
VPN Router Configuration



  1. Install OpenWrt White Russian 0.9
    1. Download the White Russian 0.9 SquashFS firmware:
      http://downloads.openwrt.org/whiterussian/0.9/default/openwrt-wrt54g-squashfs.bin
    2. Install the new firmware from the Linksys web interface. (This replaces the Linksys firmware with the third-party, open-source OpenWrt firmware.)
    3. The default username and password for the Linksys firmware are admin/admin.

  2. Configure basic settings from the web interface
    1. Set the root password. (Until it is set, a fresh White Russian install accepts telnet logins with no password, so do this first.)
    2. Change the hostname from OpenWrt to username.
    3. Set boot_wait to enabled. (This leaves a window at boot for TFTP recovery if a later flash goes wrong.)
    4. Set the LAN IP address range according to the Excel spreadsheet listing users and IP ranges.
    5. Set the subnet mask to 255.255.255.128.
    6. Release and renew the IP address of the computer connected to the router's LAN interface.
    7. Set the wireless SSID to username.
    8. Set the channel to Auto or to a channel likely to have the least interference.
    9. Set the wireless encryption to WPA.
      1. Check WPA1
      2. Check RC4 (TKIP)
    10. Set the wireless encryption password to "password". (This is only the build-time placeholder. TKIP with a guessable passphrase is not adequate protection, so set a strong passphrase before any router is deployed with wireless enabled.)
    11. Remember that wireless will not work with WPA until the nas package is installed and the router is rebooted.
    12. Disable the wireless interface from the web console when you set up the QoS router. (Wireless will not be used on the VPN router.)
    13. Disable encryption from the web console when you set up the QoS router. (The router will not run nas when encryption is disabled.)

  3. Set the static route to the QoS router. (The QoS router's LAN subnet, 192.168.nnn.128/25, is reached through the QoS router's WAN address, 192.168.nnn.126, on this router's LAN interface.)
    1. nvram set lan_static_route=192.168.nnn.128:255.255.255.128:192.168.nnn.126:1:vlan0 (WRT54GL)
    2. nvram set lan_static_route=192.168.nnn.128:255.255.255.128:192.168.nnn.126:1:eth0 (WRTSL54GS)
    3. (The format is lan_static_route=ip:netmask:gatewayip:metric:interface.)
    4. nvram commit

  4. Fix a dnsmasq (DHCP) problem by setting the lease time to 12 hours
    1. nvram set dhcp_lease=12h; nvram commit; echo Done.

  5. Install additional software packages (ipkg install <package> from the command shell)
    1. Install the openswan package.
    2. Install the ez-ipupdate package.
    3. Install the nas package on routers with more than 4 MB of flash.
    4. Install Rudy's QoS script from the command shell:
      ipkg install http://files.eschauzier.org/qos-re_1.05_all.ipk
    5. Install the openssh-sftp-server package on devices with more than 4 MB of flash.

  6. Copy a few of the static configuration files to the router. (These files are the same for every router.)

    Copy the files from the template directory. The template directory for the VPN router (these instructions) is named username.dyndns.infoNNa, where a signifies router A.

    Use WinSCP to copy files to the router. Make sure you select SCP as the protocol instead of SFTP. SCP is slow to start up initially; give it several minutes before you give up.

    Use FileZilla with SFTP if the SFTP package was installed.
    1. /etc/dnscheck.awk
    2. /etc/dnsmasq.conf
    3. /etc/dnspeers.conf
    4. /etc/dyninit.awk
    5. /etc/dynlookup
      1. chmod 755 /etc/dynlookup
    6. /etc/dynlookup2
      1. chmod 755 /etc/dynlookup2
    7. /etc/dyntunnels
      1. chmod 755 /etc/dyntunnels
    8. /etc/qos.conf
    9. /etc/TZ
      1. Leave the time zone set to "EST5EDT" (US Eastern Time). This makes it easier to schedule the cron jobs across time zones. The phones get their time from the corporate IP PBX and have their own time zone settings.
    10. /etc/updatecrls
      1. chmod 755 /etc/updatecrls
    11. /etc/crontabs/root
    12. /etc/hotplug.d/iface/10-ez-ipupdate
      1. chmod 755 /etc/hotplug.d/iface/10-ez-ipupdate
    13. /etc/hotplug.d/iface/20-qos
      1. chmod 755 /etc/hotplug.d/iface/20-qos
    14. /etc/init.d/S10boot
      1. chmod 755 /etc/init.d/S10boot
    15. /etc/init.d/S51setdate
      1. chmod 755 /etc/init.d/S51setdate
    16. /etc/init.d/S52rdate
      1. chmod 755 /etc/init.d/S52rdate
    17. /etc/init.d/S55dnstable
      1. chmod 755 /etc/init.d/S55dnstable
    18. /etc/init.d/S65qos-start
      1. chmod 755 /etc/init.d/S65qos-start
    19. /etc/init.d/S99done
      1. chmod 755 /etc/init.d/S99done
    20. /etc/ipsec.d/scripts/newlease4ipsec.sh
      1. chmod 755 /etc/ipsec.d/scripts/newlease4ipsec.sh
    21. /etc/ipsec.d/scripts/ipsec-restart.sh
      1. chmod 755 /etc/ipsec.d/scripts/ipsec-restart.sh
    22. Edit the root crontab file at /etc/crontabs/root
      1. Add a line to run ipsec-restart.sh once a day at the time listed in the Excel spreadsheet. The time is derived from the third octet of the router's subnet, six minutes apart per subnet (192.168.130.0 runs at 1:00am, 192.168.131.0 at 1:06am, 192.168.132.0 at 1:12am, and so on). It is important that the routers do not restart at the same time.
      2. "48 0 * * * /etc/ipsec.d/scripts/ipsec-restart.sh" is the line to restart IPsec on the 192.168.128.0 subnet. (Cron fields are minute then hour, so this is 0:48am, and the script lives under /etc/ipsec.d/scripts/ as copied in step 21.)
      3. Enter "crontab root" to reload cron after editing the crontab file.
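    Worked example (added here; it is not part of the original page): a small shell script that derives the staggered crontab line from the third octet of the router's subnet, using the scheme above (six minutes per subnet, starting at 0:48 for 192.168.128.0), and installs it into a crontab file in place of any earlier entry. The script path /etc/ipsec.d/scripts/ipsec-restart.sh is the one copied in step 21 and the file name /etc/crontabs/root is the page's; the function names are the example's own. It can run on the workstation before the crontab is copied over, or on the router itself.

```shell
#!/bin/sh
# Added example, not from the original page: derive the staggered
# ipsec-restart.sh crontab line from the third octet of a router's
# 192.168.nnn.0 subnet, following the page's scheme (128 -> 0:48,
# 129 -> 0:54, 130 -> 1:00, 131 -> 1:06, ... six minutes apart), and
# install it into a crontab file, replacing any earlier entry.
# The script path is the one the page copies in step 6.21.

IPSEC_RESTART=/etc/ipsec.d/scripts/ipsec-restart.sh

# restart_minutes OCTET -> minutes after midnight for that subnet
restart_minutes() {
    echo $(( 48 + ($1 - 128) * 6 ))
}

# ipsec_restart_cron_line OCTET -> "MIN HOUR * * * /etc/ipsec.d/scripts/ipsec-restart.sh"
ipsec_restart_cron_line() {
    octet=$1
    case "$octet" in
        ''|*[!0-9]*)
            echo "usage: ipsec_restart_cron_line <third octet, 128-255>" >&2
            return 1 ;;
    esac
    if [ "$octet" -lt 128 ] || [ "$octet" -gt 255 ]; then
        echo "third octet must be between 128 and 255" >&2
        return 1
    fi
    total=$(restart_minutes "$octet")
    # crontab fields are: minute hour day-of-month month day-of-week command
    echo "$(( $total % 60 )) $(( $total / 60 )) * * * $IPSEC_RESTART"
}

# install_cron_line OCTET FILE: drop any previous ipsec-restart entry from
# FILE (e.g. /etc/crontabs/root) and append the computed one. Reload cron
# afterwards, as the page says ("crontab root").
install_cron_line() {
    octet=$1
    file=$2
    line=$(ipsec_restart_cron_line "$octet") || return 1
    tmp="$file.tmp"
    if [ -f "$file" ]; then
        grep -v 'ipsec-restart.sh' "$file" > "$tmp" || :
    else
        : > "$tmp"
    fi
    echo "$line" >> "$tmp"
    mv "$tmp" "$file"
}

# Example: install_cron_line 130 /etc/crontabs/root
```

    Because the line is computed rather than copied, a router moved to a new subnet gets a new slot automatically, and two routers can never be given the same slot by a typing mistake.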

  7. Copy template files from the template directory to a working directory for each new user. The template directory should be located on a server. (Take care to maintain a central source library.) The working directory should be on a computer with access to the internal interface of the router.

    TextPad is a good shareware program for editing the configuration files. Make sure you save the files in Unix format (LF line endings); a file saved with Windows CRLF line endings will not be read correctly on the router, and a script with a CRLF after #!/bin/sh will not run at all.

    Template Directory: soho-user-m.dyndns.info\etc\

    New User: username.dyndns.info\etc\

    1. Copy the following files
      1. \etc\ipsec.conf
      2. \etc\ipsec.secrets
      3. \etc\ez-ipupdate.conf
      4. \etc\firewall.user
      5. \etc\dyndns.info.peers.conf

    2. Edit \etc\ipsec.conf

      Consider doing a search and replace of the string "template_username" with "username" and of "template_subnet" with "router_subnet". (Example: replace soho-user-m with soho-user-a and 236 with 224.)

      Change template_username to username in the conn lines.

      Change template_username to username in right=, rightid=, and rightcert=.

      Change the subnet address in the rightsubnet= and rightsourceip= lines.
       
    3. Edit \etc\ipsec.secrets

      Change template_username to username in the key name. Change the password. (For an RSA key line, the quoted string is the PEM pass phrase of the key file, so it must match what is entered when the key is extracted in step 10.)
       
    4. Edit \etc\ez-ipupdate.conf
      Change the host= line from template_username to username.
      Verify that the username and password are correct in the user= line.
       
    5. Edit \etc\firewall.user

      Change the third octet in the post-routing rule "iptables -t nat -A postrouting_rule -d 192.168.224.0/24 -j ACCEPT". Change 140 to one of the other peer subnets for testing. This rule is probably not needed. I want to do a little more testing before removing it from the config file and documentation.

      There are three lines in the \etc\firewall.user file that affect the VPN.

      I am considering moving to a version of the firewall.user file that requires changing which line is commented out instead of changing the IP address in the post-routing rule. Further testing is needed. Early testing shows that the post-routing rule has no effect. At the very least, a static custom version of the firewall.user file is still required for the VPN to work.
       
  8. Edit \etc\dyndns.info.peers.conf
    1. Replace the second line in the file with the full name of the person receiving the new router.
    2. Replace the third line in the file with newusername.dyndns.info, where newusername is the username of the person receiving the router.
    3. Uncomment the section named "conn net-username--net-username". There is only one section with the same username to the left and right of "--". (Uncomment net-soho-user-m--net-soho-user-m to continue with the example.)
    4. Search and Replace All soho-user-m with newusername. The conn section headings all have the form "conn net-username--net-username", where the first username is the username of the owner of the router and is the same in every conn heading in the dyndns.info.peers.conf file, and the second username is the username of the owner of the remote router.
    5. Replace All will replace the wrong values in two places, so check them afterwards:
      1. Do not replace username where it appears in the right half of the conn line.
      2. Do not replace username where it appears in right=, rightcert=, or rightid=.
    6. Search and Replace All nnn in leftsubnet=192.168.nnn.0/24 with the third octet of the subnet assigned to newusername.
    7. Replace nnn in leftsourceip=192.168.nnn.1 with the third octet of the subnet assigned to newusername.
      1. Replacing all of the nnn in the third octet will result in one incorrect replacement: one rightsubnet= line (in the section that now pairs newusername with the template owner) will have been changed as well and must be corrected to the remote router's subnet.
    8. After replacing the first username in the section headings, one of the conn sections will have the same username listed twice (net-newusername--net-newusername). Comment out this section; a router must not define a tunnel to itself.
    9. Copy the files to the router.
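    Worked example (added here; it is not part of the original page) of the peers-file edits in steps 7 and 8 done with awk instead of a text editor's Replace All, so that right=, rightid= and rightcert= and the right half of each conn heading are never touched, the conn that would pair the new user with itself is commented out, and the template owner's own (previously commented) conn is enabled with its rightsubnet= pointing at the template owner's subnet. The two-peer template below, the conn parameters other than those the page names, and the convention that a commented-out section has "#" at the start of every line are assumptions made for the example; soho-user-m on subnet 236 and soho-user-a on subnet 224 are the page's own example values.

```shell
#!/bin/sh
# Added example, not from the original page: do the dyndns.info.peers.conf
# edits of steps 7.2 and 8 with awk so that only the left (owner) side of each
# conn is renamed, right= / rightid= / rightcert= are untouched, the
# leftsubnet= / leftsourceip= octet is filled in, the conn that would pair the
# new user with itself is commented out, and the template owner's own
# (previously commented) conn is enabled with its rightsubnet= set to the
# template owner's subnet (the "incorrect replacement" step 8.7.1 warns about).
# Assumptions: commented-out sections have "#" at the start of every line,
# lines 2 and 3 of the file are comment lines (full name, dynamic DNS host),
# usernames contain only letters, digits and hyphens, and the template owner
# is soho-user-m on subnet 236 as in the page's example.

TEMPLATE_USER=soho-user-m
TEMPLATE_OCTET=236

# render_peers NEWUSER OCTET "FULL NAME" < template > rendered
render_peers() {
    awk -v tpl="$TEMPLATE_USER" -v tplnnn="$TEMPLATE_OCTET" \
        -v new="$1" -v nnn="$2" -v name="$3" '
    NR == 2 { print "# " name; next }                 # step 8.1
    NR == 3 { print "# " new ".dyndns.info"; next }   # step 8.2
    $0 == "" { print; next }
    {
        line = $0
        sub(/^#/, "", line)          # sections are re-commented below as needed
        if (line ~ /^conn net-/) {
            # heading is "conn net-<owner>--net-<remote>": only the owner changes
            split(substr(line, 6), h, "--net-")
            remote = h[2]
            disabled = (remote == new)               # step 8.8: no tunnel to self
            line = "conn net-" new "--net-" remote
        } else if (line ~ /^[ \t]*left/) {
            gsub(tpl, new, line)                     # step 8.4, left side only
            if (line ~ /^[ \t]*left(subnet|sourceip)=/)
                sub(/\.nnn\./, "." nnn ".", line)    # steps 8.6 and 8.7
        } else if (line ~ /^[ \t]*rightsubnet=/ && remote == tpl) {
            sub(/\.nnn\./, "." tplnnn ".", line)     # step 8.7.1
        }
        prefix = disabled ? "#" : ""
        print prefix line
    }'
}

# A constructed two-peer template (the real file has one conn per peer).
sample_template() {
    cat <<'EOF'
# dyndns.info peers
# Template Owner
# soho-user-m.dyndns.info

conn net-soho-user-m--net-soho-user-a
    left=%defaultroute
    leftid=@soho-user-m.dyndns.info
    leftcert=soho-user-m.dyndns.info.pem
    leftsubnet=192.168.nnn.0/24
    leftsourceip=192.168.nnn.1
    right=soho-user-a.dyndns.info
    rightid=@soho-user-a.dyndns.info
    rightcert=soho-user-a.dyndns.info.pem
    rightsubnet=192.168.224.0/24
    auto=start

#conn net-soho-user-m--net-soho-user-m
#    left=%defaultroute
#    leftid=@soho-user-m.dyndns.info
#    leftcert=soho-user-m.dyndns.info.pem
#    leftsubnet=192.168.nnn.0/24
#    leftsourceip=192.168.nnn.1
#    right=soho-user-m.dyndns.info
#    rightid=@soho-user-m.dyndns.info
#    rightcert=soho-user-m.dyndns.info.pem
#    rightsubnet=192.168.nnn.0/24
#    auto=start
EOF
}

# Example: sample_template | render_peers soho-user-a 224 "Alice Example"
```

    With the real template file in place of sample_template, the rendered output is the file to copy to the new router; the diff against the template shows exactly the lines steps 8.3 to 8.8 say should change and nothing else.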
       
  9. Create User Certificates on the Location-A and Location-B Firewalls

    Create two sets of certificates per user. The first set is created on the Location-A firewall; the second set is created on the Location-B firewall.

    Check Point creates PKCS#12 certificate files that contain the user's certificate (public key), the private key, and the CA certificate. We will use OpenSSL to extract the private key from the PKCS#12 file, and OpenSSL again to extract the user's certificate, which comes out with an extra copy of the CA certificate in front of it. We will use the vi text editor to delete the extra CA certificate from the certificate file.

    The certificate / private key pair will be copied to the appropriate directories on the router.

    The certificates created on the Location-A firewall go in the /etc/ipsec.d/certs/location-a/ directory on the SOHO VPN routers, and the matching private keys in /etc/ipsec.d/private/location-a/ (readable by root only).
     
    1. Create the following directories and subdirectories in the working directory. (Create the directories on the laptop connected to the router. The certificates will be saved in these directories before being copied to the router.)

      /etc/ipsec.d/
      /etc/ipsec.d/cacerts/
      /etc/ipsec.d/certs/
      /etc/ipsec.d/certs/location-a
      /etc/ipsec.d/certs/location-b
      /etc/ipsec.d/crls/
      /etc/ipsec.d/private/
      /etc/ipsec.d/private/location-a
      /etc/ipsec.d/private/location-b
       
    2. Connect to the Certificate Authority web site. (See the FirstTime instructions under Check Point Preparation to enable the ICA Management web site, and Check Point Certificates for detailed instructions to create certificates. The default security rules require you to access the management web site from a local subnet; use an SSH tunnel if necessary.)

      Location-A Firewall-1/VPN-1:
      https://location-a.com:18265/

      Location-B Firewall-1/VPN-1:
      https://location-b.com:18265/

      [Figure 1: ICA Management Tool, Create Certificates (ica2.gif)]

      [Figure 2: ICA Management Tool, Create Certificates, Form to Construct the DN (ica-form.gif)]


       
    3. Select Create Certificates on the left (See Figure 1)
    4. Select Form to open the Certificate window (See Figure 1)
    5. Enter the fully qualified dynamic DNS name in the Name and Domain field. (See Figure 2)
    6. Enter the company name in the Company field (See Figure 2)
    7. Complete the City, State, and Country fields. The City, State, and Country should reflect the location of the company headquarters. (See Figure 2)
    8. Make sure all of the "Add Alt Name" boxes are checked. (See Figure 2)
    9. Click Done (See Figure 2)
    10. Select the Generate radio button (See Figure 1)
    11. Enter "password" in the password field. (See Figure 1) This is the import password of the .p12 file and is needed again in step 10.
      1. Click Go (See Figure 1)
    12. Save the file with the user's domain name (username.dyndns.info.p12).
    13. Save the file to the /etc/ipsec.d/certs/location-a or /etc/ipsec.d/certs/location-b directory created earlier.
       
  10. Convert the certificates into a format that can be used by Openswan. Convert the .p12 Check Point certificates to .pem certificates for use by Openswan, using OpenSSL.
    1. Extract the key from the PKCS#12 file created with the Check Point ICA Management web site.
      1. openssl pkcs12 -in username.dyndns.info.p12 -nocerts -out username.dyndns.info.key
      2. Enter the password when OpenSSL asks for it. You will need to enter a password three times: the import password from step 9, then the PEM pass phrase that will protect the extracted key, twice. That PEM pass phrase is the one ipsec.secrets must contain.
    2. Extract the personal certificate from the PKCS#12 file.
      1. openssl pkcs12 -in username.dyndns.info.p12 -clcerts -nokeys -out username.dyndns.info.pem
      2. Enter the import password when asked.
    3. Use the vi editor to remove the CA certificate from the personal certificate file you just created. Delete everything from line 1 "Bag Attributes" up to and including the first "-----END CERTIFICATE-----".
      1. You can enter 23dd in vi to delete the first 23 lines. Make sure you do not delete too much: count the lines first, and afterwards check that exactly one certificate remains and that it is the user's, e.g. with "openssl x509 -in username.dyndns.info.pem -noout -subject" (if the CA's subject is printed, the wrong block was kept).
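      Worked example (added here; it is not part of the original page): the same conversion done as a script, which selects the personal certificate by its subject instead of by counting lines in vi, keeps the PEM pass phrase on the extracted key, and checks that key and certificate belong together before they are copied to the router. The function names and the sample PEM layout used in the comments are the example's own; openssl is assumed to be installed on the workstation, and with OpenSSL 3 a .p12 written by an older ICA may need -legacy added to the openssl pkcs12 commands.

```shell
#!/bin/sh
# Added example, not from the original page: convert a Check Point ICA .p12
# into the files Openswan expects without counting lines in vi. The personal
# certificate is picked by subject rather than by position, the private key
# keeps a PEM pass phrase (the one ipsec.secrets must carry), and the pair is
# verified by comparing RSA moduli. Assumes openssl(1); with OpenSSL 3 a .p12
# written by an old ICA may additionally need "-legacy" on "openssl pkcs12".
# Passwords on the command line are for illustration only; on a shared
# machine use -passin file:... instead.

# nth_pem_block N FILE: print only the N-th "-----BEGIN ...-----" block
# (1-based), dropping "Bag Attributes" and anything else outside the armor.
nth_pem_block() {
    awk -v want="$1" '
        /^-----BEGIN / { n++; inblk = (n == want) }
        inblk { print }
        /^-----END / { inblk = 0 }
    ' "$2"
}

# pem_block_count FILE: number of armored blocks in FILE (0 if none)
pem_block_count() {
    grep -c '^-----BEGIN ' "$1" || :
}

# personal_cert_block P12 IMPORTPASS DNSNAME: the certificate from the .p12
# whose subject contains DNSNAME; the bundled CA certificate is skipped
# whatever order the ICA tool wrote the blocks in.
personal_cert_block() {
    p12=$1; pass=$2; dns=$3
    tmp=$(mktemp)
    openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$pass" -out "$tmp"
    n=$(pem_block_count "$tmp")
    i=1
    while [ "$i" -le "$n" ]; do
        if nth_pem_block "$i" "$tmp" | openssl x509 -noout -subject | grep -q -- "$dns"; then
            nth_pem_block "$i" "$tmp"
            rm -f "$tmp"
            return 0
        fi
        i=$((i + 1))
    done
    rm -f "$tmp"
    echo "no certificate for $dns found in $p12" >&2
    return 1
}

# key_matches_cert KEY KEYPASS CERT: succeed only if the private key and the
# certificate carry the same RSA modulus.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -passin "pass:$2" -noout -modulus) || return 1
    c=$(openssl x509 -in "$3" -noout -modulus) || return 1
    [ "$k" = "$c" ]
}

# convert_p12 P12 IMPORTPASS KEYPASS DNSNAME CERTDIR KEYDIR: write
# KEYDIR/DNSNAME.key (pass phrase protected, mode 0600) and CERTDIR/DNSNAME.pem
# (personal certificate only), then check that they belong together.
convert_p12() {
    p12=$1; ipass=$2; kpass=$3; dns=$4; certdir=$5; keydir=$6
    key="$keydir/$dns.key"; cert="$certdir/$dns.pem"
    ( umask 077
      openssl pkcs12 -in "$p12" -nocerts -passin "pass:$ipass" \
          -passout "pass:$kpass" -out "$key" ) || return 1
    personal_cert_block "$p12" "$ipass" "$dns" > "$cert" || return 1
    key_matches_cert "$key" "$kpass" "$cert"
}

# Example (Location-A set for one user; KEYPASS goes into ipsec.secrets):
#   convert_p12 username.dyndns.info.p12 password password \
#       username.dyndns.info etc/ipsec.d/certs/location-a etc/ipsec.d/private/location-a
```

      A non-zero exit from convert_p12 means either the user's certificate was not found in the .p12 or the key and certificate do not match; in both cases nothing should be copied to the router until the export is repeated.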

       
  11. Copy the CRL files to the working directory
    1. Copy the Location-A CRL files from the source directory to /etc/ipsec.d/crls.
    2. Rename the CRL files location-a.ICA_CRL0.pem and location-a.ICA_CRL1.pem.
    3. Copy the Location-B CRL files from the source directory to /etc/ipsec.d/crls.
    4. Rename the CRL files location-b.ICA_CRL0.pem and location-b.ICA_CRL1.pem.

  12. Run the updatecrls script to download new CRL files. (Check Point CRLs are valid for one week by default. New CRLs are issued when 60% of the CRL validity has passed or when a certificate is revoked, so the cron job that runs updatecrls must fire well inside that week: if Openswan is configured with strictcrlpolicy=yes, a certificate whose CRL has expired is no longer accepted and the tunnels stop coming up.)
     
  13. Copy the Gateway CA Certificates to /etc/ipsec.d/cacerts.
    1. Copy location-a-ca to /etc/ipsec.d/cacerts
    2. Copy location-b-ca to /etc/ipsec.d/cacerts

     
  14. Copy the Gateway Certificates to the working directories.
    1. Copy location-a.pem to /etc/ipsec.d/certs/location-a
    2. Copy location-b.pem to /etc/ipsec.d/certs/location-b

     
  15. Copy the Personal Certificates to /etc/ipsec.d/certs
    1. Copy the Location-A Personal Certificate to /etc/ipsec.d/certs/location-a
    2. Copy the Location-B Personal Certificate to /etc/ipsec.d/certs/location-b

     
  16. Copy the Personal Private Keys to /etc/ipsec.d/private
    1. Copy the Location-A Private Key to /etc/ipsec.d/private/location-a
    2. Copy the Location-B Private Key to /etc/ipsec.d/private/location-b

     
  17. Upload the new files to the Linksys (OpenWrt) router. Afterwards check that the private keys are readable by root only (chmod 600 on the .key files under /etc/ipsec.d/private/location-a and /etc/ipsec.d/private/location-b).
     
  18. Configure QoS on the router by editing the /etc/qos.conf file.
    1. Test the speed of the Internet connection with the DSLReports Java speed test tool.
      1. The test must be performed from the location where the router will be used.
      2. The test must be performed when the test is the only traffic going over the line.
      3. The test must be performed at a time of day that will give average results. It is better to perform the test several times during the day and use the lowest upload and download figures from all of the tests.
    2. Multiply the test results by 0.9 to reduce them by 10%. (The shaper only works if the configured rates are slightly below what the line actually delivers, so that the queue forms on the router rather than in the modem.)
    3. Enter the results in the UPLOAD= and DOWNLOAD= lines.

     
  19. Remember that the VPN router should only have two active connections when used with a QoS router. Wireless is disabled when used with a QoS router.
    1. br0 (LAN) to the QoS router's vlan1 (WAN)
    2. vlan1 (WAN) to your ISP's cable or DSL router

Created by: system last modification: Thursday 10 of May, 2007 [21:53:37 UTC] by kpalmer

