Generate x.509 certificates, Vpn networking parameters, Client configuration – RuggedCom RuggedRouter RX1100 User Manual

Page 157: Router ipsec configuration


16. Configuring IPsec VPN

Revision 1.14.3

157

RX1000/RX1100™

Select A Certificate Authority

Begin by constructing the required certificates. You may construct the certificates using a
RuggedRouter or a third party tool. The device that is used to build the certificates is known as the
certificate authority. There are advantages and disadvantages to using the router itself as the authority.
It is convenient to use if it is the only router in the network and many clients will be connecting to
it. On the other hand, if the router holds the certificate authority and is compromised, all certificates
must be constructed again.

Ensure that the Certificate Authority generates certificates with a reasonable life and generates keys
of at least 1024 bits in length.

16.2.10.1. Generate X.509 Certificates

Use the authority to produce a certificate authority public certificate (cacert), a certificate for each
client, and a certificate for the router. The certificate authority will require some information that
is shared by all certificates (e.g. a Country Name (C), a State Or Province Name (S), an Organization
Name (O)) and some per-client information (e.g. a Common Name (CN) and an Email address (E)).
Together this information forms the Distinguished Name (DN), which the router and client use
to validate each other.

16.2.10.2. VPN Networking Parameters

The first step is to identify the key parameters required. The router public gateway (here
[email protected]) and its gateway interface (w1ppp) must be known. The local network subnet
(10.0.0.0/8) and each client's internal network address (here 10.0.1.1) must be known. All client
addresses should be assigned from a subnet of the local network (e.g. 10.0.1.0/24). The
encryption parameters should be chosen according to the client's capabilities. Avoid selecting
3DES if possible due to its high overhead.

16.2.10.3. Client Configuration

Depending upon the client, you may be required to produce the certificate in P12 format, and may
be required to include an “export” password as well. The personnel who configure the client must
know this password in order to import the certificate.

Install the client IPSec software and import the cacert and the client's own certificate and key.
Configure the client with the router public gateway, the client's internal network address and the desired
encryption parameters. At this point the client should be able to use its Internet connection to ping
the public gateway.

16.2.10.4. Router IPSec Configuration

Transfer the cacert and the router's certificate to the router. If your authority prepares a Certificate
Revocation List (CRL), you will want to transfer that as well.

The cacert file should be renamed cacert.pem and installed in /etc/ipsec.d/cacerts/.

The CRL file should be renamed to crl.pem and installed in /etc/ipsec.d/crls/.

The router's certificate must be installed in /etc/ipsec.d/certs/. Its public key file (e.g. router.key)
must be installed in /etc/ipsec.d/private/ and a line ': RSA router.key "Password"' (where Password
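The certificate-generation, client-export and router-installation steps of this section, carried through end to end with the openssl command-line tool. This is an added example, not part of the RuggedCom manual and not a RuggedRouter tool. Its assumptions: the DN values, host names, e-mail addresses, passphrases and directory names are constructed for illustration; a local directory stands in for the router's filesystem, since transferring the files to the router is a separate operator step; openssl spells the manual's "S" (State Or Province) field as "ST"; the example uses 2048-bit keys where the manual's stated minimum is 1024; the CRL is not generated (that requires a full `openssl ca` database), only its target directory is created; and the password in the `: RSA router.key "..."` line is taken to be the passphrase protecting router.key, which is where the page text breaks off.

```shell
#!/bin/sh
# Added example: a minimal certificate authority for the IPsec setup described
# in this section, built with the openssl command-line tool. All DN values,
# host names, e-mail addresses, passphrases and directories are constructed.
set -e

# DN fields shared by every certificate. openssl spells the manual's "S" as "ST".
CA_C="CA"
CA_ST="Ontario"
CA_O="Example Utility"

KEY_BITS=2048      # the manual's minimum is 1024; 2048 is used here
CA_DAYS=3650       # "reasonable life": 10 years for the CA,
LEAF_DAYS=730      # 2 years for router and client certificates

# Constructed passphrases (a real deployment would not keep these in a script)
CA_KEY_PASS="ca-key-passphrase"
ROUTER_KEY_PASS="router-key-passphrase"
CLIENT_KEY_PASS="client-key-passphrase"
P12_EXPORT_PASS="export-password"

# make_ca DIR: self-signed CA key and certificate under DIR/ca
make_ca() {
    dir="$1"
    mkdir -p "$dir/ca"
    openssl genrsa -aes256 -passout "pass:$CA_KEY_PASS" \
        -out "$dir/ca/ca.key" "$KEY_BITS" 2>/dev/null
    openssl req -x509 -new -key "$dir/ca/ca.key" -passin "pass:$CA_KEY_PASS" \
        -days "$CA_DAYS" -sha256 \
        -subj "/C=$CA_C/ST=$CA_ST/O=$CA_O/CN=Example IPsec CA" \
        -out "$dir/ca/cacert.pem"
}

# issue_cert DIR NAME CN EMAIL KEYPASS: end-entity certificate signed by the CA.
# CN and E are the per-client DN fields; C, ST and O are the shared CA values.
issue_cert() {
    dir="$1"; name="$2"; cn="$3"; email="$4"; keypass="$5"
    openssl genrsa -aes256 -passout "pass:$keypass" \
        -out "$dir/$name.key" "$KEY_BITS" 2>/dev/null
    openssl req -new -key "$dir/$name.key" -passin "pass:$keypass" -sha256 \
        -subj "/C=$CA_C/ST=$CA_ST/O=$CA_O/CN=$cn/emailAddress=$email" \
        -out "$dir/$name.csr"
    openssl x509 -req -in "$dir/$name.csr" -days "$LEAF_DAYS" -sha256 \
        -CA "$dir/ca/cacert.pem" -CAkey "$dir/ca/ca.key" \
        -passin "pass:$CA_KEY_PASS" -CAcreateserial \
        -out "$dir/$name.pem" 2>/dev/null
}

# export_p12 DIR NAME KEYPASS EXPORTPASS: bundle key, certificate and cacert in
# PKCS#12 form for clients that need it; EXPORTPASS is the "export" password
# the person configuring the client must know to import the bundle.
export_p12() {
    dir="$1"; name="$2"; keypass="$3"; exportpass="$4"
    openssl pkcs12 -export -inkey "$dir/$name.key" -passin "pass:$keypass" \
        -in "$dir/$name.pem" -certfile "$dir/ca/cacert.pem" -name "$name" \
        -passout "pass:$exportpass" -out "$dir/$name.p12"
}

# stage_router DIR ROOT KEYPASS: lay the files out as the manual requires,
# with ROOT standing in for the router's filesystem.
stage_router() {
    dir="$1"; root="$2"; keypass="$3"
    d="$root/etc/ipsec.d"
    mkdir -p "$d/cacerts" "$d/certs" "$d/private" "$d/crls"
    cp "$dir/ca/cacert.pem" "$d/cacerts/cacert.pem"   # renamed to cacert.pem
    cp "$dir/router.pem"    "$d/certs/router.pem"
    cp "$dir/router.key"    "$d/private/router.key"
    chmod 600 "$d/private/router.key"
    # A CRL from the authority would be copied to $d/crls/crl.pem (not generated here).
    # ipsec.secrets line in the form the manual shows; the quoted password is
    # assumed to be the passphrase that protects router.key.
    printf ': RSA router.key "%s"\n' "$keypass" > "$root/etc/ipsec.secrets"
    chmod 600 "$root/etc/ipsec.secrets"
}

# verify_chain CACERT CERT: succeed only if CERT was issued by CACERT
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# build_pki DIR: run the whole procedure into DIR
build_pki() {
    work="$1"
    make_ca "$work"
    issue_cert "$work" router  "rx1100.example.net" "admin@example.net"   "$ROUTER_KEY_PASS"
    issue_cert "$work" client1 "client1"            "client1@example.net" "$CLIENT_KEY_PASS"
    export_p12 "$work" client1 "$CLIENT_KEY_PASS" "$P12_EXPORT_PASS"
    stage_router "$work" "$work/router-fs" "$ROUTER_KEY_PASS"
}

PKI_DIR="$(mktemp -d)"
build_pki "$PKI_DIR"
verify_chain "$PKI_DIR/ca/cacert.pem" "$PKI_DIR/client1.pem"
find "$PKI_DIR/router-fs" -type f
```

Running the script with `sh` prints the files staged under the stand-in router root; `client1.p12` in the working directory is what would be handed to the person configuring the client, together with the export password, and `router-fs/etc/ipsec.d/` mirrors the layout the section describes for the router.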
