Line 6: |
Line 6: |
| Whilst the contribs do their best to make sure there is a simple secure setup, I make no guarantees ! | | Whilst the contribs do their best to make sure there is a simple secure setup, I make no guarantees ! |
| | | |
− | Where possible use RSA keys instead of passwords. | + | Where possible use RSA keys or certificates instead of passwords. |
| | | |
| An alternative solution is https://wiki.contribs.org/OpenVPN_SiteToSite or https://wiki.contribs.org/OpenVPN_Bridge | | An alternative solution is https://wiki.contribs.org/OpenVPN_SiteToSite or https://wiki.contribs.org/OpenVPN_Bridge |
| | | |
− | Where possible avoid the use of PPTP as it was cracked a long time ago and is very easy to read }} | + | Where possible avoid the use of PPTP as it was cracked a long time ago and is very easy to read |
| + | |
| + | With IKE v2 it is possible to allow dial in clients. |
| + | |
| + | For older dial clients you can also look at https://wiki.contribs.org/Smeserver-libreswan-xl2tpd |
| + | }} |
| | | |
| === Version === | | === Version === |
− | ====SME8==== | + | ====Koozali SME v8==== |
| | | |
| <div style="background: #EFE9E9; border: 1px solid #AAA; padding: 5px; padding-bottom: 17px; margin: 5px; width: 97%"> | | <div style="background: #EFE9E9; border: 1px solid #AAA; padding: 5px; padding-bottom: 17px; margin: 5px; width: 97%"> |
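Review bot: the new sentence "With IKE v2 it is possible to allow dial in clients." gives no pointer to how such clients are configured, whereas the next line links the L2TP alternative; suggest linking the relevant settings notes (the github IpsecSettings notes used elsewhere on the page) or the section that covers road-warrior setup, and hyphenating "dial-in" in both new lines. The `}}` that closed the note box on the removed line now sits on its own line after the two additions, which is fine, but the box now ends with a bare link rather than a sentence; a short "for older dial-in clients see ..." reads better.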
Line 22: |
Line 27: |
| <div>Please use the version of openswan in the ReetP repo as below</div> | | <div>Please use the version of openswan in the ReetP repo as below</div> |
| </div> | | </div> |
− | {{ #smeversion: smeserver-openswan}}
| + | |
− | ====SME9==== | + | |
| + | ====Koozali SME v9==== |
| {{ #smeversion: libreswan}} | | {{ #smeversion: libreswan}} |
| {{ #smeversion: smeserver-libreswan}} | | {{ #smeversion: smeserver-libreswan}} |
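Review bot: removing `{{ #smeversion: smeserver-openswan}}` leaves the unchanged div text "Please use the version of openswan in the ReetP repo as below" pointing at nothing in the v8 block, since only the libreswan version templates remain under the v9 heading; either keep the openswan version line under "Koozali SME v8" or reword the div to say the v8 contrib is no longer tracked here (the later hunk already states it is unmaintained).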
Line 47: |
Line 53: |
| | | |
| ==Installation== | | ==Installation== |
− | = '''For Koozali SME8''' = | + | = For Koozali SME10 = |
| + | For Koozali SME Server 10, the latest stable Libreswan can be found in the default repo's |
| + | |
| + | Note that the contrib is currently in test so to install: |
| + | yum install smeserver-extrarepositories-libreswan -y |
| + | db yum_repositories setprop libreswan status enabled Priority 10 |
| + | signal-event yum-modify |
| + | yum --enablerepo=smecontribs,smetest install smeserver-libreswan |
| + | |
| + | Configuration options and notes are here (check the latest branch): |
| + | =For Koozali SME8= |
| For Koozali SME Server 8 you will need the [https://wiki.contribs.org/User:ReetP ReetP] repo to install openswan | | For Koozali SME Server 8 you will need the [https://wiki.contribs.org/User:ReetP ReetP] repo to install openswan |
| + | {{:Reetspetit|transcludesection=SME9}} |
| + | |
| + | signal-event yum-modify |
| | | |
− | yum --enablerepo=smecontribs,epel,reetp install smeserver-openswan | + | Note that the contrib is currently in test so to install: |
| + | yum --enablerepo=smetest,reetp install smeserver-openswan |
| | | |
| Configuration options and notes are here (check the latest branch): | | Configuration options and notes are here (check the latest branch): |
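Review bot: the new SME10 block ends with "Configuration options and notes are here (check the latest branch):" and then goes straight into the `=For Koozali SME8=` heading, so the promised link is missing; add the github URL (the libreswan one used for v9 later on the page) after that line. Also the install headings were changed to level-1 (`= For Koozali SME10 =`, `=For Koozali SME8=`) while their parent `==Installation==` stays level-2, inverting the hierarchy; keep them at level-3 or below. Minor: "repo's" should be "repos". The SME10 steps themselves are consistent (the libreswan repository is enabled with `status enabled`, so it does not need to appear in `--enablerepo`), but it is worth stating that `smetest` packages are pre-release, as the line "the contrib is currently in test" implies.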
Line 56: |
Line 76: |
| https://github.com/reetp/smeserver-openswan | | https://github.com/reetp/smeserver-openswan |
| | | |
| + | Please note that this version is no longer under development as SME v8 is EOL at the end of March 2017 |
| + | |
| + | It is possible to use Openswan on SME v9 but I do not have the time to maintain the contrib for both versions. |
| + | RedHat have swapped to using Libreswan as their default IPsec implementation. |
| | | |
− | = '''For Koozali SME9''' = | + | = For Koozali SME9 = |
− | For Koozali SME Server 9, Libreswan can be found in the default repo's, so to install Libreswan simply enter the following command: | + | For Koozali SME Server 9, the latest stable Libreswan can be found in the default repo's |
| | | |
− | yum --enablerepo=smecontribs,epel install smeserver-libreswan | + | Note that the contrib is currently in test so to install: |
| + | yum --enablerepo=smetest install smeserver-libreswan |
| | | |
| Configuration options and notes are here (check the latest branch): | | Configuration options and notes are here (check the latest branch): |
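Review bot: "the latest stable Libreswan can be found in the default repo's" followed immediately by "Note that the contrib is currently in test so to install: yum --enablerepo=smetest install smeserver-libreswan" reads as a contradiction unless the reader already knows that "Libreswan" means the upstream package and "the contrib" means `smeserver-libreswan`; say so explicitly in the first sentence. The added EOL note for SME v8 (end of March 2017) and the RedHat/Libreswan remark are useful context; consider placing the EOL sentence at the top of the v8 block rather than after the link, so readers see it before running the install commands.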
Line 66: |
Line 91: |
| https://github.com/reetp/smeserver-libreswan | | https://github.com/reetp/smeserver-libreswan |
| | | |
− | {{Note box|I usually have the the latest version of libreswan in my own repo https://wiki.contribs.org/User:ReetP | + | {{Note box|You can get the latest version of libreswan itself here }} |
| + | |
| + | /sbin/e-smith/db yum_repositories set libreswan repository \ |
| + | BaseURL https://download.libreswan.org/binaries/rhel/6/x86_64/ \ |
| + | EnableGroups no \ |
| + | GPGCheck yes \ |
| + | GPGKey https://download.libreswan.org/binaries/RPM-GPG-KEY-libreswan \ |
| + | Name LibreSwan \ |
| + | Visible yes \ |
| + | status disabled \ |
| + | |
| + | signal-event yum-modify |
| | | |
− | Use at your own risk !}}
| + | yum --enablerepo=libreswan install libreswan |
| | | |
| <headertabs /> | | <headertabs /> |
| | | |
− | ==IPSEC server to server configuration==
| + | |
− | Openswan/IPSEC can be used to setup a secure and permanent VPN connection between a SME Server and another (local or remote) IPSEC enabled device such as a router. | + | =IPSEC server to server configuration= |
| + | |
| + | Libreswan/Openswan/IPSEC can be used to setup a secure and permanent VPN connection between a SME Server and another (local or remote) IPSEC enabled device such as a router. |
| | | |
| Note - if you want to use with an online VPS set the server to server/gateway with a 'dummy' internal network adaptor. | | Note - if you want to use with an online VPS set the server to server/gateway with a 'dummy' internal network adaptor. |
| | | |
| ===Passwords=== | | ===Passwords=== |
| + | |
| It is recommended to create a very strong random password and keep this safe. One way of generating and store a random strong password is explained [http://wiki.contribs.org/Useful_Commands#Generating_strong_random_password '''here'''] | | It is recommended to create a very strong random password and keep this safe. One way of generating and store a random strong password is explained [http://wiki.contribs.org/Useful_Commands#Generating_strong_random_password '''here'''] |
| | | |
− | Alternatively see RSA key section below for much stronger passwords | + | Alternatively see RSA key and Certificate sections below for much stronger passwords |
| + | |
| + | |
| + | ===Setup PSK Passwords=== |
| + | |
| + | The contrib has a lot of configurable settings but with the defaults and a few details it should just work. |
| + | |
| + | General settings and some defaults are stored in the main config DB |
| | | |
− | ===Settings===
| + | config show ipsec |
| | | |
− | The contrib has a lot of configurable settings but with the defaults and few details it should just work
| + | Connection specific settings are stored in a separate DB |
| | | |
− | config setprop ipsec status enabled access public | + | db ipsec_connections show |
| | | |
− | Note for ipsec_connections we use 'set' when we create new connection. Thereafter you can modify it with setprop. | + | {{Note box|For ipsec_connections we use 'set' when we create a new connection. Thereafter you can modify it with setprop}} |
| | | |
− | Note most people refer to East and West rather than Local and Remote. There is a very good reason for this if you start using RSA keys ! | + | {{Note box|Most people refer to East and West rather than Local and Remote. There is a very good reason for this if you start using RSA keys !}} |
| | | |
| Server East - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24 | | Server East - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24 |
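Review bot: the repository definition ends with `status disabled \` on its last argument, so the trailing backslash continues the command onto the following empty line; drop the backslash on that line so the `db yum_repositories set ...` command terminates cleanly before `signal-event yum-modify`. The note box was also cut down to "You can get the latest version of libreswan itself here }}" with the commands placed outside the box and no link for "here"; either close the box after the commands or replace "here" with the download URL already present in `BaseURL`. Keeping `GPGCheck yes` together with the `GPGKey` URL is the right call for a third-party repository and is worth a sentence. Separately, this hunk removes `config setprop ipsec status enabled access public`, which was the only line showing how to turn the service on; the later key list says status and access exist, but a reader following the new text never enables IPsec, so a replacement enable step (with the access value they actually need) should go back in.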
Line 99: |
Line 145: |
| | | |
| signal-event ipsec-update | | signal-event ipsec-update |
| + | |
| + | |
| + | |
| + | ===Setup RSA Keys=== |
| + | |
| + | For the better security it is recommended to use RSA keys. |
| + | |
| + | There are notes on github as this can be quite lengthy |
| + | |
| + | https://github.com/reetp/smeserver-libreswan/blob/master/IpsecSettings.txt |
| + | |
| + | A basic ipsec_connections entry setup should look this - note it will need a matching setup at the other end): |
| + | |
| + | MyEast=ipsec |
| + | leftsourceip=192.168.20.1 |
| + | leftsubnet=192.168.20.0/24 |
| + | right=1.2.3.4 |
| + | rightsubnet=10.0.0.0/24 |
| + | security=rsasig |
| + | leftid=East |
| + | rightid=West |
| + | leftrsasig=SomeLongPassFromEast |
| + | rightrsasig=SomeLongPasswordFromWest |
| + | status enabled |
| + | |
| + | |
| + | ===Setup Certificates=== |
| + | |
| + | You can now use a CA and PKCS#12 certificates. |
| + | |
| + | There are notes on github as this can be quite lengthy |
| + | |
| + | https://github.com/reetp/smeserver-libreswan/blob/master/ipsec-certificate-notes.txt |
| + | |
| + | A basic ipsec_connections entry setup should look this: |
| + | |
| + | MyEast=ipsec |
| + | leftcert=LocalServer |
| + | leftsourceip=192.168.1.1 |
| + | leftsubnet=192.168.1.0/24 |
| + | right=5.6.7.8 |
| + | rightcert=RemoteServer |
| + | rightsubnet=192.168.100.0/24 |
| + | security=certs |
| + | status=enabled |
| + | |
| + | |
| + | ===DB Keys=== |
| + | |
| + | There are a lot of keys involved in ipsec. |
| + | |
| + | Where possible just use the minimum that you require depending on whether you want PSK password / RSA signature / Certificate security |
| + | |
| + | There are notes on github as this can be quite lengthy |
| + | |
| + | https://github.com/reetp/smeserver-libreswan/blob/master/IpsecSettings.txt |
| + | |
| + | Here are the currently available settings and options: |
| + | |
| + | |
| + | ====IPsec settings==== |
| + | |
| + | These settings are generic and can be overwritten on a per connection basis |
| + | |
| + | config ipsec show |
| + | |
| + | Only set with: |
| + | db configuration setprop ipsec $key $property |
| + | |
| + | Setting status enabled/disabled will modify access to private/public |
| + | |
| + | status: Default disabled | enabled |
| + | access: Default private | public |
| + | UDPPorts: Default 500,4500 | Variable |
| + | auto: Default start | add (do not use ondemand or ignore) |
| + | debug: none | all raw crypt parsing emitting control controlmore lifecycle dns dpd klips pfkey natt oppo oppoinfo whackwatch private |
| + | (all generates a LARGE amount of logging so use with care) |
| + | |
| + | |
| + | ====General Settings==== |
| + | |
| + | Overall default settings - these can be in main config db or set per connection in db ipsec_connections |
| + | |
| + | security: secret | rsasig | certs |
| + | ikelifetime: Default 3600s | Variable |
| + | salifetime: Default 28800s | Variable |
| + | dpdaction: Default restart | Variable |
| + | dpddelay: Default 30 | Variable |
| + | dpdtimeout: Default 10 | Variable |
| + | pfs: Default yes | Variable |
| + | connectiontype: Default secret | rassig, certificate |
| + | ike: Default aes-sha1 | Variable - see ipsec.conf readme file for more options - sample: aes256-sha2;dh14 or aes256-sha2;modp2048 |
| + | ipsecversion: Default permit | Whether to allow ikev2 - also : insist/propose/yes/never/no |
| + | |
| + | ====Per connection settings==== |
| + | |
| + | {{Warning box|Automatically modified - do not change this |
| + | PreviousState: Denotes previous connection state |
| + | }} |
| + | |
| + | Manual keys |
| + | |
| + | db ipsec_connections show |
| + | |
| + | db ipsec_connections setprop ConnectionName $key $property |
| + | |
| + | iptype: Default Empty | stattodyn or dyntostat - are we a static host to dynamic client or vice versa ? - Only required for dynamic clients with static hosts |
| + | connectiontype: Default tunnel | transport/passthrough/drop/reject |
| + | leftrsasig: Default Empty | Your Local rsasignature key |
| + | rightrsasig: Default Empty | Your Remote rsasignature key |
| + | ipsecversion: Default permit | Whether to allow ikev2 - also : insist/propose/yes/never/no |
| + | ike: Default aes-sha1 | Variable - sample: aes256-sha2;dh14 or aes256-sha2;modp2048 |
| + | phase2: Default aes-sha1 | Variable - sample: aes256-sha2;dh14 or aes256-sha2;modp2048 |
| + | mtu: Default Empty | Variable |
| + | left: Default Empty | If Empty then %defaultroute is set. Can be local WAN IP |
| + | leftid: Default Empty | Variable |
| + | leftsourceip: Default Empty | This server local IP |
| + | leftsubnet: Default Empty | This server local subnet |
| + | right: Default Empty | Destination WAN IP |
| + | rightid: Default Empty | Variable |
| + | rightsubnet: Default Empty | Destination subnet |
| + | passwd: Default Empty | Variable |
| + | keyingtries: Default Empty | 0 is default - 'forever' |
| + | leftcert Default Empty | LeftCertName |
| + | rightcert Default Empty | RightCertName |
| + | |
| + | For certificates - do not set or leave the following empty: |
| + | |
| + | leftrsasig: Default Empty - system generates %cert |
| + | rightrsasig: Default Empty - system generates %cert |
| + | leftid: Default Empty - system generates %fromcert |
| + | rightid: Default Empty - system generates %fromcert |
| | | |
| ===Logs and Debug=== | | ===Logs and Debug=== |
| + | |
| + | {{Warning box| If you are trying to connect Libreswan to other *swan versions using IPsec v2 you may see this in the logs |
| + | "failed to match authenticator" |
| + | which may cause link failures. |
| + | This seems to be an issue with some *swan versions - see this thread for more |
| + | https://lists.libreswan.org/pipermail/swan/2017/001956.html}} |
| | | |
| The following will give you connection details. | | The following will give you connection details. |
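Review bot: under "General Settings" the new line `connectiontype: Default secret | rassig, certificate` duplicates the `security: secret | rsasig | certs` key above it with a misspelled value, and conflicts with the per-connection list where `connectiontype: Default tunnel | transport/passthrough/drop/reject`; remove the general-settings `connectiontype` line or rename it to `security`. Other points in the same hunk: the RSA sample ends with `status enabled` while every other key uses `key=value` (the certificate sample has `status=enabled`); `config ipsec show` under "IPsec settings" does not match `config show ipsec` used earlier; the RSA sample values `SomeLongPassFromEast` / `SomeLongPasswordFromWest` suggest a passphrase, but the key list describes `leftrsasig` / `rightrsasig` as rsasignature keys, so a placeholder such as `0sAQ...` or "public key from the other side" would stop readers pasting a short secret there; and the warning box in "Logs and Debug" says "IPsec v2" where the rest of the page (the `ipsecversion` key) talks about IKEv2.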
Line 121: |
Line 305: |
| You may find masq needs a restart sometimes | | You may find masq needs a restart sometimes |
| | | |
− | /etc/init.d/masq restart | + | /etc/init.d/masq restart |
| | | |
| Check /var/log/iptables/current to see if packets are getting blocked. | | Check /var/log/iptables/current to see if packets are getting blocked. |
| | | |
| For ipsec itself place to look is /var/log/pluto/pluto.log | | For ipsec itself place to look is /var/log/pluto/pluto.log |
− |
| |
| | | |
| If you need more debugging you can set plutodebug = all | | If you need more debugging you can set plutodebug = all |
− |
| |
− | === RSA Keys===
| |
− |
| |
− | For the better security it is recommended to use RSA keys. There is more on this on the github page https://github.com/reetp/smeserver-libreswan/blob/master/IpsecSettings.txt
| |
| | | |
| | | |
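Review bot: "If you need more debugging you can set plutodebug = all" does not say where to set it; the settings list elsewhere on the page exposes this as the `debug` key in the ipsec config DB with the caveat that `all` generates a large amount of logging, so this line should name the db command (`config setprop ipsec debug all` followed by `signal-event ipsec-update`) and repeat that caveat, and advise turning it back to `none` once the problem is found, since full Pluto logs are noisy and grow quickly. Moving the RSA Keys section up next to the PSK and certificate setup is the right structure; the removed lines here carry nothing that is not already in the new section.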
Line 146: |
Line 325: |
| {{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |component=smeserver-libreswan|noresultsmessage="No open bugs found."}} | | {{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |component=smeserver-libreswan|noresultsmessage="No open bugs found."}} |
| | | |
− | ==Other articles in this category==
| + | =Other articles in this category= |
| {{#ask: [[Category:VPN]]}} | | {{#ask: [[Category:VPN]]}} |
| | | |
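Review bot: promoting "Other articles in this category" to a level-1 heading matches the other headings this edit promoted, but the page still has `==Installation==` and `===Logs and Debug===` at lower levels, so the heading hierarchy no longer nests; pick one top level for the page and adjust the others together rather than one section at a time. The `{{#ask: [[Category:VPN]]}}` query and the bugzilla table are unchanged and fine.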