Net2Net IPsec VPN using IPFire

By | October 29, 2016

Overview

The purpose of this tutorial is to go over the steps necessary to create an IPsec VPN connection between two fixed locations. The IPFire documentation refers to this as a “Net2Net” connection. To demonstrate this, we will connect a ProfitBricks Virtual Data Center provisioned in the US/LAS (Las Vegas) region with one provisioned in DE/FKB (Karlsruhe). The IPFire implementation of IPSec utilizes strongSwan. The configuration of the IPsec connection will be handled using the IPFire Web-based GUI.

Getting Started

Provision two Virtual Data Centers with an IPFire server setup in each one. Set a reserved (static) ip address on RED/NIC 1 and have an internal LAN connected to GREEN/NIC 2. You will want to be sure that the internal networks utilize a unique addressing scheme. In this example we have 172.16.1.0/24 in US/LAS and 172.16.2.0/24 in DE/FKB, both as class C networks, using 255.255.255.0 as the subnet mask.

| Property                               | Firewall 1      | Firewall 2       |
| -------------------------------------- | --------------- | ---------------- |
| Hostname                               | ipfire.tutorial | ipfire2.tutorial |
| Location                               | US/LAS          | DE/FKB           |
| RED / NIC1 (Reserved Static Public IP) | 162.254.27.246* | 78.137.101.248*  |
| GREEN / NIC2 (Static or DHCP)          | 172.16.1.1      | 172.16.2.1       |

* Do NOT use this value, you will have to reserve your own static IP address in the DCD.

Here is an example layout in the Data Center Designer (DCD).

IPFire2 DCD layout

The second server, labeled “IntBox”, is not strictly necessary. However, we will utilize it later to test that a machine on the internal network can be reached successfully across the IPSec VPN.

We can refer to the Install IPFire Linux Firewall tutorial for details on getting IPFire configured at each location. The example there is mostly valid despite being about a year old at this point. The version of IPFire has changed along with minor changes to line numbers referred to in the IPFire configuration files. If you happen to experience an issue following that tutorial, please post a comment so that we can look into it further.

Unless you want to provision a server with a GUI on the internal network at both locations, you will need to pay attention to the instructions for allowing access to the IPFire Web GUI (https://IP_ADDRESS_OR_HOSTNAME:444) on the RED interface.

In the original Install IPFire Linux Firewall tutorial we suggested NOT enabling DHCP on the IPFire GREEN/internal interface. If you want to enable it to avoid having to manually set a static IP address on an internal test server, such as “IntBox”, make sure to toggle the “DHCP” option on the internal server’s network tab in the DCD. This will allow the server to accept a DHCP offer from the IPFire firewall instead of taking one from ProfitBricks.

DCD toggle DHCP

The checkbox is obscured by the “help” text “Toggle DHCP here in case you want to run your own DHCP.” in the screenshot above.

Just to reiterate, this is only necessary if you want to avoid having to set a static IP on a test server that is behind the IPFire firewall. That minor bit of administrative time would be replaced with having to configure DHCP on the IPFire firewall during or after setup.

Generate Certificates

Go ahead and connect to the Web GUI of each IPFire server. For the tutorial, they are called ipfire.tutorial and ipfire2.tutorial. Connect to https://YOUR.IPFIRE.IP.ADDRESS:444, authenticate, and then navigate to Services->IPsec. In an unconfigured state, it should resemble this screenshot, with your IP/hostname showing in the “Public IP or FQDN…” box.

IPSec Unconfigured

Press the Generate root/host certificates button in the lower right corner to bring up the web form used to generate a pair of certificates. On our ipfire2.tutorial install, it looks like:

Generate Certificates

For the Organization Name: box, enter something useful and descriptive. We will use “IPFire Tutorial” and “IPFire2 Tutorial” respectively. We will leave the prefilled value for IPFire’s Hostname in place. Lets add in some useful values for City and Country. In this case, we will enter information that matches the Virtual Data Center location of these two IPFire installations. This will help us keep the certificates organized. For ipfire.tutorial, we will enter Las Vegas and select United States for the country. For ipfire2.tutorial, we will enter Karlsruhe and select Germany for the country. Press the Generate root/host certificates button in the center of the screen to proceed with generating the certificates. We are taken back to the IPsec screen and now have populated values for “Root certificate” and “Host Certificate” in the Certificate Authorities and -Keys section.

Generated Certificates

Generated IPFire2 Certificates

Install Certificates

At this point we have four certificates. A Root and Host certificate for each of the two IPFire servers. Use the disk icon to save the certificates to your local system with a descriptive name. Something along the lines of:

ipfirelasvegasroot.pem
ipfirelasvegashost.pem

and:

ipfire2karlsruheroot.pem
ipfire2karlsruhehost.pem

We need to upload these each of these certificates to the IPFire system on the opposite side of the connection. We will do this with the Root certificate now, and the Host certificate will be uploaded later in the IPsec configuration process. This is not overly complicated, we just have to stay organized so we get the right certificate in the right place.

We will start by uploading the Root certificate for the Karlsruhe location to the IPFire install in Las Vegas. To do this, press the Choose File button in the lower center of the IPsec configuration screen. Select the ipfire2karlsruheroot.pem file from your local system. That file name will appear next to the button once you’ve uploaded it. Now enter IPFire2Karlsruhe, or another appropriate descriptive name, into the in the required CA name: field and then press the Upload CA certificate button in the lower right corner of the web UI.

Upload IPFire2 Root Certificate to IPFire

When it finishes, we will see that the Certificate Authorities and -Keys section has new entry in it.

Uploaded IPFire2 Root Certificate

Repeat the process on the second IPFire server, IPFire2.tutorial, but this time make sure and upload the ipfirelasvegasroot.pemfile.

Configure IPsec

Now that we have the Root certificates in place on each system, we can proceed to configure the IPsec connection. This needs to be done on each side of the connection. On ipfire.tutorial navigate to Services->IPsec and look for an Add button in the Connection Status and -Control section. Press the Add button to enter the Connection Type screen:

IPsec Add Connection Default

Change the radio button selector to Net-to-Net Virtual Private Network and then press the Add button:

IPsec Add Connection Select Net2Net

In its unconfigured state, the new connection screen should resemble this:

IPsec Add Connection Select Net2Net Unconfigured

On ipfire.tutorial we need to configure the following values in the Connection section:

  • Set Name to IPFire2Karlsruhe.
  • Enter the appropriate value for Remote host/IP, this would be the hostname or IP of IPFire server at the opposite side of the connection.
  • Enter the appropriate value for Remote subnet, this would be the IP range that is protected by the IPFire server at the opposite side of the connection. In this tutorial we set it to 172.16.2.0/24.
  • Check the box for Edit advanced settings when done.

In the Authentication section, we are paying attention to the Upload a certificate line.

  • Press the Choose File button and select the ipfire2karlsruhehost.pem file from your local system.

The completed screen on ipfire.tutorial should resemble:

IPsec Add Connection Select Net2Net Configured

Press the Save button in the lower center of that screen.

Since we select the check box for Edit advanced settings when done, we are whisked away to:

IPsec Add Connection Select Net2Net Configured Advanced

These advanced settings let us fine tune the way the IPsec connection is established. Since this is a Net2Net VPN and we have full control over both sides of the connection, we configure the connection however we please. There is no need to support a number of different ciphers and settings. Instead, we can just pick a single set of values and configure them to be exactly the same on both sides.

The following screenshot shows a set of reasonable and safe values adopt and is sufficient for this tutorial. When you proceed to implement an IPsec VPN in a production environment, please consider doing some additional research as to what values your organization should utilize. There are certain ciphers included in the list (for compatibility) which are no longer considered secure and should be avoided!

IPsec Add Connection Select Net2Net Configured Advanced Adjusted

The specific list of changes made are:

  • Under Encryption both IKE and ESP have only 256 bit AES-CBC selected.
  • The only value set for Integrity is SHA2 512 bit.
  • The only value set for Grouptype is ECP-224 (Brainpool).
  • The checkbox for IKE+ESP: Use only proposed settings should be checked.

Press the Save button in the lower right corner of the screen to proceed.

IPsec Add Connection Select Net2Net Configured IPFire

Go ahead and repeat the steps we just went through on ipfire2.tutorial or whatever name you used for the IPFire server on the other side of the connection. When both sides are configured, confirm that the Enabled checkbox is selected in the Global Settingssection, and also for the specific connection listed in Connection Status and -Control.

Test the Connection

If everything was configured properly, we should be rewarded with a Status of Connected when looking at the IPsec screen on each of the firewalls.

IPFire Connection Success

and:

IPFire2 Connection Success

From a server connected to the GREEN or internal network in the Las Vegas location, we should be able to complete a ping test to a server connected to the GREEN network in the Karlsruhe location.

This server has an IP on the 172.16.1.0/24 network in Las Vegas:

$ ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:01:81:59:6c:2a brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.10/32 brd 172.16.1.10 scope global eth0
       valid_lft forever preferred_lft forever

It is able to successfully ping the IntBox server at 172.16.2.50 in Karlsruhe:

$ ping 172.16.2.50
PING 172.16.2.50 (172.16.2.50) 56(84) bytes of data.
64 bytes from 172.16.2.50: icmp_seq=1 ttl=62 time=163 ms
64 bytes from 172.16.2.50: icmp_seq=2 ttl=62 time=163 ms
64 bytes from 172.16.2.50: icmp_seq=3 ttl=62 time=163 ms

Troubleshoot

IPFire has logs related to IPsec connections available. Navigate to Logs and choose the bottom menu option System Logs. Then in the Settings section, use the drop-down menu to select IPSec and press the Update button. The Log section will be populated with recent events. These may help you determine what the issue is, or give you something useful as a search term.

IPFire System Log IPSec

You may find the information available in the IPFire Wiki to be helpful.

Summary

We have successfully demonstrated how to establish an IPsec VPN connection between two IPFire firewall installations.

Please do not leave access to the IPFire web GUI accessible to the public for any longer than necessary. Once you have the IPFire server configured, please seriously consider disabling the access rule.

Remember that you can do this by commenting out the rule we added to /etc/init.d/firewall and running /etc/init.d/firewall restart.

You are welcome to provide feedback via the comments section here, or open a discussion in the Community section of this site. Thanks for following along!

Сomments аrchive