www.JumpingBean.co.za Your Java and Linux Experts Page 1 of 11
Jumping Bean (www.jumpingbean.co.za) is a South African based, open-source company
specializing in Java/PHP applications and Linux/Open Source support. Many of our
consultants are off site, so we needed to enable them to connect to our internal network
via VPN to fill out timesheets etc. We used to use OpenVPN but wanted to try out IPSEC.
This document is intended to help others successfully connect Linux clients via IPSEC to
an IPCOP server.
The document has two main sections:
● Configuring IPCOP Server and
● Linux Client Setup
License
This documentation is provided under the GNU GPL.
The only issue we had was setting up the connections. We needed to enable the
“roadwarrior virtual ip” option under the advanced tab. (See below).
www.JumpingBean.co.za IPCOP Linux Setup
Global Settings
The first thing to fill out is the “Global Settings” panel. Under Global Settings you need to fill
out:
● Local vpn hostname/ip address: the hostname or public IP of your firewall (if this is
incorrect you may get “no connection has been authorized with policy=RSASIG” errors;
see Troubleshooting)
● Enabled: click Enabled to enable the VPN
● Enable on Green/Red/Orange: the network you wish to VPN into.
Certificate Authorities
Next, set up the certificate authority (CA). This is necessary if you are going to use
certificates, as opposed to shared secrets, for your users to connect. Using CA certificates
is more secure and, in my opinion, the only way to go.
Click on the “Generate Root/Host Certificates” button. This will generate the certificates
automatically. You will be prompted for information about the certificates. I did not take
screenshots of this part but it is quite straightforward.
Usually the most crucial field to get right is the “common name” or “cn” entry. Some SSL
validators complain if the common name does not match the hostname, so make it the
same as your public hostname. It may work if it doesn't match, but past experience has
taught us that SSL authentication can fail if they don't match. Better to just eliminate this
possibility by making sure they match. After generating the certificate your screen should
look like the one below.
The process creates a root (CA) certificate, used to sign connection and host certificates,
and a host certificate. Notice the blue floppy disk icon. You will use it later to download
both the root (CA) certificate and the host certificate when setting up the client.
Select host-to-net Virtual Private Network (roadwarrior) in the screen that follows.
You will then be presented with a screen asking for the details of the connection you are
trying to create. This is pretty straightforward. The name field may be anything, but we use
the employee number for consistency. Fill in the network and subnet of the network you
are trying to connect to (i.e. green, orange or red). This must match the actual subnet of
the network you are connecting to, otherwise the connection will not work.
During the setup you will be asked to enter a passphrase. This is used to encrypt your
certificate. Please remember the phrase you used, as you will need it later.
The key thing to do here, if you are setting up roadwarrior access, is to click on the
“Advanced” button. You will be presented with the screen below. It is important to enable
the “roadwarrior virtual IP” option. If you don't, your roadwarrior users will not be able to
connect. You should also enable “Perfect Forward Security” if you set pfs=yes in the
/etc/ipsec.conf file on the client machine (see client setup).
After setting up the client connection your screen should look like this.
Notice the blue floppy disk icon. You will use this to download the connection certificate
later.
To set up the client you need to download the connection certificate, CA certificate and
firewall host certificate from IPCOP. You can do this by clicking on the disc icon next to the
entry on the VPN page. Save them somewhere easy to access.
Extract your public certificate
openssl pkcs12 -clcerts -nodes -nokeys -in /certs/client.p12 -out client.pem
You will need to enter the password you locked your certificate with when you set it up
in IPCOP.
Enter Import Password:
MAC verified OK
Extract your secret private key
openssl pkcs12 -nodes -nocerts -in /certs/client.p12 -out client.key
Enter the passphrase you encrypted the certificate with.
Enter Import Password:
MAC verified OK
You then need to copy the certificates to the locations below.
Copy the client.pem file to /etc/ipsec.d/certs
Copy the client.key file to /etc/ipsec.d/private
Copy the hostkey.pem (the firewall's host certificate, downloaded from IPCOP) to
/etc/ipsec.d/certs
Copy the cacert.pem file (downloaded from IPCOP) to /etc/ipsec.d/cacerts/
Note that -nodes writes the private key to client.key unencrypted, so make sure
/etc/ipsec.d/private and the key file are readable by root only.
You may now delete the PKCS#12 format certificate.
You now need to set up your ipsec.conf file. The file I use on clients is shown below.
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
# conforms to second version of ipsec.conf specification
# basic configuration
version 2.0

config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=all
    #plutodebug="control parsing"
    plutodebug=all
    nat_traversal=yes
    interfaces="%defaultroute"

include /etc/ipsec.d/no_oe.conf

# Change <connection_name> to something useful; it must match the name
# you later pass to "ipsec auto --up".
conn <connection_name>
    authby=rsasig
    # pfs=yes requires the "Perfect Forward Security" option to be enabled
    # when creating this connection on IPCOP.
    pfs=yes
    compress=yes
    auto=add
    left=%defaultroute
    leftcert=/etc/ipsec.d/certs/client.pem
    # Change this to the public IP address of your IPCOP firewall.
    right=<public ip address of your ipcop firewall>
    # The IPCOP host certificate you copied into /etc/ipsec.d/certs;
    # use the filename you saved it under.
    rightcert=/etc/ipsec.d/certs/hostcert.pem
    # The subnet range, the same as the one you set up during connection
    # creation above.
    rightsubnet=192.168.10.0/255.255.255.0
    rightrsasigkey=%cert
    leftrsasigkey=%cert
You need to set up your /etc/ipsec.secrets file as follows:
: RSA /etc/ipsec.d/private/client.key
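Most of the connection failures this guide describes come from a value in ipsec.conf or ipsec.secrets that does not match what was configured on IPCOP. The checker below is an added example, not part of the original guide: parse_conns, lint and the SAMPLE_* inputs are constructed here, and the set of files that exist on disk is passed in so it runs offline. It flags a right= that is not an IP address (the guide's placeholder left in), pfs=yes without PFS enabled on IPCOP, a rightsubnet that is not a valid network, certificate paths that were never copied into place, and an ipsec.secrets that does not point at the private key.

```python
import ipaddress
import re

# Constructed sample in the guide's layout, with its <...> placeholders left in.
SAMPLE_CONF = """conn <connection_name>
    authby=rsasig
    pfs=yes
    leftcert=/etc/ipsec.d/certs/client.pem
    right=<public ip address of your ipcop firewall>
    rightcert=/etc/ipsec.d/certs/hostcert.pem
    rightsubnet=192.168.10.0/255.255.255.0
    rightrsasigkey=%cert
    leftrsasigkey=%cert
"""
SAMPLE_SECRETS = ": RSA /etc/ipsec.d/private/client.key\n"
REQUIRED = {"authby": "rsasig", "leftrsasigkey": "%cert", "rightrsasigkey": "%cert"}

def parse_conns(text):
    """Return {conn_name: {key: value}}; comments, blank lines and 'config setup' are skipped."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.startswith("conn "):                     # unindented 'conn NAME' opens a section
            cur = conns[line[5:].strip()] = {}
        elif cur is not None and line[:1].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)
            cur[key.strip()] = value.strip().strip('"')
    return conns

def lint(conf_text, secrets_text, existing_files, pfs_on_ipcop):
    """Return problems found; [] means the pair is consistent with the guide's settings."""
    problems = []
    for name, kv in parse_conns(conf_text).items():
        for key, want in REQUIRED.items():               # certificate authentication settings
            if kv.get(key) != want:
                problems.append(f"{name}: {key} must be {want}, got {kv.get(key)!r}")
        if kv.get("pfs") == "yes" and not pfs_on_ipcop:  # IPCOP must have PFS enabled for this conn
            problems.append(f"{name}: pfs=yes but PFS is not enabled for it on IPCOP")
        for key, check in (("right", ipaddress.ip_address), ("rightsubnet", ipaddress.ip_network)):
            try:
                check(kv.get(key, ""))                   # ip_network also accepts /255.255.255.0
            except ValueError:
                problems.append(f"{name}: {key}={kv.get(key)!r} is not a valid address/network")
        for key in ("leftcert", "rightcert"):
            if kv.get(key) not in existing_files:
                problems.append(f"{name}: {key}={kv.get(key)} not found; copy it into place first")
    m = re.search(r"^\s*:\s*RSA\s+(\S+)", secrets_text, re.M)
    if not m or m.group(1) not in existing_files:
        problems.append("ipsec.secrets needs ': RSA <keyfile>' pointing at an existing private key")
    return problems
```

Run it against the real files by reading /etc/ipsec.conf and /etc/ipsec.secrets and passing the paths that os.path.exists confirms.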
You should now be able to connect via VPN to your office. You may have to start ipsec first:
/etc/init.d/ipsec start
Give it a minute to initialise, then run
ipsec auto --up <connection name> ===> must match the connection name used in
ipsec.conf
Troubleshooting:
If you are experiencing problems I suggest watching the syslog messages. You should
select the debug options under “Global Settings” on IPCOP's VPN control panel to get
verbose error messages. I usually ssh into the IPCOP box and then run
tail -f /var/log/messages
On the client side it depends on whether the messages are written to /var/log/messages or
/var/log/secure. On Fedora it is
tail -f /var/log/secure
This will usually give you an idea of what the problem is. On the client machine you can
also run:
ipsec verify
I get the following output.
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.4/K2.6.17-1.2187_FC5 (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
hostname: Unknown host
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption Support [DISABLED]
IP forwarding does not need to be enabled unless you have machines behind the VPN
server. The warning about /etc/ipsec.secrets can be ignored.
Some of the log messages I got while setting things up:
: initial Main Mode message received on XXX.XXX.XXX.XX:500 but no connection has
been authorized with policy=RSASIG
This was due to the left=IP address in the file /etc/ipsec.conf on IPCOP being set
incorrectly. In the “Global Settings” on the main control panel for VPN setup on the IPCOP
machine, make sure that the “Local vpn hostname/ip address” setting is set to the public IP
of the IPCOP server. In our case I used the machine's FQDN, but our internal DNS server
resolves this to a different (orange) address internally, as opposed to the public DNS
servers. We do this so we don't have to type different URLs when we are out of the office
as opposed to in the office. :) I fixed the problem by entering the public IP address.
The other problem we faced was enabling the “virtual ip” on the IPCOP server under the
connection setup's advanced options. Until we did this we got error messages about no
match being found.
Conclusion
I hope this helps others.