Titan – AN47: IPSEC – Client-Server IKEv1 – Authentication with PSK


Scenario Details

You need to implement a secure network between 3 PLCs so that they can communicate with each other. For this, an IPsec tunnel will be created in which the Titan router connected to PLC3 acts as the IPsec Master (server). This Titan router has a SIM card with the fixed IP address 88.28.221.24. The Titan routers connected to PLC1 and PLC2 play the role of IPsec Client. The following diagram shows the connection layout with the relevant IP address scheme of all devices.

Description of the Example

In this example, Pre-Shared Key (PSK) authentication will be used.

Configuration and Previous Requirements

The basic requirement for this application is that the SIM card inserted in the Titan router that will act as IPsec Server must have a public and static IP address. This is necessary so that the other Titan routers, connected to the public Internet, can reach it remotely. Also make sure that all the Titans have the correct time, since the IPsec service depends on it (the generation and validity checking of certificates, in particular, need it).

Titan Router IPSEC (SERVER) Configuration

In the “VPN>IPSec” section, the “Enabled” box at the beginning of the configuration page must be activated and the “SAVE CONFIG” button must be pressed.

As the next step, since the IPsec service of the Titan router is based on strongSwan, the files “ipsec.conf” and “ipsec.secrets” must be configured. The easiest approach is to go to the examples at the bottom of the page and take the one that is closest to what you want to configure. In the case of this application note, Example 5 is chosen (since we are configuring the Server): click (download) the corresponding files “ipsec.conf” and “ipsec.secrets” and open them with a text editor to view their content.

This content must be adapted to the scenario and inserted in the appropriate box. For “ipsec.conf”:

Note that the final file has been modified with respect to Example 5 by adding 2 connections, “client1” and “client2”, with their corresponding subnets, and by adding the default connection parameters in the “conn %default” section.

And for “ipsec.secrets” (you must first click on the “Show/Hide” legend to reveal the box), the password will be set to “mypass”.

Then the “SAVE CONFIG” button is pressed, which saves the content of both files in the internal memory of the Titan router. Finally, if the IPsec service was not started when the router booted (that is, the “Enabled” box was not active), the router must be rebooted completely (“Other>Reboot” menu). If the IPsec service was already started (“Enabled” box active), you only need to press the “RESTART IPSEC” button to restart the IPsec service with the new configuration without rebooting the router, which is much faster.

After rebooting the router or pressing the “RESTART IPSEC” button (if the service was already active), the status of the IPsec connection will appear as shown below. If the Status box is blank, the service may not have started yet; wait a few seconds and press the “REFRESH” button.

Titan Router IPSEC (CLIENT) Configuration

In this section the Titan router connected to PLC1 will be configured in the IPsec client role. The configuration of the second Titan with the same role, connected to PLC2, is completely analogous.

In the “VPN>IPSec” section, check the “Enabled” box at the beginning of this configuration page and press the “SAVE CONFIG” button.

After that, since the IPsec service of the Titan router is based on strongSwan, the files “ipsec.conf” and “ipsec.secrets” must be configured. The easiest approach is to go to the examples at the bottom of the page and take the one that is closest to what you want to configure. In the case of this application note, Example 7 is chosen (since we are configuring the Client): click (download) the corresponding files “ipsec.conf” and “ipsec.secrets” and open them with a text editor to view their content.

This content must be adapted to the scenario and inserted in the appropriate box. For “ipsec.conf”:

Remember that in “right” you must indicate the public IP of the Titan that acts as IPsec Master, which in this example is 88.28.54.84. Note also that “leftid” must be “@client1”, since that is the identity configured for Client1 in the “ipsec.conf” file of the Titan IPsec server. And in “ipsec.secrets” (you must first click on the “Show/Hide” legend to reveal the box) we put the password “mypass”.
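The following is an added, constructed example of how the two ends described above fit together: the server's “ipsec.conf” (with the “conn %default” section and the “client1” / “client2” connections mentioned in the server section) and the client's “ipsec.conf” for the Titan connected to PLC1 (with “right” set to the Master's public IP and “leftid” set to “@client1”), each followed by its “ipsec.secrets”. These are not the application note's own downloadable files. The PLC subnets (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24), the server identity “@server”, the connection name “toserver” and the cipher proposals are assumptions for this scenario; the identities “@client1”/“@client2”, the Master's IP 88.28.54.84 and the password “mypass” come from the note.

```ini
# ---------- Titan IPsec SERVER (connected to PLC3): ipsec.conf ----------
# Constructed example; subnets and the "@server" identity are assumed.
config setup
    uniqueids=yes              # a re-connecting client replaces its old SA

conn %default
    keyexchange=ikev1          # this note covers IKEv1
    authby=secret              # PSK authentication
    aggressive=no              # main mode: the PSK-derived hash is not sent in the clear
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    ikelifetime=8h
    lifetime=1h
    dpdaction=restart          # dead peer detection re-establishes dropped tunnels
    dpddelay=30s
    left=%defaultroute         # the fixed public IP of the SIM on this Titan
    leftid=@server
    leftsubnet=192.168.3.0/24  # PLC3 subnet (assumed)
    auto=add                   # the server only answers; clients initiate

conn client1
    right=%any                 # the client's public IP is dynamic
    rightid=@client1           # must equal "leftid" in client1's ipsec.conf
    rightsubnet=192.168.1.0/24 # PLC1 subnet (assumed)

conn client2
    right=%any
    rightid=@client2           # must equal "leftid" in client2's ipsec.conf
    rightsubnet=192.168.2.0/24 # PLC2 subnet (assumed)

# ---------- Titan IPsec SERVER: ipsec.secrets ----------
# IKEv1 main mode learns the peer ID only after the key is derived, so with
# dynamic-IP peers one wildcard PSK is used for all clients ("mypass" from the note).
: PSK "mypass"

# ---------- Titan IPsec CLIENT (connected to PLC1): ipsec.conf ----------
conn %default
    keyexchange=ikev1          # proposals and mode must match the server's %default
    authby=secret
    aggressive=no
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    ikelifetime=8h
    lifetime=1h
    dpdaction=restart
    dpddelay=30s

conn toserver
    auto=start                 # the client initiates and keeps the tunnel up
    left=%defaultroute         # this Titan's (dynamic) public address
    leftid=@client1            # matches "rightid" of conn client1 on the server
    leftsubnet=192.168.1.0/24  # PLC1 subnet (assumed)
    right=88.28.54.84          # public IP of the IPsec Master (from the note)
    rightid=@server
    rightsubnet=192.168.3.0/24 # PLC3 subnet (assumed)

# ---------- Titan IPsec CLIENT: ipsec.secrets ----------
@client1 @server : PSK "mypass"
```

The security-relevant pairing is “rightid” on the server against “leftid” on the client: if they differ, the server cannot select the “client1” connection and the tunnel will not come up, which is also what to check first when the Status box does not show an established connection. Because every client shares one wildcard PSK with the server, the secret is the only thing protecting the tunnel; in a deployment, replace “mypass” with a long random string and keep “aggressive=no” so that IKEv1 main mode is used. For the second client, change “leftid” to “@client2” and “leftsubnet” to the PLC2 subnet.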

Then the “SAVE CONFIG” button is pressed, which saves the content of both files in the internal memory of the Titan router. Finally, if the IPsec service was not started when the router booted (that is, the “Enabled” box was not active), the router must be rebooted completely (“Other>Reboot” menu). If the IPsec service was already started (“Enabled” box active), you only need to press the “RESTART IPSEC” button to restart the IPsec service with the new configuration without rebooting the router, which is much faster.

After rebooting the router or pressing the “RESTART IPSEC” button (if the service was already active), the status of the IPsec connection will appear as shown below. If the Status box is blank, the service may not have started yet; wait a few seconds and press the “REFRESH” button. If everything works, you should see a screen like the following:

At this point PLC1 (client) and PLC3 (server) can already communicate with each other through the secure IPsec tunnel. For example, a PING can be sent from PLC1 to PLC3 and vice versa. Repeat the same setup procedure for the Titan router connected to PLC2.