2.7.3. IPsec Configuration Administrative Web Page

To set up a VPN with IPsec, do the following:

  1. Create a Certificate Authority.

  2. Enable IPsec on your chosen interface(s) in the Global Settings section.

  3. Add either a Host-to-Net (Roadwarrior) connection, or a Net-to-Net connection.

  4. Next item...

  5. Next item...

2.7.3.1. Global settings

The first line in the Global Settings box indicates if the IPsec server is stopped or running.

Figure 2.59. Global settings

Global settings section


IPsec on RED.  Check this box to enable the IPsec server for RED.

IPsec on BLUE.  Only visible if you have configured a BLUE interface. Check this box to enable the IPsec server for BLUE.

Public IP or FQDN for RED interface or <%defaultroute>.  Enter the IPsec server details, either its fully qualified domain name or the public IP address of the red interface. If you are using a dynamic DNS service, you should use your dynamic DNS name here.

VPNs and Dynamic DNS

If your ISP changes your IP address, be aware that Net-to-Net VPNs may have to be restarted from both ends of the tunnel. Roadwarriors will also have to restart their connections in this case.

Override default MTU - optional.  The MTU (Maximum Transmission Unit) is the maximum datagram size in bytes that can be sent unfragmented over a particular network path.

Delay before launching VPN (seconds).  If you have a fixed public IP on RED, keep the value at 0. If you are using a dynamic DNS service, use a value of at least 60 seconds so that the dynamic DNS entry has enough time to propagate to all DNS servers.

Restart net-to-net vpn when remote peer IP changes...  Restarts the Net-to-Net VPN when the remote peer's IP address changes (dyndns). This helps Dead Peer Detection (DPD). Content to be written...

PLUTO DEBUG.  Several debugging options that can help with troubleshooting. Use with care: the many additional log messages can often be confusing.

2.7.3.2. Connection Status and Control

Figure 2.60. Connection status and control window: Initial View

Connection status screen


To create an IPsec VPN connection use the Add button. The VPN connection type page will appear.

2.7.3.3.  Connection Type

Figure 2.61. Connection Type Selection

Connection Type screen


Select Host-to-Net VPN (Roadwarrior) for mobile users who need access to the GREEN network. Select Net-to-Net VPN to allow users on another network access to your GREEN network, and to allow users on your GREEN network access to the other network.

Choose the connection type you wish to create and click on the Add button.

The next page that appears contains two sections. The Connection section will be different depending on the connection type you are adding. The Authentication section will be the same.

2.7.3.4.  Host-to-Net Connection

Figure 2.62. Host-to-Net Connection

Host-to-Net Connection screen


Name A simple name (lowercase only, with no spaces) to identify this connection.

Enabled Tick the Enabled checkbox to enable this connection.

Host IP Address Content to be written...

Remote Host/IP - optional.  Enter the static Internet IP address of the remote network's IPsec server. You can also enter the fully qualified domain name of the remote server. If the remote server is using a dynamic DNS service, you may have to restart IPsec if its IP address changes. There are several scripts available on the IPCop news groups that will do this for you.

Local Subnet Local Subnet defaults to your GREEN network. If desired, you can create a subnet of your GREEN network to limit roadwarrior access to your GREEN network.

Local ID - optional.  Content to be written...

Remote ID - optional.  Content to be written...

Dead Peer Detection action Choose from clear, hold or restart.

Openswan recommend in their README.DPD file that hold be used for statically defined tunnels, and clear be used for roadwarrior tunnels.

Remark - optional.  The Remark field allows you to add an optional comment that will appear in the IPCop VPNs connection window for this connection.

Edit advanced settings when done Tick the Edit advanced settings when done checkbox if you need to modify IPCop's default settings for IPsec.

2.7.3.5.  Net-to-Net Connection

Figure 2.63. Net-to-Net Connection

Net-to-Net Connection section


Name Choose a simple name (lowercase only, with no spaces) to identify this connection.

Enabled Tick the Enabled checkbox to enable this connection.

Host IP Address Content to be written...

Remote Host/IP Enter the static Internet IP address of the remote network's IPsec server. You can also enter the fully qualified domain name of the remote server. If the remote server is using a dynamic DNS service, you may have to restart IPsec if its IP address changes. There are several scripts available on the IPCop news groups that will do this for you.

Local Subnet Local Subnet defaults to your GREEN network. If desired, you can create a subnet of your GREEN network to limit access to your GREEN network.

Remote subnet Enter the remote network's network address and subnet mask in the same format as the Local Subnet field. This network must be different from the Local Subnet since IPsec sets up routing table entries to send IP packets to the correct remote network.

Local ID - optional Content to be written...

Remote ID - optional Content to be written...

Dead Peer Detection action Choose from clear, hold or restart.

Openswan recommend in their README.DPD file that hold be used for statically defined tunnels, and clear be used for roadwarrior tunnels.

Operation at IPsec startup Choose from add, route or start.

Remark - optional The Remark field allows you to add an optional comment that will appear in the IPCop VPNs connection window for this connection.

Edit advanced settings when done Tick the Edit advanced settings when done checkbox if you need to modify IPCop's default settings for IPsec.

2.7.3.6.  Authentication

The second section of the web page deals with authentication. In other words, this is how this IPCop verifies that the peer at the other end of the tunnel is the one it expects. IPCop has made every effort to support both PSKs and X.509 certificates. There are four mutually exclusive choices that can be used to authenticate a connection.

Figure 2.64. Authentication

Authentication upper section


Use a Pre-Shared Key Enter a pass phrase to be used to authenticate the other side of the tunnel. Choose this if you want a simple Net-to-Net VPN. You can also use PSKs while experimenting in setting up a VPN. Do not use PSKs to authenticate tunnels to roadwarriors.

Upload certificate request Some roadwarrior IPsec implementations do not have their own CA. If they wish to use the built-in CA, they can generate what is called a certificate request. This is a partial X.509 certificate that must be signed by a CA to become a complete certificate. During certificate request upload, the request is signed and the new certificate becomes available on the VPNs main web page.

Upload a certificate In this case, the peer IPsec has a CA available for use. Both the peer's CA certificate and host certificate must be uploaded.

Figure 2.65. Authentication continued

Authentication lower section


Generate a certificate In this case, the IPsec peer will be able to present an X.509 certificate, but lacks the capacity to even generate a certificate request. Complete the required fields; optional fields are indicated by red dots. If this certificate is for a Net-to-Net connection, the User's Full Name or System Hostname field may need to be the Internet fully qualified domain name of the peer. The optional organization name is meant to isolate different portions of an organization from access to IPCop's full GREEN network by subnetting the Local Subnet in the connection definition portion of this web page. The PKCS12 File Password fields protect the generated host certificate and its private key: the PKCS#12 file is encrypted with this password, so it cannot be used if it is intercepted while being transmitted to the IPsec peer.
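As an added example, not part of the IPCop manual or IPCop's own code, the following script checks the Host-to-Net and Net-to-Net fields described above (name format, Local Subnet inside GREEN, distinct Remote Subnet, the DPD and startup choices, and the rule that roadwarriors must not use a PSK) and renders the result as an Openswan-style conn block. The GREEN network, addresses, names, the right=%any and auto=add values for roadwarriors, and the certificate file name are constructed assumptions.

```python
"""Added example, not IPCop's own code: sanity-check the connection fields
and render them as an Openswan 'conn' block. Sample values are constructed."""
import ipaddress

DPD_ACTIONS = {"clear", "hold", "restart"}      # Dead Peer Detection action
STARTUP_OPS = {"add", "route", "start"}         # Operation at IPsec startup
GREEN = ipaddress.ip_network("192.168.1.0/24")  # constructed GREEN network


def check_connection(form):
    """Return a list of problems; an empty list means the form is acceptable."""
    problems = []
    name = form["name"]
    if not name or name != name.lower() or " " in name:
        problems.append("Name must be lowercase with no spaces")
    local = ipaddress.ip_network(form["local_subnet"], strict=False)
    if not local.subnet_of(GREEN):
        problems.append("Local Subnet must be GREEN or a subnet of GREEN")
    if form["dpd_action"] not in DPD_ACTIONS:
        problems.append("Dead Peer Detection action must be clear, hold or restart")
    if form["type"] == "net-to-net":
        remote = ipaddress.ip_network(form["remote_subnet"], strict=False)
        if local.overlaps(remote):   # IPsec installs routes per remote network
            problems.append("Remote Subnet must differ from the Local Subnet")
        if form["startup"] not in STARTUP_OPS:
            problems.append("Operation at IPsec startup must be add, route or start")
    elif form["auth"] == "psk":      # the manual: no PSKs for roadwarriors
        problems.append("Do not use a Pre-Shared Key for a roadwarrior")
    return problems


def render_conn(form):
    """Render the form as an Openswan 'conn' section (left = this IPCop)."""
    roadwarrior = form["type"] != "net-to-net"
    lines = [f"conn {form['name']}",
             "    left=%defaultroute",           # RED side, per Global settings
             f"    leftsubnet={form['local_subnet']}",
             # assumption: a roadwarrior connects from an unknown address
             f"    right={'%any' if roadwarrior else form['remote_host']}",
             f"    dpdaction={form['dpd_action']}",
             f"    auto={'add' if roadwarrior else form['startup']}"]
    if not roadwarrior:
        lines.append(f"    rightsubnet={form['remote_subnet']}")
    if form["auth"] == "psk":
        lines.append("    authby=secret")
    else:  # X.509 certificates; the host certificate file name is constructed
        lines += ["    authby=rsasig", "    leftcert=ipcop-host.pem",
                  "    leftrsasigkey=%cert", "    rightrsasigkey=%cert"]
    for key, opt in (("local_id", "leftid"), ("remote_id", "rightid")):
        if form.get(key):                        # Local ID / Remote ID are optional
            lines.append(f"    {opt}={form[key]}")
    return "\n".join(lines)
```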