Line 1: |
Line 1: |
| + | {{WIP box}} |
| | | |
− | ='''IPSec OpenSwan VPN to connect Servers'''= | + | __TOC__ |
− | '''Author/Contribitor: John Crisp'''
| + | ==About== |
| + | [[File:openswan.jpg]] |
| | | |
− | '''Revised: 15th Sept 2014'''
| |
| | | |
− | Summary: The purpose of this howto is to guide you through the procedure to connect servers using OpenSwan VPN to connect via IPSEC.
| + | Openswan is an IPsec implementation for Linux. It has support for most of the extensions (RFC + IETF drafts) related to IPsec, including IKEv2, X.509 Digital Certificates, NAT Traversal, and many others. |
| | | |
− | I actually use it so my Draytek routers can connect to my online Koozali SME VPS machine. This works on Koozali SME v8 and v9 with the unit in server-gateway mode.
| |
| | | |
− | On the online VPS it has a 'dummy' internal network adaptor but works fine with this.
| + | ==Installation== |
| + | There are different installation instructions for SME8 and SME9: |
| | | |
− | ==Setup==
| |
− | ===SME Server 9.0===
| |
− | yum install openswan
| |
| | | |
− | ===SME Server 8.1=== | + | ===SME Server 8=== |
− | On v8 you need to find the following package, or newer :
| + | For SME Server 8, at least openswan-2.6.38-1.x86_64.rpm is required. However, this version is not to be found in the default repo's, nor any of the additional repo's. |
− | | + | A trusted copy of Openswan for SME8 can be found [http://www.reetspetit.com/smeserver/5/repoview/index.html '''here''']. |
− | openswan-2.6.38-1.x86_64.rpm | + | After you have downloaded the above file, you can install it by issueing the following command: |
| + | yum localinstall openswan-2.6.38-1.x86_64.rpm |
| + | ===SME Server 9=== |
| + | For SME Server 9, the Openswan can be found in the default repo's, so to install Openswan on SME Server 9, simply enter the following command: yum install openswan |
| | | |
− | You can grab a copy here : http://www.reetspetit.com/smeserver/5/repoview/index.html
| |
| | | |
− | I can't remember if I built that myself or got it somewhere as it seems quite elusive. If I can find the source I will build a src rpm.
| + | ===Openswan as a SME Server service=== |
| + | To make the Openswan service start at boot time we need to issue the following commands as root: ln -s /etc/rc.d/init.d/e-smith-service /etc/rc7.d/S99ipsec chkconfig ipsec on config set ipsec service config setprop ipsec status enabled |
| | | |
− | Then:
| + | This makes ipsec service start at boot time and you can disable/enable the ipsec service at will. |
− | yum localinstall openswan-2.6.38-1.x86_64.rpm
| |
| | | |
− | You will need a link in etc/rc.d/rc7.d so the service starts :
| |
− | S99ipsec -> /etc/rc.d/init.d/e-smith-service
| |
| | | |
− | Alternatively to do it the Koozali SME way :
| + | ===SME Server firewall configuration=== |
− | Create db entry:
| + | Since Openswan/ipsec is all about security and private connections, the SME Server firewall rules play a crucial part of a correct configuration. |
| | | |
− | db configuration set ipsec service status enabled
| |
− | db configuration show ipsec
| |
− | ipsec=service
| |
− | status=enabled
| |
− |
| |
− | ln -s /etc/rc.d/init.d/e-smith-service /etc/rc.d/rc7.d/S99ipsec
| |
− |
| |
− | You can now enable and disble the service accordingly.
| |
− |
| |
− | ===Firewall===
| |
| We need a new template fragment to allow ipsec through the firewall | | We need a new template fragment to allow ipsec through the firewall |
| | | |
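Review bot: the service-enablement commands on the added line in the "Openswan as a SME Server service" subsection are run together on one line and should each stand on their own line, and the symlink target there (`/etc/rc7.d/S99ipsec`) differs from the path the removed lines used (`/etc/rc.d/rc7.d/S99ipsec`); pick one and check it is the directory the e-smith runlevel links actually live in. The removed lines also recorded the one-step equivalent `db configuration set ipsec service status enabled`, which is worth keeping next to `config set ipsec service` plus `config setprop ipsec status enabled` so readers on either revision get the same result. The new "SME Server firewall configuration" paragraph says the firewall rules are crucial but names no ports or protocols, so the reader cannot tell what the template fragment in the next hunk must open; list the IKE, NAT-T and ESP rules the fragment allows. Minor: "issueing" should be "issuing", "repo's" should be "repos".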
Line 81: |
Line 69: |
| # echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects | | # echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects |
| | | |
− | ===OpenSwan Configuration=== | + | |
| + | ==Ipsec server to server configuration== |
| + | Openswan/ipsec can be used to setup a secue and permanent VPN connection between a SME Server and another IPSEC enabled device such as a router. |
| + | |
| + | Here is an example: |
| + | |
| + | |
| + | On the online VPS it has a 'dummy' internal network adaptor but works fine with this. |
| + | |
| Here is a sample of my /etc/ipsec.conf with some added notes. | | Here is a sample of my /etc/ipsec.conf with some added notes. |
| + | |
| LEFT side is your server. RIGHT side is your router. | | LEFT side is your server. RIGHT side is your router. |
| | | |
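Review bot: "secue" on the first added line should read "secure". The added "Here is an example:" lead-in is followed only by blank rows and the relocated sentence "On the online VPS it has a 'dummy' internal network adaptor but works fine with this.", which lost the sentence that introduced the VPS when the About section was rewritten in the first hunk, so "it" no longer refers to anything; either restore a sentence naming the VPS and server-gateway setup before it, or drop it and let "Here is a sample of my /etc/ipsec.conf" serve as the example lead-in. The new heading "Ipsec server to server configuration" also does not match the unchanged "LEFT side is your server. RIGHT side is your router." line that follows; "server to router" or "site to site" would describe the example accurately.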
Line 122: |
Line 119: |
| | | |
| ===Passwords=== | | ===Passwords=== |
| + | |
| The following file needs to be looked after and should be set chmod 0600 | | The following file needs to be looked after and should be set chmod 0600 |
| | | |