Changes

438 bytes added ,  08:43, 15 September 2014
m
Formatting WIP!!
Line 1: Line 1:  +
{{WIP box}}
   −
='''IPSec OpenSwan VPN to connect Servers'''=
+
__TOC__
'''Author/Contribitor: John Crisp'''
+
==About==
 +
[[File:openswan.jpg]]
   −
'''Revised: 15th Sept 2014'''
     −
Summary: The purpose of this howto is to guide you through the procedure to connect servers using OpenSwan VPN to connect via IPSEC.
+
Openswan is an IPsec implementation for Linux. It has support for most of the extensions (RFC + IETF drafts) related to IPsec, including IKEv2, X.509 Digital Certificates, NAT Traversal, and many others.
   −
I actually use it so my Draytek routers can connect to my online Koozali SME VPS machine. This works on Koozali SME v8 and v9 with the unit in server-gateway mode.
     −
On the online VPS it has a 'dummy' internal network adaptor but works fine with this.
+
==Installation==
 +
There are different installation instructions for SME8 and SME9:
   −
==Setup==
  −
===SME Server 9.0===
  −
yum install openswan
     −
===SME Server 8.1===
+
===SME Server 8===
On v8 you need to find the following package, or newer :
+
For SME Server 8, at least openswan-2.6.38-1.x86_64.rpm is required. However, this version is not to be found in the default repo's, nor any of the additional repo's.
 
+
A trusted copy of Openswan for SME8 can be found [http://www.reetspetit.com/smeserver/5/repoview/index.html '''here'''].
openswan-2.6.38-1.x86_64.rpm
+
After you have downloaded the above file, you can install it by issueing the following command:
 +
yum localinstall openswan-2.6.38-1.x86_64.rpm
 +
===SME Server 9===
 +
For SME Server 9, the Openswan can be found in the default repo's, so to install Openswan on SME Server 9, simply enter the following command: yum install openswan
   −
You can grab a copy here : http://www.reetspetit.com/smeserver/5/repoview/index.html
     −
I can't remember if I built that myself or got it somewhere as it seems quite elusive. If I can find the source I will build a src rpm.
+
===Openswan as a SME Server service===
 +
To make the Openswan service start at boot time we need to issue the following commands as root: ln -s /etc/rc.d/init.d/e-smith-service /etc/rc7.d/S99ipsec chkconfig ipsec on config set ipsec service config setprop ipsec status enabled
   −
Then:
+
This makes ipsec service start at boot time and you can disable/enable the ipsec service at will.  
yum localinstall openswan-2.6.38-1.x86_64.rpm
     −
You will need a link in etc/rc.d/rc7.d so the service starts :
  −
S99ipsec -> /etc/rc.d/init.d/e-smith-service
     −
Alternatively to do it the Koozali SME way :
+
===SME Server firewall configuration===
Create db entry:
+
Since Openswan/ipsec is all about security and private connections, the SME Server firewall rules play a crucial part of a correct configuration.
   −
db configuration set ipsec service status enabled
  −
db configuration show ipsec
  −
    ipsec=service
  −
    status=enabled
  −
   
  −
ln -s /etc/rc.d/init.d/e-smith-service /etc/rc.d/rc7.d/S99ipsec
  −
  −
You can now enable and disble the service accordingly.
  −
  −
===Firewall===
   
We need a new template fragment to allow ipsec through the firewall
 
We need a new template fragment to allow ipsec through the firewall
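Review bot: The new SME 8 install text calls the openswan-2.6.38-1.x86_64.rpm from reetspetit.com a "trusted copy", but the sentence it replaces ("I can't remember if I built that myself or got it somewhere") says its provenance is unknown, and readers are told to `yum localinstall` it, which runs the package scriptlets as root. Drop "trusted", state where the binary came from, and publish the SRPM or a GPG signature or SHA-256 checksum so it can be verified before installing. In "Openswan as a SME Server service" the four commands are run together on one line; put each on its own line or in a pre block, e.g. `chkconfig ipsec on` then `config set ipsec service` then `config setprop ipsec status enabled`, and note that the symlink directory changed from /etc/rc.d/rc7.d in the removed text to /etc/rc7.d in the new text, so pick one and use it consistently. The "SME Server firewall configuration" paragraph says the rules are crucial but does not say what the template fragment must allow (the removed "Firewall" text at least said a fragment is needed); name the IKE, NAT-T and ESP traffic it opens so readers can check their rules. The SME 9 `yum install openswan` should sit on its own line like the SME 8 command, and the typos Contribitor, issueing and repo's should be fixed.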
   Line 81: Line 69:  
  # echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects
 
  # echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects
   −
===OpenSwan Configuration===
+
 
 +
==Ipsec server to server configuration==
 +
Openswan/ipsec can be used to setup a secue and permanent VPN connection between a SME Server and another IPSEC enabled device such as a router.
 +
 
 +
Here is an example:
 +
 
 +
 
 +
On the online VPS it has a 'dummy' internal network adaptor but works fine with this.
 +
 
 
Here is a sample of my /etc/ipsec.conf with some added notes.
 
Here is a sample of my /etc/ipsec.conf with some added notes.
 +
 
LEFT side is your server. RIGHT side is your router.
 
LEFT side is your server. RIGHT side is your router.
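Review bot: The context line `# echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects` reads as a commented-out command rather than a root prompt; either drop the `#` or say it is the prompt, because a reader who pastes it into a script gets nothing. Writing to /proc is also lost at reboot and only covers ppp0, so `ipsec verify` will keep warning about redirects on the other interfaces; the durable fix is net.ipv4.conf.all.accept_redirects = 0 and net.ipv4.conf.all.send_redirects = 0 in /etc/sysctl.conf. The sentence "On the online VPS it has a 'dummy' internal network adaptor" now appears both in About and in this section; keep one copy. "secue" should be "secure", and "Here is an example:" is followed only by blank lines, so the example it announces should follow it directly.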
   Line 122: Line 119:     
===Passwords===
 
===Passwords===
 +
 
The following file needs to be looked after and should be set chmod 0600
 
The following file needs to be looked after and should be set chmod 0600
  
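Review bot: The heading "Passwords" does not match what Openswan reads from this file, which is pre-shared keys or private keys, so "Pre-shared keys" or "Secrets" would be clearer. `chmod 0600` on its own is not enough: pair it with root ownership (chown root:root), since a mode of 0600 protects nothing if the file is owned by another user, and say that a PSK should be a long random value rather than a memorable password, because IKE aggressive mode with a weak PSK is an offline brute-force target.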
