Ipcop

From Blackcannon wiki

Scenario

We have two IPCop boxes, both running the latest version as of this writing, 1.4.2.

We want to make an IPSec VPN between the 2 internal networks protected by the 2 IPCop boxes.

Network diagram

GREEN1 -- ipcop1 ------------- Internet --------------------- ipcop2 -- GREEN2


  • GREEN1 is 192.168.1.0/24
  • ipcop1 has a public IP address of 24.24.24.1 with a public name of ipcop1.ipcop1.org. The specific addresses do not matter as long as each public name resolves, from the other side, to the public (RED) address of that box.
  • GREEN2 is 192.168.102.0/24
  • ipcop2 has a public IP address of 24.24.24.2 with a public name of ipcop2.ipcop2.org
  • The public names used for the VPN are not the system hostnames of the two boxes: neither box is actually named ipcop1.ipcop1.org or ipcop2.ipcop2.org. That is fine; the VPN uses the name you enter as “Local VPN Hostname/IP”, not the system hostname.


Detailed step-by-step instructions follow

Preparation

1. On ipcop1:

        1. reset VPN settings if necessary (hitting the “Reset” button on the VPN page deletes all certificates
           and connections that might have been previously created)
        2. set “Local VPN Hostname/IP” to ipcop1.ipcop1.org, check “Enabled” and hit Save
        3. reboot ipcop1 (just in case)

2. On ipcop2:

        1. reset VPN settings if necessary (hitting the “Reset” button on the VPN page deletes all certificates
           and connections that might have been previously created)
        2. set “Local VPN Hostname/IP” to ipcop2.ipcop2.org, check “Enabled” and hit Save
        3. reboot ipcop2 (just in case)

Generate Root/Host Certificates

3. On ipcop1: Hit the “Generate Root/Host Certificates” button and fill the following values:

        1. ipcop1 as the “Organization name”
        2. ipcop1.ipcop1.org as the “IPCop's Hostname” (this will be already filled for you)
        3. Specify your Country
        4. hit the “Generate Root/Host Certificates” button. This will generate the certificates (it might take a
           while) and will take you back to the VPN configuration page.
        5. Click the “Download Root Certificate” button (icon like a floppy disk). You will be prompted for the
           file name to save. The default file name is cacert.pem. Just so there is no confusion change the name   
           to cacert.1.pem
        6. Click the “Download Host Certificate” button (the icon below). You will be prompted for the file name 
           to save. The default file name is hostcert.pem. Just so there is no confusion change the name to    
           hostcert.1.pem

4. On ipcop2: Hit the “Generate Root/Host Certificates” button and fill the following values:

        1. ipcop2 as the “Organization name”
        2. ipcop2.ipcop2.org as the “IPCop's Hostname” (this will be already filled for you)
        3. Specify your Country
        4. hit the “Generate Root/Host Certificates” button. This will generate the certificates (it might take a
           while) and will take you back to the VPN configuration page.
        5. Click the “Download Root Certificate” button (icon like a floppy disk). You will be prompted for the 
           file name to save. The default file name is cacert.pem. Just so there is no confusion change the name  
           to cacert.2.pem
        6. Click the “Download Host Certificate” button (the icon below). You will be prompted for the file name
           to save. The default file name is hostcert.pem. Just so there is no confusion change the name to  
           hostcert.2.pem
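Before the two downloaded files are carried to the other box and uploaded (next section), it is worth checking on the workstation that they are what they claim to be: each file holds exactly one certificate and no private key, cacert.N.pem really is a CA certificate, hostcert.N.pem was issued by that CA, and its subject CN matches the name you will later enter as “Remote Host/IP”. The following script is an added example, not part of this page or of IPCop; it assumes the host certificate's CN is the “IPCop's Hostname” entered at generation time (ipcop2.ipcop2.org here) and uses the openssl command-line tool. The make_sample_pki function builds a constructed stand-in for ipcop2's exported files so the checks can be tried without a real IPCop.

```sh
#!/bin/sh
# Added example (not IPCop's code): pre-upload checks for the other box's
# cacert.N.pem / hostcert.N.pem, run on the admin workstation.
# Assumption: the host certificate's CN is the "IPCop's Hostname" value
# entered when the certificates were generated (ipcop2.ipcop2.org here).

# Print the SHA-256 fingerprint of a PEM certificate. Read this aloud to the
# admin of the other box and compare it with what the same command prints for
# their own cacert.pem; a CA file swapped in transit will not match.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# check_peer_certs CA_PEM HOST_PEM EXPECTED_HOSTNAME
# Returns 0 only when every check passes, otherwise prints the reason and
# returns 1 so it can be used directly in a shell condition.
check_peer_certs() {
    ca=$1; host=$2; expected=$3
    for f in "$ca" "$host"; do
        # exactly one certificate per file, and never a private key
        [ "$(grep -c 'BEGIN CERTIFICATE' "$f")" -eq 1 ] \
            || { echo "$f: not exactly one certificate" >&2; return 1; }
        if grep -q 'PRIVATE KEY' "$f"; then
            echo "$f: contains a private key, do not upload" >&2; return 1
        fi
    done
    # the "CA" file must actually be a CA (basicConstraints CA:TRUE)
    openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' \
        || { echo "$ca: not a CA certificate" >&2; return 1; }
    # the host certificate must chain to that CA and nothing else
    openssl verify -CAfile "$ca" "$host" >/dev/null 2>&1 \
        || { echo "$host: not issued by $ca" >&2; return 1; }
    # the subject CN must be the name used as "Remote Host/IP" on our side;
    # escape dots so the name is matched literally, and anchor at end or comma
    esc=$(printf '%s' "$expected" | sed 's/[.]/\\./g')
    openssl x509 -in "$host" -noout -subject -nameopt RFC2253 \
        | grep -Eq "CN=$esc(,|\$)" \
        || { echo "$host: subject CN is not $expected" >&2; return 1; }
    echo "OK: $host issued by $ca for $expected (CA fingerprint $(cert_fingerprint "$ca"))"
}

# make_sample_pki DIR: constructed stand-in for ipcop2's exported files
# (a self-signed CA plus one host certificate issued by it).
make_sample_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=US/O=ipcop2/CN=ipcop2 CA" \
        -keyout "$dir/ca.key" -out "$dir/cacert.2.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/C=US/O=ipcop2/CN=ipcop2.ipcop2.org" \
        -keyout "$dir/host.key" -out "$dir/host.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/host.csr" \
        -CA "$dir/cacert.2.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/hostcert.2.pem" 2>/dev/null
}

# usage: sh check_certs.sh cacert.2.pem hostcert.2.pem ipcop2.ipcop2.org
if [ "$#" -eq 3 ]; then
    check_peer_certs "$1" "$2" "$3"
fi
```

The fingerprint comparison is the important part: whichever box uploads a CA certificate will afterwards accept any host certificate signed by that CA, so the file must be confirmed out of band, not just copied from an e-mail attachment.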

Upload the CA Certificates

In this step you are letting the two IPCop boxes know about each other's CA (Certificate Authority), so that each box trusts the host certificates issued by the other. Note what that trust means: after the upload, ipcop1 will accept any certificate signed by ipcop2's CA, and vice versa, so make sure the cacert file you upload is genuinely the one exported from the other box (compare its fingerprint with the other administrator out of band) rather than trusting whatever arrived by e-mail.

5. On ipcop1:

        1. Fill ipcop2 as the “CA name”
        2. Browse and select the cacert.2.pem file
        3. hit the “Upload CA Certificate” button. This will upload the CA certificate from ipcop2 to ipcop1 and 
           it will show it as the 3rd row in the “Certificate Authorities” (bottom) section.

6. On ipcop2:

        1. Fill ipcop1 as the “CA name”
        2. Browse and select the cacert.1.pem file
        3. hit the “Upload CA Certificate” button. This will upload the CA certificate from ipcop1 to ipcop2 and 
           it will show it as the 3rd row in the “Certificate Authorities” (bottom) section.

Create connections

7. On ipcop1: Hit the “Add” button in the middle panel. On the next screen select “Net-to-Net Virtual Private Network” for the “Connection type” and fill the following values:

        1. ipcop2 as the “Name”
        2. left as the “IPCop side”
        3. 192.168.1.0/255.255.255.0 as the “Local subnet”
        4. ipcop2.ipcop2.org as the “Remote Host/IP”
        5. 192.168.102.0/255.255.255.0 as the “Remote subnet”
        6. In the “Authentication” section choose “Upload a certificate” and browse to the hostcert.2.pem file
           (the host certificate exported from ipcop2).
        7. Finally hit the “Save” button

8. On ipcop2 (everything is mirrored): Hit the “Add” button in the middle panel. On the next screen select “Net-to-Net Virtual Private Network” for the “Connection type” and fill the following values:

        1. ipcop1 as the “Name”
        2. right as the “IPCop side”
        3. 192.168.102.0/255.255.255.0 as the “Local subnet”
        4. ipcop1.ipcop1.org as the “Remote Host/IP”
        5. 192.168.1.0/255.255.255.0 as the “Remote subnet”
        6. In the “Authentication” section choose “Upload a certificate” and browse to the hostcert.1.pem file
           (the host certificate exported from ipcop1).
        7. Finally hit the “Save” button

Done. Once both sides have saved their connection, confirm on the VPN page of each box that the connection is up, and verify end to end by pinging a host on GREEN2 from a host on GREEN1 (and back).