Line 66: |
| Here is an example: | | Here is an example: |
| | | |
| + | Note - if you want to use with an online VPS set the server to server/gateway with a 'dummy' internal network adaptor. |
| | | |
− | On the online VPS it has a 'dummy' internal network adaptor but works fine with this.
| |
| | | |
− | Here is a sample of my /etc/ipsec.conf with some added notes.
| + | ===Passwords=== |
| + | It is recommended to create a very strong random password and keep this safe. One way of generating and store a random strong password is explained [http://wiki.contribs.org/Useful_Commands#Generating_strong_random_password '''here'''] |
| | | |
− | LEFT side is your server. RIGHT side is your router.
| + | ===Setting=== |
| | | |
− | # /etc/ipsec.conf
| + | The contrib has a lot of configurable settings but with the defaults and few details it should just work |
− | # basic configuration
| |
− | #auto = 'start' for both ways or 'add' for incoming only
| |
| | | |
− | version 2.0
| + | config setprop ipsec status enabled access public |
− | config setup | |
| | | |
− | # Debug-logging controls: "none" for (almost) none, "all" for lots.
| + | Note for ipsec_connections we use 'set' when we create new connection. Thereafter you can modify it with setprop |
− | #klipsdebug=none
| |
− | plutodebug=none
| |
− | interfaces=%defaultroute
| |
− | oe=no
| |
− | protostack=netkey
| |
− | syslog=syslog.debug
| |
− | # syslog=syslog.warning
| |
− | virtual_private=%v4:192.168.0.0/24, # Here you add the local/internal network of your server
| |
− | nat_traversal=yes # if required - probably yes
| |
− | # Connection settings
| |
− | # Router to Server
| |
− | conn draytek-wan1 # Your connection name
| |
− | type=tunnel
| |
− | authby=secret
| |
− | auto=start # n.b. "auto = start" for ipsec to try and make a connection or "auto = add" to accept incoming
| |
− | ikelifetime=28800s
| |
− | keylife=3600s
| |
− | left=%defaultroute
| |
− | leftsourceip=192.168.98.1 # This is the IP address of your internal ethernet connection on your server
| |
− | leftsubnet=192.168.98.0/24 # This is your local network on your server
| |
− | pfs=yes # If require
| |
− | dpdaction=restart
| |
− | dpddelay=30
| |
− | dpdtimeout=10
| |
− | right=1.2.3.4 # This is the WAN IP address of your router that is connecting in
| |
− | rightsubnet=192.168.0.0/24 # This is the local network behind the router at the far end
| |
− | # More incoming connections here
| |
| | | |
− | ===Passwords===
| + | Local - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24 |
− | It is recommended to create a very strong random password and keep this safe. One way of generating and store a random strong password is explained [http://wiki.contribs.org/Useful_Commands#Generating_strong_random_password '''here''']
| + | db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 passwd MyPassWd |
| + | |
| + | Remote - WAN IP 1.2.3.4 Local IP 10.0.0.1 Subnet 10.0.0.0/24 |
| + | db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 passwd MyPassWd |
| + | |
| + | signal-event ipsec-update |
| + | |
| + | Check /var/log/pluto/pluto.log |
| + | ipsec whack --status |
| + | ipsec verify (may be some warnings - severity depends on what they are) |
| + | |
| + | For the better security it is recommended to use RSA keys. There is more on this on the github page https://github.com/reetp/smeserver-libreswan/blob/master/IpsecSettings.txt |
| + | |
| + | If you modify a connection use |
| | | |
− | The following file needs to be looked after and should be set chmod 0600
| + | signal-event ipsec-update |
| | | |
− | # /etc/ipsec.secrets
| + | For a restart of ipsec use |
− | # Format is
| |
− | # Incoming_IP Local_IP: PSK "Your#Strong#Password"
| |
− | 1.2.3.4 %any: PSK "Your#Strong#Password"
| |
− | host.dnsalias.org %any: PSK "Your#Strong#Password"
| |
− | 1.2.3.4 192.168.98.1: PSK "Your#Strong#Password"
| |
− | %any 192.168.98.1: PSK "Your#Strong#Password"
| |
| | | |
| + | service ipsec restart |
| | | |
| ==Verifying configuration== | | ==Verifying configuration== |
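Review bot: the worked example in the new text (`db ipsec_connections set MyEast ... passwd MyPassWd` and the matching `MyWest` line) puts a weak placeholder pre-shared key straight on the command line, immediately after the new ===Passwords=== section tells the reader to generate a very strong random password and keep it safe; at the same time the removed block dropped the only warning that the secret store (`/etc/ipsec.secrets`, "should be set chmod 0600") has to be protected. Suggest replacing `MyPassWd` with an obvious placeholder that points back to the Passwords section (e.g. `passwd <strong-random-password>`), and keeping one sentence that the PSK now lives in the ipsec_connections db and in the generated /etc/ipsec.secrets, both of which must stay root-only (0600), and that typing it on the command line leaves it in the shell history. Minor: the old text documented the `auto=start` (both ways) versus `auto=add` (incoming only) choice, PFS and DPD; the replacement says "with the defaults and few details it should just work" without naming the defaults, so a pointer to the IpsecSettings.txt link for those options would help. Grammar in the new lines: "One way of generating and store a random strong password" should read "One way of generating and storing", and "with the defaults and few details" should read "with the defaults and a few details".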