Apoyar Network & VPN Structure
--------------------------------
We have 2 ESX hosts and 1 disk array; these provide access to the VMs.

We have a separate vCenter server, which is a physical server and provides:

- management over vSphere
- access to the VMs

We have two Juniper firewalls in a failover pair: if one fails, the other takes over.

We also have a Clavister firewall, which sits at the same level as the Junipers. The Clavister has better support for different types of VPN.

It supports 3 types of VPN:

- L2TP
- IPsec (used to connect customers)
- OpenVPN

Connecting to any Apoyar server
--------------------------------
Whether we connect through OpenVPN or L2TP, we always come in through the Clavister.

- OpenVPN: only AD logins are needed.
- L2TP user: authenticates with a passphrase.
- From any AWS console VM: authenticates with a certificate.

Certificates on the AWS RMG server
----------------------------------

Log in to rmg.aws.apoyar:

• cd /etc/isakmpd
• cd ca
• ls

ca.crt is the certificate of our Certificate Authority (the parent certificate that all client certs descend from).

Only one authoritative copy of it is kept, on the Clavister.

Each AWS console machine also holds ca.crt, but only to compare against; it is never sent over the connection.
To see the contents of a certificate:

• openssl x509 -in cert.crt -noout -text

To check the local certificate:

• cd ../certs/
• openssl x509 -in local.crt -noout -text

To check that a cert, key and request belong together (the three MD5 hashes must be identical):

• openssl x509 -noout -modulus -in zebssl.crt | openssl md5 && openssl rsa -noout -modulus -in zebssl.key | openssl md5 && openssl req -noout -modulus -in zebssl.csr | openssl md5

Note that the modulus check only applies to RSA keys.

These certificates contain information on:

• Issuer
• Subject (the customer)
• Expiry
• DNS names (subjectAltName)
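As an added example (not from this page and not Apoyar's own tooling), the script below turns the one-liner above into a pass/fail check and adds the expiry check that the Nagios "SSL Expiry" service group performs. It compares the public keys rather than the RSA modulus, so it also works for EC keys, which have no modulus. It assumes OpenSSL 1.1.1 or newer on PATH; the zebssl.* files and the CN are a constructed fixture created in a temp directory, not real Apoyar certificates.

```shell
#!/bin/sh
# Added example (not part of the Apoyar page): generalise the one-line modulus
# comparison into a check that works for any key type, and report the cert
# fields the page lists. Assumes OpenSSL 1.1.1 or later on PATH.
set -e

# Fingerprint of the DER-encoded public key inside a cert (crt), private key
# (key) or CSR (csr). Comparing public keys instead of the RSA modulus also
# covers EC keys, which have no modulus.
pubkey_fp() {
    pem=$(
        case "$1" in
            crt) openssl x509 -in "$2" -noout -pubkey ;;
            key) openssl pkey -in "$2" -pubout ;;
            csr) openssl req  -in "$2" -noout -pubkey ;;
            *)   echo "pubkey_fp: unknown kind '$1'" >&2; false ;;
        esac
    ) || return 2
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{ print $NF }'
}

# 0 if cert, key and CSR carry the same public key, 1 if any of them differs.
cert_key_csr_match() {
    c=$(pubkey_fp crt "$1") && k=$(pubkey_fp key "$2") && r=$(pubkey_fp csr "$3") || return 2
    [ "$c" = "$k" ] && [ "$c" = "$r" ]
}

# Issuer, subject (the customer) and expiry: the fields the page lists.
cert_info() {
    openssl x509 -in "$1" -noout -issuer -subject -enddate
}

# 0 if the cert stays valid for at least DAYS more days (default 30): the same
# question the Nagios "SSL Expiry" service group answers.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Constructed fixture for the demo: a throwaway key, CSR and self-signed cert
# (90 days) under directory $1, plus an unrelated key to show a mismatch.
# -nodes leaves the key unencrypted; fine for a fixture, not for a real key.
make_fixture() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/zebssl.key" \
        -subj "/CN=zebssl.apoyar" -out "$1/zebssl.csr" 2>/dev/null
    openssl x509 -req -in "$1/zebssl.csr" -signkey "$1/zebssl.key" -days 90 \
        -out "$1/zebssl.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
}

# Run as: sh check_cert.sh demo
demo() {
    d=$(mktemp -d); make_fixture "$d"
    cert_info "$d/zebssl.crt"
    cert_key_csr_match "$d/zebssl.crt" "$d/zebssl.key" "$d/zebssl.csr" && echo "match: OK"
    cert_key_csr_match "$d/zebssl.crt" "$d/other.key"  "$d/zebssl.csr" || echo "mismatch detected: OK"
    cert_valid_for_days "$d/zebssl.crt" 30 && echo "valid for 30+ days"
    rm -rf "$d"
}

case "${1:-}" in demo) demo ;; esac
```

For the real files, call cert_key_csr_match with the three paths instead of the fixture; a non-zero exit means the key or request on disk is not the one the cert was issued for.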

Apoyar network access by clients
----------------------------------

Wise Geary (WG) also has a Clavister (a newer version), but it is not the same as the edge router in the HYD office.

The Apoyar Clavister can reach the Apoyar machines, and the Apoyar machines can reach the Apoyar Clavister.

The Apoyar Clavister can reach the WG Clavister (a physical Clavister appliance), but WG cannot reach the Apoyar Clavister back.

The AWS and Azure console machines (servers) are virtual OpenBSD machines (chosen as a hardened OS); they reach the Apoyar network through L2TP with certificate authentication.

We have our own Certificate Authority (CA) on the server phobos.apoyar at /home/neal/certs/

We have two kinds of cert:

1) the main cert (the CA certificate)

2) the client cert (child, issued by the CA)

When a client tries to connect to the Clavister, the Clavister asks for its cert and checks it against the main cert; only if the cert was issued by the same authority as the main cert is the client allowed in.

Below are the three openssl commands used for certs:

• openssl x509 (certificates)
• openssl req (certificate requests)
• openssl rsa (private keys)
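The acceptance decision described above, as an added example that is not the Apoyar CA's own tooling: a throwaway main (CA) cert and a client cert are built in a temp directory and the client is accepted with openssl verify, while a cert from a second CA that copies the main CA's name is rejected, because the check is on the signature, not on the issuer name. It assumes OpenSSL 1.1.1 or newer on PATH; the names "Apoyar CA", firewall.wg and evil.wg are constructed for the demo and /home/neal/certs/ is never touched.

```shell
#!/bin/sh
# Added example (not the Apoyar CA's own scripts): the acceptance rule the page
# describes, a client ("child") cert allowed only when it was issued by the
# main (CA) cert. Everything is built in a temp dir; /home/neal/certs/ is not
# touched. Assumes OpenSSL 1.1.1 or later on PATH.
set -e

# Self-signed CA ("main cert"): directory $1, file name $2, CN $3.
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 3650 \
        -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# Client ("child") cert $3 signed by CA $2, all in directory $1.
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$1/$3.ext"
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -days 365 -extfile "$1/$3.ext" -out "$1/$3.crt" 2>/dev/null
}

# The firewall-side decision: 0 if client cert $2 chains to CA cert $1.
# openssl verify checks the signature, not just the issuer name, so a second
# CA that copies the main CA's name (see demo) is still rejected.
client_allowed() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run as: sh ca_check.sh demo
demo() {
    d=$(mktemp -d)
    make_ca "$d" main  "Apoyar CA"     # the real main cert
    make_ca "$d" rogue "Apoyar CA"     # impostor CA with the same name
    issue_client "$d" main  firewall.wg
    issue_client "$d" rogue evil.wg
    client_allowed "$d/main.crt" "$d/firewall.wg.crt" && echo "firewall.wg: allowed"
    client_allowed "$d/main.crt" "$d/evil.wg.crt"     || echo "evil.wg: rejected"
    rm -rf "$d"
}

case "${1:-}" in demo) demo ;; esac
```

The rogue CA is given the same CN as the main cert on purpose: a check that only compared issuer names would let evil.wg in, whereas openssl verify fails it with a signature error. Against the real CA, run client_allowed with ca.crt and the generated client cert.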
Generated client certs (WG)

We can see the generated client certs at:

• cd /home/neal/certs/generated/
• ls

We can see the cert content using the command below:

• openssl x509 -in firewall.wg.crt -noout -text

The cert content shows the cert's security measures, as below:

SHA-256 signature

- a higher-level cert
- generates more traffic and takes about 10 seconds longer to connect

CN (Common Name)

- follows a set naming convention

VPN Connection Creation
------------------------

When we create a cert for a VPN, there are always two places to look. For AWS, on rmg.aws.apoyar, these are the two locations:

• cd /etc/isakmpd/certs/
• ls

We can see the content of the cert using the command below:

• openssl x509 -in local.crt -noout -text

The settings are in the ipsec file at the location below; we can view it with:

• cat /etc/ipsec.conf

The DNS name in local.crt and the srcid in ipsec.conf must be the same.

When OpenBSD sets up the connection, it sends its cert.

When firewall.apoyar (on the Clavister) receives it, it checks whether the cert matches; only if it matches is the VPN connection started.
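As an added example (not Apoyar's configuration), the script below checks the rule above before the tunnel is brought up: it reads srcid from an ipsec.conf and the DNS names from the certificate's subjectAltName and fails if they differ. The ipsec.conf, the addresses in it and the certs are constructed in a temp directory for the demo (rmg.aws.apoyar and other.apoyar appear only as sample identifiers); it assumes OpenSSL 1.1.1 or newer on PATH and does not read the real /etc/ipsec.conf or /etc/isakmpd/certs.

```shell
#!/bin/sh
# Added example (not Apoyar's configuration): check that the srcid in an
# ipsec.conf is one of the DNS names in the matching certificate, the rule
# the page states for local.crt and /etc/ipsec.conf. Assumes OpenSSL 1.1.1
# or later on PATH; nothing under /etc is read, all inputs are arguments.
set -e

# First srcid value in an OpenBSD ipsec.conf (quotes stripped, comments skipped).
conf_srcid() {
    awk '/^[ \t]*#/ { next }
         { for (i = 1; i < NF; i++) if ($i == "srcid") { v = $(i+1); gsub(/"/, "", v); print v } }' "$1" |
        head -n 1
}

# DNS names from the certificate's subjectAltName, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; gsub(/,/, " ");
             for (i = 1; i <= NF; i++) if ($i ~ /^DNS:/) print substr($i, 5) }'
}

# 0 if the srcid in conf $1 is among the DNS names of cert $2, 1 otherwise,
# 2 if the conf has no srcid at all.
srcid_matches_cert() {
    id=$(conf_srcid "$1")
    [ -n "$id" ] || { echo "no srcid in $1" >&2; return 2; }
    for n in $(cert_dns_names "$2"); do
        [ "$n" = "$id" ] && return 0
    done
    echo "srcid '$id' not in cert DNS names: $(cert_dns_names "$2" | tr '\n' ' ')" >&2
    return 1
}

# Constructed sample ipsec.conf in OpenBSD syntax; addresses are documentation ranges.
make_conf() {
    cat > "$1/ipsec.conf" <<'EOF'
# constructed sample, not the real rmg.aws.apoyar configuration
ike esp from 10.0.0.0/24 to 192.168.0.0/24 peer 198.51.100.1 \
    srcid rmg.aws.apoyar dstid firewall.apoyar
EOF
}

# Self-signed test cert $2 in directory $1 carrying DNS name $3 in its subjectAltName.
make_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$3" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 365 \
        -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# Run as: sh srcid_check.sh demo
demo() {
    d=$(mktemp -d); make_conf "$d"
    make_cert "$d" local rmg.aws.apoyar
    make_cert "$d" wrong other.apoyar
    srcid_matches_cert "$d/ipsec.conf" "$d/local.crt" && echo "local.crt: srcid matches"
    srcid_matches_cert "$d/ipsec.conf" "$d/wrong.crt" || echo "wrong.crt: tunnel would not start"
    rm -rf "$d"
}

case "${1:-}" in demo) demo ;; esac
```

On the real host the call is srcid_matches_cert /etc/ipsec.conf /etc/isakmpd/certs/local.crt; a non-zero exit explains why the Clavister side never brings the tunnel up.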

Accessing the Apoyar Clavister
--------------------------

Go to the URL below:

https://pfa.apoyar.net

Log in with the admin credentials.

Once logged in, to see the tunnels that have been created go to:

- Network
- IPsec (under VPN & Tunnels)

Here you can see all the tunnels created.

To check the IPsec status, go to:

- Status
- IPsec (under Sub Systems)

Note: the WG Clavister can be accessed the same way as the Apoyar one, using the URLs below:

https://pfa.wise-geary.co.uk (public access)

https://pfa.wise.apoyar (internal access)

Apoyar Certificates
---------------------

We no longer use public certificates; we run our own CA and generate the certificates ourselves.

We can see the status of those certificates (expiry) in Nagios under service groups (SSL Expiry).