Difference between revisions of "Libreswan"

From SME Server

Edit summary: m (Formatting WIP!!)

Author/Contributor: John Crisp

Revision as of 07:43, 15 September 2014

Work in Progress: This page is a work in progress. The contents of this page may be in flux; please have a look at the page history to see the list of changes.


About



Openswan is an IPsec implementation for Linux. It has support for most of the extensions (RFC + IETF drafts) related to IPsec, including IKEv2, X.509 Digital Certificates, NAT Traversal, and many others.


Installation

There are different installation instructions for SME8 and SME9:


SME Server 8

For SME Server 8, at least openswan-2.6.38-1.x86_64.rpm is required. However, this version is not to be found in the default repos, nor in any of the additional repos. A trusted copy of Openswan for SME8 can be found at http://www.reetspetit.com/smeserver/5/repoview/index.html. After you have downloaded the above file, you can install it by issuing the following command:

yum localinstall openswan-2.6.38-1.x86_64.rpm

SME Server 9

For SME Server 9, Openswan is available in the default repos, so to install it simply enter the following command:

yum install openswan


Openswan as a SME Server service

To make the Openswan service start at boot time we need to issue the following commands as root:

ln -s /etc/rc.d/init.d/e-smith-service /etc/rc7.d/S99ipsec
chkconfig ipsec on
config set ipsec service
config setprop ipsec status enabled

This makes ipsec service start at boot time and you can disable/enable the ipsec service at will.


SME Server firewall configuration

Since Openswan/ipsec is all about security and private connections, the SME Server firewall rules play a crucial part of a correct configuration.

We need a new template fragment to allow ipsec through the firewall:

# the templates-custom directory for masq usually does not exist yet
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
touch /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/15AllowIPsec

Add the following code:

# IPsec ports
# IKE (ISAKMP) on UDP 500 from the external interface
/sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT
# mark inbound ESP (IP protocol 50) so it can be accepted and forwarded below
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT
# do not masquerade traffic that is going to be IPsec-encapsulated
/sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT

Then expand the template and restart the firewall:

expand-template /etc/rc.d/init.d/masq
service masq restart

We also need to disable redirects. I have the following code in a file called Disable_Redirects.sh and a link to it in /etc/rc.d/rc.local

#!/bin/bash
# For OpenSwan
# Disable send redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
# echo 0 > /proc/sys/net/ipv4/conf/ppp0/send_redirects
# Disable accept redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects
# echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects
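Once the fragment is in place and the redirect script has run, it is worth confirming that the rules actually landed and that every interface really has redirects off. The following checks are an added example, not part of the original page: they read iptables-save style text and a /proc/sys/net/ipv4/conf style directory, so they run on constructed sample data here and on the live system on the server. Note that iptables-save renders `-p 50` as `-p esp` and `--set-mark 1` as `--set-xmark 0x1/0xffffffff`, which the patterns allow for. One caveat: the fragment only admits IKE on UDP 500; if a peer is behind NAT and NAT traversal is negotiated, IKE and ESP move to UDP 4500, which neither the fragment nor this check covers.

```shell
#!/bin/sh
# Added example (not from the original page): post-install checks for the
# IPsec firewall fragment and the redirect settings described above.
# Assumptions: rules are in iptables-save format; the conf directory has the
# /proc/sys/net/ipv4/conf/<iface>/ layout.

# Print each required IPsec rule that is absent from RULES_FILE.
# Returns 0 when all five rules are present, 1 otherwise.
check_ipsec_rules() {
    rules_file="$1"
    missing=0
    for pat in \
        '-A INPUT .*-p udp .*--sport 500 --dport 500 .*-j ACCEPT' \
        '-A PREROUTING .*-p (esp|50) .*-j MARK --set-x?mark (0x)?1' \
        '-A INPUT .*-m mark --mark (0x)?1 .*-j ACCEPT' \
        '-A FORWARD .*-m mark --mark (0x)?1 .*-j ACCEPT' \
        '-A POSTROUTING .*-m policy --dir out --pol ipsec .*-j ACCEPT'
    do
        if ! grep -Eq -e "$pat" "$rules_file"; then
            echo "missing rule: $pat"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Print every interface under CONF_DIR whose send_redirects or
# accept_redirects is not 0. Returns 0 when all are 0, 1 otherwise.
check_redirects() {
    conf_dir="$1"
    bad=0
    for f in "$conf_dir"/*/send_redirects "$conf_dir"/*/accept_redirects; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            echo "redirects still enabled: $f"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample in iptables-save format (not captured from a real box).
# MODE "full" contains all the rules from the fragment; "partial" omits the
# ESP marking rule so the check has something to report.
write_sample_rules() {
    out="$1"
    mode="$2"
    {
        echo '*mangle'
        if [ "$mode" = full ]; then
            echo '-A PREROUTING -i eth0 -p esp -j MARK --set-xmark 0x1/0xffffffff'
        fi
        echo 'COMMIT'
        echo '*nat'
        echo '-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT'
        echo 'COMMIT'
        echo '*filter'
        echo '-A INPUT -i eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT'
        echo '-A INPUT -i eth0 -m mark --mark 0x1 -j ACCEPT'
        echo '-A FORWARD -i eth0 -m mark --mark 0x1 -j ACCEPT'
        echo 'COMMIT'
    } > "$out"
}

# Constructed /proc-style tree: every interface at 0 except eth1's
# send_redirects, which is left at 1 to show the check firing.
make_sample_conf() {
    base="$1"
    for iface in all default eth0 eth1 lo; do
        mkdir -p "$base/$iface"
        echo 0 > "$base/$iface/send_redirects"
        echo 0 > "$base/$iface/accept_redirects"
    done
    echo 1 > "$base/eth1/send_redirects"
}

# Stand-alone run against the constructed samples.
main() {
    tmp=$(mktemp -d)
    write_sample_rules "$tmp/rules.txt" full
    make_sample_conf "$tmp/conf"
    check_ipsec_rules "$tmp/rules.txt" && echo "firewall rules: ok"
    check_redirects "$tmp/conf" || echo "redirect check found problems (expected: eth1)"
    rm -rf "$tmp"
}
main
```

On the server itself, run `iptables-save > /tmp/rules.txt` as root, then `check_ipsec_rules /tmp/rules.txt` and `check_redirects /proc/sys/net/ipv4/conf`; a non-zero exit from either means the masq template was not expanded or the redirect script did not run for every interface.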


Ipsec server to server configuration

Openswan/ipsec can be used to set up a secure and permanent VPN connection between an SME Server and another IPsec-enabled device such as a router.

Here is an example. I use this so my Draytek routers can connect to my online Koozali SME VPS; the VPS has a 'dummy' internal network adaptor but works fine with this.

Here is a sample of my /etc/ipsec.conf with some added notes.

LEFT side is your server. RIGHT side is your router.

# /etc/ipsec.conf
# basic configuration
# auto='start' for both ways or 'add' for incoming only
# n.b. parameter lines inside a section must be indented; a line that
# starts in column 1 begins a new section

version 2.0

config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        #klipsdebug=none
        plutodebug=none
        interfaces=%defaultroute
        oe=no
        protostack=netkey
        syslog=syslog.debug
        # syslog=syslog.warning
        virtual_private=%v4:192.168.0.0/24,   # Here you add the local/internal network of your server
        nat_traversal=yes   # if required - probably yes

# Connection settings
# Router to Server
conn draytek-wan1   # Your connection name
        type=tunnel
        authby=secret
        auto=start   # n.b. "auto=start" for ipsec to try and make a connection or "auto=add" to accept incoming
        ikelifetime=28800s
        keylife=3600s
        left=%defaultroute
        leftsourceip=192.168.98.1  # This is the IP address of your internal ethernet connection on your server
        leftsubnet=192.168.98.0/24 # This is your local network on your server
        pfs=yes  # If required
        dpdaction=restart
        dpddelay=30
        dpdtimeout=10
        right=1.2.3.4  # This is the WAN IP address of your router that is connecting in
        rightsubnet=192.168.0.0/24   # This is the local network behind the router at the far end
# More incoming connections here

Passwords

The following file holds the pre-shared keys, so it needs to be looked after: it should be owned by root and set to chmod 0600.

# /etc/ipsec.secrets
# Format is
# Incoming_IP Local_IP: PSK "Your#Strong#Password"
1.2.3.4 %any: PSK "Your#Strong#Password"
host.dnsalias.org %any: PSK "Your#Strong#Password"
1.2.3.4 192.168.98.1: PSK "Your#Strong#Password"
%any 192.168.98.1: PSK "Your#Strong#Password"
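With pre-shared keys the whole tunnel is only as strong as this file, so two things are worth checking before the box goes live: the file really is mode 0600, and no line still carries the placeholder or a short key. The following audit is an added example, not from the original page; it assumes the `<remote_id> <local_id>: PSK "key"` line format shown above, a POSIX `find` and `od`, and treats anything under 20 characters as weak (an assumed threshold, not one the page states). The 64-hex-character sample key below is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): audit an ipsec.secrets file
# for file mode and PSK quality, and generate a fresh PSK from the kernel RNG.

PLACEHOLDER='Your#Strong#Password'   # the page's sample value, never a real key
MIN_PSK_LEN=20                       # assumption: shorter keys are reported as weak

# Return 0 if FILE exists and is mode exactly 0600, 1 otherwise.
secrets_mode_ok() {
    [ -f "$1" ] && [ -n "$(find "$1" -prune -perm 0600)" ]
}

# Print one finding per offending line of FILE; return 0 if there are none.
audit_psk_lines() {
    findings=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*) continue ;;   # blank line or comment
        esac
        # every non-comment line must be '<remote> <local>: PSK "key"'
        if ! printf '%s\n' "$line" | grep -Eq '^[^ ]+ [^ ]+: PSK "[^"]+"$'; then
            echo "line $lineno: not in '<remote> <local>: PSK \"key\"' form"
            findings=$((findings + 1))
            continue
        fi
        key=$(printf '%s\n' "$line" | sed -n 's/.*PSK "\(.*\)"$/\1/p')
        if [ "$key" = "$PLACEHOLDER" ]; then
            echo "line $lineno: placeholder PSK still in place"
            findings=$((findings + 1))
        elif [ "${#key}" -lt "$MIN_PSK_LEN" ]; then
            echo "line $lineno: PSK shorter than $MIN_PSK_LEN characters"
            findings=$((findings + 1))
        fi
    done < "$1"
    [ "$findings" -eq 0 ]
}

# Print a fresh 256-bit PSK as 64 hex characters (safe to paste inside quotes).
new_psk() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Full audit: mode plus line content. Returns 0 only if both pass.
audit_secrets() {
    ok=0
    secrets_mode_ok "$1" || { echo "$1: mode is not 0600 (fix: chmod 0600 $1)"; ok=1; }
    audit_psk_lines "$1" || ok=1
    return "$ok"
}

# Constructed sample file for a stand-alone run: one placeholder key,
# one short key, one acceptable 64-hex-character key.
write_sample_secrets() {
    cat > "$1" <<'EOF'
# /etc/ipsec.secrets
1.2.3.4 %any: PSK "Your#Strong#Password"
host.dnsalias.org %any: PSK "short"
1.2.3.4 192.168.98.1: PSK "5f2a9c1e7b4d3a8f6e0c2b9d4a7f1e3c5b8d0a2f4c6e8b1d3f5a7c9e0b2d4f6a"
EOF
    chmod 0600 "$1"
}

main() {
    tmp=$(mktemp)
    write_sample_secrets "$tmp"
    audit_secrets "$tmp" && echo "no findings" || echo "review the findings above"
    echo "a freshly generated PSK looks like: $(new_psk)"
    rm -f "$tmp"
}
main
```

On the server, `audit_secrets /etc/ipsec.secrets` as root reports the lines to fix; `new_psk` gives a key to paste into both this file and the router, since with `authby=secret` both ends must hold the identical string.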

A reboot should get everything going.

Now set up your router. Create a new IPsec VPN connection with the correct credentials and it should connect up.

Check /var/log/secure for debug messages, and once you are happy, change the syslog setting in ipsec.conf from syslog.debug to syslog.warning.

If you need more debugging you can set plutodebug=all