Difference between revisions of "Libreswan"

From SME Server
Previous revision of this section (from line 66), superseded by the current text further down:

Here is an example:

Note - if you want to use with an online VPS set the server to server/gateway with a 'dummy' internal network adaptor.

On the online VPS it has a 'dummy' internal network adaptor but works fine with this.

Here is a sample of my /etc/ipsec.conf with some added notes.

LEFT side is your server. RIGHT side is your router.

 # /etc/ipsec.conf
 # basic configuration
 # auto='start' for both ways or 'add' for incoming only
 version 2.0
 
 config setup
     # Debug-logging controls:  "none" for (almost) none, "all" for lots.
     #klipsdebug=none
     plutodebug=none
     interfaces=%defaultroute
     oe=no
     protostack=netkey
     syslog=syslog.debug
     # syslog=syslog.warning
     virtual_private=%v4:192.168.0.0/24   # Here you add the local/internal network of your server
     nat_traversal=yes                    # if required - probably yes
 
 # Connection settings
 # Router to Server
 conn draytek-wan1                        # Your connection name
     type=tunnel
     authby=secret
     auto=start                           # n.b. "auto=start" for ipsec to try and make a connection or "auto=add" to accept incoming
     ikelifetime=28800s
     keylife=3600s
     left=%defaultroute
     leftsourceip=192.168.98.1            # This is the IP address of your internal ethernet connection on your server
     leftsubnet=192.168.98.0/24           # This is your local network on your server
     pfs=yes                              # If required
     dpdaction=restart
     dpddelay=30
     dpdtimeout=10
     right=1.2.3.4                        # This is the WAN IP address of your router that is connecting in
     rightsubnet=192.168.0.0/24           # This is the local network behind the router at the far end
 
 # More incoming connections here

===Passwords===

It is recommended to create a very strong random password and keep it safe. One way of generating and storing a strong random password is explained [http://wiki.contribs.org/Useful_Commands#Generating_strong_random_password '''here'''].

The following file needs to be looked after and should be set chmod 0600.

 # /etc/ipsec.secrets
 # Format is
 # Incoming_IP Local_IP: PSK "Your#Strong#Password"
 1.2.3.4 %any: PSK "Your#Strong#Password"
 host.dnsalias.org %any: PSK "Your#Strong#Password"
 1.2.3.4 192.168.98.1: PSK "Your#Strong#Password"
 %any 192.168.98.1: PSK "Your#Strong#Password"

Revision as of 15:13, 22 June 2016


Version

SME8 (CentOS 5):
  • openswan: please use the version of openswan in the ReetP repo as below
  • smeserver-openswan: the latest version is available in the SME repository

SME9:
  • libreswan (Alpha 10 and Contrib 9 repositories): the latest version is available in the SME repository
  • smeserver-libreswan (Devel 10, Devel 9 and Contrib 9 repositories): the latest version is available in the SME repository

About


Openswan is a free implementation of IPsec and IKE for Linux. IPsec is Internet Protocol Security; it uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted network is encrypted by the IPsec gateway machine and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network, or VPN.

Libreswan is a free software implementation of the most widely supported and standardized VPN protocol, based on IP Security ("IPsec") and the Internet Key Exchange ("IKE"). These standards are produced and maintained by the Internet Engineering Task Force ("IETF").

Note that Libreswan becomes the default IPsec installation from CentOS 6.8 onwards:

https://libreswan.org/wiki/HOWTO:_openswan_to_libreswan_migration

  • Credits: John Crisp
  • Discuss: This How-to can be discussed on the forums here


For v9 you can simply install as follows

yum --enablerepo=smecontribs,epel install smeserver-libreswan

Configuration options and notes are here (check the latest branch):

https://github.com/reetp/smeserver-libreswan


For v8 you will additionally need the ReetP repo to install openswan

yum --enablerepo=smecontribs,epel,reetp install smeserver-openswan

Configuration options and notes are here (check the latest branch):

https://github.com/reetp/smeserver-openswan

Installation


For SME Server 8, at least openswan-2.6.38-1.x86_64.rpm is required. However, this version is not to be found in the default repos, nor in any of the additional repos. A trusted copy of Openswan for SME8 can be found here. (This is only for 64-bit systems!)

After you have downloaded the above file, you can install it by issuing the following command:

yum localinstall openswan-2.6.38-1.x86_64.rpm

For SME Server 9, Openswan can be found in the default repos, so to install Openswan on SME Server 9 simply enter the following command:

yum install openswan

IPSEC server to server configuration

Openswan/IPSEC can be used to set up a secure and permanent VPN connection between an SME Server and another (local or remote) IPSEC-enabled device such as a router.

Here is an example:

Note - if you want to use with an online VPS set the server to server/gateway with a 'dummy' internal network adaptor.


Passwords

It is recommended to create a very strong random password and keep it safe. One way of generating and storing a strong random password is explained here.

Setting

The contrib has a lot of configurable settings, but with the defaults and a few details it should just work:

config setprop ipsec status enabled access public

Note that for ipsec_connections we use 'set' when we create a new connection. Thereafter you can modify it with setprop.

Local - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24

db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 passwd MyPassWd

Remote - WAN IP 1.2.3.4 Local IP 10.0.0.1 Subnet 10.0.0.0/24

db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 passwd MyPassWd
signal-event ipsec-update

Check /var/log/pluto/pluto.log

ipsec whack --status
ipsec verify (there may be some warnings; their severity depends on what they are)

For better security it is recommended to use RSA keys. There is more on this on the github page https://github.com/reetp/smeserver-libreswan/blob/master/IpsecSettings.txt

If you modify a connection, use:

signal-event ipsec-update

For a restart of ipsec, use:

service ipsec restart
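The two `db ipsec_connections set` records above (and the LEFT/RIGHT rule of the older ipsec.conf sample) only negotiate a tunnel when each end's left values are the other end's right values and both carry the same PSK. The following script is an added example, not part of the smeserver-libreswan contrib; the function names prop, in_subnet and pair_check are its own, and it re-uses the page's MyEast/MyWest values as constructed input.

```shell
#!/bin/sh
# Added example, not part of the smeserver-libreswan contrib: sanity-check that
# the two ends of a site-to-site pair mirror each other before running
# `signal-event ipsec-update`.  Each end is written with the same key/value
# words the page passes to `db ipsec_connections set <name> ipsec ...`.
# Function names (prop, in_subnet, pair_check) are this example's own.

# Constructed records copied from the page's MyEast (5.6.7.8) / MyWest (1.2.3.4) example.
MYEAST="leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 passwd MyPassWd"
MYWEST="leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 passwd MyPassWd"

# prop "<record>" <key>: print the value that follows <key> in a record.
prop() {
    printf '%s\n' "$1" | awk -v k="$2" '{ for (i = 1; i < NF; i += 2) if ($i == k) print $(i + 1) }'
}

# in_subnet <ip> <a.b.c.d/len>: succeed when <ip> lies inside the CIDR block.
in_subnet() {
    echo "$1 $2" | awk '
        function n(a, o) { split(a, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
        { split($2, c, "/"); m = 2 ^ (32 - c[2])
          exit !(int(n($1) / m) == int(n(c[1]) / m)) }'
}

# same <label> <a> <b>: report a mismatch and flag the pair as inconsistent.
same() {
    [ "$2" = "$3" ] || { echo "MISMATCH $1: '$2' vs '$3'"; rc=1; }
}

# pair_check "<local record>" <local WAN IP> "<remote record>" <remote WAN IP>
# Succeeds when every left/right value of one end is the right/left value of the
# other, both ends share the PSK, and each leftsourceip sits inside its leftsubnet.
pair_check() {
    rc=0
    same "local leftsubnet = remote rightsubnet" "$(prop "$1" leftsubnet)" "$(prop "$3" rightsubnet)"
    same "local rightsubnet = remote leftsubnet" "$(prop "$1" rightsubnet)" "$(prop "$3" leftsubnet)"
    same "local right = remote WAN IP"           "$(prop "$1" right)" "$4"
    same "remote right = local WAN IP"           "$(prop "$3" right)" "$2"
    same "pre-shared key"                        "$(prop "$1" passwd)" "$(prop "$3" passwd)"
    for rec in "$1" "$3"; do
        in_subnet "$(prop "$rec" leftsourceip)" "$(prop "$rec" leftsubnet)" ||
            { echo "leftsourceip $(prop "$rec" leftsourceip) is not inside $(prop "$rec" leftsubnet)"; rc=1; }
    done
    return $rc
}

pair_check "$MYEAST" 5.6.7.8 "$MYWEST" 1.2.3.4 && echo "MyEast and MyWest mirror each other"
```

A non-zero exit with a MISMATCH line is the kind of error that otherwise only shows up in /var/log/pluto/pluto.log as a failed negotiation after ipsec-update.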

Verifying configuration

To verify your configuration give the following command:

ipsec verify

A reboot should get everything going.


Now set up your router. Create a new IPSEC VPN connection with the correct credentials and it should connect up.

Check /var/log/secure for debug messages, and once you are happy, change the debug settings in ipsec.conf from debug to warning.

If you need more debugging you can set plutodebug=all in ipsec.conf.

Bug report

SME8 OpenSwan IPSEC is listed in the bugtracker contribs section. Please report all bugs, new feature requests and documentation issues there.

"No open bugs found."

SME9 LibreSwan IPSEC is listed in the bugtracker contribs section. Please report all bugs, new feature requests and documentation issues there.

ID     Product       Version  Status     Summary (4 tasks)
12109  SME Contribs  10.0     CONFIRMED  NFR reuse existing entries in manager code
11405  SME Contribs  10beta   RESOLVED   Initial Import in SME 10 [smeserver-libreswan]
10661  SME Contribs  9.2      CONFIRMED  New file to adjust redirects in /etc/sysctl.d
9305   SME Contribs  9.1      CONFIRMED  Trouble configuring kernel settings for ipsec contrib
