IPSec

IPSec (IP Security) is a generic standardized VPN solution. Compared to OpenVPN, encryption and authentication are already done on the OSI layer 3 as an extension to the IP protocol. Therefore IPsec must be implemented in the IP stack which is part of the kernel. Since IPSec is a standardized protocol it is compatible to most vendors that implement IPSec. Compared to OpenVPN IPSec's configuration and administration is due to its complexity usually quite difficult and due to it's design some situations are impossible to handle compared to OpenVPN, especially if you have to cope with NAT. However, Endian Firewall implements an easy to use adminstration interface with different authentication possibilities. We strongly encourage you to use IPSec only if you need to because of interoperability purposes. Use OpenVPN wherever you can, especially if NAT is in the game.

Methods of Authentication

It is necessary to have a pre-shared key/password/pass phrase or an X.509 certificate before trying to configure a Roadwarrior or Net-to-Net VPN connection. These are methods of authentication, which identify the user trying to access the VPN. They will be required in the VPN configuration stage.

Pre-shared Key

The pre-shared key authentication method or PSK is a very simple method that allows VPN connections to be set up quickly. For this method, you enter an authentication phrase. This can be any character string — similar to a password. This phrase must be available for authentication on Endian Firewall and on the VPN client.

The PSK method involves less steps than certificate authentication. It can be used to test connectivity of a VPN and to become familiar with the procedure of establishing a VPN connection. Experienced users may wish to progress straight to the section called “Generate Root/Host Certificates” before trying to configure a roadwarrior or a net-to-net VPN connection.

The pre-shared key method should not be used with Roadwarrior connections as all roadwarriors must use the same pre-shared key.

Note

The clocks on either end of the EFW VPN tunnel should be up to date before configuring a VPN.

X.509 Certificates

X.509 certificates are a very secure way of connecting VPN servers. To implement X.509 certificates you must either generate or setup the certificates on Endian Firewall or use another certification authority on your network.

X.509 Terminology

X.509 certificates on Endian Firewall and many other implementations are manipulated and controlled by OpenSSL. SSL, or the Secure Sockets Layer, has its own terminology.

X.509 certificates, depending on their type, may contain public and private encryption keys, pass phrases and information about the entity they refer to. These certificates are meant to be validated by Certification Authorities (Certificate Authorities) or CAs. When used by web browsers, the CA certificates of major, pay for, CAs are compiled into the browsers. To validate a host certificate, the certificate is passed to the appropriate CA to perform validation. On private networks or unique hosts, the CA may reside on a local host. In EFWs case, this is the Endian Firewall, itself.

Certification signing requests are requests for signing unsigned X.509 certificates that are passed to CAs. The CAs in turn generate an X.509 certificate by signing the request. These are returned to the requesting entity as valid X.509 certificates. These signed certificates will then obviously be known to the CA.

You will see that X.509 certificates and requests can be stored on your hard drive in three different formats, usually identified by their extensions. PEM format is the default for OpenSSL. It can contain all the information associated with certificates in printable format. DER format contains just the key information and no extra X.509 information. This is the default format for most browsers. PEM format wraps headers around DER format keys. PKCS#12, PFK or P12 certificates contain the same information as PEM files in binary format. Using the openssl command, PEM and PKCS#12 files can be transformed into the respectively other format.

To use a certificate, you must import it into the other side's CA, too. The IPSec implementation on Endian Firewall contains its own built in CA. CAs may run on roadwarrior's machines too.

If the roadwarrior's IPSec implementation does not have CA capabilities, you can generate a certificate request, import it into EFW so that EFW's CA can sign it. Then you have to export the resulting certificate and import it into the originating roadwarrior's IPSec software.

Global Settings

Figure 8.20. VPN global settings

VPN global settings

Enter the VPN server details, either its fully qualified domain name or the public IP address of the RED interface. If you are using a dynamic DNS service, you should use your dynamic DNS name here.

VPNs and Dynamic DNS

If your ISP changes your IP address, be aware that Net-to-Net VPNs may have to be restarted from both ends of the tunnel. Roadwarriors will also have to restart their connections in this case.

Enable the VPN on Endian Firewall by selecting Local VPN Hostname/IP and click on the Save button. The VPN on Blue option will only be visible if you have configured a BLUE network interface card. To enable a VPN over your BLUE wireless connection click on the VPN on BLUE Enabled check box and then click on the Save button.

Connection Status and Control

Figure 8.21. VPN connection status and control window: initial view

VPN connection status and control window: initial view

This box lists each configured connection and its status. For each connection you will see the following information:

Name

The name of the respective connection

Type

The connection type (Net-to-Net or Net-to-Host) with it's authentication type.

Common Name

This field is filled only if certificate authentication will be used. It does contain the value which has been inserted into the remote certificate as common name. Normally this is the hostname of the remote host.

Remark

A short remark to make it easier to identify the connection.

Status

Shows the status of the respective connection. The following values are possible:

CLOSED

the connection is closed.

OPEN

the connection is established.

The next items symbolise the Actions you can do for each respective connection:

Restart icon

By clicking on this icon the connection will be restarted. Use this on both sides if your ip address changes for example.

Enabled checkbox

To enable or disable a connection - click on the Enabled icon for the particular entry you want to enable or disable. The icon changes to an empty box when a connection is disabled. Click on the checkbox to enable it again.

Pencil icon

Click on this icon if you want to edit that particular connection entry.

Trash can icon

By clicking on this icon the connection will be removed.

Warning

The administration interface does not ask you if you really want to remove the connection!

To create a VPN connection use the Add button. The VPN connection page will appear (see the section called “Connection Type”).

Certificate Authorities

This part is needed to create or import Root CA Certificates. The box shows two special marked lines with information about the existing certificates. If you already created or imported the certificates you will see the lines filled with information. On the right you will find two symbols in the Actions column. By clicking the blue information icon you will load a page with the certificate printed out as plain text and as ascii armored output.

Example 8.3. Example plain text certificate output.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=AF, O=endian, CN=endian CA
        Validity
            Not Before: Apr 30 16:21:28 2006 GMT
            Not After : Mar 11 06:56:08 2022 GMT
        Subject: C=AF, O=endian, CN=endian CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:c2:9f:79:09:84:88:6e:8f:9f:be:50:36:62:2e:
                    25:63:ac:1d:e4:ff:7e:b1:f0:f1:42:c8:a0:a6:33:
                    32:43:56:d0:5a:e1:77:14:ec:ba:f8:44:22:e9:aa:
                    e8:70:19:e1:38:50:28:56:48:a8:7f:a7:eb:0e:a8:
                    27:9a:ba:a4:0a:fb:59:7f:1f:4c:d4:20:78:05:2e:
                    06:2a:5c:f2:6f:70:ee:c2:d2:3b:34:35:80:e8:da:
                    dc:c8:32:34:95:cb:f0:0a:75:04:f6:0b:26:d6:9b:
                    ab:0e:01:60:f0:fe:2a:a6:40:e6:a7:47:e2:71:11:
                    25:71:c4:03:99:d8:fd:07:00:7e:e6:28:12:97:29:
                    3f:ad:68:54:01:8d:ed:26:97:c9:85:8c:32:bf:0b:
                    58:82:2e:38:71:26:58:3c:75:96:27:df:4b:35:0d:
                    f5:aa:c5:5a:e7:f1:73:a1:f0:5e:a2:ab:4b:3f:a7:
                    60:6f:36:55:d6:c5:76:71:23:b6:9b:44:b3:2c:bf:
                    83:b3:cc:17:05:7d:0a:ea:1e:83:28:91:8a:79:6b:
                    ec:45:65:c5:40:cd:e5:43:ec:72:77:74:6c:28:31:
                    fa:b1:49:e8:41:94:93:93:8a:57:14:88:e2:b0:e1:
                    3d:d2:7c:a2:ce:35:85:cc:7b:c9:37:61:47:1d:85:
                    db:d1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
            C7:EE:A4:68:68:A7:A9:4B:1E:95:09:66:84:50:94:0F:7A:FA:B4:62
            X509v3 Authority Key Identifier: 
            keyid:C7:EE:A4:68:68:A7:A9:4B:1E:95:09:66:84:50:94:0F:7A:FA:B4:62
            DirName:/C=AF/O=endian/CN=endian CA
            serial:00

            X509v3 Basic Constraints: 
            CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        35:a7:2e:5d:66:ef:23:37:36:fe:3a:18:4f:3b:1f:e0:76:bd:
        07:85:6b:06:33:f5:56:15:6b:3b:08:81:0a:5a:f6:32:bb:e1:
        3a:c6:76:94:ac:09:30:6c:82:32:6d:a0:dd:14:a4:5a:27:57:
        6b:86:81:ec:c9:bb:78:cc:79:8b:db:4a:71:8f:94:f8:59:c5:
        8a:a6:f4:9c:c6:c5:8b:24:5d:cd:a8:c6:f1:15:ed:1a:d9:49:
        56:6c:08:9b:8e:d0:08:85:ca:3e:d9:27:70:e2:d4:53:4a:89:
        ce:79:47:c0:2a:7f:96:fc:87:20:11:86:c4:bd:72:a0:f3:50:
        89:d3:a8:3d:0d:90:1e:67:8e:15:02:7b:a4:46:46:20:8c:eb:
        25:cf:d5:1b:25:98:2c:9c:38:90:68:e1:d2:b1:3c:d1:ea:24:
        f9:c0:6b:0d:38:d1:65:73:94:30:9b:a5:ce:d9:c5:86:ca:79:
        b2:bd:9f:82:1a:37:3b:54:2b:72:b5:55:44:ff:ec:f0:f7:6c:
        50:c2:ca:35:f5:86:a3:41:70:46:df:06:ce:5e:3f:07:fa:79:
        a9:01:be:f9:21:ff:a7:e2:bc:ad:9f:a7:04:36:67:ff:19:32:
        e7:47:c7:eb:3e:2d:73:22:31:0c:4d:07:c0:7a:f8:3d:81:e2:
        da:68:1c:48

The blue discette icon allows you to download the certificate as pem encoded file, which you then can import on other devices.

Example 8.4. Example content of an exported CA.

-----BEGIN CERTIFICATE-----
MIIDbDCCAlSgAwIBAgIBADANBgkqhkiG9w0BAQQFADAyMQswCQYDVQQGEwJBRjEP
MA0GA1UEChMGZW5kaWFuMRIwEAYDVQQDEwllbmRpYW4gQ0EwHhcNMDYwNDMwMTYy
MTI4WhcNMjIwMzExMDY1NjA4WjAyMQswCQYDVQQGEwJBRjEPMA0GA1UEChMGZW5k
aWFuMRIwEAYDVQQDEwllbmRpYW4gQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDCn3kJhIhuj5++UDZiLiVjrB3k/36x8PFCyKCmMzJDVtBa4XcU7Lr4
RCLpquhwGeE4UChWSKh/p+sOqCeauqQK+1l/H0zUIHgFLgYqXPJvcO7C0js0NYDo
2tzIMjSVy/AKdQT2CybWm6sOAWDw/iqmQOanR+JxESVxxAOZ2P0HAH7mKBKXKT+t
aFQBje0ml8mFjDK/C1iCLjhxJlg8dZYn30s1DfWqxVrn8XOh8F6iq0s/p2BvNlXW
xXZxI7abRLMsv4OzzBcFfQrqHoMokYp5a+xFZcVAzeVD7HJ3dGwoMfqxSehBlJOT
ilcUiOKw4T3SfKLONYXMe8k3YUcdhdvRAgMBAAGjgYwwgYkwHQYDVR0OBBYEFMfu
pGhop6lLHpUJZoRQlA96+rRiMFoGA1UdIwRTMFGAFMfupGhop6lLHpUJZoRQlA96
+rRioTakNDAyMQswCQYDVQQGEwJBRjEPMA0GA1UEChMGZW5kaWFuMRIwEAYDVQQD
EwllbmRpYW4gQ0GCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOCAQEA
NacuXWbvIzc2/joYTzsf4Ha9B4VrBjP1VhVrOwiBClr2MrvhOsZ2lKwJMGyCMm2g
3RSkWidXa4aB7Mm7eMx5i9tKcY+U+FnFiqb0nMbFiyRdzajG8RXtGtlJVmwIm47Q
CIXKPtkncOLUU0qJznlHwCp/lvyHIBGGxL1yoPNQidOoPQ2QHmeOFQJ7pEZGIIzr
Jc/VGyWYLJw4kGjh0rE80eok+cBrDTjRZXOUMJulztnFhsp5sr2fgho3O1QrcrVV
RP/s8PdsUMLKNfWGo0FwRt8Gzl4/B/p5qQG++SH/p+K8rZ+nBDZn/xky50fH6z4t
cyIxDE0HwHr4PYHi2mgcSA==
-----END CERTIFICATE-----

Generate Root/Host Certificates

Figure 8.22. VPN certificate authorities window: initial view

VPN certificate authorities window: initial view

To create an EFW Certificate Authority or CA, enter your CA's name in the CA Name box. The name should be different than the Endian Firewall machine's host name to avoid confusion. For example, efwa for the CA and efw for the hostname. Then click on the Generate Root/Host Certificates button. The Generate Root/Host Certificates page will appear. Fill out the form and both a X.509 root and host certificate will be generated.

The following describes the items in the form:

Organization Name

The organization name you want to use in the certificate. For example, if your VPN is tying together schools in a school district, you may want to use something like “Some School District.

Endian Firewall's Hostname

This should be the fully qualified domain name of your Endian Firewall. If you are using a dynamic DNS service (see the section called “Dynamic DNS Administrative Web Page”), use it.

Your E-mail Address

Your E-mail address, so that folks can get hold of you.

Your Department

This is the department or suborganization name. Continuing the school district example, this could be XX Elementary School. This is optional.

City

The city or mailing address for your machine. This is optional.

State of Province

The state or province associated with the mailing address.

Country

This pull down selection menu contains every ISO recognized country name. Use it to select the country associated with the certificate.

After completing the form, click on the Generate Root/Host Certificates button to generate the certificates.

If desired, you can generate several root and host certificates on a single Endian Firewall, and then export them to PKCS12 format files, encrypted with a password. You can then email them as attachments to your other sites. Using the Upload PKCS12 file portion of this web page, you can upload and decrypt the certificates on a local Endian Firewall machine. You generate the PKCS12 file on the remote Endian Firewall which owns the CA by creating the connection which is intended for the tunnel to your local Firewall as described in the section called “Host-to-Net Connection”, later in this document. If you select Generate a certificate on the remote side as described in the section called “Authentication”, it will create the file you need here.

Upload a CA certificate

If you already have created a CA certificate on another machine, you can simply upload the certificate file in order to give the local Endian Firewall the chance to verify remote certificates. Simply push the Browse button and choose the CA certificate file. Then finally push the Upload CA Certificate button. Thereafter the CA will be visible within the box above.

Reset configuration

By pressing the Reset button on the front page you will delete the entire VPN configuration from Endian Firewall. This could be necessary for example if you need to remove the CA because you want to create a new one.

Warning

This removes the entire IPSec configuration including Certificates, Keys and Connection configurations.

Add a new connection

Once you pushed the Add button, a page will appear which asks you for the desired connection type. The following describes the further procedure.

Connection Type

Figure 8.23. VPN connection type selection

VPN connection type selection

Select either Host-to-Net (Roadwarrior) for mobile users who need access to the GREEN network or Net-to-Net to grant users on another network access to your GREEN network and to allow users on your GREEN network to access the other network.

Choose the connection type you want to create and click on the Add button.

The next web page that appears contains two sections. The Connection section will differ depending on the connection type you are adding. The Authentication section will be the same.

Host-to-Net Connection

Figure 8.24. VPN Host-to-Net connection input

VPN Host-to-Net connection input

The following descibes each field of the connection configuration box if you selected Host-to-Net connection:

Name

Choose a simple name (lower case only, no spaces) to identify this connection.

Interface

Select the Endian Firewall network interface the roadwarrior will be connecting on, either RED or BLUE. Selecting the RED interface will allow the roadwarrior to connect from the Internet. Selecting the BLUE interface will allow the roadwarrior to connect to the GREEN network from a local wireless network.

Local Subnet

defaults to your GREEN network. If desired, you can create a subnet of your GREEN network to limit roadwarrior access to your GREEN network. Example for this field: 10.1.1.0/255.255.255.0.

Remark

allows you to add an optional remark that will appear in the Endian Firewall VPNs connection window for this connection.

Enabled

Click on the Enabled check box to enable this connection.

Edit advanced settings when done.

Click on the Edit advanced settings when done check box if you need to modify EFW's default settings for IPSec.

Net-to-Net Connection

Figure 8.25. VPN Net-to-Net connection input

VPN Net-to-Net connection input

Note on IPSec Terminology

IPSec uses the terms right and left for the two sides of a connection or tunnel. These terms have no real meaning. IPSec will orient itself based on network addresses and routes. Once it determines which network connection, left or right, to use to get to the other side of a connection, all other right or left parameters follow. Many folks use left for the local side of a connection and right for the remote side. This is not necessary. It is best to think of the terms as “side 1” and “side A” of an old LP record.

The following descibes each field of the connection configuration box if you selected Host-to-Net connection:

Name

Choose a simple name (lower case only with no spaces) to identify this connection.

Endian Firewall side

Choose a side for this Endian Firewall, right or left, that will be used in the IPSec configuration files to identify this Endian Firewall's side of the connection on this machine. The side is a symbolic identification for one side of the vpn tunnel. You are free to choose a side for the local end of the vpn tunnel as long as you use the same side to identify the local firewall on the remote machines configuration.

Local Subnet

defaults to your GREEN network. If desired, you can create a subnet of your GREEN network to limit roadwarrior access to your GREEN network. Example for this field: 10.1.1.0/255.255.255.0.

Remote Host/IP

Enter the static Internet IP address of the remote network's IPSec server. You can also enter the fully qualified domain name of the remote server. If the remote server is using a dynamic DNS service, you may have to restart the VPN if its IP address changes.

Remote subnet

Enter the remote network's network address and subnet mask in the same format as the Local Subnet field. This network must be different from the Local Subnet since IPSec sets up routing table entries to send IP packets to the correct remote network.

Remark

allows you to add an optional remark that will appear in the Endian Firewall VPN's connection window for this connection.

Enabled

Click on the Enabled check box to enable this connection.

Edit advanced settings when done.

Click on the Edit advanced settings when done check box if you need to modify EFW's default settings for IPSec.

Authentication

The second section of the web page deals with authentication. In other words, this is how this Endian Firewall will make sure the tunnel established by both sides of the interface is talking to its opposite number. Endian Firewall has made every effort to support both PSKs and X.509 certificates.

Figure 8.26. VPN authentication input

VPN authentication input

There are four mutually exclusive choices that can be used to authenticate a connection:

Use a Pre-Shared Key

Enter a pass phrase to be used to authenticate the other side of the tunnel. Choose this if you wish a simple Net-to-Net VPN. You can also use PSKs while experimenting in setting up a VPN. Do not use PSKs to authenticate tunnels to roadwarriors.

Upload certificate request

Some roadwarrior IPSec implementations do not have their own CA. If they wish to use IPSec's built in CA, they can generate what is a so called certificate request. This is a partial X.509 certificate that must be signed by CA to be a complete certificate. During certificate request upload, the request is signed and the new certificate will become available on the VPN's main web page.

Upload a certificate

In this case, the peer IPSec has a CA available for use. Both the peer's CA certificate and host certificate must be uploaded.

Generate a certificate

In this case, the IPSec peer will be able to provide an X.509 certificate, but lacks the capacity to even generate a certificate request. In this case, complete the required fields. Optional fields are indicated by red dots. If this certificate is for a Net-to-Net connection, the User's Full Name or System Hostname field may have to be the Internet fully qualified domain name of the peer. The optional organization name is meant to isolate different portions of an organization from access to EFW's full GREEN network by subnetting the Local Subnet in the connection definition portion of this web page. The PKCS12 File Password fields ensure that the host certificates generated cannot be intercepted and compromised while being transmitted to the IPSec peer.

This page was last modified on: $Date: 2006-11-22 23:32:04 +0100 (Wed, 22 Nov 2006) $.