1. Summary
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and for negotiating the cryptographic keys to be used during the session. IPsec can be used to protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (subnet-to-subnet), or between a security gateway and a host (subnet-to-host).
A VPN is just one application of IPsec.
MyPBX can only act as an IPsec client; the IPsec implementation embedded in MyPBX is based on Openswan.
This guide mainly covers the “host-to-host” scenario in “tunnel mode”.
Figure 1 IPSec Host-to-host Session
Note: MyPBX supports IPSec VPN feature since version x.19.0.x.
2. Settings
2.1 IPSec VPN Configuration File
“VPN Config”: For the VPN configuration, consult your IT administrator or create it on your security gateway/server. You can also refer to the template file provided by Yeastar.
Get the IPSec VPN Configuration sample file from: http://www.yeastar.com/download/ipsec.tar
Configuration file format: The file must be a .tar archive; the file name may contain numbers, letters, ‘_’ and ‘.’. The *.tar file contains two files and one folder: ipsec.conf, ipsec.secrets and the folder ipsec.d.
Figure 2 Files in *.tar configuration file
In ipsec.conf you can refer to the following parameters. (Lines starting with “#” are comments and are ignored.)
Figure 3 Parameters in ipsec.conf
Basic parameters:
config setup #
nat_traversal=yes # enable NAT traversal; normally enabled.
protostack=netkey # define the protostack as netkey.
virtual_private=%v4:192.168.5.0/16,%v4:10.10.10.0/24 # VPN address ranges; can be ignored in the “host-to-host” scenario.
Client parameters:
conn x509 # client’s name
authby=rsasig # how the two endpoints authenticate each other; rsasig means RSA digital signature.
pfs=yes # whether Perfect Forward Secrecy of keys is desired on the connection's keying channel.
type=tunnel # the type of the connection.
auto=add # what operation, if any, should be done automatically at IPsec startup. Add loads a connection without starting it.
rekey=yes # whether a connection should be renegotiated when it is about to expire.
left=%defaultroute # the IP address of the participant's public-network interface or one of several magic values. %defaultroute means the IP address will be filled by the default route. (client’s IP)
leftcert=client.cert # the path to the client's X.509 certificate.
right=192.168.7.12 # server’s IP.
rightcert=vpngateway.cert # the path to the server's X.509 certificate.
The ipsec.secrets file holds the pre-shared secrets. If %any is used for the remote endpoint, it literally means any IP address.
Figure 4 Parameters in ipsec.secrets
In the ipsec.d folder there are four subfolders: cacerts, certs, crls and private. Their contents are as follows.
cacerts: cacert.pem # the X.509 root (CA) certificate.
certs: client.cert, vpngateway.cert # the X.509 certificates (client.cert for MyPBX, vpngateway.cert for the VPN gateway).
crls: crl.pem # the X.509 certificate revocation list.
private: client.key, vpngateway.key # the private keys belonging to those X.509 certificates.
Figure 5 Contents in ipsec.d
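Before uploading a package, it helps to confirm that it really has the layout described above. The script below is an added example, not a Yeastar tool: it checks the *.tar file name against the allowed characters, verifies that ipsec.conf, ipsec.secrets and the four ipsec.d subfolders are present, confirms that every certificate named by leftcert=/rightcert= in ipsec.conf exists in ipsec.d/certs, and flags private keys that are world-readable. The check list itself is an assumption drawn from this guide; adjust it if your gateway requires additional files.

```shell
#!/bin/sh
# Added example (not Yeastar's own tool): sanity-check an IPsec package
# before uploading it to MyPBX. The required files/folders are taken from
# the layout described in this guide; everything else is an assumption.

# The package name may contain only numbers, letters, '_' and '.' and must end in .tar
check_package_name() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_.]+\.tar$'
}

# Verify an already-extracted package directory. Prints each problem found
# and returns the number of problems (0 means the package looks complete).
check_package_tree() {
    dir=$1
    problems=0
    for f in ipsec.conf ipsec.secrets; do
        [ -f "$dir/$f" ] || { echo "missing file: $f"; problems=$((problems+1)); }
    done
    for d in cacerts certs crls private; do
        [ -d "$dir/ipsec.d/$d" ] || { echo "missing folder: ipsec.d/$d"; problems=$((problems+1)); }
    done
    # Every leftcert=/rightcert= value must exist in ipsec.d/certs
    # (a trailing "# comment" on the line is ignored).
    if [ -f "$dir/ipsec.conf" ]; then
        for cert in $(sed -E -n 's/^[[:space:]]*(left|right)cert=([^[:space:]#]*).*/\2/p' "$dir/ipsec.conf"); do
            [ -f "$dir/ipsec.d/certs/$cert" ] || { echo "certificate not found: ipsec.d/certs/$cert"; problems=$((problems+1)); }
        done
    fi
    # Private keys should not be readable by "other" (mode bit 004).
    if [ -d "$dir/ipsec.d/private" ]; then
        for key in $(find "$dir/ipsec.d/private" -type f -perm -004); do
            echo "world-readable private key: $key"; problems=$((problems+1))
        done
    fi
    return $problems
}

# Convenience wrapper: check the name, extract the archive into a temporary
# directory, run the tree check and clean up. Usage: check_package my_pbx.tar
check_package() {
    check_package_name "$(basename "$1")" || { echo "bad package name: $1"; return 1; }
    tmp=$(mktemp -d) || return 1
    tar -xf "$1" -C "$tmp" && check_package_tree "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run it as `sh check_ipsec_package.sh` after adding a line such as `check_package mypbx_ipsec.tar` at the bottom, or source the file and call the functions from an interactive shell. A non-zero exit status means at least one problem was printed; fix those before uploading, since MyPBX gives no feedback about a malformed package beyond the tunnel not coming up.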
2.2 Upload the IPSec Package to MyPBX:
1. Open the MyPBX’s web GUI.
2. Go to System -> Network preferences -> VPN settings -> IPSec settings, set “Enable IPSec” to “Yes”, click “Choose file”, select the file and click “Upload”.
3. Click “Save” for the change to take effect.
Figure 6 Upload IPSec Package
3. Test and Debug IPSec VPN
The Network Status page does not show the status of the IPsec VPN, because the IPsec VPN connection is encrypted.
However, you can run a simple ping test from a PuTTY session and capture packets on MyPBX at the same time (Reports > System logs > Packet Capture Tool). Then check whether the capture contains ESP packets. If it does, the IPsec connection was established successfully.
In the example below, 192.168.10.121 is MyPBX’s IP and 192.168.7.12 is the IPsec VPN server/gateway’s IP.
Figure 7 Ping Server/ Gateway in PuTTy
Figure 8 Capture PCAP package on MyPBX
Figure 9 Analyze PCAP package via Wireshark
For debugging, you can execute the following commands in PuTTY.
Check the IPsec debug log:
cat /var/log/messages
Figure 10 Debug Log of IPSec
Manually start/stop IPsec:
To stop IPsec:
/usr/libexec/ipsec/setup stop
To start IPsec:
/usr/libexec/ipsec/setup start
sh /usr/sbin/ipsec auto --up x509 >/dev/null &
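Reading the whole of /var/log/messages is slow when only the pluto lines matter. The following script is an added example, not part of the Yeastar guide: it summarises a copy of the log by counting ISAKMP (phase 1) and IPsec (phase 2) SA establishments and error lines, and exits 0 for a tunnel that came up, 1 when the log shows the negotiation stalling, and 2 when there is no IPsec activity at all. The sample log lines are constructed for this example and only approximate Openswan's wording, so extend the error pattern to match what your own log shows.

```shell
#!/bin/sh
# Added example (not part of the Yeastar guide): triage IPsec negotiation
# messages from a copy of /var/log/messages. The sample lines below are
# constructed; real Openswan (pluto) wording may differ.

# Lines that indicate a negotiation problem (assumed pattern; extend as needed).
ERR_PATTERN='pluto.*(error|fail|invalid|no acceptable|max number of retransmissions)'

# Print a one-line verdict for the log file given as $1.
# Returns 0 = IPsec SA established, 1 = negotiation problem, 2 = no IPsec activity.
ipsec_log_summary() {
    log=$1
    # "|| true" keeps a zero count from aborting a script run under "set -e".
    isakmp=$(grep -c 'ISAKMP SA established' "$log" || true)
    ipsec_sa=$(grep -c 'IPsec SA established' "$log" || true)
    errors=$(grep -Eci "$ERR_PATTERN" "$log" || true)
    if [ "$ipsec_sa" -gt 0 ]; then
        echo "tunnel up: $isakmp ISAKMP SA(s), $ipsec_sa IPsec SA(s) established"
        return 0
    elif [ "$isakmp" -gt 0 ] || [ "$errors" -gt 0 ]; then
        echo "negotiation problem: $isakmp ISAKMP SA(s), 0 IPsec SA(s), $errors error line(s)"
        grep -Ei "$ERR_PATTERN" "$log" | tail -n 3
        return 1
    else
        echo "no IPsec activity in $log"
        return 2
    fi
}

# Constructed sample: a successful host-to-host tunnel for conn "x509".
sample_log_ok() {
    cat <<'EOF'
Jan  1 10:00:01 MyPBX pluto[1234]: "x509" #1: initiating Main Mode
Jan  1 10:00:02 MyPBX pluto[1234]: "x509" #1: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Jan  1 10:00:03 MyPBX pluto[1234]: "x509" #2: IPsec SA established tunnel mode {ESP=>0x0a0b0c0d <0x01020304 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
EOF
}

# Constructed sample: phase 1 succeeds but phase 2 never completes.
sample_log_failed() {
    cat <<'EOF'
Jan  1 10:05:01 MyPBX pluto[1234]: "x509" #3: initiating Main Mode
Jan  1 10:05:02 MyPBX pluto[1234]: "x509" #3: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Jan  1 10:05:13 MyPBX pluto[1234]: "x509" #4: STATE_QUICK_I1: retransmission; will wait 20s for response
Jan  1 10:05:53 MyPBX pluto[1234]: "x509" #4: max number of retransmissions (2) reached STATE_QUICK_I1
EOF
}

# Demo on the constructed samples. On MyPBX you would instead run:
#   ipsec_log_summary /var/log/messages
tmp=$(mktemp)
sample_log_ok > "$tmp"; ipsec_log_summary "$tmp"
sample_log_failed > "$tmp"; ipsec_log_summary "$tmp"
rm -f "$tmp"
```

On the constructed samples the first call reports the tunnel as up and the second reports a negotiation problem together with the last error lines, which is usually enough to tell a certificate or proposal mismatch from a connectivity problem before digging into the full log.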