How to Prepare a Nodegrid Node for IPSec

Version 0.1 (02 May 2018)

Overview

Nodegrid comes with all the required tools to run and configure IPSec pre-installed, but IPSec is by default not configured and a few preparation steps on every node need to be performed before the first VPN connection can be tested. This section outlines the individual steps required.

The configuration can currently only be performed through command line tools or automation methods which utilize the shell. The configuration has to be performed as the root user.

The configuration file for the IPSec service is located in
/etc/ipsec/ipsec.conf

This file contains the settings for the service itself and configuration options which apply to all connections.

By convention, all connection configuration files go into the configuration folder for IPSec
/etc/ipsec/ipsec.d/

Configurations should be placed into individual files inside the configuration folder. While one configuration file can hold multiple connection definitions, this How to uses individual files for all configurations.
All file names belonging to a connection will by convention start with the connection name.

Example for connection: host-to-host
/etc/ipsec/ipsec.d/host-to-host.conf     - configuration file of the connection
/etc/ipsec/ipsec.d/host-to-host.secrets  - secrets file which contains a PSK

Prepare Nodegrid

The IPSec service is fully installed but not yet configured on the Nodegrid solution. To enable the service, perform the following steps. All of these steps only need to be performed once on each node.

All steps below assume that they are executed as the root user.

  1. Configure a valid and unique hostname and domain name. Depending on the authentication method, these cannot be changed later.
    1. Using the WebUI:
      1. Log in to the WebUI with an admin user
      2. Navigate to Network::Settings
      3. Populate the values for Hostname and Domain Name with appropriate values
  2. Initialize the NSS DB:
     root@ng-east:~# ipsec initnss
  3. Configure the firewall. Nodegrid requires firewall rules which allow IPSec traffic:
    1. UDP port 500 for the Internet Key Exchange (IKE) protocol
    2. UDP port 4500 for IKE NAT-Traversal
    3. Protocol 50 for Encapsulating Security Payload (ESP) IPsec packets
    4. Protocol 51 for Authentication Header (AH) IPsec packets (uncommon)
  4. In case the node will expose a subnet to the other side, IP forwarding needs to be enabled. This can be done through the WebUI or through the CLI as a normal user with admin rights.
    1. IP forwarding through the WebUI:
      1. Log in with an admin user and navigate to Network::Settings
      2. Enable IPv4 or IPv6 Forward as required, by ticking the box
      3. Save Settings
    2. IP forwarding through the CLI:
      1. Navigate to the network settings:
         [admin@ng-east /]# cd /settings/network_settings/
      2. Enable IP forwarding for IPv4 or IPv6:
         [admin@ng-east network_settings]# set enable_ipv4_ip_forward=yes
      3. Commit the change:
         [+admin@ng-east network_settings]# commit
    3. Prepare basic kernel networking attributes:
      1. As root user on the shell, edit the file /etc/sysctl.conf to set reverse path filtering for the Ethernet interfaces which will be used for the IPSec tunnel. Set the value either to 0 (disabled) or 2 (not strict) by adding the following line to the end of the file.
         Format:

         net.ipv4.conf.<interface>.rp_filter=0

         Example:

         net.ipv4.conf.eth1.rp_filter=0
      2. Activate the changes:
         root@ng-west:~# sysctl -p
        net.ipv4.conf.default.rp_filter = 1
        net.ipv4.conf.all.rp_filter = 1
        net.ipv4.conf.eth1.rp_filter = 1
        vm.max_map_count = 262144
        kernel.pty.max = 8192
        kernel.core_uses_pid = 1
        kernel.kptr_restrict = 2
        kernel.sysrq = 0
        net.ipv4.conf.all.accept_redirects = 0
        net.ipv4.conf.default.accept_redirects = 0
        net.ipv6.conf.all.accept_redirects = 0
        net.ipv6.conf.default.accept_redirects = 0
        net.ipv4.tcp_challenge_ack_limit = 99999999
        net.ipv4.tcp_timestamps = 0
        net.ipv6.conf.default.optimistic_dad = 1
        net.ipv6.conf.all.optimistic_dad = 1
        net.ipv4.conf.all.send_redirects = 0
        net.ipv4.conf.default.accept_source_route = 0
        net.ipv4.ip_forward = 1
        net.ipv6.conf.all.forwarding = 0
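The preparation steps above turned into a shell readiness check; this is an added example, not part of the Nodegrid article, and the function names, the constructed sample sysctl text and the iptables rule form are assumptions. It extracts the rp_filter and ip_forward values from sysctl output, flags the strict value 1 that the quoted output above still shows for eth1, and emits the four firewall rules from step 3.

```shell
#!/bin/sh
# Added example, not from the Nodegrid article: readiness checks for the
# preparation steps above. The parsing functions take text as input so they
# can be exercised offline; ng_readiness runs them against the live node.

# Constructed sample in the shape of the `sysctl -p` output quoted above.
SAMPLE_SYSCTL='net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0'

# Print the numeric value of sysctl key $2 found in sysctl-style text $1.
sysctl_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | sed -n "s/^$key *= *\([0-9][0-9]*\).*/\1/p"
}

# rp_filter value for interface $2 from sysctl-style text $1.
rp_filter_value() { sysctl_value "$1" "net.ipv4.conf.$2.rp_filter"; }

# Succeed only for values usable on a tunnel interface: 0 (disabled) or
# 2 (not strict). 1 (strict) can drop packets that arrive through the tunnel.
rp_filter_acceptable() { case "$1" in 0|2) return 0 ;; *) return 1 ;; esac; }

# Emit iptables INPUT rules for the four traffic types the article lists:
# IKE (UDP 500), IKE NAT-T (UDP 4500), ESP (protocol 50), AH (protocol 51).
ipsec_fw_rules() {
    printf 'iptables -A INPUT -i %s -p udp --dport 500 -j ACCEPT\n' "$1"
    printf 'iptables -A INPUT -i %s -p udp --dport 4500 -j ACCEPT\n' "$1"
    printf 'iptables -A INPUT -i %s -p esp -j ACCEPT\n' "$1"
    printf 'iptables -A INPUT -i %s -p ah -j ACCEPT\n' "$1"
}

# Live report for tunnel interface $1; non-zero exit when something is off.
ng_readiness() {
    ifc="$1"; rc=0
    h=$(hostname 2>/dev/null)
    case "$h" in ''|localhost) echo "hostname '$h' is not unique"; rc=1 ;; esac
    [ -f /etc/ipsec/ipsec.conf ] || { echo "missing /etc/ipsec/ipsec.conf"; rc=1; }
    live=$(sysctl -a 2>/dev/null)
    v=$(rp_filter_value "$live" "$ifc")
    rp_filter_acceptable "${v:-1}" ||
        { echo "rp_filter for $ifc is '${v:-unset}', want 0 or 2"; rc=1; }
    [ "$(sysctl_value "$live" net.ipv4.ip_forward)" = 1 ] ||
        echo "note: net.ipv4.ip_forward is 0; needed only if a subnet is exposed"
    return $rc
}
```

Run `ng_readiness eth1` as root on the node after completing the steps; pipe the `ipsec_fw_rules eth1` output to `sh` only after reviewing it against the node's existing firewall policy.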

Configuration of IPSec

This section outlines the general configuration steps which can be used to configure the desired connection.

  1. Prepare the Nodegrid (see this document)
  2. Ensure that one of the authentication methods is prepared:
    1. How to create Pre-shared Keys for IPSec
    2. How to create RSA Keys for IPSec
    3. How to Create Certificates for IPSec
  3. Create an IPSec configuration file and, as needed, a secrets file
  4. Distribute and exchange configuration files and keys as required to all nodes
  5. Test the connection

Configuration Examples

Host to Host

Host to Site

Site to Site
