Ipsec x.509 roaming client example – RuggedCom RuggedRouter RX1100 User Manual

Page 156


16. Configuring IPsec VPN

Revision 1.14.3 RX1000/RX1100™

41 #3093: "openswantest" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1050s; newest ISAKMP
42 #2997: "openswantest" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 19773s; newest IPSEC; eroute owner
43 #2997: "openswantest" [email protected] [email protected] [email protected] [email protected].

The “IPsec Status” button produces a window of text similar to that of the above figure (except that
line numbers have been inserted for purposes of illustration).

The first group (lines 1-5) describes configured interfaces.

The second group (lines 7-17) describes ESP capabilities. In this group we can see encryption
capabilities (lines 7-13) and authentication capabilities (lines 14-17). At least one set of values must
match between the left- and right-hand side VPN devices. This is also frequently referred to as the
Phase 2 parameters, because the data encryption process is the second and final thing to occur in
establishing a VPN.

The third group (lines 18-28) describes IKE capabilities and defines the various encrypted key
exchange algorithms and their parameters. At least one set of values must match between the left- and
right-hand side VPN devices. This is also frequently referred to as the Phase 1 parameters, because
the key exchange process is the first thing to occur in establishing a VPN.

The fourth group (lines 30-39) describes VPN connections (here “openswantest”). The first line is
particularly useful since it indicates the connection addresses, subnets and that the connection is
active (“erouted”). If there are no entries, then the VPN hasn't been established at all. If there are
entries, but no STATE_QUICK_R2 (IPsec SA established) lines, then the IPsec parameters are configured
but the tunnel hasn't been established. This can be normal: tunnels become active once the Phase 1
and Phase 2 security associations are created, and this usually only occurs after traffic is flowing.
The associations are then torn down after a timeout period.
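The reading of the status window described above can be made mechanical, which is useful when a monitoring script has to decide whether a tunnel is up. The following is an added example, not code from the manual or from Openswan: it parses status text in the format of the figure and classifies each connection as the preceding paragraph does. The sample status lines are constructed, and the connection-summary line format, the second "roaming1" connection and the initiator-side states STATE_MAIN_I4/STATE_QUICK_I2 are assumptions that go beyond what the figure shows.

```python
import re

# Constructed sample, modelled on the "IPsec Status" window shown in the figure
# above; the connection summary lines and the "roaming1" connection are assumed.
SAMPLE_STATUS = """\
"openswantest": 192.168.1.0/24===10.0.0.1...10.0.0.2===192.168.2.0/24; erouted; eroute owner: #2997
"openswantest":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; keyingtries: 0
"roaming1": 192.168.1.0/24===10.0.0.1...%any; unrouted; eroute owner: #0
#3093: "openswantest" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1050s; newest ISAKMP
#2997: "openswantest" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 19773s; newest IPSEC; eroute owner
"""

# Connection summary line: name, endpoints and routing state ("erouted" means active).
CONN_RE = re.compile(r'^"(?P<name>[^"]+)":\s+\S+\.\.\.[^;]+;\s*(?P<route>\w+);')
# Per-SA state line: SA number, connection name, state and (optionally) seconds to replacement.
STATE_RE = re.compile(r'^#(?P<sa>\d+):\s+"(?P<name>[^"]+)"\s+(?P<state>STATE_\w+)'
                      r'(?:.*?EVENT_SA_REPLACE in (?P<ttl>\d+)s)?')

PHASE1_DONE = {"STATE_MAIN_R3", "STATE_MAIN_I4"}    # ISAKMP SA established (responder/initiator)
PHASE2_DONE = {"STATE_QUICK_R2", "STATE_QUICK_I2"}  # IPsec SA established (responder/initiator)

def parse_status(text):
    """Collect Phase 1 / Phase 2 / eroute facts per connection from the status text."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.match(line) or STATE_RE.match(line)
        if not m:
            continue  # capability lines, lifetimes, tun/esp SPI lines etc. are ignored
        c = conns.setdefault(m["name"], {"phase1": False, "phase2": False,
                                         "erouted": False, "replace_in": None})
        if m.re is CONN_RE:
            c["erouted"] = m["route"] == "erouted"
        elif m["state"] in PHASE1_DONE:
            c["phase1"] = True
        elif m["state"] in PHASE2_DONE:
            c["phase2"] = True
            c["replace_in"] = int(m["ttl"]) if m["ttl"] else None  # seconds until rekey
    return conns

def diagnose(conn):
    """Map the collected flags onto the three situations the manual describes."""
    if conn["phase2"] and conn["erouted"]:
        return "established"
    if conn["phase1"] or conn["erouted"]:
        return "configured, tunnel not established"
    return "not established"

def summarize(text):
    return {name: diagnose(c) for name, c in parse_status(text).items()}
```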

16.2.10. IPSec X.509 Roaming Client Example

This example details how to set up IPSec connections using X.509 certificates on the router. The router
will provide an IPSec gateway to a number of remote clients that connect via an Internet connection.
Each of the clients will fetch an IP address locally from a DHCP server, and it is assumed (but not
required) that network address translation will be applied at the client end. Each of the clients should
“appear” on the local network on a specific IP address. In this example the clients are laptop PCs.

Figure 16.11. IPSec X.509 Roaming Client Example
