VPN between two IPCOP systems

This is borrowed from http://www.databrokers.net/opensource/ipcop/vpn-to-vpn-detailed-how-to.html

All credit goes to him, I’m mirroring because I don’t use this information often, but I have a little fear that some day I might not be able to find it when I need it.

VPN-to-VPN detailed How-to

Introduction

I was trying to set up a Net-to-Net VPN between 2 IPCop boxes without much success. I was using the Short Howto on the X.509 VPN.

The procedure is relatively simple, but sometimes it gets confusing which side is what. If you don’t do everything right, it does not work and it is difficult to understand what is wrong.

I had to do it 3 times to get it right. As a result I wrote this detailed step-by-step how-to.

Hope it is useful for other people.

Iassen Hristov

Scenario

We have 2 IPCop boxes, both running the latest version as of this writing, 1.4.2 (this how-to should work for later 1.4 versions as well).

We want to make an IPSec VPN between the 2 internal networks protected by the 2 IPCop boxes.

Network diagram

GREEN1 --- ipcop1 --------- Internet --------- ipcop2 --- GREEN2

  • GREEN1 is 192.168.1.0/24

  • ipcop1 has a public IP address of 24.24.24.1 with a public name of ipcop1.ipcop1.org. The specific IP address does not matter as long as both sides resolve it correctly.

  • GREEN2 is 192.168.102.0/24

  • ipcop2 has a public IP address of 24.24.24.2 with a public name of ipcop2.ipcop2.org

  • The hostnames of both IPCop boxes are different. They are NOT ipcop1.ipcop1.org and ipcop2.ipcop2.org.

Detailed step-by-step instructions


Preparation

  1. On ipcop1:

    1. reset VPN settings if necessary (hitting the “Reset” button on the VPN page deletes all certificates and connections that might have been previously created)

    2. set “Local VPN Hostname/IP” to ipcop1.ipcop1.org, check “Enabled” and hit Save

    3. reboot ipcop1 (just in case)

  2. On ipcop2:

    1. reset VPN settings if necessary (hitting the “Reset” button on the VPN page deletes all certificates and connections that might have been previously created)

    2. set “Local VPN Hostname/IP” to ipcop2.ipcop2.org, check “Enabled” and hit Save

    3. reboot ipcop2 (just in case)


Generate Root/Host Certificates

  1. On ipcop1: Hit the “Generate Root/Host Certificates” button and fill the following values:

    1. ipcop1 as the “Organization name”

    2. ipcop1.ipcop1.org as the “IPCop’s Hostname” (this will be already filled for you)

    3. Specify your Country

    4. hit the “Generate Root/Host Certificates” button. This will generate the certificates (it might take a while) and will take you back to the VPN configuration page.

    5. Click the “Download Root Certificate” button (icon like a floppy disk). You will be prompted for the file name to save. The default file name is cacert.pem. Just so there is no confusion change the name to cacert.1.pem

    6. Click the “Download Host Certificate” button (the icon below). You will be prompted for the file name to save. The default file name is hostcert.pem. Just so there is no confusion change the name to hostcert.1.pem

  2. On ipcop2: Hit the “Generate Root/Host Certificates” button and fill the following values:

    1. ipcop2 as the “Organization name”

    2. ipcop2.ipcop2.org as the “IPCop’s Hostname” (this will be already filled for you)

    3. Specify your Country

    4. hit the “Generate Root/Host Certificates” button. This will generate the certificates (it might take a while) and will take you back to the VPN configuration page.

    5. Click the “Download Root Certificate” button (icon like a floppy disk). You will be prompted for the file name to save. The default file name is cacert.pem. Just so there is no confusion change the name to cacert.2.pem

    6. Click the “Download Host Certificate” button (the icon below). You will be prompted for the file name to save. The default file name is hostcert.pem. Just so there is no confusion change the name to hostcert.2.pem


Upload the CA Certificates

In this step you are letting the 2 IPCop boxes know about the other CA (Certificate Authority), so that they can trust the certificates issued by the other box.

  1. On ipcop1:

    1. Fill ipcop2 as the “CA name”

    2. Browse and select the cacert.2.pem file

    3. hit the “Upload CA Certificate” button. This will upload the CA certificate from ipcop2 to ipcop1 and it will show it as the 3rd row in the “Certificate Authorities” (bottom) section.

  2. On ipcop2:

    1. Fill ipcop1 as the “CA name”

    2. Browse and select the cacert.1.pem file

    3. hit the “Upload CA Certificate” button. This will upload the CA certificate from ipcop1 to ipcop2 and it will show it as the 3rd row in the “Certificate Authorities” (bottom) section.


Create connections

  1. On ipcop1: Hit the “Add” button in the middle panel. On the next screen select “Net-to-Net Virtual Private Network” for the “Connection type” and fill the following values:

    1. ipcop2 as the “Name”

    2. left as the “IPCop side”

    3. 192.168.1.0/255.255.255.0 as the “Local subnet”

    4. ipcop2.ipcop2.org as the “Remote Host/IP”

    5. 192.168.102.0/255.255.255.0 as the “Remote subnet”

    6. In the “Authentication” section select “Upload a certificate”. Check “Upload a certificate” and browse to the hostcert.2.pem file.

    7. Finally hit the “Save” button

  2. On ipcop2 (everything is reversed): Hit the “Add” button in the middle panel. On the next screen select “Net-to-Net Virtual Private Network” for the “Connection type” and fill the following values:

    1. ipcop1 as the “Name”

    2. right as the “IPCop side”

    3. 192.168.102.0/255.255.255.0 as the “Local subnet”

    4. ipcop1.ipcop1.org as the “Remote Host/IP”

    5. 192.168.1.0/255.255.255.0 as the “Remote subnet”

    6. In the “Authentication” section select “Upload a certificate”. Check “Upload a certificate” and browse to the hostcert.1.pem file.

    7. Finally hit the “Save” button

Done
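Since the author says the usual trouble is losing track of which side is what, it pays to cross-check the two forms against each other before hitting Save on either box. The script below is an added example, not code from the how-to or from IPCop: it models the two Net-to-Net forms with the page's own values (and one constructed, deliberately wrong copy) and reports every mismatch. The NetToNet class, the check_pair function and the cert_from field are this example's own naming; the field comments use the labels of the IPCop form.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class NetToNet:
    """What was typed into one box's Net-to-Net form, keyed by the page's labels."""
    box: str             # the IPCop box this form is filled in on
    local_hostname: str  # "Local VPN Hostname/IP" set during Preparation
    name: str            # "Name" (the page names each connection after the peer)
    side: str            # "IPCop side": "left" or "right"
    local_subnet: str    # "Local subnet" in the GUI's network/netmask notation
    remote_host: str     # "Remote Host/IP"
    remote_subnet: str   # "Remote subnet"
    cert_from: str       # which box the uploaded host certificate was downloaded from


def check_pair(a: NetToNet, b: NetToNet) -> List[str]:
    """Return every mismatch between the two forms; an empty list means they mirror."""
    problems = []
    nets = {}
    for form in (a, b):
        for label, value in (("Local subnet", form.local_subnet),
                             ("Remote subnet", form.remote_subnet)):
            try:
                nets[(form.box, label)] = ipaddress.ip_network(value, strict=True)
            except ValueError as exc:
                problems.append(f"{form.box}: {label} {value!r} is not a valid network ({exc})")
    if problems:
        return problems  # nothing to compare until both forms parse

    if {a.side, b.side} != {"left", "right"}:
        problems.append(f"IPCop side must be left on one box and right on the other, "
                        f"got {a.side} on {a.box} and {b.side} on {b.box}")
    for me, peer in ((a, b), (b, a)):
        if nets[(me.box, "Local subnet")] != nets[(peer.box, "Remote subnet")]:
            problems.append(f"{me.box} Local subnet {me.local_subnet} is not "
                            f"{peer.box}'s Remote subnet {peer.remote_subnet}")
        if nets[(me.box, "Local subnet")].overlaps(nets[(me.box, "Remote subnet")]):
            problems.append(f"{me.box}: local and remote subnets overlap, so traffic "
                            f"for the far side would never be routed into the tunnel")
        if me.remote_host != peer.local_hostname:
            problems.append(f"{me.box} Remote Host/IP {me.remote_host} does not match "
                            f"{peer.box}'s Local VPN Hostname {peer.local_hostname}")
        if me.cert_from != peer.box:
            problems.append(f"{me.box} uploaded the host certificate from {me.cert_from}, "
                            f"expected the one downloaded from {peer.box}")
    return problems


# The two forms exactly as the how-to fills them in.
IPCOP1 = NetToNet("ipcop1", "ipcop1.ipcop1.org", "ipcop2", "left",
                  "192.168.1.0/255.255.255.0", "ipcop2.ipcop2.org",
                  "192.168.102.0/255.255.255.0", "ipcop2")
IPCOP2 = NetToNet("ipcop2", "ipcop2.ipcop2.org", "ipcop1", "right",
                  "192.168.102.0/255.255.255.0", "ipcop1.ipcop1.org",
                  "192.168.1.0/255.255.255.0", "ipcop1")

# Constructed mistake: the ipcop2 form copied from ipcop1 without swapping the
# side and the subnets, the kind of confusion the author describes.
IPCOP2_WRONG = NetToNet("ipcop2", "ipcop2.ipcop2.org", "ipcop1", "left",
                        "192.168.1.0/255.255.255.0", "ipcop1.ipcop1.org",
                        "192.168.102.0/255.255.255.0", "ipcop1")

if __name__ == "__main__":
    for label, pair in (("as on the page", (IPCOP1, IPCOP2)),
                        ("copied form", (IPCOP1, IPCOP2_WRONG))):
        found = check_pair(*pair)
        print(f"{label}: {'consistent' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run it as-is and the page's pair comes back consistent while the copied form is flagged three times (same side on both boxes and a subnet mismatch seen from each end); a network with host bits set, such as a typo of 192.168.102.1 for the subnet, is rejected before any comparison is made.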






Important note: As some people have pointed out, it is essential to have your clock synchronized to accurate time on both machines, otherwise you might have issues.


Here is one case:

> My clock was a few hours ahead, the certs I was generating were yet
> to become valid, and I was getting a very uninformative failure that
> my CA was not available for my host verification.
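The quoted failure is easy to spot before the tunnel is configured: read the validity window out of the peer's host certificate and compare it with the clock on the box that will be checking it. The script below is an added example, not part of the how-to or of IPCop. It parses the output of `openssl x509 -noout -dates -in hostcert.2.pem` (the layout is openssl's; the dates in SAMPLE_DATES are constructed for this example) and reports how that certificate looks from a box whose UTC clock reads a given time, including how long a not-yet-valid certificate will keep being rejected. The function names and the "YYYY-MM-DD HH:MM:SS" clock input are this example's own choices.

```python
from datetime import datetime, timezone

# Constructed sample of what `openssl x509 -noout -dates -in hostcert.2.pem`
# prints; the dates are made up for this example, the layout is openssl's.
SAMPLE_DATES = """\
notBefore=Sep  5 08:00:00 2006 GMT
notAfter=Sep  5 08:00:00 2007 GMT
"""

OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y GMT"
CLOCK_FMT = "%Y-%m-%d %H:%M:%S"   # how this example accepts a box's clock reading


def parse_openssl_dates(text):
    """Return (notBefore, notAfter) as UTC datetimes parsed from `-dates` output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            value = " ".join(value.split())  # openssl pads single-digit days with a space
            found[key] = datetime.strptime(value, OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("output did not contain both notBefore and notAfter")
    return found["notBefore"], found["notAfter"]


def check_peer_certificate(dates_text, peer_clock_utc):
    """Report how a certificate looks from a box whose UTC clock reads `peer_clock_utc`.

    `peer_clock_utc` is a "YYYY-MM-DD HH:MM:SS" string. The result carries the
    certificate window as ISO strings, a status, and for a not-yet-valid
    certificate the number of seconds the peer will keep rejecting it.
    """
    not_before, not_after = parse_openssl_dates(dates_text)
    now = datetime.strptime(peer_clock_utc, CLOCK_FMT).replace(tzinfo=timezone.utc)
    report = {"notBefore": not_before.isoformat(), "notAfter": not_after.isoformat()}
    if now < not_before:
        report["status"] = "not yet valid"
        report["valid_in_seconds"] = int((not_before - now).total_seconds())
    elif now >= not_after:
        report["status"] = "expired"
    else:
        report["status"] = "ok"
    return report


if __name__ == "__main__":
    # The quoted case: the issuing box's clock was a few hours ahead, so the
    # peer, whose clock is right, sees a certificate from the future.
    print(check_peer_certificate(SAMPLE_DATES, "2006-09-05 05:00:00"))
    print(check_peer_certificate(SAMPLE_DATES, "2006-09-05 09:00:00"))
```

On a real pair of boxes, feed it the `-dates` output of the host certificate downloaded from the other side and the other box's `date -u` reading; `openssl verify -CAfile cacert.2.pem hostcert.2.pem` is the matching check that the peer's host certificate really chains to the CA uploaded in the previous section.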



Revision history of this document

Description                                              Author  Date         Version
Initial version                                          IH      13-Feb-2005  0.1
Added note about time synchronization and version table  IH      05-Sep-2006  0.2