Changes

6,034 bytes added , 04:25, 15 July 2022

no edit summary

Line 6: Line 6:

Whilst the contribs do their best to make sure there is a simple secure setup, I make no guarantees !

−

Where possible use RSA keys instead of passwords.

Where possible use RSA keys or certificates instead of passwords.

An alternative solution is https://wiki.contribs.org/OpenVPN_SiteToSite or https://wiki.contribs.org/OpenVPN_Bridge

−

Where possible avoid the use of PPTP as it was cracked a long time ago and is very easy to read }}

Where possible avoid the use of PPTP as it was cracked a long time ago and is very easy to read

With IKE v2 it is possible to allow dial in clients.

For older dial clients you can also look at https://wiki.contribs.org/Smeserver-libreswan-xl2tpd

}}

=== Version ===

−

====~~SME8~~====

====Koozali SME v8====

Line 22: Line 27:

<div>Please use the version of openswan in the ReetP repo as below</div>

</div>

−

~~{{ #smeversion: smeserver-openswan}}~~

−

====~~SME9~~====

====Koozali SME v9====

Line 47: Line 53:

==Installation==

−

= '''For Koozali SME8~~'''~~ =

= For Koozali SME10 =

For Koozali SME Server 10, the latest stable Libreswan can be found in the default repo's

Note that the contrib is currently in test so to install:

yum install smeserver-extrarepositories-libreswan -y

db yum_repositories setprop libreswan status enabled Priority 10

signal-event yum-modify

yum --enablerepo=smecontribs,smetest install smeserver-libreswan

Configuration options and notes are here (check the latest branch):

=For Koozali SME8=

For Koozali SME Server 8 you will need the [https://wiki.contribs.org/User:ReetP ReetP] repo to install openswan

signal-event yum-modify

−

yum --enablerepo=~~smecontribs,epel~~,reetp install smeserver-openswan

Note that the contrib is currently in test so to install:

yum --enablerepo=smetest,reetp install smeserver-openswan

Configuration options and notes are here (check the latest branch):

Line 56: Line 76:

https://github.com/reetp/smeserver-openswan

Please note that this version is no longer under development as SME v8 is EOL at the end of March 2017

It is possible to use Openswan on SME v9 but I do not have the time to maintain the contrib for both versions.

RedHat have swapped to using Libreswan as their default IPsec implementation.

−

= ~~'''~~For Koozali SME9~~'''~~ =

= For Koozali SME9 =

−

For Koozali SME Server 9, Libreswan can be found in the default repo's~~, so to install Libreswan simply enter the following command:~~

For Koozali SME Server 9, the latest stable Libreswan can be found in the default repo's

−

yum --enablerepo=~~smecontribs,epel~~ install smeserver-libreswan

Note that the contrib is currently in test so to install:

yum --enablerepo=smetest install smeserver-libreswan

Configuration options and notes are here (check the latest branch):

Line 66: Line 91:

https://github.com/reetp/smeserver-libreswan

−

{{Note box|~~I usually have the~~ the latest version of libreswan ~~in my own repo~~ https://~~wiki~~.~~contribs~~.org/~~User~~:~~ReetP~~

{{Note box|You can get the latest version of libreswan itself here }}

/sbin/e-smith/db yum_repositories set libreswan repository \

BaseURL https://download.libreswan.org/binaries/rhel/6/x86_64/ \

EnableGroups no \

GPGCheck yes \

GPGKey https://download.libreswan.org/binaries/RPM-GPG-KEY-libreswan \

Name LibreSwan \

Visible yes \

status disabled \

signal-event yum-modify

−

~~Use at your own risk !}}~~

yum --enablerepo=libreswan install libreswan

−

==IPSEC server to server configuration==

−

Openswan/IPSEC can be used to setup a secure and permanent VPN connection between a SME Server and another (local or remote) IPSEC enabled device such as a router.

=IPSEC server to server configuration=

Libreswan/Openswan/IPSEC can be used to setup a secure and permanent VPN connection between a SME Server and another (local or remote) IPSEC enabled device such as a router.

Note - if you want to use with an online VPS set the server to server/gateway with a 'dummy' internal network adaptor.

===Passwords===

It is recommended to create a very strong random password and keep this safe. One way of generating and store a random strong password is explained [http://wiki.contribs.org/Useful_Commands#Generating_strong_random_password '''here''']

−

Alternatively see RSA key ~~section~~ below for much stronger passwords

Alternatively see RSA key and Certificate sections below for much stronger passwords

===Setup PSK Passwords===

The contrib has a lot of configurable settings but with the defaults and a few details it should just work.

General settings and some defaults are stored in the main config DB

−

~~===Settings===~~

config show ipsec

−

~~The contrib has~~ a ~~lot of configurable settings but with the defaults and few details it should just work~~

Connection specific settings are stored in a separate DB

−

~~config setprop ipsec status enabled access public~~

db ipsec_connections show

−

Note ~~for~~ ipsec_connections we use 'set' when we create new connection. Thereafter you can modify it with setprop.

{{Note box|For ipsec_connections we use 'set' when we create a new connection. Thereafter you can modify it with setprop}}

−

Note ~~most~~ people refer to East and West rather than Local and Remote. There is a very good reason for this if you start using RSA keys !

{{Note box|Most people refer to East and West rather than Local and Remote. There is a very good reason for this if you start using RSA keys !}}

Server East - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24

Line 99: Line 145:

signal-event ipsec-update

===Setup RSA Keys===

For the better security it is recommended to use RSA keys.

There are notes on github as this can be quite lengthy

https://github.com/reetp/smeserver-libreswan/blob/master/IpsecSettings.txt

A basic ipsec_connections entry setup should look this - note it will need a matching setup at the other end):

MyEast=ipsec

leftsourceip=192.168.20.1

leftsubnet=192.168.20.0/24

right=1.2.3.4

rightsubnet=10.0.0.0/24

security=rsasig

leftid=East

rightid=West

leftrsasig=SomeLongPassFromEast

rightrsasig=SomeLongPasswordFromWest

status enabled

===Setup Certificates===

You can now use a CA and PKCS#12 certificates.

There are notes on github as this can be quite lengthy

https://github.com/reetp/smeserver-libreswan/blob/master/ipsec-certificate-notes.txt

A basic ipsec_connections entry setup should look this:

MyEast=ipsec

leftcert=LocalServer

leftsourceip=192.168.1.1

leftsubnet=192.168.1.0/24

right=5.6.7.8

rightcert=RemoteServer

rightsubnet=192.168.100.0/24

security=certs

status=enabled

===DB Keys===

There are a lot of keys involved in ipsec.

Where possible just use the minimum that you require depending on whether you want PSK password / RSA signature / Certificate security

There are notes on github as this can be quite lengthy

https://github.com/reetp/smeserver-libreswan/blob/master/IpsecSettings.txt

Here are the currently available settings and options:

====IPsec settings====

These settings are generic and can be overwritten on a per connection basis

config ipsec show

Only set with:

db configuration setprop ipsec $key $property

Setting status enabled/disabled will modify access to private/public

status: Default disabled | enabled

access: Default private | public

UDPPorts: Default 500,4500 | Variable

auto: Default start | add (do not use ondemand or ignore)

debug: none | all raw crypt parsing emitting control controlmore lifecycle dns dpd klips pfkey natt oppo oppoinfo whackwatch private

(all generates a LARGE amount of logging so use with care)

====General Settings====

Overall default settings - these can be in main config db or set per connection in db ipsec_connections

security: secret | rsasig | certs

ikelifetime: Default 3600s | Variable

salifetime: Default 28800s | Variable

dpdaction: Default restart | Variable

dpddelay: Default 30 | Variable

dpdtimeout: Default 10 | Variable

pfs: Default yes | Variable

connectiontype: Default secret | rassig, certificate

ike: Default aes-sha1 | Variable - see ipsec.conf readme file for more options - sample: aes256-sha2;dh14 or aes256-sha2;modp2048

ipsecversion: Default permit | Whether to allow ikev2 - also : insist/propose/yes/never/no

====Per connection settings====

{{Warning box|Automatically modified - do not change this

PreviousState: Denotes previous connection state

}}

Manual keys

db ipsec_connections show

db ipsec_connections setprop ConnectionName $key $property

iptype: Default Empty | stattodyn or dyntostat - are we a static host to dynamic client or vice versa ? - Only required for dynamic clients with static hosts

connectiontype: Default tunnel | transport/passthrough/drop/reject

leftrsasig: Default Empty | Your Local rsasignature key

rightrsasig: Default Empty | Your Remote rsasignature key

ipsecversion: Default permit | Whether to allow ikev2 - also : insist/propose/yes/never/no

ike: Default aes-sha1 | Variable - sample: aes256-sha2;dh14 or aes256-sha2;modp2048

phase2: Default aes-sha1 | Variable - sample: aes256-sha2;dh14 or aes256-sha2;modp2048

mtu: Default Empty | Variable

left: Default Empty | If Empty then %defaultroute is set. Can be local WAN IP

leftid: Default Empty | Variable

leftsourceip: Default Empty | This server local IP

leftsubnet: Default Empty | This server local subnet

right: Default Empty | Destination WAN IP

rightid: Default Empty | Variable

rightsubnet: Default Empty | Destination subnet

passwd: Default Empty | Variable

keyingtries: Default Empty | 0 is default - 'forever'

leftcert Default Empty | LeftCertName

rightcert Default Empty | RightCertName

For certificates - do not set or leave the following empty:

leftrsasig: Default Empty - system generates %cert

rightrsasig: Default Empty - system generates %cert

leftid: Default Empty - system generates %fromcert

rightid: Default Empty - system generates %fromcert

===Logs and Debug===

{{Warning box| If you are trying to connect Libreswan to other *swan versions using IPsec v2 you may see this in the logs

"failed to match authenticator"

which may cause link failures.

This seems to be an issue with some *swan versions - see this thread for more

https://lists.libreswan.org/pipermail/swan/2017/001956.html}}

The following will give you connection details.

Line 121: Line 305:

You may find masq needs a restart sometimes

−

/etc/init.d/masq restart

Check /var/log/iptables/current to see if packets are getting blocked.

For ipsec itself place to look is /var/log/pluto/pluto.log

−

If you need more debugging you can set plutodebug = all

−

~~=== RSA Keys===~~

−

~~For the better security it is recommended to use RSA keys. There is more on this on the github page https://github.com/reetp/smeserver-libreswan/blob/master/IpsecSettings.txt~~

Line 146: Line 325:

{{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |component=smeserver-libreswan|noresultsmessage="No open bugs found."}}

−

==Other articles in this category==

=Other articles in this category=

Unnilennium

Super Admin, Wiki & Docs Team, Bureaucrats, Interface administrators, Administrators

3,250

edits

Retrieved from "https://wiki.koozali.org/Special:MobileDiff/31940...41420"

Changes

Libreswan (view source)

Revision as of 04:25, 15 July 2022

Navigation menu

Search