Difference between revisions of "Libreswan"
From SME Server
Jump to navigationJump to search| Line 8: | Line 8: | ||
Summary: The purpose of this howto is to guide you through the procedure to connect servers using OpenSwan VPN to connect via IPSEC. | Summary: The purpose of this howto is to guide you through the procedure to connect servers using OpenSwan VPN to connect via IPSEC. | ||
| − | I actually use it so my Draytek routers can connect to my online Koozali SME VPS machine | + | I actually use it so my Draytek routers can connect to my online Koozali SME VPS machine. This works on Koozali SME v8 and v9 with the unit in server-gateway mode. |
| − | |||
| − | This works on Koozali SME v8 and v9 with the unit in server-gateway mode. | ||
On the online VPS it has a 'dummy' internal network adaptor but works fine with this. | On the online VPS it has a 'dummy' internal network adaptor but works fine with this. | ||
| Line 18: | Line 16: | ||
yum install openswan | yum install openswan | ||
| − | ===SME Server 8.1 | + | ===SME Server 8.1=== |
On v8 you need to find the following package, or newer : | On v8 you need to find the following package, or newer : | ||
openswan-2.6.38-1.x86_64.rpm | openswan-2.6.38-1.x86_64.rpm | ||
| − | You can grab a copy here : | + | You can grab a copy here : http://www.reetspetit.com/smeserver/5/repoview/index.html |
| − | |||
| − | http://www.reetspetit.com/smeserver/5/repoview/index.html | ||
I can't remember if I built that myself or got it somewhere as it seems quite elusive. If I can find the source I will build a src rpm. | I can't remember if I built that myself or got it somewhere as it seems quite elusive. If I can find the source I will build a src rpm. | ||
| − | Then | + | Then": |
| − | + | yum localinstall openswan-2.6.38-1.x86_64.rpm | |
| − | yum localinstall openswan-2.6.38-1.x86_64.rpm | ||
You will need a link in etc/rc.d/rc7.d so the service starts : | You will need a link in etc/rc.d/rc7.d so the service starts : | ||
| − | + | S99ipsec -> /etc/rc.d/init.d/e-smith-service | |
| − | S99ipsec -> /etc/rc.d/init.d/e-smith-service | ||
| − | |||
Alternatively to do it the Koozali SME way : | Alternatively to do it the Koozali SME way : | ||
| − | |||
Create db entry: | Create db entry: | ||
| − | db configuration set ipsec service status enabled | + | db configuration set ipsec service status enabled |
| − | + | db configuration show ipsec | |
| − | db configuration show ipsec | ||
ipsec=service | ipsec=service | ||
status=enabled | status=enabled | ||
| − | ln -s /etc/rc.d/init.d/e-smith-service /etc/rc.d/rc7.d/S99ipsec | + | ln -s /etc/rc.d/init.d/e-smith-service /etc/rc.d/rc7.d/S99ipsec |
You can now enable and disble the service accordingly. | You can now enable and disble the service accordingly. | ||
| − | |||
===Firewall=== | ===Firewall=== | ||
| − | |||
We need a new template fragment to allow ipsec through the firewall | We need a new template fragment to allow ipsec through the firewall | ||
| − | touch /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/15AllowIPsec | + | touch /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/15AllowIPsec |
Add the following code : | Add the following code : | ||
| − | # IPsec ports | + | # IPsec ports |
| − | + | /sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT | |
| − | /sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT | + | /sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1 |
| − | /sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1 | + | /sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT |
| − | /sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT | + | /sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT |
| − | /sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT | + | /sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT |
| − | /sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT | + | /sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT |
| − | /sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT | + | /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT |
| − | /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT | ||
| − | |||
| − | |||
| − | service masq restart | + | expand-template /etc/rc.d/init.d/masq |
| + | service masq restart | ||
We also need to disable redirects. | We also need to disable redirects. | ||
| − | |||
I have the following code in a file called Disable_Redirects.sh and a link to it in /etc/rc.d/rc.local | I have the following code in a file called Disable_Redirects.sh and a link to it in /etc/rc.d/rc.local | ||
| − | #!/bin/bash | + | #!/bin/bash |
| − | # For OpenSwan | + | # For OpenSwan |
| − | # Disable send redirects | + | # Disable send redirects |
| − | echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects | + | echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects |
| − | echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects | + | echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects |
| − | echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects | + | echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects |
| − | echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects | + | echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects |
| − | echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects | + | echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects |
| − | # echo 0 > /proc/sys/net/ipv4/conf/ppp0/send_redirects | + | # echo 0 > /proc/sys/net/ipv4/conf/ppp0/send_redirects |
| − | + | # Disable accept redirects | |
| − | # Disable accept redirects | + | echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects |
| − | echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects | + | echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects |
| − | echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects | + | echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects |
| − | echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects | + | echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects |
| − | echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects | + | echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects |
| − | echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects | + | # echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects |
| − | # echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects | ||
| − | |||
===OpenSwan Configuration=== | ===OpenSwan Configuration=== | ||
| − | |||
Here is a sample of my /etc/ipsec.conf with some added notes. | Here is a sample of my /etc/ipsec.conf with some added notes. | ||
| − | |||
LEFT side is your server. RIGHT side is your router. | LEFT side is your server. RIGHT side is your router. | ||
| − | # /etc/ipsec.conf | + | # /etc/ipsec.conf |
| − | # basic configuration | + | # basic configuration |
| − | + | #auto = 'start' for both ways or 'add' for incoming only | |
| − | #auto = 'start' for both ways or 'add' for incoming only | ||
version 2.0 | version 2.0 | ||
| − | |||
config setup | config setup | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| + | # Debug-logging controls: "none" for (almost) none, "all" for lots. | ||
| + | #klipsdebug=none | ||
| + | plutodebug=none | ||
| + | interfaces=%defaultroute | ||
| + | oe=no | ||
| + | protostack=netkey | ||
| + | syslog=syslog.debug | ||
| + | # syslog=syslog.warning | ||
| + | virtual_private=%v4:192.168.0.0/24, # Here you add the local/internal network of your server | ||
| + | nat_traversal=yes # if required - probably yes | ||
| + | # Connection settings | ||
| + | # Router to Server | ||
| + | conn draytek-wan1 # Your connection name | ||
| + | type=tunnel | ||
| + | authby=secret | ||
| + | auto=start # n.b. "auto = start" for ipsec to try and make a connection or "auto = add" to accept incoming | ||
| + | ikelifetime=28800s | ||
| + | keylife=3600s | ||
| + | left=%defaultroute | ||
| + | leftsourceip=192.168.98.1 # This is the IP address of your internal ethernet connection on your server | ||
| + | leftsubnet=192.168.98.0/24 # This is your local network on your server | ||
| + | pfs=yes # If require | ||
| + | dpdaction=restart | ||
| + | dpddelay=30 | ||
| + | dpdtimeout=10 | ||
| + | right=1.2.3.4 # This is the WAN IP address of your router that is connecting in | ||
| + | rightsubnet=192.168.0.0/24 # This is the local network behind the router at the far end | ||
| + | # More incoming connections here | ||
===Passwords=== | ===Passwords=== | ||
| − | |||
The following file needs to be looked after and should be set chmod 0600 | The following file needs to be looked after and should be set chmod 0600 | ||
| − | # /etc/ipsec.secrets | + | # /etc/ipsec.secrets |
| − | # Format is | + | # Format is |
| − | # Incoming_IP Local_IP: PSK "Your#Strong#Password" | + | # Incoming_IP Local_IP: PSK "Your#Strong#Password" |
| − | + | 1.2.3.4 %any: PSK "Your#Strong#Password" | |
| − | 1.2.3.4 %any: PSK "Your#Strong#Password" | + | host.dnsalias.org %any: PSK "Your#Strong#Password" |
| − | host.dnsalias.org %any: PSK "Your#Strong#Password" | + | 1.2.3.4 192.168.98.1: PSK "Your#Strong#Password" |
| − | 1.2.3.4 192.168.98.1: PSK "Your#Strong#Password" | + | %any 192.168.98.1: PSK "Your#Strong#Password" |
| − | %any 192.168.98.1: PSK "Your#Strong#Password" | ||
A reboot should get everythign going. | A reboot should get everythign going. | ||
| Line 164: | Line 139: | ||
Check /var/log/secure for debug messages, and once you are happy, change the debug settings in ipsec.conf from debug to warning. | Check /var/log/secure for debug messages, and once you are happy, change the debug settings in ipsec.conf from debug to warning. | ||
| + | |||
If you need more debugging you can set plutodebug = all | If you need more debugging you can set plutodebug = all | ||
| − | |||
| − | |||
[[Category:Contrib:HowTo]] | [[Category:Contrib:HowTo]] | ||
[[Category:Administration:VPN]] | [[Category:Administration:VPN]] | ||
Revision as of 04:27, 15 September 2014
IPSec OpenSwan VPN to connect Servers HOWTO
Author/Contribitor: John Crisp
Revised: 15th Sept 2014
Summary: The purpose of this howto is to guide you through the procedure to connect servers using OpenSwan VPN to connect via IPSEC.
I actually use it so my Draytek routers can connect to my online Koozali SME VPS machine. This works on Koozali SME v8 and v9 with the unit in server-gateway mode.
On the online VPS it has a 'dummy' internal network adaptor but works fine with this.
Setup
SME Server 9.0
yum install openswan
SME Server 8.1
On v8 you need to find the following package, or newer :
openswan-2.6.38-1.x86_64.rpm
You can grab a copy here : http://www.reetspetit.com/smeserver/5/repoview/index.html
I can't remember if I built that myself or got it somewhere as it seems quite elusive. If I can find the source I will build a src rpm.
Then":
yum localinstall openswan-2.6.38-1.x86_64.rpm
You will need a link in etc/rc.d/rc7.d so the service starts :
S99ipsec -> /etc/rc.d/init.d/e-smith-service
Alternatively to do it the Koozali SME way : Create db entry:
db configuration set ipsec service status enabled db configuration show ipsec ipsec=service status=enabled ln -s /etc/rc.d/init.d/e-smith-service /etc/rc.d/rc7.d/S99ipsec
You can now enable and disble the service accordingly.
Firewall
We need a new template fragment to allow ipsec through the firewall
touch /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/15AllowIPsec
Add the following code :
# IPsec ports /sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT /sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1 /sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT /sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT /sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT /sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
expand-template /etc/rc.d/init.d/masq service masq restart
We also need to disable redirects. I have the following code in a file called Disable_Redirects.sh and a link to it in /etc/rc.d/rc.local
#!/bin/bash # For OpenSwan # Disable send redirects echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects # echo 0 > /proc/sys/net/ipv4/conf/ppp0/send_redirects # Disable accept redirects echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects # echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects
OpenSwan Configuration
Here is a sample of my /etc/ipsec.conf with some added notes. LEFT side is your server. RIGHT side is your router.
# /etc/ipsec.conf # basic configuration #auto = 'start' for both ways or 'add' for incoming only
version 2.0 config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots. #klipsdebug=none plutodebug=none interfaces=%defaultroute oe=no protostack=netkey syslog=syslog.debug # syslog=syslog.warning virtual_private=%v4:192.168.0.0/24, # Here you add the local/internal network of your server nat_traversal=yes # if required - probably yes # Connection settings # Router to Server conn draytek-wan1 # Your connection name type=tunnel authby=secret auto=start # n.b. "auto = start" for ipsec to try and make a connection or "auto = add" to accept incoming ikelifetime=28800s keylife=3600s left=%defaultroute leftsourceip=192.168.98.1 # This is the IP address of your internal ethernet connection on your server leftsubnet=192.168.98.0/24 # This is your local network on your server pfs=yes # If require dpdaction=restart dpddelay=30 dpdtimeout=10 right=1.2.3.4 # This is the WAN IP address of your router that is connecting in rightsubnet=192.168.0.0/24 # This is the local network behind the router at the far end # More incoming connections here
Passwords
The following file needs to be looked after and should be set chmod 0600
# /etc/ipsec.secrets # Format is # Incoming_IP Local_IP: PSK "Your#Strong#Password" 1.2.3.4 %any: PSK "Your#Strong#Password" host.dnsalias.org %any: PSK "Your#Strong#Password" 1.2.3.4 192.168.98.1: PSK "Your#Strong#Password" %any 192.168.98.1: PSK "Your#Strong#Password"
A reboot should get everythign going.
Now set up your router. Create a new IPSEC VPN connection with the correct credentials and it shoudl connect up.
Check /var/log/secure for debug messages, and once you are happy, change the debug settings in ipsec.conf from debug to warning.
If you need more debugging you can set plutodebug = all
