Difference between revisions of "Ipsec"

From SME Server
Revision as of 15:16, 10 May 2010

Extracted from http://forums.contribs.org/index.php?topic=36033.0


IPSec Network-to-Network VPN SME Server 7.1 HOWTO

Author(s): Lloyd Keen, David Biczo

Revised: 7th March 2007

Summary: The purpose of this howto is to guide you through the procedure to connect two private subnets, both behind servers running SME Server version 7.1 in server/gateway mode, via an encrypted tunnel using IPsec (sometimes referred to as NETKEY or Kernel IPsec). Both servers have static IPs on the external interface, using PPPoE or bridged Ethernet. NETKEY under Linux 2.6 works a bit differently from IPsec under Linux 2.4, the most obvious difference being that there is no visible ipsecX device as such. This document serves as a guide only; it worked for us but YMMV. As usual, “all care but no responsibility taken”. Comments and suggestions are welcome. If you don’t feel comfortable following the procedure described below, I have written a script which will prompt you for the required settings and automate the process for you. This script is written for my personal use: if you can get any benefit from it, great, but if it doesn't work then you're on your own. You can download the script from here: [1]


SECTION A:

Procedure smeserverA:

#mcedit /etc/sysconfig/network-scripts/ifcfg-ipsec0 

and enter the following information:

TYPE=IPSEC 
ONBOOT=no 
IKE_METHOD=PSK 
SRCNET=192.168.aa.0/24 (smeserverA’s LAN address) 
DSTNET=192.168.bb.0/24 (smeserverB’s LAN address) 
SRCGW=xxx.xxx.xxx.xxx (smeserverA’s Gateway address) 
DST=xxx.xxx.xxx.xxx (replace xxx’s with smeserverB’s external static IP) 

Now add the preshared key into /etc/sysconfig/network-scripts/keys-ipsec0

#mcedit /etc/sysconfig/network-scripts/keys-ipsec0 

and add the following line:

IKE_PSK=my_shared_secret 

Procedure smeserverB:

#mcedit /etc/sysconfig/network-scripts/ifcfg-ipsec0 

and enter the following information:

TYPE=IPSEC 
ONBOOT=no 
IKE_METHOD=PSK 
SRCNET=192.168.bb.0/24 (smeserverB’s LAN address) 
DSTNET=192.168.aa.0/24 (smeserverA’s LAN address) 
SRCGW=xxx.xxx.xxx.xxx (smeserverB’s Gateway address) 
DST=xxx.xxx.xxx.xxx (replace xxx’s with smeserverA’s external static IP) 

Then add the preshared key into /etc/sysconfig/network-scripts/keys-ipsec0

#mcedit /etc/sysconfig/network-scripts/keys-ipsec0 

and add the following line:

IKE_PSK=my_shared_secret 

NOTE: If you have a PPPoE connection you don't want the interface to come up at boot time (ONBOOT=no). You need IPSec to come up AFTER the ppp interface. You can address this issue by modifying /etc/ppp/ip-up.local and /etc/ppp/ip-down.local scripts as described later in this document. If you have a bridged Ethernet connection then you can set this option to ONBOOT=yes.

Now open up the server-manager on both servers and add the appropriate network settings into the "Local Networks" panel. For example, on smeserverA you would enter the following values:

  • Network Address: 192.168.bb.1
  • Subnet Mask: 255.255.255.0
  • Router: 192.168.aa.1

And on smeserverB you would enter the following:

  • Network Address: 192.168.aa.1
  • Subnet Mask: 255.255.255.0
  • Router: 192.168.bb.1
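Before bringing the tunnel up it is worth confirming that both files from this section were actually filled in (no xxx placeholders, a real PSK) and that the key file, which holds the PSK in clear text, is readable by root only. The check below is an added example, not part of the original howto or of SME Server; it follows the KEY=value layout shown above, the sample pair and its addresses are constructed, and the mode-600 expectation for keys-ipsec0 is an assumption.

```shell
#!/bin/sh
# Added example, not from the original howto: sanity-check the ifcfg-ipsec0 /
# keys-ipsec0 pair from Section A before "ifup ipsec0". Assumed: the KEY=value
# layout shown above, and that keys-ipsec0 (clear-text PSK) must be mode 600.

# get VAR FILE -> value of the first VAR=... line, trailing whitespace stripped
get() { sed -n "s/^$1=//p" "$2" | sed 's/[[:space:]]*$//' | head -n 1; }

# check_ipsec_cfg CFG KEYS -> 0 if the pair looks usable, 1 otherwise
check_ipsec_cfg() {
    cfg=$1; keys=$2; rc=0
    cidr='^[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}/[0-9]\{1,2\}$'
    ip='^[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}$'
    [ "$(get TYPE "$cfg")" = IPSEC ]     || { echo "TYPE must be IPSEC"; rc=1; }
    [ "$(get IKE_METHOD "$cfg")" = PSK ] || { echo "IKE_METHOD must be PSK"; rc=1; }
    for v in SRCNET DSTNET; do
        echo "$(get $v "$cfg")" | grep -q "$cidr" || { echo "$v is not a.b.c.d/n"; rc=1; }
    done
    [ "$(get SRCNET "$cfg")" != "$(get DSTNET "$cfg")" ] \
        || { echo "SRCNET and DSTNET must be different subnets"; rc=1; }
    for v in SRCGW DST; do   # catches "xxx.xxx.xxx.xxx" left over from the template
        echo "$(get $v "$cfg")" | grep -q "$ip" || { echo "$v is not an IP address"; rc=1; }
    done
    psk=$(get IKE_PSK "$keys")
    { [ -n "$psk" ] && [ "$psk" != my_shared_secret ]; } \
        || { echo "IKE_PSK is empty or still the placeholder"; rc=1; }
    [ "$(stat -c %a "$keys")" = 600 ] || { echo "$keys should be mode 600 (root only)"; rc=1; }
    return $rc
}

# Constructed sample (smeserverA side) written to a temp dir so this runs offline
make_sample() {
    d=$(mktemp -d)
    cat > "$d/ifcfg-ipsec0" <<'EOF'
TYPE=IPSEC
ONBOOT=no
IKE_METHOD=PSK
SRCNET=192.168.10.0/24
DSTNET=192.168.20.0/24
SRCGW=203.0.113.1
DST=198.51.100.7
EOF
    echo 'IKE_PSK=correct-horse-battery-staple' > "$d/keys-ipsec0"
    chmod 600 "$d/keys-ipsec0"
    echo "$d"
}

d=$(make_sample)
check_ipsec_cfg "$d/ifcfg-ipsec0" "$d/keys-ipsec0" && echo "ifcfg-ipsec0 and keys-ipsec0 look sane"
```

On a real server run it as `check_ipsec_cfg /etc/sysconfig/network-scripts/ifcfg-ipsec0 /etc/sysconfig/network-scripts/keys-ipsec0`; each complaint names the field to fix.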



SECTION B:

This section contains information on modifying the firewall and installing modified scripts to fix routing issues.

#mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/ 
#cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/ 
#mcedit 15AllowIPsec  

and add the following:

/sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT 
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1 
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT 
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT 
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 51 -j MARK --set-mark 2 
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT 
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT  

Make sure to leave a blank line at the top of the file and a carriage return at the end of the file, then do:

#/sbin/e-smith/expand-template /etc/rc.d/init.d/masq 
#/etc/init.d/masq restart 

There appears to be a bug in the way ifup-ipsec and ifdown-ipsec set up the routing, so you will need to install modified versions of these scripts from here [2]. For more information about this bug see [3]. There is some minor code duplication in the scripts, but it works. If you have any comments or suggestions we’d be glad to hear them. Any changes made in the scripts have been documented where applicable.

#cd /etc/sysconfig/network-scripts 
#mv ifup-ipsec ifup-ipsec.old 
#mv ifdown-ipsec ifdown-ipsec.old 
#wget http://www.comnetel.com/sme7_ipsec/ifup-ipsec 
#wget http://www.comnetel.com/sme7_ipsec/ifdown-ipsec 

If you have a bridged Ethernet connection you can skip the next section and either reboot or bring up the tunnel with the following command:

#/sbin/ifup ipsec0 


SECTION C:

Only complete this section if you have a PPPoE connection on the external interface. Finally, as mentioned previously in this document, we need to add a command to bring up the tunnel automatically at boot time. Modify /etc/ppp/ip-up.local:

#mkdir -p /etc/e-smith/templates-custom/etc/ppp/ip-up.local 
#cd /etc/e-smith/templates-custom/etc/ppp/ip-up.local 
#mcedit 40ipup15ipsec 

and add the following code to the file:

case $IPPARAM in
    pppoe)
        /sbin/ifdown ipsec0
        sleep 5
        /sbin/ifup ipsec0
        ;;
    *)
        ;;
esac

Then expand the template

#expand-template /etc/ppp/ip-up.local 

Modify /etc/ppp/ip-down.local:

#mkdir -p /etc/e-smith/templates-custom/etc/ppp/ip-down.local 
#cd /etc/e-smith/templates-custom/etc/ppp/ip-down.local 
#mcedit 40ipdown15ipsec 

and add the following code into this file:

IPPARAM=$6
case $IPPARAM in
    pppoe)
        /sbin/ifdown ipsec0
        ;;
    *)
        ;;
esac

Then expand the template

#expand-template /etc/ppp/ip-down.local 

Reboot or bring up the tunnel with the following command:

#/sbin/ifup ipsec0

Regards, Lloyd & David