Setup of DMVPN on Alpine linux: Difference between revisions
Clandmeter (talk | contribs) (→HUB) |
Clandmeter (talk | contribs) No edit summary |
||
Line 68: | Line 68: | ||
{{note|You will need a modified version of Strongswan by fabled which you can find in Alpine Linux Git repository}} | {{note|You will need a modified version of Strongswan by fabled which you can find in Alpine Linux Git repository}} | ||
=== | === HUB === | ||
{{cat|/etc/swanctl/swanctl.conf|<nowiki>connections { | {{cat|/etc/swanctl/swanctl.conf|<nowiki>connections { | ||
Line 81: | Line 81: | ||
certs = spoke1.pem | certs = spoke1.pem | ||
auth = pub.key | auth = pub.key | ||
id = | id = hub.vpn.domain.tld | ||
} | } | ||
remote { | remote { | ||
auth = pub.key | auth = pub.key | ||
} | } | ||
children { | children { | ||
Line 101: | Line 100: | ||
}} | }} | ||
=== | === Spoke 1 === | ||
{{cat|/etc/swanctl/swanctl.conf|<nowiki>connections { | {{cat|/etc/swanctl/swanctl.conf|<nowiki>connections { | ||
Line 114: | Line 113: | ||
certs = spoke1.pem | certs = spoke1.pem | ||
auth = pub.key | auth = pub.key | ||
id = | id = spoke1.vpn.domain.tld | ||
} | } | ||
remote { | remote { | ||
auth = pub.key | auth = pub.key | ||
id = hub.vpn.domain.tld | |||
} | } | ||
children { | children { | ||
Line 132: | Line 132: | ||
}</nowiki> | }</nowiki> | ||
}} | }} | ||
== Generate PKI certificates == | == Generate PKI certificates == |
Revision as of 11:32, 2 November 2015
Setting up mGRE tunnel
We start by adding mGRE tunnels to our network configuration.
Contents of /etc/networking/interfaces
Setting up IPSec VPN
To encrypt this tunnel, and the traffic in it, we will use strongswan ipsec with its vici plugin. The vici plugin provides VICI, the Versatile IKE Configuration Interface. As its name indicates, it provides an interface for external applications to not only configure, but also to control and monitor the IKE daemon charon. for this we also need a modified version of Strongswan which is the default Strongswan in Alpine Linux.
apk add strongswan
Template
Template taken from other wiki docs.
Contents of /etc/swanctl/swanctl.conf
HUB
Contents of /etc/swanctl/swanctl.conf
Spoke 1
Contents of /etc/swanctl/swanctl.conf
Generate PKI certificates
First, generate a private key, the default generates a 2048 bit RSA key
ipsec pki --gen > caKey.der
Now self-sign a CA certificate using the generated key:
ipsec pki --self --in caKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > caCert.der
Adjust the distinguished name (DN) to your needs, it will be included in all issued certificates.
For each peer, i.e. for all VPN clients and VPN gateways in your network, generate an individual private key and issue a matching certificate using your new CA:
ipsec pki --gen > peerKey.der ipsec pki --pub --in peerKey.der | ipsec pki --issue --cacert caCert.der --cakey caKey.der --san host.vpn.example.tld --dn "C=CH, O=strongSwan, CN=peer" > peerCert.der
Certificate Revocation Lists (CRL)
In case end entity certificates have to be revoked, Certificate Revocation Lists (CRLs) may be generated with the ipsec pki --signcrl command:
ipsec pki --signcrl --cacert caCert.der --cakey caKey.der --reason superseded --cert peerCert.der > crl.der
Install certificates
On each peer store the following certificates and keys in the /etc/ipsec.d/ subdirectory tree:
/etc/ipsec.d/private/peerKey.der holds the private key of the given peer. /etc/ipsec.d/certs/peerCert.der holds the end entity certificate of the given peer. /etc/ipsec.d/cacerts/caCert.der holds the CA certificate which issued and signed all peer certificates.