How to setup IPCOP IPSEC VPN (RoadWarrior)
www.JumpingBean.co.za Your Java and Linux Experts Page 1 of 11

This brief "how to" sets out how to set up IPCOP and Linux clients so that they connect successfully to the Openswan IPSEC-based VPN that comes standard with IPCOP.

Jumping Bean (www.jumpingbean.co.za) is a South African based, open source company specializing in Java/PHP applications and Linux/Open Source support. Many of our consultants are off site, so we needed to enable them to connect to our internal network via VPN to fill out timesheets etc. We used to use OpenVPN but wanted to try out IPSEC. This document is intended to help others successfully connect Linux clients via IPSEC to an IPCOP server.

The document has two main sections:
● Configuring IPCOP Server, and
● Linux Client Setup

License

This documentation is provided under the GNU GPL.

Configuring IPCOP Server

If this guide to setting up the server is not clear enough for you, please have a look at the IPCOP.org web site for links. There are quite a few "how tos" there for server setup, and it is not that difficult. There is very little information on the Linux client setup, and this guide is mainly meant to fill that gap.

The only issue we had was setting up the connections. We needed to enable the "roadwarrior virtual ip" option under the Advanced tab (see below).

VPN Main Page

First you need to set up IPCOP correctly. Click on VPNs => VPN in the drop-down box from the toolbar menu. You will see a screen like the one below.

Global Settings

The first thing to fill out is the "Global Settings" panel. Under Global Settings you need to fill out:
● Local vpn hostname/ip address: the hostname or public IP of your firewall (if this is incorrect you may get "no connection has been authorized with policy=RSASIG" errors; see Troubleshooting below).
● Enabled: click Enabled to enable the VPN.
● Enable on Green/Red/Orange: the network you wish to VPN into.
Certificate Authorities

Next set up the certificate authority (CA). This is necessary if you are going to use certificates, as opposed to shared secrets, for your users to connect. Using CA certificates is more secure and, in my opinion, the only way to go.

Click on the "Generate Root/Host Certificates" button. This will generate the certificates automatically. You will be prompted for information about the certificates. I did not take screenshots of this part, but it is quite straightforward. Usually the most crucial field to get right is the "common name" or "cn" entry. Some SSL validators complain if the common name does not match the hostname, so make it the same as your public hostname. It may work if it doesn't match, but past experience has taught that SSL authentication can fail if they don't match. Better to just eliminate this possibility by making sure they match. After generating the certificate your screen should look like the one below.

The process creates a root (CA) certificate, used to sign connection and host certificates, and a host certificate. Notice the blue floppy disk icon. You will use it later to download both the root (CA) certificate and the host certificate when setting up the client.

Connection Status and Control

Next we need to set up the connection certificates for users. Under "Connection status and control" click the "Add" button. Select "Host-to-Net Virtual Private Network (RoadWarrior)" in the screen that follows. You will then be presented with a screen asking for the details of the connection you are trying to create. This is pretty straightforward. The name field may be anything, but we use the employee number for consistency. Fill in the network and subnet of the network you are trying to connect to (i.e. Green, Orange or Red).
This must match the actual subnet of the network you are connecting to, otherwise the connection will not work.

During the setup you will be asked to enter a passphrase. This is used to encrypt your certificate. Please remember the phrase you used, as you will need it later.

The key thing to do here, if you are setting up roadwarrior access, is to click on the "Advanced" button. You will be presented with the screen below. It is important to enable the "roadwarrior virtual IP" option. If you don't, your roadwarrior users will not be able to connect. You should also enable "Perfect Forward Secrecy" if you say pfs=yes in the /etc/ipsec.conf file on the client machine (see client setup), so that both ends agree on that setting.

After setting up the client connection your screen should look like this.

Notice the blue floppy disk icon. You will use this to download the connection certificate later.

Linux Client Setup

We use various distros at our offices. This howto was done using Fedora Core 5, but the steps below should work on any machine that runs Linux and Openswan. (I used the setup below on SUSE too and it worked.) The file locations may be all that will change.

To set up the client you need to download the connection certificate, CA certificate and firewall host certificate from IPCOP. You can do this by clicking on the disk icon next to the entry on the VPN page. Save them somewhere easy to access.

Extract Connection Key and Public Certificate

The connection certificate is in PKCS#12 format, which Openswan cannot use directly. We need to extract the private key and public certificate for the connection from this file. We can use openssl to do this, so make sure it is installed.
Extract your public certificate:

    openssl pkcs12 -clcerts -nodes -nokeys -in /certs/client.p12 -out client.pem

You will need to enter the password you locked your certificate with when you set it up in IPCOP.

    Enter Import Password:
    MAC verified OK

Extract your secret private key:

    openssl pkcs12 -nodes -nocerts -in /certs/client.p12 -out client.key

Enter the passphrase you encrypted the cert with.

    Enter Import Password:
    MAC verified OK

You then need to copy the certificates to the locations below:

● Copy the client.pem file to /etc/ipsec.d/certs
● Copy the client.key file to /etc/ipsec.d/private
● Copy the hostkey.pem file (the firewall's host certificate, downloaded from IPCOP) to /etc/ipsec.d/certs. The ipsec.conf below refers to it as /etc/ipsec.d/certs/hostcert.pem, so make sure the file name on disk and the rightcert entry agree.
● Copy the cacert.pem file (downloaded from IPCOP) to /etc/ipsec.d/cacerts/

You may now delete the PKCS#12 format certificate. Note that client.key was written unencrypted (-nodes), so /etc/ipsec.d/private must stay readable by root only.

You now need to set up your ipsec.conf file. This is the file I use on clients:

    # /etc/ipsec.conf - Openswan IPsec configuration file
    #
    # Manual:     ipsec.conf.5
    #
    # Please place your own config files in /etc/ipsec.d/ ending in .conf

    # conforms to second version of ipsec.conf specification
    version 2.0

    # basic configuration
    config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=all
        #plutodebug="control parsing"
        plutodebug=all
        nat_traversal=yes
        interfaces="%defaultroute"

    include /etc/ipsec.d/no_oe.conf

    conn <connection_name>        # ===> change this to something useful
        authby=rsasig
        pfs=yes                   # ===> make sure you ticked the Perfect Forward Secrecy option when creating this connection on IPCOP
        compress=yes
        auto=add
        left=%defaultroute
        leftcert=/etc/ipsec.d/certs/client.pem
        leftrsasigkey=%cert
        right=<public ip address of your ipcop firewall>    # ===> change this
        rightcert=/etc/ipsec.d/certs/hostcert.pem
        rightrsasigkey=%cert
        rightsubnet=192.168.10.0/255.255.255.0              # ===> the subnet range, same as the one you set up during the connection creation above

You need to set up your /etc/ipsec.secrets file as follows:

    : RSA /etc/ipsec.d/private/client.key

You should now be able to connect via VPN to your office. You may have to start ipsec:

    /etc/init.d/ipsec start

Give it a minute to initialise, then go:

    ipsec auto --up <connection name>        # ===> must match the connection name used in ipsec.conf

Troubleshooting

If you are experiencing problems I suggest watching the syslog messages. You should select the debug options under "Global Settings" on IPCOP's VPN control panel to get verbose error messages. I usually ssh into the IPCOP box and then go:

    tail -f /var/log/messages

On the client side it depends whether the messages are written to /var/log/messages or /var/log/secure. On Fedora it is:

    tail -f /var/log/secure

This will usually give you an idea of what the problem is. On the client machine you can also run:

    ipsec verify

I get the following output:

    Checking your system to see if IPsec got installed and started correctly:
    Version check and ipsec on-path                                 [OK]
    Linux Openswan U2.4.4/K2.6.17-1.2187_FC5 (netkey)
    Checking for IPsec support in kernel                            [OK]
    Checking for RSA private key (/etc/ipsec.secrets)               [FAILED]
    hostname: Unknown host
    ipsec showhostkey: no default key in "/etc/ipsec.secrets"
    Checking that pluto is running                                  [OK]
    Two or more interfaces found, checking IP forwarding            [FAILED]
    Checking for 'ip' command                                       [OK]
    Checking for 'iptables' command                                 [OK]
    Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
    Opportunistic Encryption Support                                [DISABLED]

IP forwarding does not need to be enabled unless you have machines behind the VPN server. The issue around /etc/ipsec.secrets can be ignored.
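The client-side procedure above (extracting the key and certificate from the PKCS#12 file, placing the files under /etc/ipsec.d, writing ipsec.conf and ipsec.secrets) as one script. This is an added example, not code from the original how-to nor from the IPCOP or Openswan projects. It assumes a POSIX shell and the openssl command line tool; the function names, the throwaway CA it generates for the demo, the conn name emp001 and the documentation address 203.0.113.1 are all assumptions made for the example. It adds two checks the how-to does not show: that the extracted certificate chains to the IPCOP CA and that the key belongs to it, and that rightsubnet is syntactically a network before the conn is written.

```shell
#!/bin/sh
# Added example, not code from the original how-to: the Linux client setup
# above as a script. Assumes a POSIX shell and the openssl command. Every path
# is built under a root directory argument so the functions can be tried in a
# scratch directory; on a real client run as root and pass / as the root.
set -u

# Step 1: extract the client certificate and private key from the PKCS#12
# bundle IPCOP produced, check them, and install them where Openswan looks.
# $1 client.p12  $2 import password  $3 cacert.pem  $4 host certificate  $5 root
install_client_identity() {
    p12=$1 pw=$2 cacert=$3 hostcert=$4 root=$5
    d="$root/etc/ipsec.d"
    mkdir -p "$d/certs" "$d/private" "$d/cacerts" || return 1
    # -clcerts -nokeys: the bundle also carries the CA certificate; keep only ours.
    openssl pkcs12 -clcerts -nokeys -in "$p12" -passin "pass:$pw" \
        -out "$d/certs/client.pem" 2>/dev/null || return 1
    # -nocerts -nodes: the key unencrypted, since pluto reads it unattended.
    openssl pkcs12 -nocerts -nodes -in "$p12" -passin "pass:$pw" \
        -out "$d/private/client.key" 2>/dev/null || return 1
    chmod 600 "$d/private/client.key" || return 1
    # hostcert.pem is the name rightcert= uses in the how-to's ipsec.conf.
    cp "$cacert" "$d/cacerts/cacert.pem" && cp "$hostcert" "$d/certs/hostcert.pem" || return 1
    # Before touching ipsec.conf: the client cert must chain to the IPCOP CA,
    # and the extracted key must belong to that cert (same RSA modulus).
    openssl verify -CAfile "$d/cacerts/cacert.pem" "$d/certs/client.pem" >/dev/null 2>&1 || return 1
    cmod=$(openssl x509 -noout -modulus -in "$d/certs/client.pem" 2>/dev/null) || return 1
    kmod=$(openssl rsa -noout -modulus -in "$d/private/client.key" 2>/dev/null) || return 1
    [ -n "$cmod" ] && [ "$cmod" = "$kmod" ]
}

# Step 2: write the conn block and ipsec.secrets. Subnet syntax, conn name (it
# must match "ipsec auto --up <name>") and pfs are validated because a mismatch
# there fails quietly; pfs must equal the PFS choice made on IPCOP.
# $1 conn name  $2 firewall public IP/hostname  $3 subnet  $4 pfs yes|no  $5 root
write_ipsec_conf() {
    name=$1 gw=$2 subnet=$3 pfs=$4 root=$5
    q='([0-9]{1,3}\.){3}[0-9]{1,3}'
    echo "$subnet" | grep -Eq "^$q/($q|[0-9]{1,2})$" || return 1
    echo "$name" | grep -Eq '^[A-Za-z0-9_-]+$' || return 1
    case $pfs in yes|no) ;; *) return 1 ;; esac
    # Refuse to write a conn whose certificate files are not in place yet.
    [ -f "$root/etc/ipsec.d/certs/client.pem" ] && [ -f "$root/etc/ipsec.d/certs/hostcert.pem" ] || return 1
    cat > "$root/etc/ipsec.conf" <<EOF
# /etc/ipsec.conf - Openswan roadwarrior client for IPCOP (generated)
version 2.0
config setup
    nat_traversal=yes
    interfaces="%defaultroute"
include /etc/ipsec.d/no_oe.conf
conn $name
    authby=rsasig
    pfs=$pfs
    compress=yes
    auto=add
    left=%defaultroute
    leftcert=/etc/ipsec.d/certs/client.pem
    leftrsasigkey=%cert
    right=$gw
    rightcert=/etc/ipsec.d/certs/hostcert.pem
    rightrsasigkey=%cert
    rightsubnet=$subnet
EOF
    [ -s "$root/etc/ipsec.conf" ] || return 1
    # The RSA line in ipsec.secrets points pluto at the extracted private key.
    printf ': RSA /etc/ipsec.d/private/client.key\n' > "$root/etc/ipsec.secrets" || return 1
    chmod 600 "$root/etc/ipsec.secrets"
}

# Constructed stand-in for the files IPCOP hands out (not real IPCOP output):
# a throwaway CA, a host certificate and a client certificate, the latter
# bundled as PKCS#12 under the given password.  $1 dir  $2 password
make_demo_ipcop_files() {
    dir=$1 pw=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo IPCOP CA" \
        -keyout "$dir/ca.key" -out "$dir/cacert.pem" 2>/dev/null || return 1
    for n in hostcert client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$n.example" \
            -keyout "$dir/$n.key" -out "$dir/$n.csr" 2>/dev/null || return 1
        openssl x509 -req -days 1 -in "$dir/$n.csr" -CA "$dir/cacert.pem" \
            -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/$n.pem" 2>/dev/null || return 1
    done
    # -certfile puts the CA cert in the bundle too, which is why -clcerts is needed.
    openssl pkcs12 -export -in "$dir/client.pem" -inkey "$dir/client.key" \
        -certfile "$dir/cacert.pem" -passout "pass:$pw" -out "$dir/client.p12" 2>/dev/null
}

# Whole procedure into a scratch root; 203.0.113.1 is a documentation address
# standing in for the firewall's public IP.  $1 work dir
run_demo() {
    work=$1
    mkdir -p "$work/ipcop" || return 1
    make_demo_ipcop_files "$work/ipcop" secret || return 1
    install_client_identity "$work/ipcop/client.p12" secret \
        "$work/ipcop/cacert.pem" "$work/ipcop/hostcert.pem" "$work/root" || return 1
    write_ipsec_conf emp001 203.0.113.1 192.168.10.0/255.255.255.0 yes "$work/root"
}

if [ "${1:-}" = demo ]; then
    w=$(mktemp -d) && run_demo "$w" && cat "$w/root/etc/ipsec.conf"; rm -rf "$w"
fi
```

Run it as "sh client-setup.sh demo" to exercise the whole flow in a temporary directory and print the generated ipsec.conf. On a real client, call install_client_identity with the three files downloaded from IPCOP and / as the root, then write_ipsec_conf with your connection name, the firewall's public address and the subnet you entered on IPCOP, and start ipsec as described above. The generator leaves out the klipsdebug/plutodebug lines; add them while troubleshooting.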
Some of the log messages I got while setting things up:

    initial Main Mode message received on XXX.XXX.XXX.XX:500 but no connection has been authorized with policy=RSASIG

This was due to the left= IP address in the file /etc/ipsec.conf on IPCOP being set incorrectly. In the "Global Settings" on the main control panel for VPN setup on the IPCOP machine, make sure that the "Local vpn hostname/ip address" setting is set to the public IP of the IPCOP server. In our case I used the machine's FQDN, but our internal DNS server resolves this to a different (orange) address internally, as opposed to the public DNS servers. We do this so we don't have to type different URLs when we are out of the office as opposed to in the office. :) I fixed the problem by entering the public IP address.

The other problem we faced was enabling the "virtual ip" on the IPCOP server under the connection setup's Advanced options. Until we did this we got error messages about no match being found.

Conclusion

I hope this helps others.

About Jumping Bean

Jumping Bean (www.jumpingbean.co.za) is a South African company that builds solutions for our clients using open source components and Java/PHP. We offer support for:
● open source applications,
● installation and configuration of Linux servers,
● Java and PHP development,
● Asterisk, Email and Small Business Server installation and support.
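A small triage filter for the messages discussed in the Troubleshooting section, written as an added example that is not part of the original how-to: it maps the pluto log line and the ipsec verify lines quoted above to the fix, or the "ignore" verdict, that the how-to gives for each. The function names and the sample log lines are constructed for the example (the syslog prefixes and addresses are made up); the message texts matched are the ones quoted in this document, and the "no match" pattern is deliberately broad because the how-to only paraphrases that message.

```shell
#!/bin/sh
# Added example, not from the original how-to: maps the log and "ipsec verify"
# lines quoted in the troubleshooting section to the remedy the how-to gives.
set -u

# Print a hint for one line; return 1 (and print nothing) for unknown lines.
diagnose_line() {
    case $1 in
        *"no connection has been authorized with policy=RSASIG"*)
            echo 'FIX: set "Local vpn hostname/ip address" under IPCOP Global Settings to the public IP of the firewall (left= on IPCOP is wrong).' ;;
        *"no match"*)   # the how-to only paraphrases this message, so the pattern is broad
            echo 'FIX: enable "roadwarrior virtual IP" under Advanced in the connection setup on IPCOP.' ;;
        *"no default key in"*|*"Checking for RSA private key"*"[FAILED]"*)
            echo 'IGNORE: expected when ipsec.secrets only holds ": RSA /etc/ipsec.d/private/client.key".' ;;
        *"checking IP forwarding"*"[FAILED]"*)
            echo 'IGNORE: IP forwarding is only needed with machines behind this host.' ;;
        *) return 1 ;;
    esac
}

# Print a hint for every recognised line in a file (use - for stdin), e.g.
#   tail -n 200 /var/log/secure | sh triage.sh -
diagnose_file() {
    while IFS= read -r line; do
        diagnose_line "$line" || true
    done < "$1"
}

# Number of actionable (FIX) lines in a file, printed on stdout.
count_fixes() {
    n=0
    while IFS= read -r line; do
        hint=$(diagnose_line "$line") || continue
        case $hint in FIX:*) n=$((n + 1)) ;; esac
    done < "$1"
    echo "$n"
}

# Constructed sample input: one pluto line in the form quoted by the how-to,
# one line paraphrasing its "no match" error, and ipsec verify output lines.
sample_log() {
    cat <<'EOF'
Jan 10 09:12:01 fw pluto[1234]: packet from 198.51.100.7:500: initial Main Mode message received on 203.0.113.1:500 but no connection has been authorized with policy=RSASIG
Jan 10 09:14:33 fw pluto[1234]: packet from 198.51.100.7:500: no match for roadwarrior (constructed line)
Checking for RSA private key (/etc/ipsec.secrets)               [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking that pluto is running                                  [OK]
EOF
}

if [ "${1:-}" = sample ]; then
    f=$(mktemp) && sample_log > "$f" && diagnose_file "$f" && echo "actionable: $(count_fixes "$f")"
    rm -f "${f:-}"
elif [ $# -eq 1 ]; then
    diagnose_file "$1"
fi
```

With the constructed sample the filter reports two actionable lines (the RSASIG policy error and the "no match" error) and marks the two ipsec verify failures as expected. Only the two FIX hints correspond to settings on IPCOP; the rest are noise the how-to says to ignore.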