Outline
This page gives a configuration example for connecting two Edge Gateway devices to each other over IPsec.
Preconditions
Knowledge of the following is recommended:
- Basic knowledge of the CLI of Edge Gateway
- Basic network knowledge
Table of contents
- Configuration
- STEP1: Setting the devices
- STEP2: Connection
- STEP3: Checking communication
Configuration
Encrypt packet data between the Edge Gateways with IPsec.
Edge Gateway 1 does not have a global IP address and is connected to the Internet via a broadband router. On the other hand, Edge Gateway 2 has a global IP address. Because Edge Gateway 1 sits behind the router's NAT, Edge Gateway 1 initiates the tunnel, Edge Gateway 2 accepts the peer from any remote address, and ESP is carried in UDP (NAT traversal), as the status output in STEP2 shows.
Broadband router
- IP address on the WAN side: aa.aa.aa.aa (*)
- IP address on the LAN side: 192.168.1.1
*Replace the IP address with the one assigned by your ISP, etc.
Edge Gateway 1
- Firmware: Ver 1.2.3
- IP address on the WAN side: 192.168.1.197 (eth0)
- IP address on the LAN side: 192.168.0.254 (br0)
PC 1 for checking communication
- OS: Windows 10
- IP address: 192.168.0.4
Edge Gateway 2
- Firmware: Ver 1.2.3
- IP address on the WAN side: bb.bb.bb.bb (PPPoE) (*)
- IP address on the LAN side: 192.168.2.1 (br0)
*Replace the IP address with the one assigned by your ISP, etc.
PC 2 for checking communication
- IP address: 192.168.2.50
- OS: Windows 10
Key exchange and encryption
- IKE version 2
- AES-CBC 256 bits
- SHA1 HMAC
Authentication method
- Pre-shared key: password123
STEP1: Setting the devices
Setting Edge Gateway 1
Setting the interface
In configuration mode, set the IP address for eth0.
amnimo(cfg)# interface eth0
amnimo(cfg-interface-eth0)#
amnimo(cfg-interface-eth0)# address 192.168.1.197/24 ← IP address on the WAN side of Edge Gateway 1
amnimo(cfg-interface-eth0)# exit
amnimo(cfg)#
The IP address of br0 is set to 192.168.0.254 by default. Therefore, it is unnecessary to configure special settings.
For how to change the IP address, refer to "エッジゲートウェイシリーズ CLIユーザーズマニュアル (amnimo.com)".
Setting the default route
amnimo(cfg)# routing static default
amnimo(cfg-rts-default)# to 0.0.0.0/0 ← Destination 0.0.0.0/0 (all addresses)
amnimo(cfg-rts-default)# via 192.168.1.1 ← IP address on the LAN side of the broadband router
amnimo(cfg-rts-default)# interface eth0 ← Set to eth0
amnimo(cfg-rts-default)# exit
IKE settings
Switch to configuration mode and configure the settings as follows:
amnimo(cfg)# ipsec ike ike01 ← Specify the setting name. (In this example, ike01 is specified as a name.)
amnimo(cfg-ips-ike-{ike01})# local address 192.168.1.197 ← IP address on the WAN side of Edge Gateway 1
amnimo(cfg-ips-ike-{ike01})# remote address bb.bb.bb.bb ← IP address on the WAN side of Edge Gateway 2
amnimo(cfg-ips-ike-{ike01})# authentication pre-shard-key
Enter new password: password123 ← Pre-shared key
Retype new password: password123 ← Enter it again for confirmation.
amnimo(cfg-ips-ike-{ike01})# exit
Check the settings in IKE mode. Note that the secret is shown only Base64-encoded (cGFzc3dvcmQxMjM= decodes to password123), so the pre-shared key is recoverable from this output and from the saved configuration file; restrict access to both.
amnimo(cfg)# ipsec ike ike01
amnimo(cfg-ips-ike-{ike01})# show c
local address 192.168.1.197
remote address bb.bb.bb.bb
version 2
mobike
authentication pre-shard-key secret cGFzc3dvcmQxMjM=
mode main
fragmentation
retry 3
lifetime 3h
dpd interval 30s
dpd timeout 150s
SA settings
Similarly, configure the settings in configuration mode as follows:
amnimo(cfg)# ipsec sa sa01 ← Specify the setting name. (In this example, sa01 is specified as a name.)
amnimo(cfg-ips-sa-{sa01})# enable
amnimo(cfg-ips-sa-{sa01})# key-exchange ike ike01 ← Specify the IKE name used for key exchange.
amnimo(cfg-ips-sa-{sa01})# transform encryption aes256 integrity sha1 ← Specify the encryption and integrity algorithms for ESP.
amnimo(cfg-ips-sa-{sa01})# negotiation-mode initiate ← Establish a connection from here.
amnimo(cfg-ips-sa-{sa01})# local subnet 192.168.0.0/24 ← br0 subnet of Edge Gateway 1
amnimo(cfg-ips-sa-{sa01})# remote subnet 192.168.2.0/24 ← br0 subnet of Edge Gateway 2
amnimo(cfg-ips-sa-{sa01})# exit
In SA mode, check the settings.
amnimo(cfg)# ipsec sa sa01
amnimo(cfg-ips-sa-{sa01})# show c
enable
key-exchange ike ike01
negotiation-mode initiate
rekey
type esp
mode tunnel
anti-replay
transform encryption aes256 integrity sha1 pfs 2
lifetime 1h
local subnet 192.168.0.0/24
remote subnet 192.168.2.0/24
Save the settings. (Please note that if you do not save the settings, they will be deleted when rebooting the Edge Gateway device.)
amnimo(cfg)# config file save
startup-config file already exists. Do you want to overwrite? (y/N): y
Setting PC 1 for checking communication
Setting the IP address
- IP address: 192.168.0.4
Setting the default gateway
- Default gateway: 192.168.0.254
*For Windows 10, you can check the status of the interface connected to the Edge Gateway device from [Control Panel] - [Network and Internet] - [Network Connection].
Setting Edge Gateway 2
Setting the interface
In configuration mode, set the IP address for br0.
amnimo(cfg)# interface br0
amnimo(cfg-interface-br0)#
amnimo(cfg-interface-br0)# address 192.168.2.1/24 ← IP address on the LAN side of Edge Gateway 2
amnimo(cfg-interface-br0)# exit
amnimo(cfg)#
Configuring a PPPoE connection
In configuration mode, configure a PPPoE connection.
amnimo(cfg)# ppp peer amnimo-ppp
amnimo(cfg-pp-amnimo-ppp)# username pppoeuser ← Set the PPPoE authentication user name.
amnimo(cfg-pp-amnimo-ppp)# password <Enter>
Enter new password: ←Enter the authentication password.
Retype new password: ←Enter it again for confirmation.
amnimo(cfg-pp-amnimo-ppp)# exit
amnimo(cfg)#
Establishing a PPP connection
In administrator mode or configuration mode, start the PPP connection.
amnimo# pppoe connect ppp0
*For details on the PPP connection, refer to "CLI ユーザーズマニュアル -6.1 PPP の設定をする".
IKE settings
Switch to configuration mode and configure the settings as follows:
amnimo(cfg)# ipsec ike ike01 ← Specify the setting name. (In this example, ike01 is specified as a name.)
amnimo(cfg-ips-ike-{ike01})# local address bb.bb.bb.bb ← IP address on the WAN side of Edge Gateway 2
amnimo(cfg-ips-ike-{ike01})# remote address any ← Accept the peer from any address (Edge Gateway 1 connects from behind NAT, so its source address is not fixed).
amnimo(cfg-ips-ike-{ike01})# authentication pre-shard-key
Enter new password: password123 ← Pre-shared key
Retype new password: password123 ← Enter it again for confirmation.
amnimo(cfg-ips-ike-{ike01})# exit
Check the settings in IKE mode.
amnimo(cfg)# ipsec ike ike01
amnimo(cfg-ips-ike-{ike01})# show c
local address bb.bb.bb.bb
remote address any
version 2
mobike
authentication pre-shard-key secret cGFzc3dvcmQxMjM=
mode main
fragmentation
retry 3
lifetime 3h
dpd interval 30s
dpd timeout 150s
SA settings
Similarly, configure the settings in configuration mode as follows:
amnimo(cfg)# ipsec sa sa01 ← Specify the setting name. (In this example, sa01 is specified as a name.)
amnimo(cfg-ips-sa-{sa01})# enable
amnimo(cfg-ips-sa-{sa01})# key-exchange ike ike01 ← Specify the IKE name used for key exchange.
amnimo(cfg-ips-sa-{sa01})# transform encryption aes256 integrity sha1 ← Specify the encryption and integrity algorithms for ESP.
amnimo(cfg-ips-sa-{sa01})# negotiation-mode hold ← Do not establish a connection from here.
amnimo(cfg-ips-sa-{sa01})# local subnet 192.168.2.0/24 ← br0 subnet of Edge Gateway 2
amnimo(cfg-ips-sa-{sa01})# remote subnet 192.168.0.0/24 ← br0 subnet of Edge Gateway 1
amnimo(cfg-ips-sa-{sa01})# exit
In SA mode, check the settings.
amnimo(cfg)# ipsec sa sa01
amnimo(cfg-ips-sa-{sa01})# show c
enable
key-exchange ike ike01
negotiation-mode hold
rekey
type esp
mode tunnel
anti-replay
transform encryption aes256 integrity sha1 pfs 2
lifetime 1h
local subnet 192.168.2.0/24
remote subnet 192.168.0.0/24
Save the settings. (Please note that if you do not save the settings, they will be deleted when rebooting the Edge Gateway device.)
amnimo(cfg)# config file save
startup-config file already exists. Do you want to overwrite? (y/N): y
Setting PC 2 for checking communication
Setting the IP address
- IP address: 192.168.2.50
Setting the default gateway
- Default gateway: 192.168.2.1
*For Windows 10, you can check the status of the interface connected to the Edge Gateway device from [Control Panel] - [Network and Internet] - [Network Connection].
STEP2: Connection
Starting an IPsec connection
Check the IPsec status on Edge Gateway 1. If the sa01 entry shows ESTABLISHED as below, the IKE SA between the Edge Gateways is up, and the sa01{2} INSTALLED line shows the ESP child SA that carries the 192.168.0.0/24 === 192.168.2.0/24 traffic. Note that the IKE proposal line (AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/MODP_2048) reports the algorithms of the IKE SA itself, which this example does not configure explicitly; the aes256/sha1 transform set in the SA settings applies to the ESP child SA (the AES_CBC_256/HMAC_SHA1_96 line). "ESP in UDP" indicates NAT traversal through the broadband router.
amnimo(cfg)# show ipsec status
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.19.145-00788-g94f928acd636, aarch64):
uptime: 29 minutes, since Aug 31 10:53:54 2021
malloc: sbrk 3207168, mmap 532480, used 1314384, free 1892784
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7
loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem gcrypt af-alg fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Listening IP addresses:
192.168.1.197
192.168.0.254
Connections:
sa01: 192.168.1.197...bb.bb.bb.bb IKEv2
sa01: local: [192.168.1.197] uses pre-shared key authentication
sa01: remote: [182.168.26.239] uses pre-shared key authentication
sa01: child: 192.168.0.0/24 === 192.168.2.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
sa01[2]: ESTABLISHED 28 minutes ago, 192.168.1.197[192.168.1.197]...bb.bb.bb.bb[bb.bb.bb.bb]
sa01[2]: IKEv2 SPIs: 3f1e0315e64b746a_i* 0350b080b91cbf5f_r, pre-shared key reauthentication in 2 hours
sa01[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/MODP_2048
sa01{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c1e343cd_i cc86f0dc_o
sa01{2}: AES_CBC_256/HMAC_SHA1_96, 19452 bytes_i (369 pkts, 9s ago), 29068 bytes_o (372 pkts, 9s ago), rekeying in 14 minutes
sa01{2}: 192.168.0.0/24 === 192.168.2.0/24
Additional information
If the connection has not been initiated, start it with the following command:
amnimo(cfg)# ipsec connect sa01
STEP3: Checking communication
Notes
If a ping does not get through, the network settings of the PCs used for checking may be the cause. Check the following points on each PC first:
- Has the firewall been disabled?
- Have the routing settings been configured correctly?
- Has the default gateway been set correctly?
- Is ICMP allowed?
*If communication cannot be established even after trying the above, disable the other interfaces such as WiFi.
Checking Ping communication
Ping PC 2 (192.168.2.50) from PC 1 (192.168.0.4).
C:\Users\test>ping 192.168.2.50
Pinging 192.168.2.50 with 32 bytes of data:
Reply from 192.168.2.50: bytes=32 time=98ms TTL=126
Reply from 192.168.2.50: bytes=32 time=70ms TTL=126
Reply from 192.168.2.50: bytes=32 time=128ms TTL=126
Reply from 192.168.2.50: bytes=32 time=119ms TTL=126
Ping statistics for 192.168.2.50:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 70ms, Maximum = 128ms, Average = 103ms
Similarly, ping PC 1 (192.168.0.4) from PC 2 (192.168.2.50) to confirm that communication works in both directions.
Checking with the Edge Gateways
On each Edge Gateway, run the show ipsec status command before and after the ping and confirm that the byte and packet counters on the sa01{2} line (bytes_i/pkts and bytes_o/pkts) have increased.
Before the Ping
amnimo(cfg)# show ipsec status
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.19.145-00788-g94f928acd636, aarch64):
uptime: 29 minutes, since Aug 31 10:53:54 2021
malloc: sbrk 3207168, mmap 532480, used 1314384, free 1892784
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7
loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem gcrypt af-alg fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Listening IP addresses:
192.168.1.197
192.168.0.254
Connections:
sa01: 192.168.1.197...182.168.26.239 IKEv2
sa01: local: [192.168.1.197] uses pre-shared key authentication
sa01: remote: [182.168.26.239] uses pre-shared key authentication
sa01: child: 192.168.0.0/24 === 192.168.2.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
sa01[2]: ESTABLISHED 28 minutes ago, 192.168.1.197[192.168.1.197]...182.168.26.239[182.168.26.239]
sa01[2]: IKEv2 SPIs: 3f1e0315e64b746a_i* 0350b080b91cbf5f_r, pre-shared key reauthentication in 2 hours
sa01[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/MODP_2048
sa01{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c1e343cd_i cc86f0dc_o
sa01{2}: AES_CBC_256/HMAC_SHA1_96, 19452 bytes_i (369 pkts, 9s ago), 29068 bytes_o (372 pkts, 9s ago), rekeying in 14 minutes
sa01{2}: 192.168.0.0/24 === 192.168.2.0/24
After the Ping
amnimo(cfg)# show ipsec status
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.19.145-00788-g94f928acd636, aarch64):
uptime: 30 minutes, since Aug 31 10:53:54 2021
malloc: sbrk 3207168, mmap 532480, used 1316576, free 1890592
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7
loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem gcrypt af-alg fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Listening IP addresses:
192.168.1.197
192.168.0.254
Connections:
sa01: 192.168.1.197...182.168.26.239 IKEv2
sa01: local: [192.168.1.197] uses pre-shared key authentication
sa01: remote: [182.168.26.239] uses pre-shared key authentication
sa01: child: 192.168.0.0/24 === 192.168.2.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
sa01[2]: ESTABLISHED 30 minutes ago, 192.168.1.197[192.168.1.197]...182.168.26.239[182.168.26.239]
sa01[2]: IKEv2 SPIs: 3f1e0315e64b746a_i* 0350b080b91cbf5f_r, pre-shared key reauthentication in 2 hours
sa01[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/MODP_2048
sa01{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c1e343cd_i cc86f0dc_o
sa01{2}: AES_CBC_256/HMAC_SHA1_96, 20808 bytes_i (394 pkts, 4s ago), 30928 bytes_o (397 pkts, 4s ago), rekeying in 12 minutes
sa01{2}: 192.168.0.0/24 === 192.168.2.0/24
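As an added example (not part of this page or of the amnimo CLI), a small Python parser for the Security Associations section of the show ipsec status output above: it checks that sa01 is ESTABLISHED in tunnel mode, records whether ESP is carried in UDP (NAT traversal) and which IKE and ESP algorithms were negotiated, and compares the packet counters of two snapshots the way the before/after ping check does. The sample status text is constructed from the output shown on this page.

```python
import re

# Constructed sample: the "Security Associations" part of the show ipsec status
# output in the format shown on this page, captured before and after the ping.
BEFORE = """\
Security Associations (1 up, 0 connecting):
  sa01[2]: ESTABLISHED 28 minutes ago, 192.168.1.197[192.168.1.197]...bb.bb.bb.bb[bb.bb.bb.bb]
  sa01[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/MODP_2048
  sa01{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c1e343cd_i cc86f0dc_o
  sa01{2}: AES_CBC_256/HMAC_SHA1_96, 19452 bytes_i (369 pkts, 9s ago), 29068 bytes_o (372 pkts, 9s ago), rekeying in 14 minutes
  sa01{2}: 192.168.0.0/24 === 192.168.2.0/24
"""
AFTER = BEFORE.replace("19452 bytes_i (369 pkts", "20808 bytes_i (394 pkts") \
              .replace("29068 bytes_o (372 pkts", "30928 bytes_o (397 pkts")

IKE_RE = re.compile(r"^\s*(?P<name>\w+)\[\d+\]: "
                    r"(?P<state>ESTABLISHED|CONNECTING|REKEYING|REKEYED|DELETING|PASSIVE|CREATED)\b", re.M)
PROP_RE = re.compile(r"^\s*(?P<name>\w+)\[\d+\]: IKE proposal: (?P<prop>\S+)", re.M)
CHILD_RE = re.compile(r"^\s*(?P<name>\w+)\{\d+\}: INSTALLED, (?P<mode>\w+), .*?(?P<esp>ESP in UDP|ESP) SPIs", re.M)
# Packet counters are absent ("0 bytes_i, 0 bytes_o") until traffic has flowed, so they are optional.
TRAFFIC_RE = re.compile(r"^\s*(?P<name>\w+)\{\d+\}: (?P<enc>[A-Z0-9_]+)/(?P<integ>[A-Z0-9_]+), "
                        r"(?P<bi>\d+) bytes_i(?: \((?P<pi>\d+) pkts[^)]*\))?, "
                        r"(?P<bo>\d+) bytes_o(?: \((?P<po>\d+) pkts[^)]*\))?", re.M)

def parse_status(text):
    """Return {sa_name: {...}} with IKE state, IKE proposal, child mode, NAT-T flag, ESP algorithms and packet counters."""
    sas = {}
    for m in IKE_RE.finditer(text):
        sas.setdefault(m["name"], {})["ike_state"] = m["state"]
    for m in PROP_RE.finditer(text):
        sas.setdefault(m["name"], {})["ike_proposal"] = m["prop"]
    for m in CHILD_RE.finditer(text):
        d = sas.setdefault(m["name"], {})
        d["mode"], d["nat_t"] = m["mode"], m["esp"] == "ESP in UDP"
    for m in TRAFFIC_RE.finditer(text):
        d = sas.setdefault(m["name"], {})
        d["esp"] = f"{m['enc']}/{m['integ']}"
        d["pkts_in"], d["pkts_out"] = int(m["pi"] or 0), int(m["po"] or 0)
    return sas

def tunnel_healthy(before, after, name="sa01"):
    """True if the SA is established in tunnel mode and traffic moved in both directions between the two snapshots."""
    b = parse_status(before).get(name, {})
    a = parse_status(after).get(name, {})
    return (a.get("ike_state") == "ESTABLISHED" and a.get("mode") == "TUNNEL"
            and a.get("pkts_in", 0) > b.get("pkts_in", 0)
            and a.get("pkts_out", 0) > b.get("pkts_out", 0))
```

Feed it the real output of show ipsec status from each Edge Gateway to automate the before/after check; the ike_proposal field also makes the IKE-SA defaults visible alongside the configured ESP transform.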