Version 0.1 (02 May 2018)
Overview
Nodegrid comes with all the tools required to run and configure IPSec pre-installed, but IPSec is not configured by default, and a few preparation steps need to be performed on every node before the first VPN connection can be tested. This section outlines the individual steps required.
The configuration can currently only be performed through command line tools or through automation methods that use the shell. The configuration has to be performed as the root user.
The configuration file for the IPSec service is located in
/etc/ipsec/ipsec.conf
This file contains the settings for the service itself and the options that apply to all connection configurations.
By convention, all connection configuration files are placed into the IPSec configuration folder:
/etc/ipsec/ipsec.d/
Connection configurations should be placed into individual files inside this folder. While one configuration file can hold multiple connection definitions, this How-to uses an individual file for each configuration.
By convention, all file names belonging to a connection start with the connection name.
Example for the connection host-to-host:
/etc/ipsec/ipsec.d/host-to-host.conf - configuration file of the connection
/etc/ipsec/ipsec.d/host-to-host.secrets - secrets file which contains the PSK
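As an added example (not part of the original How-to and not Nodegrid's own tooling), the following shell script creates the two files for a host-to-host connection following the naming convention above: NAME.conf holding the connection definition and NAME.secrets holding the PSK, created root-only. It assumes the Libreswan configuration syntax (the `ipsec initnss` command used later in this How-to is Libreswan's); the addresses 192.0.2.10 and 198.51.100.20, the cipher selection and the target directory argument are choices made for this example so it can be run outside /etc/ipsec/ipsec.d/.

```shell
#!/bin/sh
# Added example, not Nodegrid's own code. Writes NAME.conf and NAME.secrets
# into a configuration directory following the "one connection, one file
# prefix" convention. Assumes Libreswan syntax for the conn and secrets files.

# new_psk -> 32 random bytes from /dev/urandom printed as 64 hex characters.
new_psk() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# valid_conn_name NAME -> true only for names that are safe both as a file
# prefix and as a "conn" label (letters, digits, dash, underscore).
valid_conn_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# write_host_to_host DIR NAME LEFT RIGHT PSK
# Creates DIR/NAME.conf (connection definition) and DIR/NAME.secrets (PSK).
# Both peers get identical copies; the secrets file is created with mode 0600
# because it holds the shared key.
write_host_to_host() {
    dir="$1"; name="$2"; left="$3"; right="$4"; psk="$5"
    valid_conn_name "$name" || { echo "invalid connection name: $name" >&2; return 1; }
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }

    # Connection definition: IKEv2 only, explicit IKE/ESP algorithms
    # (example choices), PSK authentication, started at service start.
    cat > "$dir/$name.conf" <<EOF
# Host-to-host IPsec connection "$name" (generated example)
conn $name
    left=$left
    right=$right
    authby=secret
    ikev2=insist
    ike=aes256-sha2;modp2048
    esp=aes256-sha2
    auto=start
EOF

    # Secrets are indexed by the two peer addresses; keep the file root-only
    # from the moment it is created, not only after a later chmod.
    old_umask=$(umask); umask 077
    printf '%s %s : PSK "%s"\n' "$left" "$right" "$psk" > "$dir/$name.secrets"
    umask "$old_umask"
    chmod 600 "$dir/$name.secrets"
}

# secrets_mode FILE -> the permission string ls prints, e.g. -rw-------
secrets_mode() {
    ls -l "$1" | cut -c1-10
}
```

Run as root with the real folder, e.g. `write_host_to_host /etc/ipsec/ipsec.d host-to-host 192.0.2.10 198.51.100.20 "$(new_psk)"`, then copy both files unchanged to the other node; this assumes /etc/ipsec/ipsec.conf includes the files in that folder (check its include lines).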
Prepare Nodegrid
The IPSec service is fully installed but not yet configured on the Nodegrid solution. To enable the service, perform the following steps. All of these steps only need to be performed once on each node.
All steps below assume that they are executed as the root user.
- Configure a valid and unique hostname and domain name. Depending on the authentication method, these cannot be changed later.
- WebUI
- Login to the WebUI with an admin user
- Navigate to Network::Settings
- Populate the values for Hostname and Domain Name with appropriate values
- Initiate the NSS DB
- Initialize DB
root@ng-east:~# ipsec initnss
- Configure Firewall
Nodegrid's firewall rules must allow the following IPSec traffic:
- UDP port 500 for the Internet Key Exchange (IKE) protocol
- UDP port 4500 for IKE NAT-Traversal
- Protocol 50 for Encapsulated Security Payload (ESP) IPsec packets
- Protocol 51 for Authentication Header (AH) IPsec packets (uncommon)
- In case the node will expose a subnet to the other side, IP forwarding needs to be enabled. This can be done through the WebUI or through the CLI as a normal user with admin rights.
- IP forwarding through WebUI
- Login with an admin user and navigate to Network::Settings
- Enable IPv4 or IPv6 forwarding as required by ticking the box
- Save Settings
- IP Forwarding Through CLI
- Navigate to network settings
[admin@ng-east /]# cd /settings/network_settings/
- Enable IP forwarding for IPv4 or IPv6
[admin@ng-east network_settings]# set enable_ipv4_ip_forward=yes
- Commit the change
[+admin@ng-east network_settings]# commit
- Prepare basic kernel networking attributes
- As the root user on the shell, edit the file /etc/sysctl.conf to set reverse path filtering for the Ethernet interfaces which will be used for the IPSec tunnel. Set the value either to 0 (disabled) or 2 (loose, not strict) by adding the following line to the end of the file.
Format:
net.ipv4.conf.<interface>.rp_filter=0
Example:
net.ipv4.conf.eth1.rp_filter=0
- Activate the changes
root@ng-west:~# sysctl -p
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 1
vm.max_map_count = 262144
kernel.pty.max = 8192
kernel.core_uses_pid = 1
kernel.kptr_restrict = 2
kernel.sysrq = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.tcp_challenge_ack_limit = 99999999
net.ipv4.tcp_timestamps = 0
net.ipv6.conf.default.optimistic_dad = 1
net.ipv6.conf.all.optimistic_dad = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0
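As an added example (not part of the original How-to and not Nodegrid's own tooling), the shell functions below maintain the rp_filter line for an interface in a sysctl.conf-style file without accumulating duplicate entries, reject values other than 0 and 2, and compute the value the kernel will actually apply. That last check matters because the kernel uses the larger of net.ipv4.conf.all.rp_filter and the per-interface value, so an interface set to 0 is still filtered strictly while conf.all stays at 1; both keys appear in the sysctl -p output above. The file path and interface name are arguments; the function and variable names are chosen for this example.

```shell
#!/bin/sh
# Added example (not Nodegrid's own tooling): manage rp_filter entries in a
# sysctl.conf-style file and compute the value the kernel will actually apply.
# Assumes the file uses "key=value" or "key = value" lines, as in the
# `sysctl -p` output above, and a plain interface name such as eth1.

# _key_re KEY -> KEY with its dots escaped for use in a regular expression.
_key_re() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# get_sysctl FILE KEY -> prints the last value set for KEY in FILE, or nothing.
get_sysctl() {
    file="$1"; re=$(_key_re "$2")
    sed -n "s/^[[:space:]]*${re}[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$file" | tail -n 1
}

# set_sysctl FILE KEY VALUE -> removes every existing line for KEY (so the
# file never accumulates duplicates) and appends the new setting.
set_sysctl() {
    file="$1"; key="$2"; value="$3"; re=$(_key_re "$key")
    tmp="${file}.tmp.$$"
    grep -v "^[[:space:]]*${re}[[:space:]]*=" "$file" > "$tmp" || true
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# set_rp_filter FILE IFACE VALUE -> only 0 (disabled) and 2 (loose) are
# accepted, as the step above requires; returns 1 for anything else.
set_rp_filter() {
    case "$3" in
        0|2) set_sysctl "$1" "net.ipv4.conf.$2.rp_filter" "$3" ;;
        *) echo "rp_filter for $2 must be 0 or 2, got '$3'" >&2; return 1 ;;
    esac
}

# effective_rp_filter FILE IFACE -> the kernel applies
# max(conf.all.rp_filter, conf.IFACE.rp_filter), so setting the interface
# alone to 0 is not enough while conf.all is still 1 (strict). Keys absent
# from the file are treated as 0 here; values set elsewhere (sysctl.d
# snippets, boot-time defaults) must be checked with `sysctl -a`.
effective_rp_filter() {
    all=$(get_sysctl "$1" net.ipv4.conf.all.rp_filter)
    iface=$(get_sysctl "$1" "net.ipv4.conf.$2.rp_filter")
    : "${all:=0}" "${iface:=0}"
    if [ "$all" -gt "$iface" ]; then echo "$all"; else echo "$iface"; fi
}
```

Typical use as root: `set_rp_filter /etc/sysctl.conf eth1 0`, then `effective_rp_filter /etc/sysctl.conf eth1` to confirm the result is 0 or 2 before running `sysctl -p`; if it still prints 1, net.ipv4.conf.all.rp_filter has to be relaxed as well.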
Configuration of IPSec
This section outlines the general configuration steps which can be used to configure the desired connection.
- Prepare the Nodegrid. (See this document)
Ensure that one of the authentication methods is prepared:
- How to create Pre-shared Keys for IPSec
- How to create RSA Keys for IPSec
- How to Create Certificates for IPSec
- Create an IPSec configuration file and, as needed, a secrets file
- Distribute and exchange configuration files and keys as required to all nodes
- Test the connection
Configuration Examples
Host to Host
Host to Site
Site to Site