How to setup IPCOP IPSEC VPN (RoadWarrior)

Transcription

How to setup IPCOP IPSEC VPN (RoadWarrior)
www.JumpingBean.co.za ­ Your Java and Linux Experts
Page 1 of 11
How to setup IPCOP IPSEC VPN (RoadWarrior)
This brief “how to” sets­out how to setup IPCOP and Linux clients to successfully connect to the openswan IPSEC based VPN that comes standard with IPCOP. Jumping Bean (www.jumpingbean.co.za) is a South African based, open­source, company specializing in Java/PHP applications and Linux/Open Source support. Many of our consultants are off site so we needed to enable them to connect to our internal network via VPN to fill out time­sheets etc. We used to use OpenVPN but wanted to try out IPSEC. This document is intended to help others successfully connect Linux clients via IPSEC to IPCOP server.
The document has two main section:
● Configuring IPCOP Server and
● Linux Client Setup
License
This documentation is provided under the GNU GPL.
Configuring IPCOP Server
If this guide to setup the server is not clear enough for you, please have a look at the IPCOP.org web site for links. There are quite a few “how tos” there for server setup, and it is not that difficult. There is very little information on the Linux client setup and this quide is mainly meant to fill that gap.
The only issue we had was setting up the connections. We needed to enable the “roadwarrior virtual ip” option under the advanced tab. (See below).
www.JumpingBean.co.za IPCOP Linux Setup
www.JumpingBean.co.za ­ Your Java and Linux Experts
Page 2 of 11
VPN Main Page
First you need to setup IPCOP correctly. Click on the VPNs=>VPN drop down box from the toolbar menu. You will see a screen like the one below. Global Settings
The first thing to fill out is the “Global Settings” panel. Under Global Setting you need to fill out:
●
●
●
Local vpn hostname/ip address: ­ The hostname or public IP of your firewall, (if this is incorrect you may get no RASSIG policy errors)
Enabled: ­ Click enabled to enable the VPN
Enable on Green/Red/Orange: ­ This is the network you wish to VPN into.
Certificate Authorities
Next setup the certificate authority (CA). This is necessary if you are going to use www.JumpingBean.co.za IPCOP Linux Setup
www.JumpingBean.co.za ­ Your Java and Linux Experts
Page 3 of 11
certificates, as opposed to shared secrets, for your users to connect. Using ca certificates is more secure and, in my opinion, the only way to go.
Click on the “Generate Root/Host Certificates” button. This will generate the certificates automatically. You will be prompted for information about the certificates. I did not take screen­shots of this part but it is quiet straight forward. Usually the most crucial field to get right is the “common name” or “cn” entry. Some ssl validators complain if the common name does not match the hostname so make it the same as your public hostname. It may work if it doesn't match but past experience has taught that ssl authentication can fail if they dont match. Better to just eliminate this possibility by making sure they match. After generating the certificate your screen should look like the one below.
www.JumpingBean.co.za IPCOP Linux Setup
www.JumpingBean.co.za ­ Your Java and Linux Experts
Page 4 of 11
The process creates a root (ca) certificate, used to sign connection and host certificates and a host certificate. Notice the blue floppy disk icon. You will use it later to download both the root (ca) certificate and the host certificate when setting up the client.
Connection Status and Control
Next we need to setup the connection certificates for users. Under connection status and control click the “Add” button. Select host­to­net Virtual Private Network (roadwarrior) in the screen that follows. You will then be presented with a screen asking for the details of the connection you are trying to create. This is pretty straight forward. The name field may be anything but we use the employee number for consistency. Fill in the network and subnet of the network you are trying to connect to (i.e. Green/orange or red.). This must match the actual subnet of the network you are connecting to otherwise the connection will not work.
www.JumpingBean.co.za IPCOP Linux Setup
www.JumpingBean.co.za ­ Your Java and Linux Experts
Page 5 of 11
During the setup you will be asked to enter a pass­phrase. This is used to encrypt your certificate. Please remember the phrase you used as you will need it later.
The key thing to do here, if you are setting up roadwarrior access, is to click on the “Advance” button. You will be presented with the screen below. It is important to enable the “roadwarrior virtual IP” option. If you don't your roadwarrior users will not be able to connect. You should also enable “Perfect Forward Security” if you say pfs= yes in your /etc/ipsec.conf file on the client machine. (see client setup)
www.JumpingBean.co.za IPCOP Linux Setup
www.JumpingBean.co.za ­ Your Java and Linux Experts
Page 6 of 11
After setting up the client connection your screen should look like this.
www.JumpingBean.co.za IPCOP Linux Setup
www.JumpingBean.co.za ­ Your Java and Linux Experts
Page 7 of 11
Notice the blue floppy disk icon. You will use this to download the connection certificate later.
Linux Client Setup.
We use various distros at our offices. This how­to was done using Fedora Core 5 but the steps below should work on any machine that runs Linux and Openswan. (I used the setup below on Suse too and it worked.) The file locations may be all that will change.
To setup the client you need to download the connection certificate, ca certificate and firewall host certificate from IPCOP. You can do this by clicking on the disc icon next to the entry on the VPN page. Save them somewhere easy to access.
Extract Connection Key and Public Certificate
The connection certificate is in pkcs12 format which is of no use to us. We need to extract the private key and public key for the connection from this file. We can use openssl to do this so make sure its installed.
Extract your public certificate
www.JumpingBean.co.za IPCOP Linux Setup
www.JumpingBean.co.za ­ Your Java and Linux Experts
Page 8 of 11
openssl pkcs12 ­clcerts ­nodes ­nokeys ­in /certs/client.p12 ­out client.pem
You will need to enter the password you locked your certificate with when you set them up in IPCOP.
Enter Import Password:
MAC verified OK
Extract your secret private key
openssl pkcs12 ­nodes ­nocerts ­in /certs/client.p12 ­out client.key
Enter the pass phrase you encrypted the cert with.
Enter Import Password:
MAC verified OK
You then need to copy the certificates to the locations below.
Copy the client.pem file to /etc/ipsec.d/certs
Copy the client.key fiel to /etc/ipsec.d/private
Copy the hostkey.pem (the firewalls host certificate) to /etc/ipsec.d/certs (downloaded from ipcop)
Copy the cacert.pem file to /etc/ipsec.d/cacerts/ (downloaded from ipcop)
You may now delete the pkcs12 format certificate.
You now need to setup your ipsec.conf file. This is the file I use on clients below.
# /etc/ipsec.conf ­ Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
www.JumpingBean.co.za IPCOP Linux Setup
www.JumpingBean.co.za ­ Your Java and Linux Experts
Page 9 of 11
# Please place your own config files in /etc/ipsec.d/ ending in .conf
# conforms to second version of ipsec.conf specification
# basic configuration
version 2.0
config setup
# Debug­logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=all
#plutodebug="control parsing"
plutodebug=all
nat_traversal=yes
interfaces="%defaultroute"
include /etc/ipsec.d/no_oe.conf
conn <connection_name> ===> change this to something useful.
authby=rsasig
pfs=yes ===> make sure you clicked the perfect forward security option when creating this connection on IPCOP
compress=yes
auto=add
left=%defaultroute
leftcert=/etc/ipsec.d/certs/client.pem
right=<public ip address of your ipcop firewall> ==> change this
rightcert=/etc/ipsec.d/certs/hostcert.pem
rightsubnet=192.168.10.0/255.255.255.0 ===> The subnet range. Same as the one you setup during the connection creation above.)
rightrsasigkey=%cert
leftrsasigkey=%cert
You need to setup your /etc/ipsec.secrets file as follows:
: RSA /etc/ipsec.d/private/client.key
You should now be able to connect via VPN to your office. You may have to start ipsec
www.JumpingBean.co.za IPCOP Linux Setup
www.JumpingBean.co.za ­ Your Java and Linux Experts
Page 10 of 11
/etc/init.d/ipsec start
Give it a minute to initialise then go
ipsec auto –up <connection name> ===> must match the connection name used in ipsec.conf
Troubleshooting:
If you are experiencing problems I suggest watching the syslog messages. You should select the debug options under “Global Setting” on IPCOP's VPN control panel to get verbose error messages. I usually ssh into the IPCOP box and then go tail ­f /var/log/messages
On the client side it depends if the messages are written to /var/log/messages of /var/log/secure. On fedora it is tail ­f /var/log/secure
This will usually give you an idea of what the problem is. On the client machine you can also run: ipsec verify I get the following output. Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on­path [OK]
Linux Openswan U2.4.4/K2.6.17­1.2187_FC5 (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
hostname: Unknown host
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking for 'ip' command [OK]
www.JumpingBean.co.za IPCOP Linux Setup
www.JumpingBean.co.za ­ Your Java and Linux Experts
Page 11 of 11
Checking for 'iptables' command [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption Support [DISABLED]
IP forwarding does not need to be enabled unless you have machine behind the vpn server. The issue about around /etc/ipsec.secrets can be ignored.
Some of the log messages I got while setting things up.
: initial Main Mode message received on XXX.XXX.XXX.XX:500 but no connection has been authorized with policy=RSASIG
This was due to the left=IP address in the file /etc/ipsec.conf on IPCOP being set incorrectly. In the “Global Setting” on the main control panel for VPN setup on the IPCOP machine make sure that the “Local vpn hostname/ip address” setting is set to the public ip of the IPCOP server. In our case I use the machines FQDN but our internal DNS server resolves this to a different (orange) address internally as opposed to the public DNS servers. We do this so we don't have to type different URLs when we out of the office as opposed to in the office. :). I fixed the problem by entering the public IP address.
The other problem we faced was enabling the “virtual ip” on the ipcop server under the connection setup's advanced options. Until we did this we got error messages about no match being found. Conclusion
I hope this helps others.
About Jumping Bean
Jumping Bean (www.jumpingbean.co.za) is a South African company that builds solutions our clients using open source components and Java/PHP. We offer support for ●
open source applications,
●
installation and configuration of Linux servers,
●
Java and PHP development,
●
Asterisk, Email and Small Business Server installation and support. www.JumpingBean.co.za IPCOP Linux Setup