RuggedCom RX1100 Generate X.509 Certificates, VPN Networking Parameters Client Configuration

Models: RX1000 RX1100

Chapter 12 – Configuring An IPsec VPN

Generate X.509 Certificates

Use the certificate authority to produce its own public certificate (the cacert), a certificate for the router and a certificate for each client. The authority will need some information that is shared by all certificates (e.g. a Country Name (C), a State or Province Name (ST, shown as S by some tools) and an Organization Name (O)) and some per-identity information (e.g. a Common Name (CN) and an Email Address (E)). Together these fields form the Distinguished Name (DN), which the router and the client use to identify and validate each other.

VPN Networking Parameters

The first step is to identify the key parameters required. The router's public gateway (here vpn@xyz.com) and its gateway interface (w1ppp) must be known. The local network subnet (10.0.0.0/8) and each client's internal network address (here 10.0.1.1) must be known; all client addresses should be assigned from a subnet of the local network (e.g. 10.0.1.0/24). The encryption parameters must be chosen according to the clients' capabilities. Avoid 3DES where possible: it is slow, and its 64-bit block size makes it a poor choice for long-lived tunnels, so prefer AES if the client supports it.

Client Configuration

Depending on the client, you may need to produce the certificate in PKCS#12 (P12) format, and may need to set an "export" password on it. The personnel who configure the client must know this password in order to import the certificate. Because the P12 bundle contains the client's private key, hand over the bundle and its password through separate channels and delete the bundle once it has been imported.

Install the client IPSec software and import the cacert and the client's own certificate and key. Configure the client with the router's public gateway, the client's internal network address and the chosen encryption parameters. At this point the client should be able to ping the public gateway over its Internet connection.

Router IPSec Configuration

Transfer the cacert and the router's certificate to the router. If your authority prepares a Certificate Revocation List (CRL), you will want to transfer that as well.

The cacert file should be renamed cacert.pem and installed in /etc/ipsec.d/cacerts/. The CRL file should be renamed to crl.pem and installed in /etc/ipsec.d/crls/.

The router's certificate must be installed in /etc/ipsec.d/certs/. Its private key file (e.g. router.key) must be installed in /etc/ipsec.d/private/, and the line ': RSA router.key "Password"' (where Password is the pass phrase used to protect the key when the certificate was generated) must be appended to /etc/ipsec.secrets. Both the key file and /etc/ipsec.secrets hold secrets in clear text, so they must be readable by root only.

Note: The Maintenance Menu, Upload/Download Files sub-menu provides a method to transfer the files directly to the indicated directories.
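The procedure above, from "Generate X.509 Certificates" through the router-side file layout, as an added OpenSSL example. This is not code from the RuggedCom manual, and the site's real certificate authority tool may differ. The domain xyz.com and the ipsec.d directory names come from the manual; the client name "alice", the DN values, the OpenSSL config, the pass phrases and the local staging directory (used instead of /etc on the router) are assumptions.

```shell
#!/bin/sh
# Added example (not code from the RuggedCom manual): build the CA, router and
# client identities with OpenSSL, export the client as a P12 bundle with an
# export password, issue a CRL, and stage the router files in the ipsec.d layout.
# Assumed: client "alice", the DN values, this config and the staging directory.
set -eu

# DN fields shared by every certificate (C, ST, O). Assumed values.
SUBJ_BASE="/C=CA/ST=Ontario/O=XYZ Corp"

# Minimal OpenSSL config: CA and end-entity extensions plus a [ca] section used
# only by "openssl ca -gencrl". [dn] is a placeholder; every subject uses -subj.
write_openssl_cnf() {
    cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_end ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ ca ]
default_ca = xyz_ca
[ xyz_ca ]
database = $1/index.txt
crlnumber = $1/crlnumber
certificate = $1/cacert.pem
private_key = $1/ca.key
default_md = sha256
default_crl_days = 30
EOF
}

# issue_cert DIR NAME SUBJECT [KEYPASS]: key, CSR and CA-signed certificate.
# The key is pass-phrase protected only when KEYPASS is given (router key).
issue_cert() {
    dir="$1"; name="$2"; subject="$3"; keypass="${4:-}"
    if [ -n "$keypass" ]; then
        openssl genrsa -aes256 -passout "pass:$keypass" -out "$dir/$name.key" 2048 2>/dev/null
    else
        openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    fi
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/$name.key" \
        -passin "pass:$keypass" -subj "$subject" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/cacert.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 730 -sha256 -extfile "$dir/openssl.cnf" -extensions v3_end \
        -out "$dir/$name.pem" 2>/dev/null
}

# make_pki DIR EXPORT_PW KEY_PW: the manual's procedure end to end.
# Usage: make_pki ./pki export-pw router-secret
make_pki() {
    dir="$1"; export_pw="$2"; key_pw="$3"
    mkdir -p "$dir"
    write_openssl_cnf "$dir"
    # 1. Self-signed CA certificate (the cacert). Its key stays on the CA host.
    openssl req -x509 -new -config "$dir/openssl.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -days 3650 \
        -subj "$SUBJ_BASE/CN=XYZ VPN CA" -out "$dir/cacert.pem" 2>/dev/null
    # 2. Router identity; its key pass phrase is what ipsec.secrets must carry.
    issue_cert "$dir" router "$SUBJ_BASE/CN=vpn.xyz.com/emailAddress=vpn@xyz.com" "$key_pw"
    # 3. One client identity (repeat per client with its own CN and E).
    issue_cert "$dir" alice "$SUBJ_BASE/CN=alice/emailAddress=alice@xyz.com"
    # 4. Client bundle: cert + key + cacert in P12 under the export password.
    #    Old clients may need "openssl pkcs12 -export -legacy" (OpenSSL 3).
    openssl pkcs12 -export -in "$dir/alice.pem" -inkey "$dir/alice.key" \
        -certfile "$dir/cacert.pem" -name "alice@xyz.com" \
        -passout "pass:$export_pw" -out "$dir/alice.p12"
    # 5. CRL from the (still empty) revocation database.
    : > "$dir/index.txt"; echo 1000 > "$dir/crlnumber"
    openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
    # 6. Router files in the /etc/ipsec.d layout from the manual, staged locally;
    #    on the router the secrets line is appended to /etc/ipsec.secrets.
    stage="$dir/ipsec.d"
    mkdir -p "$stage/cacerts" "$stage/certs" "$stage/private" "$stage/crls"
    cp "$dir/cacert.pem" "$stage/cacerts/cacert.pem"
    cp "$dir/crl.pem"    "$stage/crls/crl.pem"
    cp "$dir/router.pem" "$stage/certs/router.pem"
    cp "$dir/router.key" "$stage/private/router.key"
    chmod 600 "$stage/private/router.key"
    printf ': RSA router.key "%s"\n' "$key_pw" > "$dir/ipsec.secrets"
    chmod 600 "$dir/ipsec.secrets"
}

# verify_pki DIR: both certificates chain to the cacert and are not on the CRL.
verify_pki() {
    openssl verify -CAfile "$1/cacert.pem" -crl_check -CRLfile "$1/crl.pem" \
        "$1/router.pem" "$1/alice.pem" >/dev/null 2>&1
}

# p12_client_subject DIR EXPORT_PW: subject of the certificate inside the P12;
# fails unless the export password is right, exactly as a client import does.
p12_client_subject() {
    openssl pkcs12 -in "$1/alice.p12" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject
}
```

The router certificate carries both the gateway name and the vpn@xyz.com address in its DN, and the client's DN carries its own CN and E, so the DN is what each side matches against its peer, as the manual describes. The CRL is generated from an empty database here; after revoking a client with `openssl ca -revoke`, rerun the `-gencrl` step and replace crl.pem in /etc/ipsec.d/crls/ on the router.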

Enable IPSec from the Bootup and Shutdown menu. Visit the IPSec VPN menu and generate a public key.

Visit the Server Configuration menu and associate the ipsec0 interface with the desired interface the connection will arrive on (here w1ppp).

Create a connection for the clients. Set the parameters as follows:

RuggedCom

135
