Changes

From SME Server
Jump to navigationJump to search
4,876 bytes added ,  17:34, 25 January 2017
no edit summary
Line 6: Line 6:  
Whilst the contribs do their best to make sure there is a simple secure setup, I make no guarantees !
 
Whilst the contribs do their best to make sure there is a simple secure setup, I make no guarantees !
   −
Where possible use RSA keys instead of passwords.
+
Where possible use RSA keys or certificates instead of passwords.
 
   
 
   
 
An alternative solution is https://wiki.contribs.org/OpenVPN_SiteToSite or https://wiki.contribs.org/OpenVPN_Bridge  
 
An alternative solution is https://wiki.contribs.org/OpenVPN_SiteToSite or https://wiki.contribs.org/OpenVPN_Bridge  
Line 60: Line 60:  
https://github.com/reetp/smeserver-openswan
 
https://github.com/reetp/smeserver-openswan
    +
Please note that this version is no longer under development as SME v8 is EOL at the end of March 2017
 +
 +
It is possible to use Openswan on SME v9 but I do not have the time to maintain the contrib for both versions.
 +
RedHat have swapped to using Libreswan as their default IPsec implementation.
    
= '''For Koozali SME9''' =
 
= '''For Koozali SME9''' =
Line 76: Line 80:     
<headertabs />
 
<headertabs />
 +
    
==IPSEC server to server configuration==
 
==IPSEC server to server configuration==
Openswan/IPSEC can be used to setup a secure and permanent VPN connection between a SME Server and another (local or remote) IPSEC enabled device such as a router.
+
 
 +
Libreswan/Openswan/IPSEC can be used to setup a secure and permanent VPN connection between a SME Server and another (local or remote) IPSEC enabled device such as a router.
    
Note - if you want to use with an online VPS set the server to server/gateway with a 'dummy' internal network adaptor.
 
Note - if you want to use with an online VPS set the server to server/gateway with a 'dummy' internal network adaptor.
    
===Passwords===
 
===Passwords===
 +
 
It is recommended to create a very strong random password and keep this safe. One way of generating and store a random strong password is explained [http://wiki.contribs.org/Useful_Commands#Generating_strong_random_password '''here''']
 
It is recommended to create a very strong random password and keep this safe. One way of generating and store a random strong password is explained [http://wiki.contribs.org/Useful_Commands#Generating_strong_random_password '''here''']
   −
Alternatively see RSA key section below for much stronger passwords
+
Alternatively see RSA key and Certificate sections below for much stronger passwords
 +
 
    
===Settings===
 
===Settings===
   −
The contrib has a lot of configurable settings but with the defaults and few details it should just work
+
The contrib has a lot of configurable settings but with the defaults and a few details it should just work.
   −
config setprop ipsec status enabled access public
+
General settings and some defaults are stored in the main config DB
   −
Note for ipsec_connections we use 'set' when we create new connection. Thereafter you can modify it with setprop.
+
config show ipsec
   −
Note most people refer to East and West rather than Local and Remote. There is a very good reason for this if you start using RSA keys !
+
Connection specific settings are stored in a separate DB
 +
 
 +
db ipsec_connections show
 +
 
 +
{{Note box|For ipsec_connections we use 'set' when we create a new connection. Thereafter you can modify it with setprop}}
 +
 
 +
{{Note box|Most people refer to East and West rather than Local and Remote. There is a very good reason for this if you start using RSA keys !}}
    
Server East - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24
 
Server East - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24
Line 104: Line 118:     
  signal-event ipsec-update
 
  signal-event ipsec-update
 +
    
===Logs and Debug===
 
===Logs and Debug===
 +
 +
{{Warning box| If you are trying to connect Libreswan to other *swan versions using IPsec v2 you may see this in the logs
 +
"failed to match authenticator"
 +
which may cause link failures.
 +
This seems to be an issue with some *swan versions - see this thread for more
 +
https://lists.libreswan.org/pipermail/swan/2017/001956.html}}
    
The following will give you connection details.  
 
The following will give you connection details.  
Line 132: Line 153:  
For ipsec itself place to look is /var/log/pluto/pluto.log
 
For ipsec itself place to look is /var/log/pluto/pluto.log
    +
If you need more debugging you can set plutodebug = all
 +
 +
 +
===RSA Keys===
 +
 +
For the better security it is recommended to use RSA keys.
 +
 +
There are notes on github as this can be quite lengthy
 +
 +
https://github.com/reetp/smeserver-libreswan/blob/master/IpsecSettings.txt
 +
 +
A basic ipsec_connections entry setup should look this - note it will need a matching setup at the other end):
 +
 +
MyEast=ipsec
 +
    leftsourceip=192.168.20.1
 +
    leftsubnet=192.168.20.0/24
 +
    right=1.2.3.4
 +
    rightsubnet=10.0.0.0/24
 +
    security=rsasig
 +
    leftid=East
 +
    rightid=West
 +
    leftrsasig=SomeLongPassFromEast
 +
    rightrsasig=SomeLongPasswordFromWest
 +
    status enabled
 +
 +
 +
===Certificates===
 +
 +
You can now use a CA and PKCS#12 certificates.
 +
 +
There are notes on github as this can be quite lengthy
 +
 +
https://github.com/reetp/smeserver-libreswan/blob/master/ipsec-certificate-notes.txt
 +
 +
A basic ipsec_connections entry setup should look this:
 +
 +
MyEast=ipsec
 +
    leftcert=LocalServer
 +
    leftsourceip=192.168.1.1
 +
    leftsubnet=192.168.1.0/24
 +
    right=5.6.7.8
 +
    rightcert=RemoteServer
 +
    rightsubnet=192.168.100.0/24
 +
    security=certs
 +
    status=enabled
 +
 +
 +
===DB Keys===
 +
 +
There are a lot of keys involved in ipsec.
   −
If you need more debugging you can set plutodebug = all
+
Where possible just use the minimum that you require depending on whether you want PSK password / RSA signature / Certificate security
 +
 
 +
There are notes on github as this can be quite lengthy
 +
 
 +
https://github.com/reetp/smeserver-libreswan/blob/master/IpsecSettings.txt
 +
 
 +
Here are the currently available settings and options:
 +
 
 +
 
 +
====IPsec settings====
 +
 
 +
These settings are generic and can be overwritten on a per connection basis
 +
 
 +
config ipsec show
 +
 
 +
Only set with:
 +
db configuration setprop ipsec $key $property
 +
 
 +
Setting status enabled/disabled will modify access to private/public
 +
 
 +
status: Default disabled | enabled
 +
access: Default private | public
 +
UDPPorts: Default 500,4500 | Variable
 +
auto: Default start | add (do not use ondemand or ignore)
 +
debug: none | all raw crypt parsing emitting control controlmore lifecycle dns dpd klips pfkey natt oppo oppoinfo whackwatch private
 +
(all generates a LARGE amount of logging so use with care)
 +
 
 +
 
 +
====General Settings====
 +
 
 +
Overall default settings - these can be in main config db or set per connection in db ipsec_connections
 +
 
 +
security: secret | rsasig | certs
 +
ikelifetime: Default 3600s | Variable
 +
salifetime: Default 28800s | Variable
 +
dpdaction: Default restart | Variable
 +
dpddelay: Default 30 | Variable
 +
dpdtimeout: Default 10 | Variable
 +
pfs: Default yes | Variable
 +
connectiontype: Default secret | rassig, certificate
 +
ike: Default aes-sha1 | variable - see ipsec.conf readme file for more options
 +
ipsecversion: Default permit | Whether to allow ikev2 - also : insist/propose/yes/never/no
 +
 
 +
 
 +
====Per connection settings====
 +
 
 +
{{Warning box|Automatically modified - do not change this
 +
PreviousState: Denotes previous connection state
 +
}}
 +
 
 +
Manual keys
 +
 
 +
db ipsec_connections show
 +
 
 +
db ipsec_connections setprop ConnectionName $key $property
 +
 
 +
iptype: Default Empty | stattodyn or dyntostat - are we a static host to dynamic client or vice versa ? - Only required for dynamic clients with static hosts
 +
connectiontype: Default tunnel | transport/passthrough/drop/reject
 +
leftrsasig: Default Empty | Your Local rsasignature key
 +
rightrsasig: Default Empty | Your Remote rsasignature key
 +
ipsecversion: Default permit | Whether to allow ikev2 - also : insist/propose/yes/never/no
 +
ike: Default aes-sha1 | Varable
 +
phase2: Default aes-sha1 | Variable
 +
mtu: Default Empty | Variable
 +
left: Default Empty | If Empty then %defaultroute is set. Can be local WAN IP
 +
leftid: Default Empty | Variable
 +
leftsourceip:  Default Empty | This server local IP
 +
leftsubnet:  Default Empty | This server local subnet
 +
right: Default Empty | Destination WAN IP
 +
rightid: Default Empty | Variable
 +
rightsubnet: Default Empty | Destination subnet
 +
passwd: Default Empty | Variable
 +
keyingtries: Default Empty | 0 is default - 'forever'
 +
leftcert Default Empty | LeftCertName
 +
rightcert Default Empty | RightCertName
   −
=== RSA Keys===
+
For certificates - do not set or leave the following empty:
   −
For the better security it is recommended to use RSA keys. There is more on this on the github page https://github.com/reetp/smeserver-libreswan/blob/master/IpsecSettings.txt
+
leftrsasig: Default Empty - system generates %cert
 +
rightrsasig: Default Empty - system generates %cert
 +
leftid: Default Empty - system generates %fromcert
 +
rightid: Default Empty - system generates %fromcert
     

Navigation menu