Editing
VPN configuration on organization level
Jump to navigation
Jump to search
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
Apoyar Network & VPN Structur --------------------------------- We have 2 ESX host, 1 Disk array these provides access to VM’s We have separate server Vcentre, which is a physical server and provides - management over vpshere - access to VM’s We have firewall called Juniper (2 firewall), if one fails other starts Also we have Clavister, which has same level as Juniper. Clavister has better support for different types of VPN It supports 3 types of VPN - L2TP - IPsec (used to connect customers) - OpenVPN Connecting any of Apoyar server -------------------------------- Weather we are connecting through OpenVPN or L2TP, we always getting through Clavister. For connecting using OpenVPN, we just need AD logins If we are connecting as L2TP user, it uses passphrase If we are connecting from any AWS console VM, it uses certificate Certificates on AWS RMG server ------------------------------------ Login to rmg.aws.apoyar • Cd /etc/isakmpd • cd ca • ls ca.crt (this is the certificate authority of mother or father certificate) It is only saved on clavister (one copy) Also on each AWS console machine, its only get compared not sent To see contents of certificates • openssl x509 -in cert.crt -noout -text To check local certificate • cd.. /certs/ • openssl x509 -in local.crt -noout –text To compare cert, key and request • openssl x509 -noout -modulus -in zebssl.crt | openssl md5 && openssl rsa -noout -modulus -in zebssl.key | openssl md5 && openssl req -noout -modulus -in zebssl.csr | openssl md5 These certificates contain the information related to • Issuer • Customer • Expiry • DNS Apoyar network access by clients ---------------------------------- Wise Geary also have clavister (Newer version), but not same as Edge router in HYD Office Apoyar clavister can access Apoyar(Apoyar machine’s), and Apoyar(Apoyar machine’s) also can access Apoyar Clavister Clavitser can access WG (Physical clavister machine), but WG can not access clavister back AWS and Azure console machines(server’s) are Virtual OpenBSD machines (Most secure OS), they can access Apoyar network through L2TP with certificate authentication We have our own Certificate Authority (CA) on server called phobos.apoyar at /home/neal/certs/ We have two certs - 1) main cert 2) client cert (Child) When clients try to connect clavister, clavister ask for cert and compare with main cert and then if it confirms the same issuing authority with main cert, it allows the clients. Below are the three commands for cert • openssl x509 • openssl req • openssl rsa (for private keys) Generated Clients Cert (WG) We can see generated clients cert at • cd /home/neal/certs/generated/ • ls We can see the cert content using below command • openssl x509 –in firewall.wg.crt –noout –text Cert content will show the cert security measures as below Sha256 security - Higher lever cert - generate traffic and take 10 sec longer to connect CN – Common Name It follows the certain naming convention VPN Connection Creation ----------------------------------- When we create cert for VPN, there are always two places to look, like for AWS on rmg.aws.apoyar we can check at below two locations • cd /etc/isakmpd/certs/ • ls We can see content of cert using below command • openssl x509 local.cert –noout –text and setting will be in ipsec file at below location, we can see using below command • cat /etc/ipsec.conf DNS in local.crt and srcid in ipsec.conf file should be same When OpenBSD creates connection, it sends cert When firewall.apoyar which will be in clavister finds out this, it checks weather it is matching or not, if it’s matching then only VPN connection get started. Accessing Apoyar Clavister ---------------------------------- Go to below URL https://pfa.apoyar.net Login with Admin logins Once logged in, to see the tunnels created go to - Network - IPsec (Under VPN & Tunnels) Here u can see all the tunnels created Also to check IPsec status, go to - Status - IPsec (Under Sub Systems) Note – Same as Apoyar, WG Clavister we can access using below URL’s https://pfa.wise-geary.co.uk – Public Access https://pfa.wise.apoyar – Internal Access Apoyar Certificate’s ------------------------ We are not using public certificates anymore, we are using our own pool and we are generating the certificates. We can see those certificate status in Nagios, service groups (under SSL Expiry)
Summary:
Please note that all contributions to Apoyar Wiki may be edited, altered, or removed by other contributors. If you do not want your writing to be edited mercilessly, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource (see
Apoyar Wiki:Copyrights
for details).
Do not submit copyrighted work without permission!
Cancel
Editing help
(opens in new window)
Navigation menu
Personal tools
Not logged in
Talk
Contributions
Create account
Log in
Namespaces
Page
Discussion
British English
Views
Read
Edit
View history
More
Search
Navigation
Main page
Apoyar Infrastructure
Active Directory
Recent changes
Random page
Upload file
Tools
What links here
Related changes
Special pages
Page information