Site-to-site configurations are a further extension of host-to-site configurations. In this case communication is expanded to multiple subnets on both sides of the connection. The subnets and the communication IP addresses are defined with leftsourceip, rightsourceip, leftsubnets and rightsubnets.
 
Required tasks:
- Import the CA certificates into the NSS database as trusted CAs (trust flags "CT,,").
- Import the local host's own certificate and private key from its PKCS#12 file.
- Import the peer host's certificate as a trusted peer (trust flags "P,,").
- Create the site-to-site connection definition and restart the IPsec service.

Import the CA certificate as a trusted CA:
Format:
certutil -A -i <certificate file> -n "<nickname>" -t "CT,," -d sql:/etc/ipsec/ipsec.d/
Example:
root@ng-west:~# certutil -A -i zpeca.crt -n "zpeca" -t "CT,," -d sql:/etc/ipsec/ipsec.d/
Import further CA certificates the same way:
Format:
certutil -A -i <certificate file> -n "<nickname>" -t "CT,," -d sql:/etc/ipsec/ipsec.d/
Example:
root@ng-west:~# certutil -A -i euzpeca.crt -n "euzpeca" -t "CT,," -d sql:/etc/ipsec/ipsec.d/
Import the local host's certificate and private key from its PKCS#12 file; the nickname given here is used later as leftcert:
Format:
ipsec import <file.p12> -n <nickname> -d sql:/etc/ipsec/ipsec.d/
Example:
root@ng-west:~# ipsec import ng-west.p12 -n ng-west -d sql:/etc/ipsec/ipsec.d/
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
Import the peer host's certificate as a trusted peer; the nickname given here is used later as rightcert:
Format:
certutil -A -i <certificate file> -n "<nickname>" -t "P,," -d sql:/etc/ipsec/ipsec.d/
Example:
root@ng-west:~# certutil -A -i ng-east.crt -n "ng-east" -t "P,," -d sql:/etc/ipsec/ipsec.d/
| Fields | Values | Comments |
|---|---|---|
| Connection name | <String> | |
| leftid | %fromcert | The leftid is populated from the certificate |
| left | <IP or FQDN> of the West/Left host | In addition to an actual IP address, the following values can be used; they are resolved when the service starts: %defaultgateway, %eth0 |
| leftsourceip | <INTERNAL IP TO BE USED> | IP address of the west node that is used for the tunnel communication. This IP should belong to one of the leftsubnets. |
| leftsubnets | <LIST OF SUBNETS> | One or multiple subnets can be defined; for each subnet an individual tunnel is created |
| leftrsasigkey | %cert | Uses the RSA key of the certificate |
| leftcert | <IDENTIFIER> | Certificate identifier (the nickname given at import) |
| rightid | %fromcert | The rightid is populated from the certificate |
| right | <IP or FQDN> of the East/Right host | In addition to an actual IP address, the following values can be used; they are resolved when the service starts: %defaultgateway, %eth0 |
| rightsourceip | <INTERNAL IP TO BE USED> | IP address of the east node that is used for the tunnel communication. This IP should belong to one of the rightsubnets. |
| rightsubnets | <LIST OF SUBNETS> | One or multiple subnets can be defined; for each subnet an individual tunnel is created |
| rightrsasigkey | %cert | Uses the RSA key of the certificate |
| rightcert | <IDENTIFIER> | Certificate identifier (the nickname given at import) |
| auto | start | Regulates when the IPsec tunnel is established. Accepted values: add (manual start), start (starts with the service), ondemand (established when traffic exists), ignore (connection is ignored and not used) |
| connaddrfamily | ipv4 | Possible values are ipv4 or ipv6 |
Format:
conn <connection name>
      connaddrfamily=ipv4
      auto=<add|start|ondemand|ignore>
      leftid=%fromcert
      left=<IP or FQDN>
      leftsourceip=<INTERNAL IP TO BE USED>
      leftsubnets={<IP/MASK> <IP/MASK>}
      leftrsasigkey=%cert
      leftcert=<IDENTIFIER>

      rightid=%fromcert
      right=<IP or FQDN>
      rightsourceip=<INTERNAL IP TO BE USED>
      rightsubnets={<IP/MASK> <IP/MASK>}
      rightrsasigkey=%cert
      rightcert=<IDENTIFIER>
Example /etc/ipsec/ipsec.d/site-to-site-cert.conf
conn site-to-site-cert
        connaddrfamily=ipv4
        auto=start
        leftid=%fromcert
        left=192.168.50.4
        leftsourceip=192.168.59.4
        leftsubnets={192.168.59.0/24}
        leftrsasigkey=%cert
        leftcert=ng-west
        rightid=%fromcert
        right=192.168.58.4
        rightsourceip=192.168.60.4
        rightsubnets={192.168.60.0/24 192.168.61.0/24}
        rightrsasigkey=%cert
        rightcert=ng-east
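As an added example (not part of the original page or of Libreswan), a small Python checker that parses a conn definition like the one above and enforces the constraints from the table: %fromcert/%cert on both sides, a certificate nickname on both sides, and each sourceip lying inside one of that side's subnets. The embedded conn text is a constructed copy of the example above.

```python
import ipaddress

# Constructed sample (assumption): the site-to-site-cert conn shown on this page.
SAMPLE_CONF = """\
conn site-to-site-cert
        auto=start
        leftid=%fromcert
        left=192.168.50.4
        leftsourceip=192.168.59.4
        leftsubnets={192.168.59.0/24}
        leftrsasigkey=%cert
        leftcert=ng-west
        rightid=%fromcert
        right=192.168.58.4
        rightsourceip=192.168.60.4
        rightsubnets={192.168.60.0/24 192.168.61.0/24}
        rightrsasigkey=%cert
        rightcert=ng-east
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section of an ipsec.conf fragment."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def check_site_to_site(conn):
    """List the constraints from the table above that this conn violates (empty list = OK)."""
    problems = []
    for side in ("left", "right"):
        # Certificate authentication: identity taken from the cert, key from the NSS database.
        if conn.get(side + "id") != "%fromcert" or conn.get(side + "rsasigkey") != "%cert":
            problems.append(side + "id/" + side + "rsasigkey must be %fromcert/%cert")
        if not conn.get(side + "cert"):
            problems.append(side + "cert (NSS nickname) is missing")
        # The sourceip must lie inside one of that side's subnets; one tunnel is built per subnet.
        nets = [ipaddress.ip_network(s) for s in conn.get(side + "subnets", "").strip("{}").split()]
        ip = ipaddress.ip_address(conn.get(side + "sourceip", "0.0.0.0"))
        if not any(ip in n for n in nets):
            problems.append(f"{side}sourceip {ip} is not inside {side}subnets")
    return problems
```

Run it against the real file with `check_site_to_site(parse_conns(open("/etc/ipsec/ipsec.d/site-to-site-cert.conf").read())["site-to-site-cert"])` before restarting the service.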
Restart the IPsec service so that the new connection is loaded:
root@ng-west:~# ipsec restart
Redirecting to: /etc/init.d/ipsec stop
Shutting down pluto IKE daemon
002 shutting down
Redirecting to: /etc/init.d/ipsec start
Starting pluto IKE daemon for IPsec: .
root@ng-west:~#
Verify that the IPsec SAs are established and that the peer identity comes from the expected certificate:
root@ng-west:/etc/ipsec/ipsec.d# ipsec whack --trafficstatus
006 #4: "site-to-site-cert", type=ESP, add_time=0, inBytes=252, outBytes=252, id='C=US, ST=California, L=Fremont, CN=ng-east'
006 #3: "site-to-site-cert", type=ESP, add_time=1524106315, inBytes=0, outBytes=0, id='C=US, ST=California, L=Fremont, CN=ng-east'
root@ng-west:~# ipsec whack --status |grep site-to-site-cert
…………….
000 #4: "site-to-site-cert":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27850s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #4: "site-to-site-cert" esp.8f05c62c@192.168.58.4 esp.33385f41@192.168.50.4 tun.0@192.168.58.4 tun.0@192.168.50.4 ref=0 refhim=0 Traffic: ESPin=252B ESPout=252B! ESPmax=4194303B
000 #1: "site-to-site-cert":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2409s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #3: "site-to-site-cert":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28316s; isakmp#2; idle; import:not set
000 #3: "site-to-site-cert" esp.759f48b6@192.168.58.4 esp.62dcc0e@192.168.50.4 tun.0@192.168.58.4 tun.0@192.168.50.4 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000 #2: "site-to-site-cert":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3116s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
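As an added check (not part of the original page or of Libreswan), a Python parser for the `ipsec whack --trafficstatus` output above that confirms the tunnel has ESP SAs, that every SA was authenticated by the expected peer certificate (the CN in the id field), and which SAs are up but idle. It assumes the two status lines shown above (embedded as a constructed sample) and that the peer nickname ng-east equals its certificate CN.

```python
import re

# Constructed sample (assumption): the two lines printed by 'ipsec whack --trafficstatus' above.
SAMPLE_STATUS = """\
006 #4: "site-to-site-cert", type=ESP, add_time=0, inBytes=252, outBytes=252, id='C=US, ST=California, L=Fremont, CN=ng-east'
006 #3: "site-to-site-cert", type=ESP, add_time=1524106315, inBytes=0, outBytes=0, id='C=US, ST=California, L=Fremont, CN=ng-east'
"""

LINE_RE = re.compile(
    r'^\d{3} #(?P<sa>\d+): "(?P<conn>[^"]+)", type=(?P<type>\w+), add_time=(?P<added>\d+), '
    r"inBytes=(?P<inb>\d+), outBytes=(?P<outb>\d+), id='(?P<id>[^']*)'"
)

def parse_trafficstatus(text):
    """Turn trafficstatus output into a list of dicts, one per IPsec SA."""
    sas = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            for k in ("sa", "added", "inb", "outb"):
                rec[k] = int(rec[k])
            sas.append(rec)
    return sas

def dn_cn(dn):
    """Extract the CN attribute from a DN string such as 'C=US, ..., CN=ng-east'."""
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        if attr == "CN":
            return value
    return None

def verify_tunnel(sas, conn, expected_peer_cn):
    """Check one conn: it needs at least one ESP SA and every SA must come from the expected peer cert."""
    mine = [s for s in sas if s["conn"] == conn and s["type"] == "ESP"]
    problems = [] if mine else [f"no ESP SA for {conn}: tunnel is not established"]
    for s in mine:
        # The peer identity comes from its certificate (rightid=%fromcert): a different CN means
        # the tunnel was authenticated by some other certificate than the one you expected.
        if dn_cn(s["id"]) != expected_peer_cn:
            problems.append(f"SA #{s['sa']} peer CN is {dn_cn(s['id'])!r}, expected {expected_peer_cn!r}")
    # SAs with zero bytes both ways are up but unused; worth a look if traffic was expected.
    idle = [s["sa"] for s in mine if s["inb"] == 0 and s["outb"] == 0]
    return {"ok": not problems, "problems": problems, "idle": idle}
```

On a live gateway feed it the real output, e.g. `verify_tunnel(parse_trafficstatus(subprocess.check_output(["ipsec", "whack", "--trafficstatus"], text=True)), "site-to-site-cert", "ng-east")`.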