Consider an IPSEC VPN in TUNNEL mode that uses the IKE protocol and ANONYMOUS access, as shown in the following figure.
Caution: The IPSEC connection works ONLY if the LAN to which the PC client is connected is different from the LAN of Abilis (e.g. in the previous case, if the PC client's IP address belongs to 192.168.1.0/24, the IPSEC connection doesn't work!).
Tip: Interesting chapters: Section 83.19.1, “How to configure a RAS using IPSEC VPN server”.
Set the IPSEC parameter to YES in the IP resource in which you want to encapsulate IPSEC packets (outgoing traffic). If you want to use the IP-2 resource (ADSL line), type:
```
[15:54:12] ABILIS_CPX:s p ip-2 ipsec:yes
COMMAND EXECUTED

[16:08:53] ABILIS_CPX:d p ip-2
RES:Ip-2 - IP over PPP (PPP) -------------------------------------------------- Run
DESCR:ADSL_line
OPSTATE:UP          LOG:NO              STATE-DETECT:NORMAL
LOWRES:Dsl-1        IPADD:RETRIEVE      NEIGH:RETRIEVE      REDIS:EXT
HIDE:NO             RP:NONE             IPSEC:YES           VRRP:NO
NAT:OUTSIDE         UPNP:NO             DIFFSERV:NO         DDNS:NO
OUTBUF:100          OUTQUEUE:FAIR       MTU:1500            OUTSPL:NO
INBUF:0             mru:1500            SRCV:NO
- TRFA section ---------------------------------------------------------
TRFA:NO
- Ppp ------------------------------------------------------------------
LOG:DS              NRTY3:3             PPP-ENC:RFC2364-VCMUX
RADIUS:NO           VPI:8               VCI:35
- Tcp-MSS/Lcp/IpCp -----------------------------------------------------
TCP-MSS-CLAMP:NO    maxmru:1500         DNS:NO
- Authentication -------------------------------------------------------
USERNAME:abilis     PASSWORD:********   LOCAL:CHAP,PAP      SERVNAME:
REMOTE:NONE         REPEAT:0
RES:Dsl-1 - Not Saved (SAVE CONF), Not Refreshed (INIT) -----------------------
------------------------------------------------------------------------
DESCR:
LOG:DST             MODE:ADSL           payload-rxbuf:30
- Specific for Abilis-VDSL2 modem --------------------------------------
MORE-ADSL-ANNEX:L,M
- Specific for Abilis-5800UB modem -------------------------------------
5800UB-MODULATION:AUTO
- Adsl-ATM -------------------------------------------------------------
max-vc:1            adsl-usb-rxbuf:3    adsl-usb-txbuf:1
- Vdsl-PTM -------------------------------------------------------------
vdsl-usb-rxbuf:15   vdsl-usb-txbuf:15
```
Caution: To activate the changes made, execute the initialization command init res:ip-2.
Add an IKE Host with Aggressive mode:
```
[16:06:36] ABILIS_CPX:a ike host:1 name:Windows_IKE2 mode:ike2
COMMAND EXECUTED
```
Give the host the following characteristics:
Local IP used for the VPN: 81.81.81.81;
IP resource used for the VPN: IP-2 (ADSL line);
No verification of the IP address of the client that tries to open the VPN;
Authentication method: RSA;
Diffie-Hellman group: MODP1024;
Extended authentication method: eap-mschap;
NAT type: INSIDE;
Local Distinguished Name: /CN=domain.adiens.it.
```
[16:16:33] ABILIS_CPX:s ike host:1 locip:81.81.81.81 remip:* side:inside auth:rsa id-type:cert dh:modp1024 auth2:eap-mschap auth2-user:vpn_user auth2-pwd:vpn_password cert-send:no asn1-dn:/CN=domain.adiens.it cert-peer:no cert-verify:no
COMMAND EXECUTED

[17:55:47] ABILIS_CPX:d ike host:1
- Not Saved (SAVE CONF), Not Refreshed (INIT) ---------------------------------
-------------------------------------------------------------------------------
HOST: NAME:           LIFETIME: HASH:  DPD:       DPD-ACTION:
      LOCIP:          NATT:   MODE:  MODE-CFG:  DH:       DPD-DELAY:
      REMIP:          SIDE:   AUTH:  AUTH2:     CIPHER:   SA-TRY:  DPD-TOUT:
      AUTH2-USER:     AUTH2-PWD:
      -- ID -------------------------------------------------------------------
      ID-TYPE:  IP:/ID:             PEER-ID-TYPE:  PEER-IP:/PEER-ID:
      -- RSA Cert -------------------------------------------------------------
      CERT-SEND:  ASN1-DN:              CERT-PEER:  PEER-ASN1-DN:  CERT-VERIFY:
-------------------------------------------------------------------------------
1     Windows_IKE2    3600      SHA1   YES        STOP
      081.081.081.081 YES     IKE2              MODP1024  30
      *               INSIDE  RSA    EAP-MSCHAP AES256    3        120
      vpn_user        ********
      -- ID -------------------------------------------------------------------
      CERT                          REMIP
      -- RSA Cert -------------------------------------------------------------
      NO          /CN=domain.adiens.it  NO                         NO
-------------------------------------------------------------------------------
```
Caution: To activate the changes made, execute the initialization command init res:ike.
Add an IKE client:
```
[16:29:57] ABILIS_CPX:a ike cli:1 name:Windows_IKE2_Cli
COMMAND EXECUTED
```
Give the client the following characteristics:
IP address of the server: 192.168.1.0/24; in IKEv2 most IPsec clients use the default route, i.e. 0.0.0.0/0.
IP address of the client: 192.168.200.1/32.
```
[16:30:15] ABILIS_CPX:s ike cli:1 host:1 net-loc:0.0.0.0/0 net-rem:192.168.200.1/32 pfs:no
COMMAND EXECUTED

[16:40:16] ABILIS_CPX:d ike cli:1
- Not Saved (SAVE CONF), Not Refreshed (INIT) ---------------------------------
-------------------------------------------------------------------------------
CLI:  NAME:              LIFETIME:  ESP:  AH:
      HOST:  NET-LOC:             RULE:   PASSIVE:  PFS:  ESP-AUTH:  AH-AUTH:
      NET-REM:             PERMANENT:  TUNNEL:  ESP-CIPHER:  MODE-CFG-DNS:
-------------------------------------------------------------------------------
1     Windows_IKEv2_Cli  28800      YES   NO
      1      000.000.000.000/00   IPSEC   YES       NO    SHA1       SHA1
      192.168.200.001/32   YES         YES      AES256       SYS
-------------------------------------------------------------------------------
```
Caution: To activate the changes made, execute the initialization command init res:ike.
An IKEv2 server requires a certificate to identify itself to clients. To help create the required certificate, the strongswan-pki package on Ubuntu comes with a utility called pki to generate a Certificate Authority and server certificates:
```
pki --gen --type rsa --size 4096 --outform pem > ca-key.pem
pki --self --ca --lifetime 3650 --in ca-key.pem --type rsa --dn "CN=VPN Abilis CA" --outform pem > ca-cert.pem
pki --gen --type rsa --size 4096 --outform pem > server-key.pem
pki --pub --in server-key.pem --type rsa | pki --issue --lifetime 3650 --cacert ca-cert.pem --cakey ca-key.pem --dn "CN=domain.adiens.it" --san 81.81.81.81 --flag serverAuth --flag ikeIntermediate --outform pem > server-cert.pem
```
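Before uploading the certificate, it is worth checking that it carries the identity the Windows clients will validate and that it matches the IKE host configured on Abilis. The following script is an added example, not part of the Abilis manual or of strongSwan: it assumes openssl is installed, and the expected CN and SAN (CN=domain.adiens.it, 81.81.81.81) mirror the pki commands above and the asn1-dn of the IKE host.

```shell
#!/bin/sh
# Added example (not part of the Abilis manual): check a strongSwan-issued server
# certificate before uploading it to Abilis. Assumes openssl is installed; the
# expected CN and SAN mirror the pki commands above and the asn1-dn of the IKE host.
# Usage: check_server_cert ca-cert.pem server-cert.pem domain.adiens.it 81.81.81.81
# Prints one line per check and returns 0 only if every check passes.
check_server_cert() {
    ca="$1"; cert="$2"; cn="$3"; ip="$4"; rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 1

    # 1. Chain: the cert must be issued by the CA the Windows clients will trust.
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "chain:   OK (issued by $ca)"
    else
        echo "chain:   FAIL (not issued by $ca)"; rc=1
    fi

    # 2. Subject: must equal the ASN1-DN configured on the IKE host (asn1-dn:/CN=...).
    subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    if [ "$subj" = "CN=$cn" ]; then
        echo "subject: OK ($subj)"
    else
        echo "subject: FAIL ($subj, expected CN=$cn)"; rc=1
    fi

    # 3. SAN: the address the clients dial (the host's LOCIP) must be an IP SAN.
    ipre=$(printf '%s' "$ip" | sed 's/\./\\./g')
    if printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' |
       grep -qE "IP Address:$ipre(,|$)"; then
        echo "san:     OK (IP Address:$ip)"
    else
        echo "san:     FAIL (no IP Address:$ip entry)"; rc=1
    fi

    # 4. EKU: serverAuth plus ikeIntermediate (OID 1.3.6.1.5.5.8.2.2), as set by
    #    pki --issue --flag serverAuth --flag ikeIntermediate; openssl prints the
    #    second one as a bare OID.
    eku=$(printf '%s\n' "$text" | grep -A1 'Extended Key Usage' | tail -n 1)
    if printf '%s\n' "$eku" | grep -q 'TLS Web Server Authentication' &&
       printf '%s\n' "$eku" | grep -qiE '1\.3\.6\.1\.5\.5\.8\.2\.2|ike ?intermediate'; then
        echo "eku:     OK ($eku)"
    else
        echo "eku:     FAIL ($eku)"; rc=1
    fi
    return $rc
}

# Run with the four arguments to check a certificate from the command line.
[ $# -eq 4 ] && check_server_cert "$@"
```

A non-zero exit means at least one property differs from what the IKE host expects, which is the usual cause of clients rejecting the server identity during IKE_AUTH.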
The server-cert.pem and server-key.pem files must be uploaded to the C:\APP\X509\LOCAL\ folder. The upload can be done using the file put command (with Z-MODEM) or the FTP resource.
After uploading the files to Abilis, execute the initialization command init res:x509.
To verify that the certificate has been loaded correctly, use this command:
```
[16:40:16] ABILIS_CPX:debug res:x509 lsn:4
RES:X509 ----------------------------------------------------------------------
X509_certificate_manager
BufferLength:64512 Date/Time:21/11/2024 16:40:16 TraceTime:<NotRunning>
------------------------------------------------------------------------------
Certification Authorities (CA) table (0):
------------------------------------------------------------------------------
table is empty
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Peers certificates table (0):
------------------------------------------------------------------------------
table is empty
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Local certificate and RSA private key table (1):
------------------------------------------------------------------------------
1 file: server-cert
subj: /CN=domain.adiens.it
------------------------------------------------------------------------------
```
On the Windows machine, instead, you need to install the certificate from the ca-cert.pem file. Rename the file with a .cer extension to make it easier to install on Windows.
Ensuring that outgoing IPSEC packets are routed toward the appropriate resource is important.
Add a static route for the remote network (in our situation only for the host 192.168.200.1/32) towards the IP-2 resource (specifying the gateway if needed).
```
[16:51:32] ABILIS_CPX:a ipr net:192.168.200.1/32 ip:2
COMMAND EXECUTED

[16:52:17] ABILIS_CPX:d ipr
Destination routes and conditional source routes:
+-+-+-+-+--------------------+--------------------+-----------------+----+---+
|B|P|S|H| NET:/MASK:         | MASK: or           | GW: or          |IP: |AD:|
| | | | | SRNET:/SRMASK:     | IPLB               |                 |    |   |
+-+-+-+-+--------------------+--------------------+-----------------+----+---+
|*|C| | | 081.081.081.081/32 | 255.255.255.255    |                 |R-ID|  0|
|*|C| | | 192.168.000.000/24 | 255.255.255.000    |                 |   1|  0|
|*|S| | | 192.168.200.001/32 | 255.255.255.255    |                 |   2|  1|
|*|S| | | 000.000.000.000/0  | 000.000.000.000    |                 |   2|  1|
+-+-+-+-+--------------------+--------------------+-----------------+----+---+
```