Line 6: |
Line 6: |
| Whilst the contribs do their best to make sure there is a simple secure setup, I make no guarantees ! | | Whilst the contribs do their best to make sure there is a simple secure setup, I make no guarantees ! |
| | | |
− | Where possible use RSA keys instead of passwords. | + | Where possible use RSA keys or certificates instead of passwords. |
| | | |
| An alternative solution is https://wiki.contribs.org/OpenVPN_SiteToSite or https://wiki.contribs.org/OpenVPN_Bridge | | An alternative solution is https://wiki.contribs.org/OpenVPN_SiteToSite or https://wiki.contribs.org/OpenVPN_Bridge |
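Review bot: the new wording "RSA keys or certificates" on the changed line is the only place the intro names the two key-based modes, and the surrounding intro text is unchanged, so consider pointing the reader to the RSA Keys and Certificates sections added further down (the introduction otherwise gives no hint where the setup for either mode lives). Minor: the stray space before "!" in "make no guarantees !" is carried over from the old text and could be dropped while this line is being touched.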
Line 60: |
Line 60: |
| https://github.com/reetp/smeserver-openswan | | https://github.com/reetp/smeserver-openswan |
| | | |
| + | Please note that this version is no longer under development as SME v8 is EOL at the end of March 2017 |
| + | |
| + | It is possible to use Openswan on SME v9 but I do not have the time to maintain the contrib for both versions. |
| + | RedHat have swapped to using Libreswan as their default IPsec implementation. |
| | | |
| = '''For Koozali SME9''' = | | = '''For Koozali SME9''' = |
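Review bot: "this version" in the added EOL note is ambiguous: the note sits directly under the smeserver-openswan GitHub link but immediately above the "= For Koozali SME9 =" heading, so say explicitly that it is the Openswan contrib for SME v8 that is no longer developed, for example "Please note that the Openswan contrib (smeserver-openswan) is no longer under development as SME v8 is EOL at the end of March 2017". The added line "RedHat have swapped to using Libreswan as their default IPsec implementation" reads better as "Red Hat has switched to Libreswan as its default IPsec implementation", and since it is the sentence that justifies the separate SME9/Libreswan section it could lead the note rather than close it.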
Line 76: |
Line 80: |
| | | |
| <headertabs /> | | <headertabs /> |
| + | |
| | | |
| ==IPSEC server to server configuration== | | ==IPSEC server to server configuration== |
− | Openswan/IPSEC can be used to setup a secure and permanent VPN connection between a SME Server and another (local or remote) IPSEC enabled device such as a router. | + | |
| + | Libreswan/Openswan/IPSEC can be used to setup a secure and permanent VPN connection between a SME Server and another (local or remote) IPSEC enabled device such as a router. |
| | | |
| Note - if you want to use with an online VPS set the server to server/gateway with a 'dummy' internal network adaptor. | | Note - if you want to use with an online VPS set the server to server/gateway with a 'dummy' internal network adaptor. |
| | | |
| ===Passwords=== | | ===Passwords=== |
| + | |
| It is recommended to create a very strong random password and keep this safe. One way of generating and store a random strong password is explained [http://wiki.contribs.org/Useful_Commands#Generating_strong_random_password '''here'''] | | It is recommended to create a very strong random password and keep this safe. One way of generating and store a random strong password is explained [http://wiki.contribs.org/Useful_Commands#Generating_strong_random_password '''here'''] |
| | | |
− | Alternatively see RSA key section below for much stronger passwords | + | Alternatively see RSA key and Certificate sections below for much stronger passwords |
| + | |
| | | |
| ===Settings=== | | ===Settings=== |
| | | |
− | The contrib has a lot of configurable settings but with the defaults and few details it should just work | + | The contrib has a lot of configurable settings but with the defaults and a few details it should just work. |
| | | |
− | config setprop ipsec status enabled access public
| + | General settings and some defaults are stored in the main config DB |
| | | |
− | Note for ipsec_connections we use 'set' when we create new connection. Thereafter you can modify it with setprop.
| + | config show ipsec |
| | | |
− | Note most people refer to East and West rather than Local and Remote. There is a very good reason for this if you start using RSA keys ! | + | Connection specific settings are stored in a separate DB |
| + | |
| + | db ipsec_connections show |
| + | |
| + | {{Note box|For ipsec_connections we use 'set' when we create a new connection. Thereafter you can modify it with setprop}} |
| + | |
| + | {{Note box|Most people refer to East and West rather than Local and Remote. There is a very good reason for this if you start using RSA keys !}} |
| | | |
| Server East - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24 | | Server East - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24 |
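Review bot: the removed line "config setprop ipsec status enabled access public" was the only command in this section that actually enables the service and exposes it on the WAN; the replacement text only shows the inspection commands "config show ipsec" and "db ipsec_connections show", so a reader following the page no longer sees how to turn the service on or that it is being opened to the Internet. Restore the setprop example (followed by "signal-event ipsec-update", which the later section already documents) and state that "access public" is the step that opens the daemon's UDP ports externally, since that is the security-relevant decision in this section and should not be left implicit. Smaller points in the same hunk: "setup" is a noun, so the added Libreswan/Openswan line should read "can be used to set up a secure and permanent VPN connection"; the first {{Note box}} would be unambiguous if it quoted the command form, e.g. "db ipsec_connections set ConnectionName ipsec ..." for creation versus "db ipsec_connections setprop ..." afterwards; and the blank "+" row above "==IPSEC server to server configuration==" leaves two consecutive empty lines under <headertabs />.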
Line 104: |
Line 118: |
| | | |
| signal-event ipsec-update | | signal-event ipsec-update |
| + | |
| | | |
| ===Logs and Debug=== | | ===Logs and Debug=== |
| + | |
| + | {{Warning box| If you are trying to connect Libreswan to other *swan versions using IPsec v2 you may see this in the logs |
| + | "failed to match authenticator" |
| + | which may cause link failures. |
| + | This seems to be an issue with some *swan versions - see this thread for more |
| + | https://lists.libreswan.org/pipermail/swan/2017/001956.html}} |
| | | |
| The following will give you connection details. | | The following will give you connection details. |
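Review bot: "IPsec v2" in the added warning box should read "IKEv2"; there is no IPsec v2, and the IKE version is what the ipsecversion key documented later on the page controls, so naming it correctly lets the reader find the relevant setting. The box would also be more useful if it recorded which Libreswan release produced "failed to match authenticator" when the linked lists.libreswan.org thread was filed, since "some *swan versions" gives a reader no way to tell whether their peer is affected, and a closing sentence pointing at the ipsecversion key as the setting to review for a mismatched peer would turn the warning into something actionable rather than a bare log excerpt. Minor: the first sentence of the box has no terminating punctuation before the quoted log line.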
Line 132: |
Line 153: |
| For ipsec itself place to look is /var/log/pluto/pluto.log | | For ipsec itself place to look is /var/log/pluto/pluto.log |
| | | |
| + | If you need more debugging you can set plutodebug = all |
| + | |
| + | |
| + | ===RSA Keys=== |
| + | |
| + | For the better security it is recommended to use RSA keys. |
| + | |
| + | There are notes on github as this can be quite lengthy |
| + | |
| + | https://github.com/reetp/smeserver-libreswan/blob/master/IpsecSettings.txt |
| + | |
| + | A basic ipsec_connections entry setup should look this - note it will need a matching setup at the other end): |
| + | |
| + | MyEast=ipsec |
| + | leftsourceip=192.168.20.1 |
| + | leftsubnet=192.168.20.0/24 |
| + | right=1.2.3.4 |
| + | rightsubnet=10.0.0.0/24 |
| + | security=rsasig |
| + | leftid=East |
| + | rightid=West |
| + | leftrsasig=SomeLongPassFromEast |
| + | rightrsasig=SomeLongPasswordFromWest |
| + | status enabled |
| + | |
| + | |
| + | ===Certificates=== |
| + | |
| + | You can now use a CA and PKCS#12 certificates. |
| + | |
| + | There are notes on github as this can be quite lengthy |
| + | |
| + | https://github.com/reetp/smeserver-libreswan/blob/master/ipsec-certificate-notes.txt |
| + | |
| + | A basic ipsec_connections entry setup should look this: |
| + | |
| + | MyEast=ipsec |
| + | leftcert=LocalServer |
| + | leftsourceip=192.168.1.1 |
| + | leftsubnet=192.168.1.0/24 |
| + | right=5.6.7.8 |
| + | rightcert=RemoteServer |
| + | rightsubnet=192.168.100.0/24 |
| + | security=certs |
| + | status=enabled |
| + | |
| + | |
| + | ===DB Keys=== |
| + | |
| + | There are a lot of keys involved in ipsec. |
| | | |
− | If you need more debugging you can set plutodebug = all
| + | Where possible just use the minimum that you require depending on whether you want PSK password / RSA signature / Certificate security |
| + | |
| + | There are notes on github as this can be quite lengthy |
| + | |
| + | https://github.com/reetp/smeserver-libreswan/blob/master/IpsecSettings.txt |
| + | |
| + | Here are the currently available settings and options: |
| + | |
| + | |
| + | ====IPsec settings==== |
| + | |
| + | These settings are generic and can be overwritten on a per connection basis |
| + | |
| + | config ipsec show |
| + | |
| + | Only set with: |
| + | db configuration setprop ipsec $key $property |
| + | |
| + | Setting status enabled/disabled will modify access to private/public |
| + | |
| + | status: Default disabled | enabled |
| + | access: Default private | public |
| + | UDPPorts: Default 500,4500 | Variable |
| + | auto: Default start | add (do not use ondemand or ignore) |
| + | debug: none | all raw crypt parsing emitting control controlmore lifecycle dns dpd klips pfkey natt oppo oppoinfo whackwatch private |
| + | (all generates a LARGE amount of logging so use with care) |
| + | |
| + | |
| + | ====General Settings==== |
| + | |
| + | Overall default settings - these can be in main config db or set per connection in db ipsec_connections |
| + | |
| + | security: secret | rsasig | certs |
| + | ikelifetime: Default 3600s | Variable |
| + | salifetime: Default 28800s | Variable |
| + | dpdaction: Default restart | Variable |
| + | dpddelay: Default 30 | Variable |
| + | dpdtimeout: Default 10 | Variable |
| + | pfs: Default yes | Variable |
| + | connectiontype: Default secret | rassig, certificate |
| + | ike: Default aes-sha1 | variable - see ipsec.conf readme file for more options |
| + | ipsecversion: Default permit | Whether to allow ikev2 - also : insist/propose/yes/never/no |
| + | |
| + | |
| + | ====Per connection settings==== |
| + | |
| + | {{Warning box|Automatically modified - do not change this |
| + | PreviousState: Denotes previous connection state |
| + | }} |
| + | |
| + | Manual keys |
| + | |
| + | db ipsec_connections show |
| + | |
| + | db ipsec_connections setprop ConnectionName $key $property |
| + | |
| + | iptype: Default Empty | stattodyn or dyntostat - are we a static host to dynamic client or vice versa ? - Only required for dynamic clients with static hosts |
| + | connectiontype: Default tunnel | transport/passthrough/drop/reject |
| + | leftrsasig: Default Empty | Your Local rsasignature key |
| + | rightrsasig: Default Empty | Your Remote rsasignature key |
| + | ipsecversion: Default permit | Whether to allow ikev2 - also : insist/propose/yes/never/no |
| + | ike: Default aes-sha1 | Varable |
| + | phase2: Default aes-sha1 | Variable |
| + | mtu: Default Empty | Variable |
| + | left: Default Empty | If Empty then %defaultroute is set. Can be local WAN IP |
| + | leftid: Default Empty | Variable |
| + | leftsourceip: Default Empty | This server local IP |
| + | leftsubnet: Default Empty | This server local subnet |
| + | right: Default Empty | Destination WAN IP |
| + | rightid: Default Empty | Variable |
| + | rightsubnet: Default Empty | Destination subnet |
| + | passwd: Default Empty | Variable |
| + | keyingtries: Default Empty | 0 is default - 'forever' |
| + | leftcert Default Empty | LeftCertName |
| + | rightcert Default Empty | RightCertName |
| | | |
− | === RSA Keys===
| + | For certificates - do not set or leave the following empty: |
| | | |
− | For the better security it is recommended to use RSA keys. There is more on this on the github page https://github.com/reetp/smeserver-libreswan/blob/master/IpsecSettings.txt
| + | leftrsasig: Default Empty - system generates %cert |
| + | rightrsasig: Default Empty - system generates %cert |
| + | leftid: Default Empty - system generates %fromcert |
| + | rightid: Default Empty - system generates %fromcert |
| | | |
| | | |
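Review bot: the General Settings list documents "connectiontype: Default secret | rassig, certificate", but the Per connection list documents the same key as "connectiontype: Default tunnel | transport/passthrough/drop/reject", and "security: secret | rsasig | certs" directly above already carries the secret/rsasig/certs choice; the General Settings entry looks like a leftover duplicate of "security" ("rassig" being a typo for "rsasig" and "certificate" not matching "certs") and should be removed or renamed, otherwise a reader who sets connectiontype=rsasig ends up with neither a valid tunnel type nor RSA authentication. Other points in the same hunk: "config ipsec show" under IPsec settings has the arguments reversed relative to "config show ipsec" used earlier on the page; the RSA example writes "status enabled" while the certificate example writes "status=enabled", and the sample values "leftrsasig=SomeLongPassFromEast" / "rightrsasig=SomeLongPasswordFromWest" suggest a passphrase even though the section calls them signature keys (for Libreswan's leftrsasigkey= the value is the host's RSA public key, not a secret), so a placeholder such as "<East RSA public key>" would mislead less; "should look this" should be "should look like this" in both examples, and the RSA one has an unmatched ")"; "ike: Default aes-sha1 | Varable" should be "Variable"; "leftcert"/"rightcert" lack the colon every other entry uses; and "Setting status enabled/disabled will modify access to private/public" leaves the direction unclear (does enabling set access=public automatically, or must access still be set separately?), which matters because access=public is what exposes the daemon on the WAN interface, so the sentence should spell out exactly what each setting changes.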