Introduction
I was trying to set up a Net-to-Net VPN between 2 IPCop boxes without much success. I was using the Short Howto on the X.509 VPN.
The procedure is relatively simple, but sometimes it gets confusing which side is what. If you don't do everything right, it does not work and it is difficult to understand what is wrong.
I had to do it 3 times to get it right. As a result I wrote this detailed step-by-step how-to.
Hope it is useful for other people.
---
Iassen Hristov
Scenario
We have 2 IPCop boxes, both running the latest version as of this writing, 1.4.2 (this how-to should work for later 1.4 versions as well).
We want to make an IPSec VPN between the 2 internal networks protected by the 2 IPCop boxes.
Network diagram
GREEN1 -- ipcop1 ------------- Internet --------------------- ipcop2 -- GREEN2
GREEN1 is 192.168.1.0/24
ipcop1 has a public IP address of 24.24.24.1 with a public name of ipcop1.ipcop1.org. The specific IP address does not matter as long as the name resolves correctly on both sides.
GREEN2 is 192.168.102.0/24
ipcop2 has a public IP address of 24.24.24.2 with a public name of ipcop2.ipcop2.org
The hostnames of the two IPCop boxes themselves are different from these public names: they are NOT ipcop1.ipcop1.org and ipcop2.ipcop2.org.
Detailed step-by-step instructions
Preparation
On ipcop1:
reset VPN settings if necessary (hitting the “Reset” button on the VPN page deletes all certificates and connections that might have been previously created)
set “Local VPN Hostname/IP” to ipcop1.ipcop1.org, check “Enabled” and hit Save
reboot ipcop1 (just in case)
On ipcop2:
reset VPN settings if necessary (hitting the “Reset” button on the VPN page deletes all certificates and connections that might have been previously created)
set “Local VPN Hostname/IP” to ipcop2.ipcop2.org, check “Enabled” and hit Save
reboot ipcop2 (just in case)
Generate Root/Host Certificates
On ipcop1: Hit the “Generate Root/Host Certificates” button and fill the following values:
ipcop1 as the “Organization name”
ipcop1.ipcop1.org as the “IPCop's Hostname” (this will be already filled for you)
Specify your Country
hit the “Generate Root/Host Certificates” button. This will generate the certificates (it might take a while) and will take you back to the VPN configuration page.
Click the “Download Root Certificate” button (icon like a floppy disk). You will be prompted for the file name to save. The default file name is cacert.pem. Just so there is no confusion change the name to cacert.1.pem
Click the “Download Host Certificate” button (the icon below). You will be prompted for the file name to save. The default file name is hostcert.pem. Just so there is no confusion change the name to hostcert.1.pem
On ipcop2: Hit the “Generate Root/Host Certificates” button and fill the following values:
ipcop2 as the “Organization name”
ipcop2.ipcop2.org as the “IPCop's Hostname” (this will be already filled for you)
Specify your Country
hit the “Generate Root/Host Certificates” button. This will generate the certificates (it might take a while) and will take you back to the VPN configuration page.
Click the “Download Root Certificate” button (icon like a floppy disk). You will be prompted for the file name to save. The default file name is cacert.pem. Just so there is no confusion change the name to cacert.2.pem
Click the “Download Host Certificate” button (the icon below). You will be prompted for the file name to save. The default file name is hostcert.pem. Just so there is no confusion change the name to hostcert.2.pem
Upload the CA Certificates
In this step you are letting the 2 IPCop boxes know about the other CA (Certificate Authority), so that they can trust the certificates issued by the other box.
On ipcop1:
Fill ipcop2 as the “CA name”
Browse and select the cacert.2.pem file
hit the “Upload CA Certificate” button. This will upload the CA certificate from ipcop2 to ipcop1 and it will show it as the 3rd row in the “Certificate Authorities” (bottom) section.
On ipcop2:
Fill ipcop1 as the “CA name”
Browse and select the cacert.1.pem file
hit the “Upload CA Certificate” button. This will upload the CA certificate from ipcop1 to ipcop2 and it will show it as the 3rd row in the “Certificate Authorities” (bottom) section.
Create connections
On ipcop1: Hit the “Add” button in the middle panel. On the next screen select “Net-to-Net Virtual Private Network” for the “Connection type” and fill the following values:
ipcop2 as the “Name”
left as the “IPCop side”
192.168.1.0/255.255.255.0 as the “Local subnet”
ipcop2.ipcop2.org as the “Remote Host/IP”
192.168.102.0/255.255.255.0 as the “Remote subnet”
In the “Authentication” section, select “Upload a certificate”, check “Upload a certificate” and browse to the hostcert.2.pem file.
Finally hit the “Save” button
On ipcop2 (everything is reversed): Hit the “Add” button in the middle panel. On the next screen select “Net-to-Net Virtual Private Network” for the “Connection type” and fill the following values:
ipcop1 as the “Name”
right as the “IPCop side”
192.168.102.0/255.255.255.0 as the “Local subnet”
ipcop1.ipcop1.org as the “Remote Host/IP”
192.168.1.0/255.255.255.0 as the “Remote subnet”
In the “Authentication” section, select “Upload a certificate”, check “Upload a certificate” and browse to the hostcert.1.pem file.
Finally hit the “Save” button
Done
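Because the hard part of this procedure is that everything on ipcop2 is the mirror image of ipcop1, here is an added Python example (not part of the original how-to, and not IPCop code) that fills in both Net-to-Net forms from the scenario above and checks that the two entries actually mirror each other: names point at the other box, one side is "left" and the other "right", local and remote subnets are swapped, "Remote Host/IP" is the other box's "Local VPN Hostname/IP", each box uploads the other box's host certificate, and the two GREEN networks do not overlap. The SITES table, the field names and the hostcert.1.pem/hostcert.2.pem file names are taken from the how-to; the check runs offline and never talks to an IPCop box.

```python
import ipaddress

# Constructed from the how-to's scenario: each box's "Local VPN Hostname/IP",
# its GREEN network and the file name we gave its downloaded host certificate.
SITES = {
    "ipcop1": {
        "vpn_hostname": "ipcop1.ipcop1.org",
        "green": "192.168.1.0/255.255.255.0",
        "host_cert_file": "hostcert.1.pem",
    },
    "ipcop2": {
        "vpn_hostname": "ipcop2.ipcop2.org",
        "green": "192.168.102.0/255.255.255.0",
        "host_cert_file": "hostcert.2.pem",
    },
}


def net_to_net_connection(sites, local, remote, side):
    """Fill the Net-to-Net form the way the how-to does, from `local`'s point of view."""
    return {
        "box": local,
        "name": remote,                                 # "Name" = the other box
        "ipcop_side": side,                             # "left" on ipcop1, "right" on ipcop2
        "local_subnet": sites[local]["green"],          # "Local subnet" = own GREEN
        "remote_host": sites[remote]["vpn_hostname"],   # "Remote Host/IP" = other box's VPN name
        "remote_subnet": sites[remote]["green"],        # "Remote subnet" = other box's GREEN
        "host_cert": sites[remote]["host_cert_file"],   # upload the OTHER box's host certificate
    }


def check_pair(sites, a, b):
    """Return the list of mismatches between the two boxes' entries; [] means they mirror."""
    problems = []
    other_of_a = sites[b["box"]]
    other_of_b = sites[a["box"]]

    if a["name"] != b["box"] or b["name"] != a["box"]:
        problems.append("each connection must be named after the other box")
    if {a["ipcop_side"], b["ipcop_side"]} != {"left", "right"}:
        problems.append("one box must be 'left' and the other 'right'")
    if a["local_subnet"] != b["remote_subnet"] or b["local_subnet"] != a["remote_subnet"]:
        problems.append("local and remote subnets must be swapped between the two boxes")
    if a["remote_host"] != other_of_a["vpn_hostname"] or b["remote_host"] != other_of_b["vpn_hostname"]:
        problems.append("'Remote Host/IP' must be the other box's 'Local VPN Hostname/IP'")
    if a["host_cert"] != other_of_a["host_cert_file"] or b["host_cert"] != other_of_b["host_cert_file"]:
        problems.append("each box must upload the OTHER box's host certificate")
    if other_of_a["vpn_hostname"] == other_of_b["vpn_hostname"]:
        problems.append("the two 'Local VPN Hostname/IP' values must differ")

    # IPsec cannot route the tunnel if the two GREEN networks overlap.
    # ipaddress accepts the "network/netmask" form used on the IPCop form.
    net_a = ipaddress.ip_network(a["local_subnet"])
    net_b = ipaddress.ip_network(b["local_subnet"])
    if net_a.overlaps(net_b):
        problems.append(f"subnets {net_a} and {net_b} overlap")
    return problems


if __name__ == "__main__":
    c1 = net_to_net_connection(SITES, "ipcop1", "ipcop2", "left")
    c2 = net_to_net_connection(SITES, "ipcop2", "ipcop1", "right")
    for c in (c1, c2):
        print(c["box"], {k: v for k, v in c.items() if k != "box"})
    print("mismatches:", check_pair(SITES, c1, c2) or "none")
    # A typical mistake: picking "left" on both boxes.
    print("both left:", check_pair(SITES, c1, dict(c2, ipcop_side="left")))
```

Run it before clicking "Save" on the second box: an empty mismatch list means the two forms are the reverse of each other as the how-to describes. One thing this check cannot see is the clock: certificate-based authentication also requires that both boxes' clocks fall inside the validity period of the certificates they were issued, which is the time-synchronization note the revision history below refers to.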
Revision history of this document
| Description | Author | Date | Version |
| Initial version | IH | 13-Feb-2005 | 0.1 |
| Added note about time synchronization and version table | IH | 05-Sep-2006 | 0.2 |