Configuring CryptoPro IPsec VPN with GOST Encryption
Good day% username%! Everyone knows that the Federal Law of the Russian Federation No. 152 dictates to us that we must use certified means to protect PD. There was a task to ensure the security of the channel under Federal Law 152 for remote connection of clients. For this, a VPN server with CryptoPro IPsec and GOST certificates were used.
Instruction inside.
Before setting up the services and connections on the server and client machines, you must install CryptoPro CSP and CryptoPro IPSec on them!
We configure the VPN server on Windows Server 2012 R2
')
Open the Server Manager snap-in and use the Role-based or feature-based installation through the Add Roles Wizard.
Next, select the server from the server pool.
At the step of selecting roles, choose the role of Remote Access.
Step Features are skipped without making changes. At the step of selecting the services to include in the role, select the DirectAccess and VPN (RAS) service.
After selecting a service, a window will open to add additional components associated with the selected service. We agree with their installation by clicking Add Features.
The Web Server Role (IIS) role will be added to the Add Roles Wizard. We skip the corresponding step of the Web Server Role (IIS) wizard and the dependent Role Services options with the default settings and start the installation process, after which a link to the Remote Access wizard of the Remote Access service will be available.
The RAS Configuration Wizard can be invoked by clicking on the appropriate link here, or later from the Server Manager snap-in:
Since the setting of DirectAccess in the context of our task is not needed, in the wizard window we select the option VPN only - Deploy VPN only.
Configuring the Routing and Remote Access service
From the Control Panel, open the Administrative Tools \ Routing and Remote Access snap-in, select the server name and open the context menu. Select the item Configure and Enable Routing and Remote Access.
Since we only need VPN choose.
Choose a VPN.
Next, specify the external interface that has access to the Internet, to which remote clients will connect.
We configure the range of addresses for clients.
We indicate that we do not use the RADIUS server.
We agree with the launch of the service. After startup, you need to configure user authentication methods.
We issue GOST certificates in CryptoPro UTS 2.0 for VPN.
In order for IPSec to work with us, we need:
And so, we will create two IPSec client IPSec server templates in the TC Manager.
Add the Client Authentication parameter (1.3.6.1.5.5.7.3.2) to the IPSec client template configuration. IP security IKE intermediate (1.3.6.1.5.5.8.2.2).
The IPSec server template is the same with the Server Authentication parameter (1.3.6.1.5.5.7.3.3.1).
After the work done in the Management Console, we create users to request and generate a certificate.
Next, we request a certificate for the created users. When you request, you must specify the template that we created.
Choose a storage location (container) for the private key.
After nervous jerking with the mouse (this is necessary for the HRO), we set the password for the container.
Now we need to export the certificate to a closed container.
After copying the certificate, you must copy the entire container to a file for transfer to the remote client's AWS. We export using CryptoPro CSP in pfx format.
Using the same algorithm, we create a certificate for the server using only a different template and install them using the CryptoPro CSP certificates snap-in. Do not forget about the root certificate that should be in the Trusted Root Certification Authorities.
Configuring the IP Security Policy on the server
Step times.
Step two.
Step three.
On the Authentication Methods tab, add the Root Certificate.
Using the same algorithm, we configure the IP security policy on each remote AWP.
The correctness of the certificate installation and IPSec health check, as well as error logging, can be checked using the CryptoPro IPSec cp_ipsec_info.exe utility. After clicking the Update list menu, you will see a list of installed certificates. On against the installed certificate should be ticked to confirm that everything is fine with it.
Configuring VPN connection to server
Connection is configured as standard but with minor changes.
It seems to have told all the nuances, if there are comments or suggestions I will listen with joy!
Instruction inside.
Before setting up the services and connections on the server and client machines, you must install CryptoPro CSP and CryptoPro IPSec on them!
We configure the VPN server on Windows Server 2012 R2
')
Open the Server Manager snap-in and use the Role-based or feature-based installation through the Add Roles Wizard.
Next, select the server from the server pool.
At the step of selecting roles, choose the role of Remote Access.
Step Features are skipped without making changes. At the step of selecting the services to include in the role, select the DirectAccess and VPN (RAS) service.
After selecting a service, a window will open to add additional components associated with the selected service. We agree with their installation by clicking Add Features.
The Web Server Role (IIS) role will be added to the Add Roles Wizard. We skip the corresponding step of the Web Server Role (IIS) wizard and the dependent Role Services options with the default settings and start the installation process, after which a link to the Remote Access wizard of the Remote Access service will be available.
The RAS Configuration Wizard can be invoked by clicking on the appropriate link here, or later from the Server Manager snap-in:
Since the setting of DirectAccess in the context of our task is not needed, in the wizard window we select the option VPN only - Deploy VPN only.
Configuring the Routing and Remote Access service
From the Control Panel, open the Administrative Tools \ Routing and Remote Access snap-in, select the server name and open the context menu. Select the item Configure and Enable Routing and Remote Access.
Since we only need VPN choose.
Choose a VPN.
Next, specify the external interface that has access to the Internet, to which remote clients will connect.
We configure the range of addresses for clients.
We indicate that we do not use the RADIUS server.
We agree with the launch of the service. After startup, you need to configure user authentication methods.
We issue GOST certificates in CryptoPro UTS 2.0 for VPN.
In order for IPSec to work with us, we need:
- CA Root Certificate
- Server certificate
- Client certificate
And so, we will create two IPSec client IPSec server templates in the TC Manager.
Add the Client Authentication parameter (1.3.6.1.5.5.7.3.2) to the IPSec client template configuration. IP security IKE intermediate (1.3.6.1.5.5.8.2.2).
The IPSec server template is the same with the Server Authentication parameter (1.3.6.1.5.5.7.3.3.1).
After the work done in the Management Console, we create users to request and generate a certificate.
Next, we request a certificate for the created users. When you request, you must specify the template that we created.
Choose a storage location (container) for the private key.
After nervous jerking with the mouse (this is necessary for the HRO), we set the password for the container.
Now we need to export the certificate to a closed container.
After copying the certificate, you must copy the entire container to a file for transfer to the remote client's AWS. We export using CryptoPro CSP in pfx format.
Using the same algorithm, we create a certificate for the server using only a different template and install them using the CryptoPro CSP certificates snap-in. Do not forget about the root certificate that should be in the Trusted Root Certification Authorities.
Configuring the IP Security Policy on the server
Step times.
Step two.
Step three.
On the Authentication Methods tab, add the Root Certificate.
Using the same algorithm, we configure the IP security policy on each remote AWP.
The correctness of the certificate installation and IPSec health check, as well as error logging, can be checked using the CryptoPro IPSec cp_ipsec_info.exe utility. After clicking the Update list menu, you will see a list of installed certificates. On against the installed certificate should be ticked to confirm that everything is fine with it.
Configuring VPN connection to server
Connection is configured as standard but with minor changes.
It seems to have told all the nuances, if there are comments or suggestions I will listen with joy!
Source: https://habr.com/ru/post/328770/
All Articles