Brocade SSL-VPN Client Bundler on Vyatta

In Brocade Vyatta version VSE6.7R6, Brocade introduced a new feature called SSL VPN Client Bundler. This SSL VPN feature is based on OpenVPN.

Brocade SSL-VPN Client Bundler enables the Vyatta system to generate image bundles that facilitate the setup of SSL-VPN client connections. Bundles include the up-to-date SSL-VPN client configuration that is required to connect to the server, including the required Transport Layer Security (TLS) certificate authority (CA) certificate that is used by the server.

The bundles can be found in the following folders:

  • For Windows: /config/auth/vpn/ssl-vpn/client-bundle/vtunX/windows
  • For Linux: /config/auth/vpn/ssl-vpn/client-bundle/vtunX/linux

Note: vtunX is the OpenVPN tunnel interface.

Today, I will show you step by step how to make use of this feature on a SoftLayer Vyatta gateway.

Step 0

Create the certificate for the SSL VPN using your CA, then upload the CA certificate, DH file, SSL VPN certificate and private key to /config/auth/

vyatta@vyatta01:/config/auth$ ls -al
total 32
drwxrwsr-x 1 root   vyattacfg 4096 May 26 11:47 .
drwxrwsr-x 1 root   vyattacfg 4096 May 12 07:57 ..
-rw-r--r-- 1 vyatta vyattacfg 1216 May 26 11:06 ca.crt
-rw-r--r-- 1 vyatta vyattacfg  245 May 26 11:07 dh1024.pem
-rw-r--r-- 1 vyatta vyattacfg 3885 May 26 11:46 sslvpn.crt
-rw-r--r-- 1 vyatta vyattacfg  891 May 26 11:46 sslvpn.key

Step 1 (optional)

Service-User Web Portal allows end users to obtain the SSL-VPN client bundles by themselves. The portal is available by default from the following public-interface address of the Vyatta system:

https://<VyattaIP>/service

You can enable the Service-User Web Portal with the CLI command below:

vyatta@vyatta01# set services https service-user

Of course, you can distribute the bundle to your end users yourself if you prefer. In this case, you don't need to enable the Service-User Web Portal.

Step 2: Generate the Client Bundle.

In our configuration example, we use the following parameters for our VPN configuration:

Hash: sha256

Encryption: aes128

Transport protocol: TCP

Transport port: 8443

SSL VPN Client IP: 172.16.10.0/24

We create the client bundle for Windows and Linux systems plus a generic one (the generic option only creates an OVPN file for you; you have to get the client yourself).

set interfaces openvpn vtun10 client-bundle 'generic'
set interfaces openvpn vtun10 client-bundle 'linux'
set interfaces openvpn vtun10 client-bundle 'windows'
set interfaces openvpn vtun10 'client-cert-not-required'
set interfaces openvpn vtun10 description 'SSLVPN-test'
set interfaces openvpn vtun10 encryption 'aes128'
set interfaces openvpn vtun10 hash 'sha256'
set interfaces openvpn vtun10 local-host 'x.x.x.x'
set interfaces openvpn vtun10 local-port '8443'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 protocol 'tcp-passive'
set interfaces openvpn vtun10 server subnet '172.16.10.0/24'
set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ca.crt'
set interfaces openvpn vtun10 tls cert-file '/config/auth/sslvpn.crt'
set interfaces openvpn vtun10 tls dh-file '/config/auth/dh1024.pem'
set interfaces openvpn vtun10 tls key-file '/config/auth/sslvpn.key'

Note: The client-cert-not-required variable must be set to allow SSL-VPN clients to connect using username and password without a TLS client certificate that is specific to an end user. Even if client certificates were created, they are not included in any SSL-VPN client bundles.

Step 3: Define SSL VPN users

Here I define a user called jojo:

set resources service-users local user jojo auth plaintext-password xxxxxx

Step 4: Associate the user with the OpenVPN interface

set interfaces openvpn vtun10 auth local user 'jojo'
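Once the bundle is generated, it is worth confirming that the profile the user downloads (for example the OVPN file from the 'generic' bundle) really carries the Step 2 server parameters and the CA certificate; the checker below is an added example and is not part of this post or of Vyatta. Because client-cert-not-required means no per-user certificate is bundled, it also insists on auth-user-pass and on remote-cert-tls server, so the client only accepts a certificate issued for a server rather than any certificate signed by the CA. The sample profile is constructed, and the mapping of Vyatta's aes128/sha256 settings to OpenVPN's AES-128-CBC/SHA256 names is an assumption.

```python
import re

# Constructed stand-in for a 'generic' bundle's .ovpn (certificate body is a placeholder).
# Assumption: 'encryption aes128'/'hash sha256' map to 'cipher AES-128-CBC'/'auth SHA256'.
SAMPLE_OVPN = """\
proto tcp
remote x.x.x.x 8443
cipher AES-128-CBC
auth SHA256
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""
# Values taken from the 'set interfaces openvpn vtun10 ...' commands in Step 2.
EXPECTED = {"proto": "tcp", "port": "8443", "cipher": "AES-128-CBC", "auth": "SHA256"}

def parse_ovpn(text):
    """Map each OpenVPN option to its arguments; inline <tag> blocks map to ['<inline>']."""
    opts, in_block = {}, None
    for line in (l.strip() for l in text.splitlines()):
        tag = re.fullmatch(r"<(/?)(\w+)>", line)
        if tag:  # <ca> opens an inline block, </ca> closes it
            in_block = None if tag.group(1) else tag.group(2)
            opts[tag.group(2)] = ["<inline>"]
        elif line and not in_block and line[0] not in "#;":
            key, *args = line.split()  # skip block bodies, blanks and comments
            opts[key] = args
    return opts

def check_profile(text, expected=EXPECTED):
    """Return findings for a client profile; an empty list means it matches the server."""
    opts = parse_ovpn(text)
    first = lambda k: (opts.get(k) or [""])[0]
    findings = []
    for key in ("proto", "cipher", "auth"):
        if first(key).upper() != expected[key].upper():
            findings.append("%s: expected %s, got %r" % (key, expected[key], first(key)))
    if len(opts.get("remote", [])) < 2 or opts["remote"][1] != expected["port"]:
        findings.append("remote: port should match local-port " + expected["port"])
    if "ca" not in opts:
        findings.append("no CA certificate: client cannot verify the server")
    if "auth-user-pass" not in opts:  # the only client credential with client-cert-not-required
        findings.append("auth-user-pass missing: users could not log in")
    if first("remote-cert-tls") != "server":
        findings.append("remote-cert-tls server missing: server cert role unchecked")
    return findings
```

Run check_profile on the downloaded profile's text; any finding means the bundle does not match the server you configured.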

Now you are able to get your SSL VPN bundle and use the SSL VPN.

Go to the Service-User Web Portal (https://<VyattaIP>/service) and log in with your username and password.

[Screenshot: sslbundle1]

Download your bundle: here, click Windows in the Download tab.

[Screenshot: sslbundle2]

After the download is complete, accept the security warning and run the app.

[Screenshot: sslbundle3]

Install the SSL VPN client (Next, then Next).

[Screenshot: sslbundle4]

After the client installation is finished, open the SSL VPN client and type in your username and password.

[Screenshot: sslbundle5]

After you click OK, you will be connected to the SSL VPN in a few seconds, as shown below.

[Screenshot: sslbundle7]

You can check the SSL VPN log of your SSL connection if you see any issue.

[Screenshot: sslbundle6]
