Difference between revisions of "Libreswan"

From SME Server

Revision as of 08:45, 15 September 2014

Work in Progress:
This page is a work in progress. The contents of this page may be in flux; please have a look at the page history to see the list of changes.


About



Openswan is an IPsec implementation for Linux. It has support for most of the extensions (RFC + IETF drafts) related to IPsec, including IKEv2, X.509 Digital Certificates, NAT Traversal, and many others.


Installation

There are different installation instructions for SME8 and SME9:


SME Server 8

For SME Server 8, at least openswan-2.6.38-1.x86_64.rpm is required. However, this version is not available in the default repos, nor in any of the additional repos. A trusted copy of Openswan for SME8 can be found here. After you have downloaded the above file, you can install it by issuing the following command:

yum localinstall openswan-2.6.38-1.x86_64.rpm

SME Server 9

For SME Server 9, Openswan can be found in the default repos, so to install Openswan on SME Server 9, simply enter the following command:

yum install openswan

Openswan as a SME Server service

To make the Openswan service start at boot time we need to issue the following commands as root:

ln -s /etc/rc.d/init.d/e-smith-service /etc/rc7.d/S99ipsec
chkconfig ipsec on
config set ipsec service
config setprop ipsec status enabled

This makes the ipsec service start at boot time, and you can enable or disable the ipsec service at will.


SME Server firewall configuration

Since Openswan/ipsec is all about security and private connections, the SME Server firewall rules play a crucial part in a correct configuration.

We need a new template fragment to allow ipsec through the firewall:

touch /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/15AllowIPsec

Add the following code:

# IPsec ports
/sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT
/sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT

Then expand the template and restart the firewall so the new rules are loaded:

expand-template /etc/rc.d/init.d/masq
service masq restart

We also need to disable redirects. I have the following code in a file called Disable_Redirects.sh, with a link to it from /etc/rc.d/rc.local:

#!/bin/bash
# For OpenSwan
# Disable send redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
# echo 0 > /proc/sys/net/ipv4/conf/ppp0/send_redirects
# Disable accept redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects
# echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects


Ipsec server to server configuration

Openswan/ipsec can be used to set up a secure and permanent VPN connection between a SME Server and another IPsec-enabled device such as a router.

Here is an example:


On the online VPS there is only a 'dummy' internal network adaptor, but it works fine with this.

Here is a sample of my /etc/ipsec.conf with some added notes.

LEFT side is your server. RIGHT side is your router.

# /etc/ipsec.conf
# basic configuration
# auto=start for both ways or auto=add for incoming only

version 2.0

config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    #klipsdebug=none
    plutodebug=none
    interfaces=%defaultroute
    oe=no
    protostack=netkey
    syslog=syslog.debug
    # syslog=syslog.warning
    virtual_private=%v4:192.168.0.0/24   # Here you add the local/internal network of your server
    nat_traversal=yes   # if required - probably yes

# Connection settings
# Router to Server
conn draytek-wan1   # Your connection name
    type=tunnel
    authby=secret
    auto=start   # n.b. auto=start for ipsec to try and make a connection, or auto=add to accept incoming
    ikelifetime=28800s
    keylife=3600s
    left=%defaultroute
    leftsourceip=192.168.98.1   # This is the IP address of your internal ethernet connection on your server
    leftsubnet=192.168.98.0/24   # This is your local network on your server
    pfs=yes   # If required
    dpdaction=restart
    dpddelay=30
    dpdtimeout=10
    right=1.2.3.4   # This is the WAN IP address of your router that is connecting in
    rightsubnet=192.168.0.0/24   # This is the local network behind the router at the far end
# More incoming connections here

Passwords

The following file holds the pre-shared keys, so it needs to be looked after and should be set to mode 0600 with chmod.

# /etc/ipsec.secrets
# Format is 
# Incoming_IP Local_IP: PSK "Your#Strong#Password"
1.2.3.4 %any: PSK "Your#Strong#Password"
host.dnsalias.org %any: PSK "Your#Strong#Password"
1.2.3.4 192.168.98.1: PSK "Your#Strong#Password"
%any 192.168.98.1: PSK "Your#Strong#Password"
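The following checks cover the state the firewall fragment, Disable_Redirects.sh and ipsec.secrets sections above leave on the box: secrets permissions and content, the redirect sysctls, and the loaded iptables rules. It is an added example written for this page, not code from the SME Server wiki, and assumes GNU/Linux userland with iptables-save output piped into the last function.

```shell
#!/bin/bash
# Added post-install checks for the Openswan setup above (example code, not
# from the SME Server wiki). Each function takes the file or directory to
# inspect (defaults: the real locations), returns 0/1 and explains on stderr.

# ipsec.secrets must be mode 0600: anyone who can read it holds the PSKs.
check_secrets_perms() {
    local f="${1:-/etc/ipsec.secrets}" perms
    perms=$(ls -ld "$f" | cut -c1-10) || return 1
    [ "$perms" = "-rw-------" ] && return 0
    echo "$f has permissions $perms, expected -rw-------" >&2; return 1
}

# Each non-comment line must read 'peer local: PSK "..."', and the page's
# placeholder Your#Strong#Password must have been replaced.
check_secrets_content() {
    local f="${1:-/etc/ipsec.secrets}" rc=0 line
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        printf '%s\n' "$line" | grep -Eq '^[^ ]+ [^ ]+: PSK "[^"]+"$' \
            || { echo "malformed secret line: $line" >&2; rc=1; }
        case "$line" in *'"Your#Strong#Password"'*)
            echo "placeholder PSK still present: $line" >&2; rc=1 ;; esac
    done < "$f"
    return $rc
}

# send_redirects and accept_redirects must be 0 on every interface, as
# Disable_Redirects.sh sets them (root defaults to /proc/sys/net/ipv4).
check_redirects() {
    local root="${1:-/proc/sys/net/ipv4}" rc=0 f v
    for f in "$root"/conf/*/send_redirects "$root"/conf/*/accept_redirects; do
        [ -r "$f" ] || continue
        v=$(cat "$f")
        [ "$v" = "0" ] || { echo "$f is $v, expected 0" >&2; rc=1; }
    done
    return $rc
}

# Reads iptables-save output on stdin and checks that the masq fragment's IKE
# (UDP 500) and ESP (protocol 50, printed as 'esp') rules are loaded. UDP 4500
# (NAT-T) is not opened by the fragment above, so its absence is only a note.
check_firewall_rules() {
    local rules; rules=$(cat)
    printf '%s\n' "$rules" | grep -Eq -- '-p udp .*--dport 500 .*-j ACCEPT' \
        || { echo "no accept rule for IKE (UDP 500)" >&2; return 1; }
    printf '%s\n' "$rules" | grep -Eq -- '-p (50|esp)( |$)' \
        || { echo "no rule for ESP (protocol 50)" >&2; return 1; }
    printf '%s\n' "$rules" | grep -q -- '--dport 4500' || echo "note: no UDP 4500 (NAT-T) rule" >&2
}
```

Source the file and run, for example, `check_secrets_perms && check_secrets_content && check_redirects && iptables-save | check_firewall_rules` as root after the reboot.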

A reboot should get everything going.

Now set up your router. Create a new IPsec VPN connection with the correct credentials and it should connect up.

Check /var/log/secure for debug messages and, once you are happy, change the syslog setting in ipsec.conf from syslog.debug to syslog.warning.

If you need more debugging you can set plutodebug=all.