VPN configuration on organization level
Apoyar Network & VPN Structur
We have 2 ESX host, 1 Disk array these provides access to VM’s
We have separate server Vcentre, which is a physical server and provides
- management over vpshere
- access to VM’s
We have firewall called Juniper (2 firewall), if one fails other starts
Also we have Clavister, which has same level as Juniper. Clavister has better support for different types of VPN
It supports 3 types of VPN
- L2TP
- IPsec (used to connect customers)
- OpenVPN
Connecting any of Apoyar server
Weather we are connecting through OpenVPN or L2TP, we always getting through Clavister.
For connecting using OpenVPN, we just need AD logins
If we are connecting as L2TP user, it uses passphrase
If we are connecting from any AWS console VM, it uses certificate
Certificates on AWS RMG server
Login to rmg.aws.apoyar
• Cd /etc/isakmpd
• cd ca
• ls
ca.crt (this is the certificate authority of mother or father certificate)
It is only saved on clavister (one copy)
Also on each AWS console machine, its only get compared not sent
To see contents of certificates
• openssl x509 -in cert.crt -noout -text
To check local certificate
• cd.. /certs/
• openssl x509 -in local.crt -noout –text
To compare cert, key and request
• openssl x509 -noout -modulus -in zebssl.crt | openssl md5 && openssl rsa -noout -modulus -in zebssl.key | openssl md5 && openssl req -noout -modulus -in zebssl.csr | openssl md5
These certificates contain the information related to
• Issuer
• Customer
• Expiry
• DNS
Apoyar network access by clients
Wise Geary also have clavister (Newer version), but not same as Edge router in HYD Office
Apoyar clavister can access Apoyar(Apoyar machine’s), and Apoyar(Apoyar machine’s) also can access Apoyar Clavister
Clavitser can access WG (Physical clavister machine), but WG can not access clavister back
AWS and Azure console machines(server’s) are Virtual OpenBSD machines (Most secure OS), they can access Apoyar network through L2TP with certificate authentication
We have our own Certificate Authority (CA) on server called phobos.apoyar at /home/neal/certs/
We have two certs -
1) main cert
2) client cert (Child)
When clients try to connect clavister, clavister ask for cert and compare with main cert and then if it confirms the same issuing authority with main cert, it allows the clients.
Below are the three commands for cert
• openssl x509
• openssl req
• openssl rsa (for private keys)
Generated Clients Cert (WG)
We can see generated clients cert at
• cd /home/neal/certs/generated/
• ls
We can see the cert content using below command
• openssl x509 –in firewall.wg.crt –noout –text
Cert content will show the cert security measures as below
Sha256 security
- Higher lever cert
- generate traffic and take 10 sec longer to connect
CN – Common Name
It follows the certain naming convention
VPN Connection Creation
When we create cert for VPN, there are always two places to look, like for AWS on rmg.aws.apoyar we can check at below two locations
• cd /etc/isakmpd/certs/
• ls
We can see content of cert using below command
• openssl x509 local.cert –noout –text
and setting will be in ipsec file at below location, we can see using below command
• cat /etc/ipsec.conf
DNS in local.crt and srcid in ipsec.conf file should be same
When OpenBSD creates connection, it sends cert
When firewall.apoyar which will be in clavister finds out this, it checks weather it is matching or not, if it’s matching then only VPN connection get started.
Accessing Apoyar Clavister
Go to below URL
Login with Admin logins
Once logged in, to see the tunnels created go to
- Network
- IPsec (Under VPN & Tunnels)
Here u can see all the tunnels created
Also to check IPsec status, go to
- Status
- IPsec (Under Sub Systems)
Note – Same as Apoyar, WG Clavister we can access using below URL’s
https://pfa.wise-geary.co.uk – Public Access
https://pfa.wise.apoyar – Internal Access
Apoyar Certificate’s
We are not using public certificates anymore, we are using our own pool and we are generating the certificates.
We can see those certificate status in Nagios, service groups (under SSL Expiry)