Looking for something else?
Titan – AN46: IPSEC – Server IKEv1 – Authentication with certificate
Table of Contents
From two locations it is intended to remotely access the configuration of a Titan 4G router and the configuration of a PLC that is connected to the Ethernet port of said Titan router. All this through a secure IPSec type connection. It is intended to use digital certificate authentication.
Description of the Example
Basically with this example it is intended to create an IPSec VPN from a pair of PCs (where each one has an IPSec Client software such as TheGreenBow which is used in this example) against a remote Titan 4G router that will act as an IPSec Server on the which in turn has a PLC connected to its Ethernet port. Each IPSec client must authenticate to the server with its valid client digital certificate.
Configuration and Previous Requirements
The basic requirement to be able to carry out the application is that the SIM card inserted in the Titan router that will act as IPSec Server must have a public and static IP address. This is necessary to be able to access remotely from a PC connected to the public internet. Also make sure that all the Titans have the correct time, since the generation and validity management of the certificates needs it.
Router Titan IPSEC Configuration
The first thing to do is go to the VPN>IPSEC menu. For the planned configuration we will need the certificates ca-cert.pem, and server-cert.pem. Obviously also your private keys ca-key.pem and server-key.pem. You will also need a pair of client certificates and their private keys “client1-cert.pem”, “client1-key.pem”, “client2-cert.pem”, “client2-key.pem”.
At this point there are two possibilities. 1. If these certificates are available, they can be uploaded manually from the section marked in red:
2. If certificates are not available, the Titan router has a button that will create them. When you press the button, all certificates will be generated automatically. The process can take up to 5 minutes to finish. Press the REFRESH button to check the status of the process.
In this example, we use the second option to automatically generate all certificates. To do this, press the GENERATE ALL SERVER CERTIFICATES AUTOMATICALLY button. After completing the process successfully, this will be the result:
Once you have the necessary certificates, you must proceed to the configuration of the VPN itself. To do this, check the “Enabled” box at the beginning of this configuration page and press the “SAVE CONFIG” button.
Finally, since the IPSec service of the Titan router is based on strongswan, the files “ipsec.conf” and “ipsec.secrets” must be configured. The easiest thing is to go to the examples at the bottom of the page and get the example that is closest to what you want to configure. In the case of this application note, Example 6 is chosen, by clicking (downloading) the corresponding files ipsec.conf and ipsec.secrets, which we will open with a notepad to obtain their content.
Said content must be adapted to the example and inserted in the appropriate boxes. For ipsec.conf:
And for ipsec.secrets (previously you must click on the Show/Hide legend to show the box):
And then the SAVE CONFIG button will be pressed, which will save the content of both files in the internal memory of the Titan router. Finally, if when the router was started up the IPSec service was not started (that is, the “Enabled” box was not active), the router must be completely rebooted (“Other>Reboot” menu. Enabled ”active), only the“ RESTART IPSEC ”button can be pressed to restart the IPSec service with the new configuration without having to restart the router completely, a much faster option.
After restarting the router or pressing the “RESTART IPSEC” button (if the service was already active), the status of the IPSEC connection will appear as follows. If the Status box is blank, the service may not have started yet. Wait a few seconds and press the REFRESH button.
IPSEC Client Configuration
In this example the popular TheGreenBow PC software will be used as the IPSec client software to connect against the Titan router. Below are some screenshots with the basic configuration of each section. This configuration refers to IPSec client PC 1. The configuration of IPSec client PC 2 is completely analogous.
1. In the “Authentication” section of the IKEv1 type connection, the public IP address of the Titan router must be indicated (in the case of this example it is 188.8.131.52) and the authentication method is by digital certificate.
2. In the “Certificate” section, the client certificate to use and the CA certificate must be specified. These certificates can be downloaded from the Titan router itself, as they were generated in the previous point.
That is, it will be necessary to download the files “ca-cert.pem”, “client1-cert.pem”, “client1-key.pem” for PC1 and the files “ca-cert.pem”, “client2-cert. pem , client2-key.pem for PC2.
In the Certificate tab, the certificates in PEM format are selected.
If the import is successful, the certificate to use will be displayed.
And automatically in the tab Protocol the Local ID will appear selected with the CN that has just been imported. In this example it is intended that the Titan (IPSec Server) assign the IP address to the clients (as can be seen in the file ipsec.conf, where PC1 will be assigned the IP 10.10.10.1). Therefore you must select the Mode Config option.
Now it is possible to open the IPSec tunnel by clicking with the right button of the mouse on the connection and pressing the option “Open tunnel” as shown in the following screen, where the network used by the Titan IPSec server will be configured (192.168.1.0 / 255.255.255.0).
If the connection has been made successfully, it only remains to check the connectivity, that is, that from the IPSec 1 client PC it is possible to access both the Titan router (IP: 192.168.1.2) and the PLC that hangs from it (IP: 192.168.1.200). For this it is possible to carry out a few simple PINGs.
Ping the Titan router through the IPSec VPN from PC1:
Ping the PLC through the IPSec VPN from PC1: