Router Installation and Configuration Manual/Configuring Services: IPSec VPN Menu

From ImageStream Router Documentation

< Router Installation and Configuration Manual(Difference between revisions)
Jump to: navigation, search
(Changes for 4.4)
 
(28 intermediate revisions not shown)
Line 1: Line 1:
-
:This chapter describes how to configure the IPSec Virtual Private Network (VPN) service on the ImageStream Router.   IPSec is a Internet Protocol Security.  It uses strong cryptography to provide both authentication and encryption services.  Authentication ensures that packets are from the proper sender and have not been altered in transit.  Encryption prevents unauthorized reading of packet contents.  
+
:This chapter describes how to configure the IPSec Virtual Private Network (VPN) service on the <brand info="co_short_name" /> Router. IPSec is a Internet Protocol Security.  It uses strong cryptography to provide both authentication and encryption services.  Authentication ensures that packets are from the proper sender and have not been altered in transit.  Encryption prevents unauthorized reading of packet contents.  
:These services allow you to build secure tunnels through untrusted networks, such as a public Frame Relay network or Internet backbone network.  All traffic passing through the untrusted network is encrypted by the IPSec gateway and decrypted by the gateway at the other end. The result is Virtual Private Network or VPN. This is a network which is effectively private even though it includes machines at several different sites connected by an insecure network.  This chapter outlines a simple network-to-network connection.  
:These services allow you to build secure tunnels through untrusted networks, such as a public Frame Relay network or Internet backbone network.  All traffic passing through the untrusted network is encrypted by the IPSec gateway and decrypted by the gateway at the other end. The result is Virtual Private Network or VPN. This is a network which is effectively private even though it includes machines at several different sites connected by an insecure network.  This chapter outlines a simple network-to-network connection.  
-
 
+
:[[Image:IPSec_VPN.png|500px|]]
-
'''Picture Under Construction'''''Italic text''
+
:More advanced configurations are possible.  This chapter includes the following topics:  
:More advanced configurations are possible.  This chapter includes the following topics:  
-
 
+
 
-
:::* Configuring the IPSec VPN service  
+
:* Configuring the IPSec VPN service  
-
:::* Enabling the IPSec VPN service at boot-time  
+
:* Enabling the IPSec VPN service at boot-time  
-
:::* Disabling the IPSec VPN service at boot-time
+
:* Disabling the IPSec VPN service at boot-time
-
:::* Starting the IPSec VPN service  
+
:* Starting the IPSec VPN service  
-
:::* Stopping the IPSec VPN service
+
:* Stopping the IPSec VPN service
   
   
:After logging in, the main menu is displayed (your menu may look slightly different):  
:After logging in, the main menu is displayed (your menu may look slightly different):  
Line 28: Line 27:
       0. Log off  
       0. Log off  
-
:Select the “Configuration menu”  by pressing 1 and '''Enter'' to configure the router.  The next menu should appear (your menu may look slightly different):
+
:Select menu option 1, Configuration menu, and press '''Enter''' to configure the router.  The Configuration menu should appear (your menu may look slightly different):
   
   
       Configuration menu  
       Configuration menu  
Line 40: Line 39:
       0. ISis-Router main menu  
       0. ISis-Router main menu  
-
:Select the “Service configuration” menu by pressing 5 and '''Enter''' to configure the router’s service configuration settings (again, your menu may look slightly different):  
+
:Select menu optioin 5, Service configuration, and press '''Enter''' to configure the router's service configuration settings.  The Service configuration menu will be displayed (again, your menu may look slightly different):  
       Service configuration  
       Service configuration  
Line 53: Line 52:
       0. Configuration menu  
       0. Configuration menu  
-
:Select the “IPSec VPN” menu by pressing 4 and '''Enter''' to configure the router’s IPSec VPN settings (again, your menu may look slightly different):  
+
:Select menu option 4, IPSec VPN, and press '''Enter''' to configure the router's IPSec VPN settings.  The IPSec VPN menu will be displayed (again, your menu may look slightly different):  
       IPSec VPN (Free S/Wan), (stopped)  
       IPSec VPN (Free S/Wan), (stopped)  
Line 69: Line 68:
:Refer to the VPN diagram above or Glossary if you do not understand the terms used in the table below.  Before attempting to complete your VPN configuration, you should have the following information ready:  
:Refer to the VPN diagram above or Glossary if you do not understand the terms used in the table below.  Before attempting to complete your VPN configuration, you should have the following information ready:  
-
==='''IPSEC VPN PRE-CONFIGURATION INFORMATION'''===
+
===IPSEC VPN Pre-Configuration Information===
:IPSec VPN Pre-Configuration Information  
:IPSec VPN Pre-Configuration Information  
-
:Ensure that you have the following information ready before you start configuring the VPN
+
:Ensure that you have the following information ready before you start configuring the VPN.
-
Parameter Where to find it
+
-
Left side VPN device Network diagram
+
{| border = "1" style="text-align:center"
 +
! Parameter  !!  Where to find  !!  Description
 +
|-
 +
! Left Side VPN device
 +
| Network Diagram || The Router on the left side of the VPN tunnel diagram.  This router will always be the "left: side endpoint for the purposes of configuring a VPN connection
 +
|-
 +
! Right Side VPN device
 +
| Network Diagram || The on the right side of the VPN tunnel diagram.  This router will always be the "right" side endpoint for the purposes of configuring a VPN connection
 +
|-
 +
! Left and Right Side Network devices
 +
| Network Diagram || The LAN or WAN interfaces used as the endpoints of the VPN tunnel.  These devices are typically the WAN or LAN devices closest to the external network and not internal LAN or WAN devices
 +
|-
 +
! Left and Right Side IP addresses
 +
| Line Provider or Network Administrator || The left and right side IP addresses will be IP addresses of the left and right side network devices used for the VPN tunnel endpoints
 +
|-
 +
! Left and Right Side Next Hop address
 +
| Line Provider or Network Administrator || The left and right side next hop address will be the gateway addresses for the VPN tunnel endpoints
 +
|-
 +
! Left and Right Side Subnets
 +
| Network Diagram or Network Administrator || The left and right side subnets will be the networks to be connected across the VPN tunnel.  These subnets must be non-overlapping
 +
|- 
 +
|}
 +
===Using the Built-in Automated Script to Configure a VPN Tunnel ===
 +
:To configure a simple IPSec VPN, select menu option 3, Configure a basic IPSec VPN, and press'''Enter'''.  This will start an interactive script that displays the following:
 +
Now generating a key for this host (May take some time)...done.
 +
Please see the <brand info="co_short_name" /> Technical Support Web site
 +
or the <brand info="co_short_name" /> Router Installation Guide
 +
for details on the information requested by this script.
 +
:The router will have generated a signature key used to authenticate the VPN connection.  The router will then display the following:
 +
Will this router be the [L]eft or [R]ight side tunnel endpoint (L/r) ?
 +
:Enter the correct side for this router.  The left and right side designations are not relative to the router.  This router will always be either the left side or right side router.  Use your network diagram to determine whether this router will act as the left or right side router. For example, if you want to configure this router as the left side router, enter L and '''Enter''' at this prompt.
-
Right side VPN device Network diagram
+
:The router will then ask you to confirm your choice. In the example below, we have accepted the default configuration and set this router as the left side router:
-
   
+
-
Description
+
-
The router on the left side of the VPN tunnel diagram.
+
This router will be configured as the left side for this IPSec configuration.   Is this correct (Y/n) :
-
This router will always be  
+
-
the “left” side endpoint for the purposes of configuring a VPN connection.
+
-
The router on the right side of the VPN tunnel diagram. This router will always be the “right” side endpoint for the purposes of configuring a VPN connection.
+
:If these values are correct, press 'Y' or leave the entry blank and press '''Enter'''.  If you have made a mistake, press 'N' and '''Enter''' and the router will reprompt you for the information.  
-
Left and right side network Network diagram The LAN or WAN interfaces
+
-
devices used as the endpoints of the
+
-
VPN tunnel.  These devices
+
-
are typically the WAN or
+
-
LAN devices closest to the
+
-
external network and not
+
-
internal LAN or WAN
+
-
devices.
+
-
Left and right side IP Line Provider or network
+
-
addresses administrator
+
 +
:If you pressed 'Y' or '''Enter'' the following script will be displayed:
 +
 +
Retrieving the public RSA key for this router...done
 +
 +
:The router will retrieve the public signature key generated earlier.  This key will be used in the IPSec configuration file and as part of the authentication process with the other router.
 +
 +
:The router will then display:
 +
What interface will this router use as the VPN device (default: Ethernet0) ?
 +
:At this prompt, enter the interface you want to use as the VPN device.  Typically, this will be the device closest to the upstream Internet connection on your network.  You can press '''Enter''' to accept the default value, or enter a device name.  For example, to use Serial0 as the VPN device, enter '''Serial0''' at this prompt and press Enter.
-
Left and right side next hop Line Provider or network
+
:The router will then ask you to confirm your choice.  In the example below, we have set Serial0 as the VPN device:
-
addresses administrator
+
 +
This router will use Serial0 as the VPN device for this IPSec configuration.  Is this correct (Y/n) :
-
Left and right side subnets Network diagram or network
+
:If these values are correct, press 'Y' or leave the entry blank and press '''Enter'''.  If you have made a mistake, press 'N' and '''Enter''' and the router will reprompt you for the information.
-
administrator
+
   
   
-
The left and right side IP
+
:If you pressed 'Y' or Enter, the following script will be displayed:
-
addresses will be the IP
+
-
addresses of the left and
+
-
right side network devices
+
-
used for the VPN tunnel
+
-
endpoints.
+
-
The left and right side next hop addresses will be the gateway addresses for the VPN tunnel endpoints.
+
What is the IP address of Serial0 used for IPSec?
-
The left and right side
+
-
subnets will be the networks
+
-
to be connected across the
+
-
VPN tunnel.  These subnets
+
-
must be non-overlapping
+
 +
:Enter the primary or secondary IP address used for the VPN tunnel endpoint.  For example, to use 192.168.8.1 as the IP address for this side, enter '''192.168.8.1''' at this prompt and press Enter.
 +
:The router will then ask you to confirm your choice.  In the example below, we have entered 192.168.8.1:
-
===Using the built-in automated script to configure a VPN tunnel ===
+
  This router will use 192.168.8.1 as the IP address for this IPSec configuration.  Is this correct (Y/n) :  
-
To configure a simple IPSec VPN, select the “Configure a basic IPSec VPN” menu
+
-
option by pressing 3 on the keyboard and pressing Enter. This will start an interactive script that displays:  
+
-
Now generating a key for this host (May take some time)...done. Please see the ImageStream Technical Support Web site
+
:If these values are correct, press 'Y' or leave the entry blank and press '''Enter'''.  If you have made a mistake, press 'N' and '''Enter''' and the router will reprompt you for the information.
-
or the ImageStream Router Installation Guide
+
-
for details on the information requested by this script.  
+
:If you pressed 'Y' or Enter, the following script will be displayed:  
-
The router will have generated a signature key used to authenticate the VPN connection.  The router will then display:  
+
-
Will this router be the [L]eft or [R]ight side tunnel endpoint (L/r) ?
+
-
Enter the correct side for this router.  The left and right side designations are not relative to the router.  This router will always be either the left side or right side router.  Use your network diagram to determine whether this router will act as the left or right side router. For example, if you want to configure this router as the left side router, enter L at this
+
What is the next hop address for this router?
-
prompt and press Enter.
+
-
The router will then ask you to confirm your choice.  In the example below, we have accepted the default configuration and set this router as the left side:
+
-
This router will be configured as the left side for this IPSec configuration.   Is this correct (Y/n) :
+
:Enter the gateway IP address for this VPN tunnel endpoint.  This address should be the one used by the router when traffic leaves the router for the other VPN tunnel endpoint. For example, to use 192.168.8.2 as the IP address for this side, enter '''192.168.8.2''' at this prompt and press '''Enter'''.
-
If these values are correct, press Y or leave the entry blank and press Enter.  If you have made a mistake, press N and Enter and the router will reprompt you for the
+
:The router will then ask you to confirm your choice. In the example below, we have entered 192.168.8.2:
-
information.  
+
-
The script will then display:
+
-
Retrieving the public RSA key for this router...done
+
-
The router will retreive the public signature key generated earlier. This key will be used
+
This router will use 192.168.8.2 as the next hop address for this IPSec configuration.   Is this correct (Y/n) :  
-
in the IPSec configuration file and as part of the authentication process with the other
+
-
router.  
+
-
The router will then display:  
+
-
What interface will this router use as the VPN device (default: Ethernet0) ?
+
:If these values are correct, press 'Y' or leave the entry blank and press '''Enter'''.  If you have made a mistake, press 'N' and '''Enter''' and the router will reprompt you for the information.
-
At this prompt, enter the interface you want to use as the VPN device.  Typically, this
+
:The following script will then displayed:  
-
will be the device closest to the upstream Internet connection on your network.  You can press Enter to accept the default value, or enter a device name.  For example, to use Serial0 as the VPN device, enter Serial0 at this prompt and press Enter.
+
-
The router will then ask you to confirm your choice.  In the example below, we have set Serial0 as the VPN device:  
+
-
This router will use Serial0 as the VPN device for this IPSec configuration.   Is this correct (Y/n) :  
+
What is the subnet on this router that is to be accessible across the VPN?
 +
 +
For the next question, please enter the value in the format of "ipnetwork/bitmask"
 +
 +
For example, the Class C 192.168.1.x would be entered as 192.168.1.0/24.
 +
 +
Enter the subnet on this router to be accessible across the VPN :  
-
If these values are correct, press Y or leave the entry blank and press Enter.  If you have made a mistake, press N and Enter and the router will reprompt you for the  
+
:Enter the subnet address for this side of the VPN tunnelThis subnet should be the network you want to make accessible from the other side of the VPN tunnel. For example, to use 192.168.1.0/24 as the subnet for this side, enter '''192.168.1.0/24''' at this prompt and press '''Enter'''.
-
information.  
+
-
Based on our example above, the script will then display:
+
-
What is the IP address of Serial0 used for IPSec?
+
-
Enter the primary or secondary IP address used for the VPN tunnel endpointFor
+
:The router will then ask you to confirm your choiceIn the example below, we have entered 192.168.1.0/24:
-
example, to use 192.168.8.1 as the IP address for this side, enter 192.168.8.1 at this prompt and press Enter.  
+
-
The router will then ask you to confirm your choice.  In the example below, we have entered 192.168.8.1:  
+
This router will use 192.168.1.0/24 as the subnet on this router to be accessible across the VPN.
 +
  Is this correct (Y/n) :  
-
This router will use 192.168.8.1 as the IP address for this IPSec configuration.   Is this correct (Y/n) :
+
:If these values are correct, press 'Y' or leave the entry blank and press '''Enter'''. If you have made a mistake, press 'N' and '''Enter''' and the router will reprompt you for the information.  
-
If these values are correct, press Y or leave the entry blank and press Enter.  If you have made a mistake, press N and Enter and the router will reprompt you for the  
+
:Once you have entered the correct values for the first side, the router will then prompt you for the information on the other side of the VPN tunnel.  Again, remember that the left and right side designations are not relative to the router.  The left side router will always be the left side router and vice versa.
-
information.
+
-
Based on our example above, the script will then display:
+
-
What is the next hop address for this router?
+
-
Enter the gateway IP address for this VPN tunnel endpoint. This address should be the one used by the router when traffic leaves the router for the other VPN tunnel endpoint. For example, to use 192.168.8.2 as the IP address for this side, enter 192.168.8.2 at this prompt and press Enter.  
+
:If enter 'Y' or pressed '''Enter''' the router will display:
 +
 +
  Next, we will enter the values for the right side router...  
-
The router will then ask you to confirm your choice. In the example below, we have entered 192.168.8.2:
+
:The router will then prompt you for the identical information for the other side of the VPN tunnel. Please refer to the above section for assistance in answering the questions.  
-
This router will use 192.168.8.2 as the next hop address for this IPSec configuration.  Is this correct (Y/n) :  
+
:Once you have entered the values for the other endpoint, the router, based on our example, will display:  
-
If these values are correct, press Y or leave the entry blank and press Enter. If you have made a mistake, press N and Enter and the router will reprompt you for the  
+
  If the right side router is <brand info="co_short_name" />, do you want to attempt to get the right side router's public RSA key automatically? (Y/n) :  
-
information.
+
-
The script will then display:  
+
-
What is the subnet on this router that is to be accessible across the VPN?
+
:If the remote router is <brand info="co_short_name" />, you can configure it for the IPSec VPN connection automatically.  To use this feature, the router you are configuring must have a network connection to the remote router and the remote router must have a signature key already generated.  If you want to attempt to get the remote router's public key, press 'Y' or leave the entry blank and press '''Enter'''.  If the remote router is not <brand info="co_short_name" />, or if you do not have access or a connection to it, press 'N' and '''Enter''' and the script will not attempt to automatically configure the remote router.
-
For the next question, please enter the value in the format of "ipnetwork/bitmask"
+
===Auto Configuring a VPN Tunnel on a Remote <brand info="co_short_name" /> Router===
 +
:If you have entered Y or left the entry blank and pressed '''Enter''' when prompted to get the remote router's public RSA key, the router will prompt you for the IP address of the remote router:
-
For example, the Class C 192.168.1.x would be entered as 192.168.1.0/24.
+
Enter the IP address of the right side router :  
-
Enter the subnet on this router to be accessible across the VPN :  
+
-
Enter the subnet address for this side of the VPN tunnel.  This subnet should be the  
+
:Enter the IP address of the remote router.  This address must be accessible to the local router, and the remote router must have SSH enabled and accessible.  If you enter an address that is not accessible, or your connection hangs, you will have an opportunity to terminate the connectionIn the example below, we have entered 192.168.100.140 as the remote router:
-
network you want to make accessible from the other side of the VPN tunnelFor
+
-
example, to use 192.168.1.0/24 as the subnet for this side, enter 192.168.1.0/24 at this prompt and press Enter.  
+
Attempting to contact the right side router...
 +
Press Control-\ at any time to interrupt the connection process. Attempting to contact the right side router.
 +
You will be prompted for the password...
 +
Warning: Permanently added '192.168.100.140' (RSA) to the list of known hosts.
 +
root@192.168.100.140's password:
-
The router will then ask you to confirm your choiceIn the example below, we have entered 192.168.1.0/24:  
+
:Enter the password for the remote router and press Enter. The script will then download the remote router's RSA signature key for use in the VPN configuration processThe router will then display following, based on our example:  
-
This router will use 192.168.1.0/24 as the subnet on this router to be accessible across the VPN.   Is this correct (Y/n) :
+
ipsec.secrets 100% |*** ***| 3814 00:00
 +
Retrieving the public RSA key for the right side router...done Successfully retrieved public RSA key.
 +
Now creating the tunnel configuration for this router...done
-
If these values are correct, press Y or leave the entry blank and press Enter. If you have made a mistake, press N and Enter and the router will reprompt you for the  
+
:If there is an error retrieving the key, either because an incorrect IP address was given or the "ipsec.secrets" file was not located, the router will display the following:
-
information.
+
-
Once you have entered the correct values for the first side, the router will then prompt you for the information on the other side of the VPN tunnel.  Again, remember that the left and right side designations are not relative to the router.   The left side router will always be the left side router and vice versa.
+
Unable to locate the IPSec keyfile on the right side router. You must generate a key on the remote router!
 +
Would you like to try again? (Y/n) :
-
In the example above, the router will display:
+
:You can generate an RSA signature key on the remote router, or check the connection to the remote router and try again by pressing 'Y' or by leaving the entry blank and pressing '''Enter'''.  Pressing 'N' and '''Enter''' will put the router in manual configuration mode. Please see the section below on manual configuration of a VPN tunnel.  
-
Next, we will enter the values for the right side router...  
+
-
The router will then prompt you for the identical information for the other side of the VPN tunnel.  Please refer to the above section for assistance in answering the questions.
+
:The router will then prompt you to configure the remote <brand info="co_short_name" /> router, assuming that the RSA signature key was retrieved successfully:
-
Once you have entered the values for the other endpoint, the router, based on our example, will display:  
+
The right side router is an ImageSteam router.  Do you want to attempt to configure the right side router also? (Y/n) :  
-
If the right side router is an ImageStream router, do you want to attempt to get the right side router's public RSA key
+
:If you want to attempt to configure the remote router for the VPN tunnel, press 'Y' or leave the entry blank and press '''Enter'''.  If you do not want to configure the remote router, press 'N' and '''Enter''' and the script will not attempt to automatically configure the remote router.
-
automatically? (Y/n) :
+
-
If the remote router is an ImageStream router, you can configure it for the IPSec VPN connection automatically.  To use this feature, the router you are configuring must have a network connection to the remote router and the remote router must have a signature key already generated.  If you want to attempt to get the remote router’s public key, press Y or leave the entry blank and press Enter.  If the remote router is not an
+
:If you pressed 'Y' or '''Enter''' the router will then display the following, based on our example:
-
ImageStream router, or if you do not have access or a connection to it, press N and Enter and the script will not attempt to automatically configure the remote router.
+
-
===Autoconfiguring a VPN tunnel on a remote ImageStream router===
+
Now creating the tunnel configuration for the right side router...done
-
If you have entered Y or left the entry blank and pressed Enter when prompted to get the remote router’s public RSA key, the router will prompt you for the IP address of the remote router:
+
Attempting to contact the right side router.  You will be prompted for the password...
-
Enter the IP address of the right side router :  
+
Press Control-\ at any time to interrupt the connection process. root@192.168.100.140's password:  
-
Enter the IP address of the remote router.  This address must be accessible to the local router, and the remote router must have SSH enabled and accessible. If you enter an
+
:Enter the password for the remote router and press '''Enter'''. The script will then upload the proper VPN configuration file to the remote router.   The router will then display:  
-
address that is not accessible, or your connection hangs, you will have an opportunity to terminate the connection.  In the example below, we have entered 192.168.100.140 as
+
-
the remote router:
+
-
Attempting to contact the right side router...
+
-
Press Control-\ at any time to interrupt the connection process. Attempting to contact the right side router.  You will be
+
-
prompted for the password...
+
-
Warning: Permanently added '192.168.100.140' (RSA) to the list of known hosts.
+
-
root@192.168.100.140's password:  
+
-
Enter the password for the remote router and press Enter. The script will then download the remote router’s RSA signature key for use in the VPN configuration process. The router will then display, based on our example:
+
  ipsec.conf-right 100% |*** *| 1581 00:00
-
ipsec.secrets 100% |*** ***| 3814 00:00
+
Successfully copied the configuration file to the right side router.  
-
Retrieving the public RSA key for the right side router...done Successfully retrieved public RSA key.
+
-
Now creating the tunnel configuration for this router...done
+
You must start the IPSec service before your configuration will be active.  
 +
Remember to save your configuration to flash, or the changes made in the IPSec configuration file will be lost.  
 +
 +
Press enter/return to quit
-
If there is an error retreiving the key, either because an incorrect IP address was given or the ipsec.secrets file was not located, the router will display:  
+
:If you have entered 'N' when prompted to configure the remote router, the script will save a copy of the remote configuration and display:  
-
Unable to locate the IPSec keyfile on the right side router. You must generate a key on the remote router!
+
A copy of the configuration file for the right side router has been saved in: /tmp/ipsec.conf-right
-
Would you like to try again? (Y/n) :
+
 +
You must start the IPSec service before your configuration will be active. 
 +
Remember to save your configuration to flash, or the changes made in the IPSec configuration file will be lost.
 +
 +
Press enter/return to quit
-
You can generate an RSA signature key on the remote router, or check the connection to the remote router and try again by pressing Y or by leaving the entry blank and
+
:If the remote router is an <brand info="co_short_name" /> router or uses a FreeSwan implementation, you will find a copy of the configuration for that router in the /tmp directory.   A copy of the local router's configuration, based on your entries, has been saved on the local router. Using this script does not start the IPSec service, nor will it enable the service on boot.  Use the IPSec menu to start or stop IPSec or to enable or disable the service at boot- time.  
-
pressing Enter. Pressing N and Enter will put the router in manual configuration mode. Please see the section below on manual configuration of a VPN tunnel.  
+
-
The router will then prompt you to configure the remote ImageStream router, assuming that the RSA signature key was retreived successfully:  
+
:'''Note: You must save the settings to the router's non-volatile flash memory! If the router is rebooted before saving, your changes will be lost!  See the Chapter 26, "Manual/Backup/Restore Menu: Managing Configurations" for more information.'''
-
The right side router is an ImageStream router.  Do you want to attempt to configure the right side router also? (Y/n) :
+
-
If you want to attempt to configure the remote router for the VPN tunnel, press Y or
+
-
leave the entry blank and press Enter. If you do not want to configure the remote
+
-
router, press N and Enter and the script will not attempt to automatically configure the remote router.
+
-
The router will then display, based on our example:  
+
-
Now creating the tunnel configuration for the right side router...done
+
-
Attempting to contact the right side router.  You will be prompted for the password...
+
-
Press Control-\ at any time to interrupt the connection process. root@192.168.100.140's password:
+
-
Enter the password for the remote router and press Enter. The script will then upload the proper VPN configuration file to the remote router.  The router will then display:
+
===Selecting manual configuration for a VPN tunnel ===
-
ipsec.conf-right 100% |*** *| 1581 00:00
+
:If you have entered 'N' when prompted to get the remote router's public RSA key, the router will proceed with manual entry of the VPN tunnel configuration and will display the following, based on our example above:
-
Successfully copied the configuration file to the right side router.
+
-
You must start the IPSec service before your configuration will be active.  Remember to save your configuration to flash, or the changes made in the IPSec configuration file will be lost.
+
-
Press enter/return to quit
+
-
If you have entered N when prompted to configure the remote router, the script will save a copy of the remote configuration and display:
+
Proceeding with manual entry...
 +
Please paste the public key from the right side router. Include only the key and NO other characters
 +
When you are finished, press Enter/Return, then press Control-D
-
A copy of the configuration file for the right side router has been saved in: /tmp/ipsec.conf-right
+
:Enter the public RSA key only with no other special characters or values.  The router will automatically remove any line breaks from the input.  If you are pasting the public key from another <brand info="co_short_name" /> router or a FreeSWan implementation, do not include the "pubkey=" when you paste the value. If you are using a standard key, it will look similar to:
-
You must start the IPSec service before your configuration will be active.  Remember to save your configuration to flash, or the changes made in the IPSec configuration file will be lost.
+
0sAQNnhVz28e6wHj0IAJzQQiJOTYKfE/+zJbLr86ZbJjfGNMP4gXLm3pf4XFYLCqH
-
Press enter/return to quit
+
bpYYQoYAq1GJiyTUnXe4k0glELTIqLCoM46U6AwRu9g1hA/NSnHPQD2KF+tlwKGY
-
If the remote router is an ImageStream router or uses a FreeSWan implementation, you
+
G3tD0pu79q6ks+52p7FO8UzdRxUvSYGtP0bs4XQnB1ZeT8g5uyt7ugmlYZh72W5Xe
-
will find a copy of the configuration for that router in the /tmp directory.  A copy of the
+
qR7LCji29h5n2rR64WG385TiNPG60VOmyNHHKzhrR0IDs39hgxezNLW4QeVwb4SX6
-
local router’s configuration, based on your entries, has been saved on the local router.
+
/eYZUXGKv2R56R804OTZ0PyzlYQumMzB/KtUBfbwmAKGBAZTY5ODhwQYVL2LrW/Zg
-
Using this script does not start the IPSec service, nor will it enable the service on boot.
+
3AAyhkn4lvcEfY8sV316H
-
Use the IPSec menu to start or stop IPSec or to enable or disable the service at boot-
+
-
time.
+
-
Note: You must save the settings to the router’s non-volatile flash memory! If the router is rebooted before saving, your changes will be lost!  See the chapter
+
:The key for your routers will be unique and will not match the above example. Press '''Enter''' and then press '''Control-D''' when you are finished entering the key.  The router will then process your input and display the following, based on our example:  
-
“Backup/Restore Menu: Managing Configurations” for more information.
+
 +
Successfully parsed right side public RSA key.
 +
Now creating the tunnel configuration for this router...done
 +
A copy of the configuration file for the right side router has been saved in: /tmp/ipsec.conf-right
 +
 +
You must start the IPSec service before your configuration will be active. 
 +
Remember to save your configuration to flash, or the changes made in the IPSec configuration file will be lost.
 +
 +
Press enter/return to quit
-
===Selecting manual configuration for a VPN tunnel ===
+
:If the remote router is an <brand info="co_short_name" /> router or uses a FreeSwan implementation, you will find a copy of the configuration for that router in the /tmp directory.  A copy of the local router's configuration, based on your entries, has been saved on the local router. Using this script does not start the IPSec service, nor will it enable the service on boot. Use the IPSec menu to start or stop IPSec or to enable or disable the service at boot-time.
-
If you have entered N when prompted to get the remote router’s public RSA key, the router will proceed with manual entry of the VPN tunnel configuration and will display, based on our example above:
+
-
Proceeding with manual entry...
+
-
Please paste the public key from the right side router. Include only the key and NO other characters
+
-
When you are finished, press Enter/Return, then press Control-D
+
-
Enter the public RSA key only with no other special characters or values.  The router  
+
:'''Note: You must save the settings to the router's non-volatile flash memory! If the router is rebooted before saving, your changes will be lost!  See the Chapter 26, "Manual/Backup/Restore Menu: Managing Configurations" for more information.'''
-
will automatically remove any line breaks from the input. If you are pasting the public
+
-
key from another ImageStream router or a FreeSWan implementation, do not include
+
-
the “pubkey=” when you paste the value.  If you are using a standard key, it will look
+
-
similar to:  
+
-
0sAQNnhVz28e6wHj0IAJzQQiJOTYKfE/+zJbLr86ZbJjfGNMP4gXLm3pf4XFYLCqH bpYYQoYAq1GJiyTUnXe4k0glELTIqLCoM46U6AwRu9g1hA/NSnHPQD2KF+tlwKGYO G3tD0pu79q6ks+52p7FO8UzdRxUvSYGtP0bs4XQnB1ZeT8g5uyt7ugmlYZh72W5Xe qR7LCji29h5n2rR64WG385TiNPG60VOmyNHHKzhrR0IDs39hgxezNLW4QeVwb4SX6 /eYZUXGKv2R56R804OTZ0PyzlYQumMzB/KtUBfbwmAKGBAZTY5ODhwQYVL2LrW/Zg 3AAyhkn4lvcEfY8sV316H
+
===Managing the IPSec Service===
 +
:Once you have exited the script by pressing Enter, the router will return you to the IPSec menu:
-
The key for your routers will be unique and will not match the above example. Press
+
      IPSec VPN (Free S/Wan), (stopped)
-
Enter and then press Control-D when you are finished entering the key. The router will then process your input and display, based on our example:
+
      1. Configure IPSec (Free S/Wan)
-
Successfully parsed right side public RSA key.  
+
      2. Generate a new Signature Key
-
Now creating the tunnel configuration for this router...done
+
      3. Configure a basic IPSec VPN
-
A copy of the configuration file for the right side router has been saved in: /tmp/ipsec.conf-right
+
      4. Enable IPSec on boot
-
You must start the IPSec service before your configuration will be active.   Remember to save your configuration to flash, or the changes made in the IPSec configuration file will be lost.  
+
      5. Disable IPSec on boot
 +
      6. Start IPSec  
 +
      7. Stop IPSec  
 +
      0. Service configuration
-
Press enter/return to quit
+
===Enabling IPSec at Boot-time ===
 +
:4. Enable IPSec on boot
-
If the remote router is an ImageStream router or uses a FreeSWan implementation, you
+
:Selecting this menu option enables the IPSec service when the router is booted. This does not start the IPSec service on the router if it is not running, unless the router is rebooted first.  By default, IPSec is disabled on boot. To enable IPSec at boot-time, select this menu option by pressing 2 and '''Enter'''. The router will display the following message:
-
will find a copy of the configuration for that router in the /tmp directory.   A copy of the
+
-
local router’s configuration, based on your entries, has been saved on the local router.
+
-
Using this script does not start the IPSec service, nor will it enable the service on boot.  
+
-
Use the IPSec menu to start or stop IPSec or to enable or disable the service at boot-
+
-
time.  
+
-
Note: You must save the settings to the router’s non-volatile flash memory!  If the router is rebooted before saving, your changes will be lost!  See the chapter
+
      ipsec enabled on boot.  
-
“Backup/Restore Menu: Managing Configurations” for more information.  
+
 +
:If IPSec has already been enabled on boot, the router will display the message:
-
==='''Managing the IPSec service''' ===
+
      ipsec already enabled on boot.  
-
Once you have exited the script by pressing Enter, the router will return you to the IPSec menu:
+
-
IPSec VPN (Free S/Wan), (stopped)
+
-
1. Configure IPSec (Free S/Wan)
+
-
2. Generate a new Signature Key
+
-
3. Configure a basic IPSec VPN
+
-
4. Enable IPSec on boot  
+
-
5. Disable IPSec on boot
+
-
6. Start IPSec
+
-
7. Stop IPSec
+
-
0. Service configuration
+
-
===Enabling IPSec at boot-time ===
+
:The resulting message will only be displayed for a few seconds, and then you will be returned to the SNMP menu.  
-
4. Enable IPSec on boot
+
-
Selecting this menu option enables the IPSec service when the router is booted.  This does not start the IPSec service on the router if it is not running, unless the router is
+
===Disabling IPSec at Boot-time ===
-
rebooted first.  By default, IPSec is disabled on boot.  To enable IPSec at boot-time,
+
:5. Disable IPSec on boot  
-
select this menu option by pressing 2 on the keyboard and pressing Enter. The router will display the message:
+
-
ipsec enabled on boot.
+
-
If IPSec has already been enabled on boot, the router will display the message:  
+
:Selecting this menu option disables the IPSec service when the router is booted.  This does not stop the IPSec service if it is running, unless the router is rebooted first. To disable IPSec on boot, select this menu option by pressing 3 and '''Enter'''.  The router will display the following message:  
-
ipsec already enabled on boot.
+
-
The resulting message will be displayed for a few seconds, and you will be returned to the SNMP menu.  
+
      ipsec disabled on boot.  
-
===Disabling IPSec at boot-time ===
+
:If IPSec has already been disabled on boot, the router will display the message:
-
5. Disable IPSec on boot  
+
-
Selecting this menu option disables the IPSec service when the router is booted.  This does not stop the IPSec service if it is running, unless the router is rebooted first. To disable IPSec on boot, select this menu option by pressing 3 on the keyboard and pressing Enter.  The router will display the message:
+
      ipsec already disabled on boot.  
-
ipsec disabled on boot.  
+
-
If IPSec has already been disabled on boot, the router will display the message:
+
:The resulting message will only be displayed for a few seconds, and then you will be returned to the IPSec menu.  
-
ipsec already disabled on boot.  
+
-
The resulting message will be displayed for a few seconds, and you will be returned to the IPSec menu.  
+
===Starting the IPSec Service ===
 +
:6. Start IPSec
-
===Starting the IPSec service ===
+
:Selecting this menu option starts the IPSec service on the router.  Starting IPSec does not automatically enable the IPSec service when the router is booted. To start the IPSec service, select this menu option by pressing 4 and '''Enter'''.  The router will display the following message:
-
6. Start IPSec  
+
-
Selecting this menu option starts the IPSec service on the router.  Starting IPSec does not automatically enable the IPSec service when the router is booted.  To start the IPSec service, select this menu option by pressing 4 on the keyboard and pressing Enter.  The router will display the message:
+
      Starting ipsec...done.  
-
Starting ipsec...done.  
+
-
The message will be displayed for a few seconds, and you will be returned to the IPSEc menu.  
+
:The message will only be displayed for a few seconds, and then you will be returned to the IPSEc menu.  
 +
===Stopping the IPSec Service===
 +
:7. Stopping IPSec
 +
:Selecting this menu option stops the IPSec service on the router.  Stopping IPSec does not automatically disable the IPSec service when the router is booted.  To stop the IPSec service, select this menu option by pressing 5 and '''Enter'''.  The router will display the following message:
-
===Stopping the IPSec service===
+
      Stopping ipsec...done.  
-
7. Stopping IPSec
+
-
Selecting this menu option stops the IPSec service on the router.  Stopping IPSec does not automatically disable the IPSec service when the router is booted.  To stop the
+
:The message will only be displayed for a few seconds, and then you will be returned to the IPSec menu.  
-
IPSec service, select this menu option by pressing 5 on the keyboard and pressing
+
-
Enter.  The router will display the message:
+
-
Stopping ipsec...done.  
+
-
The message will be displayed for a few seconds, and you will be returned to the IPSec menu.  
+
===Returning to the Service Configuration Menu===
 +
:0. Service configuration
 +
:Selecting this menu option returns you to the "Service configuration" menu. To return to the Service configuration menu, press 0 and '''Enter'''.  The router will display the Service configuration menu:
 +
 +
      Service configuration
 +
      1. System scheduler (cron), (running)
 +
      2. Dialout PPP, (stopped)
 +
      3. IPSec VPN (Free S/Wan), (stopped)
 +
      4. NetFlow exporter (nprobe), (stopped)
 +
      5. network interfaces (sand), (running)
 +
      6. sconsole (mgetty), (running)
 +
      7. snmp (net-snmp), (stopped)
 +
      8. ssh (OpenSSH), (running)
 +
      0. Configuration menu
-
===Returning to the Service configuration menu===
+
===Changes for 4.4===
-
0. Service configuration
+
:The 4.4 release uses a newer version of OpenSwan with the kernel 2.6 native transform implementation for IPSec.
 +
:Use ipsec setup --status to check on tunnel establishment and ip xfrm policy and ip xfrm state to check on transforms.
 +
:The ipsec.conf configuration file will need some changes when upgrading from 4.2 to 4.4.
 +
:*Add '''version 2''' above config setup line.
 +
:*Change interfaces="ipsec0=xxx" to interfaces="%defaultroute" as we don't use klips anymore so there is no ipsec0 interface.
 +
:*Remove '''plutostart''' and '''plutoload''' commands from the config setup because they've been deprecated.
 +
:*Be sure to add authby=secret in sections where it isn't specified unless you have it in a default section since this is no longer the default authorization mode.
 +
:*Check NAT rules to ensure you're not nat'ing traffic that should be IPSec transformed. The 4.2 release used an ipsec0 interface but the 2.6 kernel adds routes via the normal default gateway so it is possible that your nat rules will start matching traffic under 4.4 that they didn't match under 4.2. The easiest solution is to add accept rules for the IPSec subnets above the SNAT rules.
-
Selecting this menu option returns you to the “Service configuration” menu. To return to the Service configuration menu, press 0 on the keyboard and press Enter. The router will display the Service configuration menu:  
+
Version 4.2 ipsec.conf:
 +
config setup
 +
        interfaces="ipsec0=Ethernet0"
 +
        klipsdebug=none
 +
        plutodebug=none
 +
        plutostart=%search
 +
        plutoload=%search
 +
        uniqueids=yes
 +
        plutowait=no
-
Service configuration
+
Version 4.4 ipsec.conf:
-
1. System scheduler (cron), (running)
+
version 2
-
2. Dialout PPP, (stopped)
+
config setup
-
3. IPSec VPN (Free S/Wan), (stopped)
+
        interfaces="%defaultroute"
-
4. NetFlow exporter (nprobe), (stopped)
+
        klipsdebug=none
-
5. network interfaces (sand), (running)
+
        plutodebug=none
-
6. sconsole (mgetty), (running)
+
        uniqueids=yes
-
7. snmp (net-snmp), (stopped)
+
        plutowait=no
-
8. ssh (OpenSSH), (running)
+
-
0. Configuration menu
+

Latest revision as of 19:55, 27 January 2012

This chapter describes how to configure the IPSec Virtual Private Network (VPN) service on the ImageStream Router. IPSec is a Internet Protocol Security. It uses strong cryptography to provide both authentication and encryption services. Authentication ensures that packets are from the proper sender and have not been altered in transit. Encryption prevents unauthorized reading of packet contents.
These services allow you to build secure tunnels through untrusted networks, such as a public Frame Relay network or Internet backbone network. All traffic passing through the untrusted network is encrypted by the IPSec gateway and decrypted by the gateway at the other end. The result is Virtual Private Network or VPN. This is a network which is effectively private even though it includes machines at several different sites connected by an insecure network. This chapter outlines a simple network-to-network connection.


IPSec VPN.png


More advanced configurations are possible. This chapter includes the following topics:
  • Configuring the IPSec VPN service
  • Enabling the IPSec VPN service at boot-time
  • Disabling the IPSec VPN service at boot-time
  • Starting the IPSec VPN service
  • Stopping the IPSec VPN service
After logging in, the main menu is displayed (your menu may look slightly different):
     ISis-Router main menu 
     1. Configuration menu 
     2. Show interface status 
     3. Advanced 
     4. Router software management 
     5. Backup/Restore 
     6. halt/reboot 
     0. Log off 
Select menu option 1, Configuration menu, and press Enter to configure the router. The Configuration menu should appear (your menu may look slightly different):
     Configuration menu 
     1. AAA (Password) Configuration 
     2. Global configuration 
     3. Network interface configuration 
     4. Firewall and QOS configuration 
     5. Service configuration 
     6. Dynamic routing configuration 
     7. Save configuration to flash 
     0. ISis-Router main menu 
Select menu optioin 5, Service configuration, and press Enter to configure the router's service configuration settings. The Service configuration menu will be displayed (again, your menu may look slightly different):
     Service configuration 
     1. System scheduler (cron), (running) 
     2. Dialout PPP, (stopped) 
     3. IPSec VPN (Free S/Wan), (stopped) 
     4. NetFlow exporter (nprobe), (stopped) 
     5. network interfaces (sand), (running) 
     6. sconsole (mgetty), (running) 
     7. snmp (net-snmp), (stopped) 
     8. ssh (OpenSSH), (running) 
     0. Configuration menu 
Select menu option 4, IPSec VPN, and press Enter to configure the router's IPSec VPN settings. The IPSec VPN menu will be displayed (again, your menu may look slightly different):
     IPSec VPN (Free S/Wan), (stopped) 
     1. Configure IPSec (Free S/Wan) 
     2. Generate a new Signature Key 
     3. Configure a basic IPSec VPN 
     4. Enable IPSec on boot 
     5. Disable IPSec on boot 
     6. Start IPSec 
     7. Stop IPSec 
     0. Service configuration 
To configure the network-to-network VPN connection, you will need two IPSec-capable gateways with static IP addresses. The IP addresses must be the addresses connecting the gateways to the unsecure network. For example, on a router with a LAN connected to Ethernet0 and a WAN connection through Serial0, the static IP address would be the IP address of the Serial0 device. You will also need a network behind each gateway with non-overlapping IP ranges. Generally, this will be a LAN or a device that connects the gateway to a private, secure network.
Refer to the VPN diagram above or Glossary if you do not understand the terms used in the table below. Before attempting to complete your VPN configuration, you should have the following information ready:

Contents

IPSEC VPN Pre-Configuration Information

IPSec VPN Pre-Configuration Information
Ensure that you have the following information ready before you start configuring the VPN.
Parameter Where to find Description
Left Side VPN device Network Diagram The Router on the left side of the VPN tunnel diagram. This router will always be the "left: side endpoint for the purposes of configuring a VPN connection
Right Side VPN device Network Diagram The on the right side of the VPN tunnel diagram. This router will always be the "right" side endpoint for the purposes of configuring a VPN connection
Left and Right Side Network devices Network Diagram The LAN or WAN interfaces used as the endpoints of the VPN tunnel. These devices are typically the WAN or LAN devices closest to the external network and not internal LAN or WAN devices
Left and Right Side IP addresses Line Provider or Network Administrator The left and right side IP addresses will be IP addresses of the left and right side network devices used for the VPN tunnel endpoints
Left and Right Side Next Hop address Line Provider or Network Administrator The left and right side next hop address will be the gateway addresses for the VPN tunnel endpoints
Left and Right Side Subnets Network Diagram or Network Administrator The left and right side subnets will be the networks to be connected across the VPN tunnel. These subnets must be non-overlapping

Using the Built-in Automated Script to Configure a VPN Tunnel

To configure a simple IPSec VPN, select menu option 3, Configure a basic IPSec VPN, and pressEnter. This will start an interactive script that displays the following:
Now generating a key for this host (May take some time)...done. 
Please see the ImageStream Technical Support Web site 
or the ImageStream Router Installation Guide 
for details on the information requested by this script. 
The router will have generated a signature key used to authenticate the VPN connection. The router will then display the following:
Will this router be the [L]eft or [R]ight side tunnel endpoint (L/r) ? 
Enter the correct side for this router. The left and right side designations are not relative to the router. This router will always be either the left side or right side router. Use your network diagram to determine whether this router will act as the left or right side router. For example, if you want to configure this router as the left side router, enter L and Enter at this prompt.
The router will then ask you to confirm your choice. In the example below, we have accepted the default configuration and set this router as the left side router:
This router will be configured as the left side for this IPSec configuration.   Is this correct (Y/n) : 
If these values are correct, press 'Y' or leave the entry blank and press Enter. If you have made a mistake, press 'N' and Enter and the router will reprompt you for the information.
If you pressed 'Y' or 'Enter the following script will be displayed:
Retrieving the public RSA key for this router...done 
The router will retrieve the public signature key generated earlier. This key will be used in the IPSec configuration file and as part of the authentication process with the other router.
The router will then display:
What interface will this router use as the VPN device (default: Ethernet0) ? 
At this prompt, enter the interface you want to use as the VPN device. Typically, this will be the device closest to the upstream Internet connection on your network. You can press Enter to accept the default value, or enter a device name. For example, to use Serial0 as the VPN device, enter Serial0 at this prompt and press Enter.
The router will then ask you to confirm your choice. In the example below, we have set Serial0 as the VPN device:
This router will use Serial0 as the VPN device for this IPSec configuration.   Is this correct (Y/n) : 
If these values are correct, press 'Y' or leave the entry blank and press Enter. If you have made a mistake, press 'N' and Enter and the router will reprompt you for the information.
If you pressed 'Y' or Enter, the following script will be displayed:
What is the IP address of Serial0 used for IPSec? 
Enter the primary or secondary IP address used for the VPN tunnel endpoint. For example, to use 192.168.8.1 as the IP address for this side, enter 192.168.8.1 at this prompt and press Enter.
The router will then ask you to confirm your choice. In the example below, we have entered 192.168.8.1:
This router will use 192.168.8.1 as the IP address for this IPSec configuration.   Is this correct (Y/n) : 
If these values are correct, press 'Y' or leave the entry blank and press Enter. If you have made a mistake, press 'N' and Enter and the router will reprompt you for the information.
If you pressed 'Y' or Enter, the following script will be displayed:
What is the next hop address for this router? 
Enter the gateway IP address for this VPN tunnel endpoint. This address should be the one used by the router when traffic leaves the router for the other VPN tunnel endpoint. For example, to use 192.168.8.2 as the IP address for this side, enter 192.168.8.2 at this prompt and press Enter.
The router will then ask you to confirm your choice. In the example below, we have entered 192.168.8.2:
This router will use 192.168.8.2 as the next hop address for this IPSec configuration.   Is this correct (Y/n) : 
If these values are correct, press 'Y' or leave the entry blank and press Enter. If you have made a mistake, press 'N' and Enter and the router will reprompt you for the information.
The following script will then displayed:
What is the subnet on this router that is to be accessible across the VPN? 

For the next question, please enter the value in the format of "ipnetwork/bitmask" 

For example, the Class C 192.168.1.x would be entered as 192.168.1.0/24. 

Enter the subnet on this router to be accessible across the VPN : 
Enter the subnet address for this side of the VPN tunnel. This subnet should be the network you want to make accessible from the other side of the VPN tunnel. For example, to use 192.168.1.0/24 as the subnet for this side, enter 192.168.1.0/24 at this prompt and press Enter.
The router will then ask you to confirm your choice. In the example below, we have entered 192.168.1.0/24:
This router will use 192.168.1.0/24 as the subnet on this router to be accessible across the VPN.
  Is this correct (Y/n) : 
If these values are correct, press 'Y' or leave the entry blank and press Enter. If you have made a mistake, press 'N' and Enter and the router will reprompt you for the information.
Once you have entered the correct values for the first side, the router will then prompt you for the information on the other side of the VPN tunnel. Again, remember that the left and right side designations are not relative to the router. The left side router will always be the left side router and vice versa.
If enter 'Y' or pressed Enter the router will display:
Next, we will enter the values for the right side router... 
The router will then prompt you for the identical information for the other side of the VPN tunnel. Please refer to the above section for assistance in answering the questions.
Once you have entered the values for the other endpoint, the router, based on our example, will display:
If the right side router is ImageStream, do you want to attempt to get the right side router's public RSA key automatically? (Y/n) : 
If the remote router is ImageStream, you can configure it for the IPSec VPN connection automatically. To use this feature, the router you are configuring must have a network connection to the remote router and the remote router must have a signature key already generated. If you want to attempt to get the remote router's public key, press 'Y' or leave the entry blank and press Enter. If the remote router is not ImageStream, or if you do not have access or a connection to it, press 'N' and Enter and the script will not attempt to automatically configure the remote router.

Auto Configuring a VPN Tunnel on a Remote ImageStream Router

If you have entered Y or left the entry blank and pressed Enter when prompted to get the remote router's public RSA key, the router will prompt you for the IP address of the remote router:
Enter the IP address of the right side router : 
Enter the IP address of the remote router. This address must be accessible to the local router, and the remote router must have SSH enabled and accessible. If you enter an address that is not accessible, or your connection hangs, you will have an opportunity to terminate the connection. In the example below, we have entered 192.168.100.140 as the remote router:
Attempting to contact the right side router... 
Press Control-\ at any time to interrupt the connection process. Attempting to contact the right side router.
You will be prompted for the password... 
Warning: Permanently added '192.168.100.140' (RSA) to the list of known hosts. 
root@192.168.100.140's password: 
Enter the password for the remote router and press Enter. The script will then download the remote router's RSA signature key for use in the VPN configuration process. The router will then display following, based on our example:
ipsec.secrets	100% |***	***|	3814	00:00
Retrieving the public RSA key for the right side router...done Successfully retrieved public RSA key. 
Now creating the tunnel configuration for this router...done 
If there is an error retrieving the key, either because an incorrect IP address was given or the "ipsec.secrets" file was not located, the router will display the following:
Unable to locate the IPSec keyfile on the right side router. You must generate a key on the remote router! 
Would you like to try again? (Y/n) : 
You can generate an RSA signature key on the remote router, or check the connection to the remote router and try again by pressing 'Y' or by leaving the entry blank and pressing Enter. Pressing 'N' and Enter will put the router in manual configuration mode. Please see the section below on manual configuration of a VPN tunnel.
The router will then prompt you to configure the remote ImageStream router, assuming that the RSA signature key was retrieved successfully:
The right side router is an ImageSteam router.   Do you want to attempt to configure the right side router also? (Y/n) : 
If you want to attempt to configure the remote router for the VPN tunnel, press 'Y' or leave the entry blank and press Enter. If you do not want to configure the remote router, press 'N' and Enter and the script will not attempt to automatically configure the remote router.
If you pressed 'Y' or Enter the router will then display the following, based on our example:
Now creating the tunnel configuration for the right side router...done 
Attempting to contact the right side router.   You will be prompted for the password... 
Press Control-\ at any time to interrupt the connection process. root@192.168.100.140's password: 
Enter the password for the remote router and press Enter. The script will then upload the proper VPN configuration file to the remote router. The router will then display:
ipsec.conf-right	100% |***	*|	1581	00:00
Successfully copied the configuration file to the right side router. 

You must start the IPSec service before your configuration will be active.   
Remember to save your configuration to flash, or the changes made in the IPSec configuration file will be lost. 

Press enter/return to quit 
If you have entered 'N' when prompted to configure the remote router, the script will save a copy of the remote configuration and display:
A copy of the configuration file for the right side router has been saved in: /tmp/ipsec.conf-right 

You must start the IPSec service before your configuration will be active.   
Remember to save your configuration to flash, or the changes made in the IPSec configuration file will be lost. 

Press enter/return to quit 
If the remote router is an ImageStream router or uses a FreeSwan implementation, you will find a copy of the configuration for that router in the /tmp directory. A copy of the local router's configuration, based on your entries, has been saved on the local router. Using this script does not start the IPSec service, nor will it enable the service on boot. Use the IPSec menu to start or stop IPSec or to enable or disable the service at boot- time.
Note: You must save the settings to the router's non-volatile flash memory! If the router is rebooted before saving, your changes will be lost! See the Chapter 26, "Manual/Backup/Restore Menu: Managing Configurations" for more information.

Selecting manual configuration for a VPN tunnel

If you have entered 'N' when prompted to get the remote router's public RSA key, the router will proceed with manual entry of the VPN tunnel configuration and will display the following, based on our example above:
Proceeding with manual entry... 
Please paste the public key from the right side router. Include only the key and NO other characters 
When you are finished, press Enter/Return, then press Control-D 
Enter the public RSA key only with no other special characters or values. The router will automatically remove any line breaks from the input. If you are pasting the public key from another ImageStream router or a FreeSWan implementation, do not include the "pubkey=" when you paste the value. If you are using a standard key, it will look similar to:
0sAQNnhVz28e6wHj0IAJzQQiJOTYKfE/+zJbLr86ZbJjfGNMP4gXLm3pf4XFYLCqH
bpYYQoYAq1GJiyTUnXe4k0glELTIqLCoM46U6AwRu9g1hA/NSnHPQD2KF+tlwKGY
G3tD0pu79q6ks+52p7FO8UzdRxUvSYGtP0bs4XQnB1ZeT8g5uyt7ugmlYZh72W5Xe
qR7LCji29h5n2rR64WG385TiNPG60VOmyNHHKzhrR0IDs39hgxezNLW4QeVwb4SX6
/eYZUXGKv2R56R804OTZ0PyzlYQumMzB/KtUBfbwmAKGBAZTY5ODhwQYVL2LrW/Zg
3AAyhkn4lvcEfY8sV316H 
The key for your routers will be unique and will not match the above example. Press Enter and then press Control-D when you are finished entering the key. The router will then process your input and display the following, based on our example:
Successfully parsed right side public RSA key. 
Now creating the tunnel configuration for this router...done 
A copy of the configuration file for the right side router has been saved in: /tmp/ipsec.conf-right 

You must start the IPSec service before your configuration will be active.   
Remember to save your configuration to flash, or the changes made in the IPSec configuration file will be lost. 

Press enter/return to quit 
If the remote router is an ImageStream router or uses a FreeSwan implementation, you will find a copy of the configuration for that router in the /tmp directory. A copy of the local router's configuration, based on your entries, has been saved on the local router. Using this script does not start the IPSec service, nor will it enable the service on boot. Use the IPSec menu to start or stop IPSec or to enable or disable the service at boot-time.
Note: You must save the settings to the router's non-volatile flash memory! If the router is rebooted before saving, your changes will be lost! See the Chapter 26, "Manual/Backup/Restore Menu: Managing Configurations" for more information.

Managing the IPSec Service

Once you have exited the script by pressing Enter, the router will return you to the IPSec menu:
     IPSec VPN (Free S/Wan), (stopped) 
     1. Configure IPSec (Free S/Wan) 
     2. Generate a new Signature Key 
     3. Configure a basic IPSec VPN 
     4. Enable IPSec on boot 
     5. Disable IPSec on boot 
     6. Start IPSec 
     7. Stop IPSec 
     0. Service configuration

Enabling IPSec at Boot-time

4. Enable IPSec on boot
Selecting this menu option enables the IPSec service when the router is booted. This does not start the IPSec service on the router if it is not running, unless the router is rebooted first. By default, IPSec is disabled on boot. To enable IPSec at boot-time, select this menu option by pressing 2 and Enter. The router will display the following message:
     ipsec enabled on boot. 
If IPSec has already been enabled on boot, the router will display the message:
     ipsec already enabled on boot. 
The resulting message will only be displayed for a few seconds, and then you will be returned to the SNMP menu.

Disabling IPSec at Boot-time

5. Disable IPSec on boot
Selecting this menu option disables the IPSec service when the router is booted. This does not stop the IPSec service if it is running, unless the router is rebooted first. To disable IPSec on boot, select this menu option by pressing 3 and Enter. The router will display the following message:
     ipsec disabled on boot. 
If IPSec has already been disabled on boot, the router will display the message:
     ipsec already disabled on boot. 
The resulting message will only be displayed for a few seconds, and then you will be returned to the IPSec menu.

Starting the IPSec Service

6. Start IPSec
Selecting this menu option starts the IPSec service on the router. Starting IPSec does not automatically enable the IPSec service when the router is booted. To start the IPSec service, select this menu option by pressing 4 and Enter. The router will display the following message:
     Starting ipsec...done. 
The message will only be displayed for a few seconds, and then you will be returned to the IPSEc menu.

Stopping the IPSec Service

7. Stopping IPSec
Selecting this menu option stops the IPSec service on the router. Stopping IPSec does not automatically disable the IPSec service when the router is booted. To stop the IPSec service, select this menu option by pressing 5 and Enter. The router will display the following message:
     Stopping ipsec...done. 
The message will only be displayed for a few seconds, and then you will be returned to the IPSec menu.

Returning to the Service Configuration Menu

0. Service configuration
Selecting this menu option returns you to the "Service configuration" menu. To return to the Service configuration menu, press 0 and Enter. The router will display the Service configuration menu:
     Service configuration 
     1. System scheduler (cron), (running) 
     2. Dialout PPP, (stopped) 
     3. IPSec VPN (Free S/Wan), (stopped) 
     4. NetFlow exporter (nprobe), (stopped) 
     5. network interfaces (sand), (running) 
     6. sconsole (mgetty), (running) 
     7. snmp (net-snmp), (stopped) 
     8. ssh (OpenSSH), (running) 
     0. Configuration menu

Changes for 4.4

The 4.4 release uses a newer version of OpenSwan with the kernel 2.6 native transform implementation for IPSec.
Use ipsec setup --status to check on tunnel establishment and ip xfrm policy and ip xfrm state to check on transforms.
The ipsec.conf configuration file will need some changes when upgrading from 4.2 to 4.4.
  • Add version 2 above config setup line.
  • Change interfaces="ipsec0=xxx" to interfaces="%defaultroute" as we don't use klips anymore so there is no ipsec0 interface.
  • Remove plutostart and plutoload commands from the config setup because they've been deprecated.
  • Be sure to add authby=secret in sections where it isn't specified unless you have it in a default section since this is no longer the default authorization mode.
  • Check NAT rules to ensure you're not nat'ing traffic that should be IPSec transformed. The 4.2 release used an ipsec0 interface but the 2.6 kernel adds routes via the normal default gateway so it is possible that your nat rules will start matching traffic under 4.4 that they didn't match under 4.2. The easiest solution is to add accept rules for the IPSec subnets above the SNAT rules.

Version 4.2 ipsec.conf:

config setup
        interfaces="ipsec0=Ethernet0"
        klipsdebug=none
        plutodebug=none
        plutostart=%search
        plutoload=%search
        uniqueids=yes
        plutowait=no

Version 4.4 ipsec.conf:

version 2
config setup
        interfaces="%defaultroute"
        klipsdebug=none
        plutodebug=none
        uniqueids=yes
        plutowait=no
Personal tools
Router software releases