A few days ago I was working on an old IPCop firewall setup: my goal was to connect the local LAN to another LAN in an office at a different location.
At the other site the firewall is a Debian-based device (Debian + FireHOL), and it sits behind NAT.
Situation
LAN site 1 (192.168.0.0/24) – IPCOP – WAN – Router/NAT – Debian+Firehol – LAN site 2 (10.18.10.0/24)
IPCop is equipped with Zerina for road-warrior OpenVPN connections. With Zerina it is not possible to create a site-to-site (net-to-net) VPN connection.
In other words: “Net-to-Net VPNs can only be created using IPsec. OpenVPN Net-to-Net is not yet implemented” (from the IPCop documentation).
The other problem is that at the other site the Debian box is behind NAT, and for this reason it is impossible to use IPsec via strongSwan or similar to connect to IPCop (or at least I’ve never managed to make them work)!
But I needed a solution, only for a few weeks; after that we will replace all the devices.
I then had an idea that I want to share, as it might be useful to someone else!
Warning: this is a terrible idea and I can’t believe I’m actually going to suggest it. But it works.
The idea was to run a second OpenVPN server on IPCop, on a different UDP port and tun device from the Zerina road-warrior server, configured as a TLS point-to-point tunnel with fixed addresses on both ends. The steps follow.
On the IPCop side
1) In IPCop/Zerina, create a new road-warrior certificate (in my case it is named vpnTelefonia).
2) Create a new file /var/ipcop/ovpn/serverTel.conf with the following content (the existing Zerina server uses tun0 and its own port, so this one uses tun1 and 1196):

dev tun1
tun-mtu 1400
proto udp
port 1196
tls-server
ca /var/ipcop/ovpn/ca/cacert.pem
cert /var/ipcop/ovpn/certs/servercert.pem
key /var/ipcop/ovpn/certs/serverkey.pem
dh /var/ipcop/ovpn/ca/dh1024.pem
ifconfig 10.90.10.1 10.90.10.2
route 10.18.10.0 255.255.255.0 10.90.10.2
status-version 1
status /var/log/ovpnserver.log 30
cipher BF-CBC
tls-verify /var/ipcop/ovpn/verify
crl-verify /var/ipcop/ovpn/crls/cacrl.pem
user nobody
group nobody
persist-key
persist-tun
verb 3

Note: 10.18.10.0 255.255.255.0 is the LAN at site 2; change it to match your network. 10.90.10.1 and 10.90.10.2 are the two tunnel endpoint addresses and must not overlap either LAN. A server only needs "port 1196" (to bind a specific address use "local <RED IP>", not an argument to port). Two caveats worth knowing: BF-CBC is a 64-bit block cipher (SWEET32) and dh1024.pem is a 1024-bit group; if both OpenVPN versions support it, set cipher AES-256-CBC on both sides and generate a 2048-bit DH file.
3) Add the following line to /etc/rc.d/rc.local so the second server starts at boot:
openvpn --daemon --config /var/ipcop/ovpn/serverTel.conf
4) Add a firewall rule allowing inbound 1196/UDP on the RED (WAN) interface. If the site 2 router has a fixed public address, restrict the rule to that source so the listener is not reachable from the whole Internet.
5) Reboot. To check that everything works, run the following from the command line and verify that an openvpn process is listening on 1196/UDP:
netstat -lpnu | grep 1196
On the Debian side
6) Install OpenVPN (apt-get install openvpn).
7) Copy the client files that IPCop/Zerina produced for the vpnTelefonia certificate (vpnTelefonia.p12 and vpnTelefonia.conf) into /etc/openvpn.
8) Edit /etc/openvpn/vpnTelefonia.conf and add the following lines; they give this end the fixed tunnel address 10.90.10.2 and send the site 1 LAN through the tunnel:

ifconfig 10.90.10.2 10.90.10.1
route 192.168.0.0 255.255.255.0 10.90.10.1
Final result.
tls-client
client
dev tun0
proto udp
tun-mtu 1400
remote <remote ip address> 1196
port 1196
pkcs12 vpnTelefonia.p12
ifconfig 10.90.10.2 10.90.10.1
route 192.168.0.0 255.255.255.0 10.90.10.1
cipher BF-CBC
verb 3
ns-cert-type server
log /var/log/openvpn-client.log

Note: 192.168.0.0 255.255.255.0 is the LAN at site 1; change it to match your network. <remote ip address> is the public (RED) address of IPCop. dev is pinned to tun0 so the interface name matches the FireHOL rules in the next step. The ifconfig line mirrors the server's (local 10.90.10.2, peer 10.90.10.1) and each side's route points at the far end's tunnel address; cipher and tun-mtu must be identical to the server config. ns-cert-type server is what stops another Zerina road-warrior certificate from posing as the server; on OpenVPN 2.1 or later use remote-cert-tls server instead (ns-cert-type was removed in 2.5).
9) Add the tunnel to the FireHOL configuration in /etc/firehol/firehol.conf (eth0 is the site 2 LAN interface here):

interface tun0 vpnTel
    policy accept

router vpnTel2lan inface tun0 outface eth0
    route all accept

router lan2vpnTel inface eth0 outface tun0
    route all accept

Note: route in a FireHOL router matches both directions, so the second router is redundant but harmless. policy accept on tun0 exposes every service on the Debian box itself to site 1, and route all accept gives the two LANs unrestricted access to each other; once the tunnel is up, narrow both to what actually needs to cross (for example route ssh accept instead of route all accept).
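The two configurations above have to agree in several places (port, mirrored ifconfig addresses, routes pointing at the peer's tunnel address, cipher), and a mismatch in any of them gives a tunnel that either never comes up or comes up but does not route. The following Python script is added here as an example and is not part of the original post or of IPCop/Zerina: it parses the server and client files above (embedded as constructed sample text, trimmed to the directives it checks; 198.51.100.10 is a placeholder for IPCop's public address) and reports consistency errors together with the hardening issues noted earlier (BF-CBC, 1024-bit DH, ns-cert-type, missing tls-auth).

```python
"""Cross-check the two halves of an OpenVPN point-to-point (ifconfig/route) site-to-site
tunnel such as the IPCop/Debian pair above. Added example, not part of the original post."""
import ipaddress

# Constructed input: the post's two configs, one directive per line, trimmed to what is
# checked here. 198.51.100.10 stands in for IPCop's public address (RFC 5737 range).
SERVER_CONF = """
port 1196
tls-server
dh /var/ipcop/ovpn/ca/dh1024.pem
ifconfig 10.90.10.1 10.90.10.2
route 10.18.10.0 255.255.255.0 10.90.10.2
cipher BF-CBC
"""
CLIENT_CONF = """
tls-client
remote 198.51.100.10 1196
ifconfig 10.90.10.2 10.90.10.1
route 192.168.0.0 255.255.255.0 10.90.10.1
cipher BF-CBC
ns-cert-type server
"""
# 64-bit block ciphers: practical birthday attacks (SWEET32) on a long-lived tunnel
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}


def parse(text):
    """Return {directive: [args, ...]}; repeated directives (route) keep every occurrence."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # '#' and ';' both start comments
        if line:
            words = line.split()
            conf.setdefault(words[0], []).append(words[1:])
    return conf


def last(conf, key, default=None):
    """Args of the last occurrence of a directive, or default."""
    return conf[key][-1] if key in conf else default


def check_pair(server, client):
    """Return [(severity, message)]: ERROR = no tunnel or no routing, WARN = hardening issue."""
    out = []
    def err(msg): out.append(("ERROR", msg))
    def warn(msg): out.append(("WARN", msg))

    # The client must connect to the port the server listens on (both default to 1194)
    sport = last(server, "port", ["1194"])[0]
    remote = last(client, "remote", [])
    cport = remote[1] if len(remote) > 1 else "1194"
    if cport != sport:
        err(f"port mismatch: server listens on {sport}, client connects to {cport}")

    # Tunnel addresses: the client's ifconfig must mirror the server's
    sif, cif = last(server, "ifconfig"), last(client, "ifconfig")
    if not (sif and cif):
        err("point-to-point mode needs an explicit ifconfig on both sides")
        return out
    s_local, s_peer = sif
    c_local, c_peer = cif
    if (c_local, c_peer) != (s_peer, s_local):
        err(f"ifconfig not mirrored: server {s_local}->{s_peer}, client {c_local}->{c_peer}")

    # LAN routes go via the tunnel peer, and no network may be routed in from both ends
    nets = {"server": set(), "client": set()}
    for side, conf, peer in (("server", server, s_peer), ("client", client, c_peer)):
        for r in conf.get("route", []):
            mask = r[1] if len(r) > 1 else "255.255.255.255"
            gw = r[2] if len(r) > 2 else peer  # OpenVPN defaults the gateway to the ifconfig peer
            try:
                net = ipaddress.ip_network(f"{r[0]}/{mask}")
            except ValueError:
                err(f"{side}: unparsable route '{' '.join(r)}'")
                continue
            nets[side].add(net)
            if gw != peer:
                err(f"{side}: route {net} via {gw}, expected tunnel peer {peer}")
    for net in nets["server"] & nets["client"]:
        err(f"{net} is routed into the tunnel from both ends (traffic would loop)")

    # Crypto and peer authentication
    sc, cc = last(server, "cipher", ["BF-CBC"])[0], last(client, "cipher", ["BF-CBC"])[0]
    if sc.upper() != cc.upper():
        err(f"cipher mismatch: server {sc}, client {cc}")
    if sc.upper() in WEAK_CIPHERS:
        warn(f"{sc} is a 64-bit block cipher (SWEET32); use AES-256-CBC on both ends")
    dh = last(server, "dh")
    if dh and "1024" in dh[0]:
        warn(f"{dh[0]} looks like 1024-bit DH parameters; regenerate with 2048 bits or more")
    if "tls-auth" not in server and "tls-crypt" not in server:
        warn("no tls-auth/tls-crypt: the listener answers TLS handshakes from any source address")
    if "remote-cert-tls" not in client and "ns-cert-type" not in client:
        warn("client never checks the server cert's purpose; any cert from the same CA can pose as the server")
    elif "remote-cert-tls" not in client:
        warn("ns-cert-type is deprecated (removed in OpenVPN 2.5); use remote-cert-tls server")
    return out

if __name__ == "__main__":
    for severity, message in check_pair(parse(SERVER_CONF), parse(CLIENT_CONF)):
        print(severity, message)
```

Run as-is it reports no ERROR for the pair above, only the WARN lines for BF-CBC, dh1024, ns-cert-type and the absent tls-auth; swapping the two ifconfig addresses on the client, or pointing remote at 1194 instead of 1196, turns those into ERRORs, which is the kind of mistake that is otherwise only visible as a tunnel that handshakes but passes no traffic.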
Has this been helpful?