Ipsec

Note: This HowTo is superseded by Libreswan: https://wiki.contribs.org/Libreswan_IPSEC
Latest revision as of 10:01, 7 July 2017
Extracted from http://forums.contribs.org/index.php?topic=36033.0
IPSec Network-to-Network VPN SME Server 7.1 HOWTO
Author(s): Lloyd Keen, David Biczo
Revised: 7th March 2007
Summary: The purpose of this howto is to guide you through the procedure to connect two private subnets, both behind servers running SME Server version 7.1 in server/gateway mode, via an encrypted tunnel using IPsec (sometimes referred to as NETKEY or Kernel IPsec). Both servers have static IPs on the external interface using PPPoE or bridged Ethernet. NETKEY under Linux 2.6 works a bit differently to IPsec under Linux 2.4; the most obvious difference is that there is no visible ipsecX device as such. This document serves as a guide only: it worked for us, but YMMV. As usual, "all care but no responsibility taken". Comments and suggestions are welcome. If you don't feel comfortable following the procedure described below, I have written a script which will prompt you for the required settings and automate the process for you. This script is written for my personal use; if you can get any benefit from it, great, but if it doesn't work then you're on your own. You can download the script from here: http://www.comnetel.com/sme7_ipsec/ipsec_install.sh
SECTION A:
Procedure smeserverA:
#mcedit /etc/sysconfig/network-scripts/ifcfg-ipsec0
and enter the following information:
TYPE=IPSEC
ONBOOT=no
IKE_METHOD=PSK
SRCNET=192.168.aa.0/24 (smeserverA's LAN address)
DSTNET=192.168.bb.0/24 (smeserverB's LAN address)
SRCGW=xxx.xxx.xxx.xxx (smeserverA's gateway address)
DST=xxx.xxx.xxx.xxx (replace the xxx's with smeserverB's external static IP)
Now add the preshared key into /etc/sysconfig/network-scripts/keys-ipsec0
#mcedit /etc/sysconfig/network-scripts/keys-ipsec0
and add the following line:
IKE_PSK=my_shared_secret
Procedure smeserverB:
#mcedit /etc/sysconfig/network-scripts/ifcfg-ipsec0
and enter the following information:
TYPE=IPSEC
ONBOOT=no
IKE_METHOD=PSK
SRCNET=192.168.bb.0/24 (smeserverB's LAN address)
DSTNET=192.168.aa.0/24 (smeserverA's LAN address)
SRCGW=xxx.xxx.xxx.xxx (smeserverB's gateway address)
DST=xxx.xxx.xxx.xxx (replace the xxx's with smeserverA's external static IP)
Then add the preshared key into /etc/sysconfig/network-scripts/keys-ipsec0
#mcedit /etc/sysconfig/network-scripts/keys-ipsec0
and add the following line:
IKE_PSK=my_shared_secret
NOTE: If you have a PPPoE connection you don't want the interface to come up at boot time (ONBOOT=no), because IPsec must come up AFTER the ppp interface. You can address this by modifying the /etc/ppp/ip-up.local and /etc/ppp/ip-down.local scripts as described later in this document. If you have a bridged Ethernet connection then you can set this option to ONBOOT=yes.
Now open up the server-manager on both servers and add the appropriate network settings into the "Local Networks" panel. For example, on smeserverA you would enter the following values:
- Network Address: 192.168.bb.1
- Subnet Mask: 255.255.255.0
- Router: 192.168.aa.1
And on smeserverB you would enter the following:
- Network Address: 192.168.aa.1
- Subnet Mask: 255.255.255.0
- Router: 192.168.bb.1
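The two ifcfg-ipsec0 files above must mirror each other and both keys-ipsec0 files must hold the same secret, which is easy to get wrong when editing by hand. The following is an added shell example, not the HOWTO's own install script: it stages both ends' files and checks them (SRCNET/DSTNET mirrored, identical PSK, placeholder key not left in, key file readable by root only) before you copy them into /etc/sysconfig/network-scripts. The staging directories and all addresses are assumptions.

```shell
#!/bin/sh
# Added example, not the HOWTO's install script: stage the ifcfg-ipsec0 /
# keys-ipsec0 pair for each end of the tunnel and check that the two ends
# mirror each other before copying them to /etc/sysconfig/network-scripts.
# Staging directories and all addresses used are assumptions.

# write_ipsec_side DIR SRCNET DSTNET SRCGW DST ONBOOT PSK
write_ipsec_side() {
    dir=$1; srcnet=$2; dstnet=$3; srcgw=$4; dst=$5; onboot=$6; psk=$7
    mkdir -p "$dir"
    # ONBOOT=no on PPPoE links: ip-up.local brings the tunnel up after ppp0
    cat > "$dir/ifcfg-ipsec0" <<EOF
TYPE=IPSEC
ONBOOT=$onboot
IKE_METHOD=PSK
SRCNET=$srcnet
DSTNET=$dstnet
SRCGW=$srcgw
DST=$dst
EOF
    # the PSK is the whole secret of the tunnel: create it readable by root only
    (umask 077; printf 'IKE_PSK=%s\n' "$psk" > "$dir/keys-ipsec0")
}

# get KEY FILE: print the value of the KEY=value line in FILE
get() { sed -n "s/^$1=//p" "$2"; }

# check_pair DIR_A DIR_B: return 0 if both ends are consistent, 1 otherwise
check_pair() {
    a=$1/ifcfg-ipsec0; b=$2/ifcfg-ipsec0; ka=$1/keys-ipsec0; kb=$2/keys-ipsec0
    [ "$(get SRCNET "$a")" = "$(get DSTNET "$b")" ] || { echo "A SRCNET != B DSTNET"; return 1; }
    [ "$(get DSTNET "$a")" = "$(get SRCNET "$b")" ] || { echo "A DSTNET != B SRCNET"; return 1; }
    [ "$(get IKE_PSK "$ka")" = "$(get IKE_PSK "$kb")" ] || { echo "PSK differs between ends"; return 1; }
    [ "$(get IKE_PSK "$ka")" != my_shared_secret ] || { echo "placeholder PSK still in use"; return 1; }
    for f in "$ka" "$kb"; do
        # the key file must be exactly mode 0600 (root read/write only)
        find "$f" -perm 0600 -print | grep -q . || { echo "$f is not mode 0600"; return 1; }
    done
    return 0
}
```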
SECTION B:
This section contains information on modifying the firewall and installing modified scripts to fix routing issues.
#mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
#cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
#mcedit 15AllowIPsec
and add the following (accept IKE on UDP port 500, then mark and accept ESP (IP protocol 50) and AH (IP protocol 51) arriving on the external interface, in both INPUT and FORWARD):
/sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 51 -j MARK --set-mark 2
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT
Make sure to leave a blank line at the top of the file and a carriage return at the end of the file, then do:
#/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
#/etc/init.d/masq restart
There appears to be a bug in the way ifup-ipsec and ifdown-ipsec set up the routing, so you will need to install modified versions of these scripts from here [2]. For more information about this bug see [3]. There is some minor code duplication in the scripts, but it works. If you have any comments or suggestions we'd be glad to hear them. Any changes made in the scripts have been documented where applicable.
#cd /etc/sysconfig/network-scripts
#mv ifup-ipsec ifup-ipsec.old
#mv ifdown-ipsec ifdown-ipsec.old
#wget http://www.comnetel.com/sme7_ipsec/ifup-ipsec
#wget http://www.comnetel.com/sme7_ipsec/ifdown-ipsec
If you have a bridged Ethernet connection you can skip the next section and either reboot or bring up the tunnel with the following command:
#/sbin/ifup ipsec0
SECTION C:
Only complete this section if you have a PPPoE connection on the external interface. As mentioned earlier in this document, the tunnel must come up after the ppp interface, so we add a command to bring it up automatically whenever the PPPoE link is established. Modify /etc/ppp/ip-up.local:
#mkdir -p /etc/e-smith/templates-custom/etc/ppp/ip-up.local
#cd /etc/e-smith/templates-custom/etc/ppp/ip-up.local
#mcedit 40ipup15ipsec
and add the following code to the file:
case $IPPARAM in
    pppoe)
        /sbin/ifdown ipsec0
        sleep 5
        /sbin/ifup ipsec0
        ;;
    *)
        ;;
esac
Then expand the template
#expand-template /etc/ppp/ip-up.local
Modify /etc/ppp/ip-down.local:
#mkdir -p /etc/e-smith/templates-custom/etc/ppp/ip-down.local
#cd /etc/e-smith/templates-custom/etc/ppp/ip-down.local
#mcedit 40ipdown15ipsec
and add the following code into this file:
IPPARAM=$6
case $IPPARAM in
    pppoe)
        /sbin/ifdown ipsec0
        ;;
    *)
        ;;
esac
Then expand the template
#expand-template /etc/ppp/ip-down.local
Reboot or bring up the tunnel with the following command:
#/sbin/ifup ipsec0
Regards, Lloyd & David