Difference between revisions of "Libreswan"

From SME Server
Jump to navigationJump to search
Line 8: Line 8:
 
Summary: The purpose of this howto is to guide you through the procedure to connect servers using OpenSwan VPN to connect via IPSEC.
 
Summary: The purpose of this howto is to guide you through the procedure to connect servers using OpenSwan VPN to connect via IPSEC.
  
I actually use it so my Draytek routers can connect to my online Koozali SME VPS machine
+
I actually use it so my Draytek routers can connect to my online Koozali SME VPS machine. This works on Koozali SME v8 and v9 with the unit in server-gateway mode.
 
 
This works on Koozali SME v8 and v9 with the unit in server-gateway mode.
 
  
 
On the online VPS it has a 'dummy' internal network adaptor but works fine with this.
 
On the online VPS it has a 'dummy' internal network adaptor but works fine with this.
Line 18: Line 16:
 
yum install openswan
 
yum install openswan
  
===SME Server 8.1
+
===SME Server 8.1===
 
On v8 you need to find the following package, or newer :
 
On v8 you need to find the following package, or newer :
  
 
openswan-2.6.38-1.x86_64.rpm
 
openswan-2.6.38-1.x86_64.rpm
  
You can grab a copy here :
+
You can grab a copy here : http://www.reetspetit.com/smeserver/5/repoview/index.html
 
 
http://www.reetspetit.com/smeserver/5/repoview/index.html
 
  
 
I can't remember if I built that myself or got it somewhere as it seems quite elusive. If I can find the source I will build a src rpm.
 
I can't remember if I built that myself or got it somewhere as it seems quite elusive. If I can find the source I will build a src rpm.
  
Then  
+
Then":
 
+
yum localinstall openswan-2.6.38-1.x86_64.rpm
yum localinstall openswan-2.6.38-1.x86_64.rpm
 
  
 
You will need a link in etc/rc.d/rc7.d so the service starts :
 
You will need a link in etc/rc.d/rc7.d so the service starts :
 
+
S99ipsec -> /etc/rc.d/init.d/e-smith-service
S99ipsec -> /etc/rc.d/init.d/e-smith-service
 
 
 
  
 
Alternatively to do it the Koozali SME way :
 
Alternatively to do it the Koozali SME way :
 
 
Create db entry:
 
Create db entry:
  
db configuration set ipsec service status enabled
+
db configuration set ipsec service status enabled
 
+
db configuration show ipsec
db configuration show ipsec
 
 
     ipsec=service
 
     ipsec=service
 
     status=enabled
 
     status=enabled
 
      
 
      
ln -s /etc/rc.d/init.d/e-smith-service /etc/rc.d/rc7.d/S99ipsec
+
ln -s /etc/rc.d/init.d/e-smith-service /etc/rc.d/rc7.d/S99ipsec
  
 
You can now enable and disble the service accordingly.
 
You can now enable and disble the service accordingly.
 
  
 
===Firewall===
 
===Firewall===
 
 
We need a new template fragment to allow ipsec through the firewall
 
We need a new template fragment to allow ipsec through the firewall
  
touch /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/15AllowIPsec
+
touch /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/15AllowIPsec
  
 
Add the following code :
 
Add the following code :
  
# IPsec ports
+
# IPsec ports
 
+
/sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT  
/sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT  
+
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1   
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1   
+
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT  
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT  
+
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT  
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT  
+
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT  
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT  
+
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT  
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT  
+
/sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT  
/sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT  
 
 
 
expand-template /etc/rc.d/init.d/masq
 
  
service masq restart
+
expand-template /etc/rc.d/init.d/masq
 +
service masq restart
  
 
We also need to disable redirects.
 
We also need to disable redirects.
 
 
I have the following code in a file called Disable_Redirects.sh and a link to it in /etc/rc.d/rc.local
 
I have the following code in a file called Disable_Redirects.sh and a link to it in /etc/rc.d/rc.local
  
#!/bin/bash
+
#!/bin/bash
# For OpenSwan
+
# For OpenSwan
# Disable send redirects
+
# Disable send redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
+
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
+
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
+
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
+
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
+
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
# echo 0 > /proc/sys/net/ipv4/conf/ppp0/send_redirects
+
# echo 0 > /proc/sys/net/ipv4/conf/ppp0/send_redirects
 
+
# Disable accept redirects
# Disable accept redirects
+
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
+
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
+
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
+
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects
+
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects
+
# echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects
# echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects
 
 
 
  
 
===OpenSwan Configuration===
 
===OpenSwan Configuration===
 
 
Here is a sample of my /etc/ipsec.conf with some added notes.
 
Here is a sample of my /etc/ipsec.conf with some added notes.
 
 
LEFT side is your server. RIGHT side is your router.
 
LEFT side is your server. RIGHT side is your router.
  
# /etc/ipsec.conf
+
# /etc/ipsec.conf
# basic configuration
+
# basic configuration
 
+
#auto = 'start' for both ways or 'add' for incoming only
#auto = 'start' for both ways or 'add' for incoming only
 
  
 
version 2.0
 
version 2.0
 
 
config setup
 
config setup
# Debug-logging controls:  "none" for (almost) none, "all" for lots.
 
#klipsdebug=none
 
plutodebug=none
 
interfaces=%defaultroute
 
oe=no
 
protostack=netkey
 
syslog=syslog.debug
 
# syslog=syslog.warning
 
virtual_private=%v4:192.168.0.0/24,  # Here you add the local/internal network of your server
 
nat_traversal=yes  # if required - probably yes
 
 
# Connection settings
 
 
# Router to Server
 
conn draytek-wan1 # Your connection name
 
type=tunnel
 
authby=secret
 
auto=start  # n.b. "auto = start" for ipsec to try and make a connection or "auto = add" to accept incoming
 
ikelifetime=28800s
 
keylife=3600s
 
left=%defaultroute
 
leftsourceip=192.168.98.1  # This is the IP address of your internal ethernet connection on your server
 
leftsubnet=192.168.98.0/24 # This is your local network on your server
 
pfs=yes  # If require
 
dpdaction=restart
 
dpddelay=30
 
dpdtimeout=10
 
right=1.2.3.4  # This is the WAN IP address of your router that is connecting in
 
rightsubnet=192.168.0.0/24 # This is the local network behind the router at the far end
 
 
# More incoming connections here.....
 
  
 +
# Debug-logging controls:  "none" for (almost) none, "all" for lots.
 +
#klipsdebug=none
 +
plutodebug=none
 +
interfaces=%defaultroute
 +
oe=no
 +
protostack=netkey
 +
syslog=syslog.debug
 +
# syslog=syslog.warning
 +
virtual_private=%v4:192.168.0.0/24,  # Here you add the local/internal network of your server
 +
nat_traversal=yes  # if required - probably yes
 +
# Connection settings
 +
# Router to Server
 +
conn draytek-wan1 # Your connection name
 +
type=tunnel
 +
authby=secret
 +
auto=start  # n.b. "auto = start" for ipsec to try and make a connection or "auto = add" to accept incoming
 +
ikelifetime=28800s
 +
keylife=3600s
 +
left=%defaultroute
 +
leftsourceip=192.168.98.1  # This is the IP address of your internal ethernet connection on your server
 +
leftsubnet=192.168.98.0/24 # This is your local network on your server
 +
pfs=yes  # If require
 +
dpdaction=restart
 +
dpddelay=30
 +
dpdtimeout=10
 +
right=1.2.3.4  # This is the WAN IP address of your router that is connecting in
 +
rightsubnet=192.168.0.0/24 # This is the local network behind the router at the far end
 +
# More incoming connections here
  
 
===Passwords===
 
===Passwords===
 
 
The following file needs to be looked after and should be set chmod 0600
 
The following file needs to be looked after and should be set chmod 0600
  
# /etc/ipsec.secrets
+
# /etc/ipsec.secrets
# Format is  
+
# Format is  
# Incoming_IP Local_IP: PSK "Your#Strong#Password"
+
# Incoming_IP Local_IP: PSK "Your#Strong#Password"
 
+
1.2.3.4 %any: PSK "Your#Strong#Password"
1.2.3.4 %any: PSK "Your#Strong#Password"
+
host.dnsalias.org %any: PSK "Your#Strong#Password"
host.dnsalias.org %any: PSK "Your#Strong#Password"
+
1.2.3.4 192.168.98.1: PSK "Your#Strong#Password"
1.2.3.4 192.168.98.1: PSK "Your#Strong#Password"
+
%any 192.168.98.1: PSK "Your#Strong#Password"
%any 192.168.98.1: PSK "Your#Strong#Password"
 
  
 
A reboot should get everythign going.
 
A reboot should get everythign going.
Line 164: Line 139:
  
 
Check /var/log/secure for debug messages, and once you are happy, change the debug settings in ipsec.conf from debug to warning.
 
Check /var/log/secure for debug messages, and once you are happy, change the debug settings in ipsec.conf from debug to warning.
 +
 
If you need more debugging you can set plutodebug = all
 
If you need more debugging you can set plutodebug = all
 
 
  
 
[[Category:Contrib:HowTo]]
 
[[Category:Contrib:HowTo]]
 
[[Category:Administration:VPN]]
 
[[Category:Administration:VPN]]

Revision as of 03:27, 15 September 2014

IPSec OpenSwan VPN to connect Servers HOWTO

Author/Contribitor: John Crisp

Revised: 15th Sept 2014

Summary: The purpose of this howto is to guide you through the procedure to connect servers using OpenSwan VPN to connect via IPSEC.

I actually use it so my Draytek routers can connect to my online Koozali SME VPS machine. This works on Koozali SME v8 and v9 with the unit in server-gateway mode.

On the online VPS it has a 'dummy' internal network adaptor but works fine with this.

Setup

SME Server 9.0

yum install openswan

SME Server 8.1

On v8 you need to find the following package, or newer :

openswan-2.6.38-1.x86_64.rpm

You can grab a copy here : http://www.reetspetit.com/smeserver/5/repoview/index.html

I can't remember if I built that myself or got it somewhere as it seems quite elusive. If I can find the source I will build a src rpm.

Then":

yum localinstall openswan-2.6.38-1.x86_64.rpm

You will need a link in etc/rc.d/rc7.d so the service starts :

S99ipsec -> /etc/rc.d/init.d/e-smith-service

Alternatively to do it the Koozali SME way : Create db entry:

db configuration set ipsec service status enabled
db configuration show ipsec
   ipsec=service
   status=enabled
   
ln -s /etc/rc.d/init.d/e-smith-service /etc/rc.d/rc7.d/S99ipsec

You can now enable and disble the service accordingly.

Firewall

We need a new template fragment to allow ipsec through the firewall

touch /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/15AllowIPsec

Add the following code :

# IPsec ports
/sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT 
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1  
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT 
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT 
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT 
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT 
/sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT 
expand-template /etc/rc.d/init.d/masq
service masq restart

We also need to disable redirects. I have the following code in a file called Disable_Redirects.sh and a link to it in /etc/rc.d/rc.local

#!/bin/bash
# For OpenSwan
# Disable send redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
# echo 0 > /proc/sys/net/ipv4/conf/ppp0/send_redirects
# Disable accept redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects
# echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects

OpenSwan Configuration

Here is a sample of my /etc/ipsec.conf with some added notes. LEFT side is your server. RIGHT side is your router.

# /etc/ipsec.conf
# basic configuration
#auto = 'start' for both ways or 'add' for incoming only

version 2.0 config setup

# Debug-logging controls:  "none" for (almost) none, "all" for lots.
#klipsdebug=none
plutodebug=none
interfaces=%defaultroute
oe=no
protostack=netkey
syslog=syslog.debug
# syslog=syslog.warning
virtual_private=%v4:192.168.0.0/24,   # Here you add the local/internal network of your server
nat_traversal=yes   # if required - probably yes
# Connection settings
# Router to Server
conn draytek-wan1 # Your connection name
type=tunnel
authby=secret
auto=start   # n.b. "auto = start" for ipsec to try and make a connection or "auto = add" to accept incoming
ikelifetime=28800s
keylife=3600s
left=%defaultroute
leftsourceip=192.168.98.1  # This is the IP address of your internal ethernet connection on your server
leftsubnet=192.168.98.0/24 # This is your local network on your server
pfs=yes  # If require
dpdaction=restart
dpddelay=30
dpdtimeout=10
right=1.2.3.4  # This is the WAN IP address of your router that is connecting in
rightsubnet=192.168.0.0/24	# This is the local network behind the router at the far end
# More incoming connections here

Passwords

The following file needs to be looked after and should be set chmod 0600

# /etc/ipsec.secrets
# Format is 
# Incoming_IP Local_IP: PSK "Your#Strong#Password"
1.2.3.4 %any: PSK "Your#Strong#Password"
host.dnsalias.org %any: PSK "Your#Strong#Password"
1.2.3.4 192.168.98.1: PSK "Your#Strong#Password"
%any 192.168.98.1: PSK "Your#Strong#Password"

A reboot should get everythign going.

Now set up your router. Create a new IPSEC VPN connection with the correct credentials and it shoudl connect up.

Check /var/log/secure for debug messages, and once you are happy, change the debug settings in ipsec.conf from debug to warning.

If you need more debugging you can set plutodebug = all