the default) in Firefox.
  2. Log in with the administrator's name and password (by default, admin and secret; change these defaults on any real deployment).
  3. If the VPN Configuration tab is not shown, uncheck the Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node to show the Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click the Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click the OK button.

    Realm ID: 10
    Realm Name: "Example VPN"
    Description: "Config for Example VPN."
    Mode: Bridge

  5. Set up the VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > VPN Interface[Left-Tree]: Click this tree node to show the VPN Tunnel/TAP Interface pane.

    - Enter or select the following.

    Internal Address Type: Unnumbered(for bridging)
    Linked Bridge Name: br0
    Encapsulation Mode: Ethernet over IP (EtherIP)

  6. Set up the Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node to show the Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select br0 as the source interface.

  7. Set up the Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Service[Left-Tree]:
    Click this tree node to show the Service pane.

    - Network Deployment: Select Spoke Node / Other.

  8. Set up My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node to show the My Key Store pane.

    - Enter the following.

    Authentication Method: Pre-Shared Key(PSK)
    My ID Type: Host Name(FQDN)
    My ID: spoke1.example.com
    Pre-Shared Key(PSK): abcdefghij (placeholder value for this example; it must be identical to the PSK registered for spoke1.example.com in HubGw's Peers' Key Store)

  9. Set up Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Peers[Left-Tree]: Click this tree node to show the Peers pane.

    - Click the Add Peer button.
    Add a New Peer[Dialog]: Enter the following, then click the OK button.

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: gateway1.example.com

  10. Set up the Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Peers[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
    Click this tree node to show the Peer: gateway1.example.com(FQDN) pane.

    - Enter the following.

    Peer's IPv4 Address: 10.0.0.1 (Router1's global address; Router1 forwards UDP 500 and 4500 to HubGw)
    This peer's Network Deployment: Hub(Concentrator) Node
    Always-on connection: Check Enabled.

  11. Set up CA Certificate/CRL.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > CA Certificate/CRL[Left-Tree]:
    Click this tree node to show the CA Certificate/Certificate Revocation List(CRL) pane.

    - Enter the following.

    Imported Certificate/CRL Format: PEM(Base64-encoding) - File
    CA Certificates(X.509, *.pem): TestCA-cacert.pem

    SpokeGw1 validates HubGw's certificate against this CA certificate; the certificate carries gateway1.example.com as a subjectAltName, matching the Peer ID entered in step 9.

  12. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node to show the Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click the Save Configuration button.


SpokeGw2 (spoke2.example.com):


  1. Open the Rockhopper Web console at http://127.0.0.1:32501 (the default) in Firefox.
  2. Log in with the administrator's name and password (by default, admin and secret; change these defaults on any real deployment).
  3. If the VPN Configuration tab is not shown, uncheck the Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node to show the Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click the Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click the OK button.

    Realm ID: 10
    Realm Name: "Example VPN"
    Description: "Config for Example VPN."
    Mode: Bridge

  5. Set up the VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > VPN Interface[Left-Tree]: Click this tree node to show the VPN Tunnel/TAP Interface pane.

    - Enter or select the following.

    Internal Address Type: Unnumbered(for bridging)
    Linked Bridge Name: br0
    Encapsulation Mode: Ethernet over IP (EtherIP)

  6. Set up the Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node to show the Network Interface pane.

    - Uncheck Use default route and enter the following.
        Primary interface:
          - Name: Select br0 as the source interface.

  7. Set up the Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Service[Left-Tree]:
    Click this tree node to show the Service pane.

    - Network Deployment: Select Spoke Node / Other.

  8. Set up My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node to show the My Key Store pane.

    - Enter the following.

    Authentication Method: Pre-Shared Key(PSK)
    My ID Type: Host Name(FQDN)
    My ID: spoke2.example.com
    Pre-Shared Key(PSK): 1234567890 (placeholder value for this example; it must be identical to the PSK registered for spoke2.example.com in HubGw's Peers' Key Store)

  9. Set up Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Peers[Left-Tree]: Click this tree node to show the Peers pane.

    - Click the Add Peer button.
    Add a New Peer[Dialog]: Enter the following, then click the OK button.

    Peer ID Type: IKEv2: Host Name(FQDN)
    Peer ID: gateway1.example.com

  10. Set up the Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Peers[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
    Click this tree node to show the Peer: gateway1.example.com(FQDN) pane.

    - Enter the following.

    Peer's IPv4 Address: 10.0.0.1 (Router1's global address; Router1 forwards UDP 500 and 4500 to HubGw)
    This peer's Network Deployment: Hub(Concentrator) Node
    Always-on connection: Check Enabled.

  11. Set up CA Certificate/CRL.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > CA Certificate/CRL[Left-Tree]:
    Click this tree node to show the CA Certificate/Certificate Revocation List(CRL) pane.

    - Enter the following.

    Imported Certificate/CRL Format: PEM(Base64-encoding) - File
    CA Certificates(X.509, *.pem): TestCA-cacert.pem

    SpokeGw2 validates HubGw's certificate against this CA certificate; the certificate carries gateway1.example.com as a subjectAltName, matching the Peer ID entered in step 9.

  12. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node to show the Edit VPN Realm(Save, Add, Remove, or Load) pane.

    - Click the Save Configuration button.
