Difference between revisions of "Libreswan"

From SME Server
m (make dir first)
 
(56 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{WIP box}}
+
{{usefulnote}}
 
__TOC__
 
__TOC__
 +
 +
{{Warning box| Note that you should try and learn as much as you can about VPN, Ipsec, and Security in general before playing with this. You risk leaving your server exposed to the bad guys.
 +
 +
Whilst the contribs do their best to make sure there is a simple secure setup, I make no guarantees !
 +
 +
Where possible use RSA keys or certificates instead of passwords.
 +
 +
An alternative solution is https://wiki.contribs.org/OpenVPN_SiteToSite or https://wiki.contribs.org/OpenVPN_Bridge
 +
 +
Where possible avoid the use of PPTP as it was cracked a long time ago and is very easy to read
 +
 +
With IKE v2 it is possible to allow dial in clients.
 +
 +
For older dial clients you can also look at https://wiki.contribs.org/Smeserver-libreswan-xl2tpd
 +
}}
 +
 +
=== Version ===
 +
====Koozali SME v8====
 +
 +
<div style="background: #EFE9E9; border: 1px solid #AAA; padding: 5px; padding-bottom: 17px; margin: 5px; width: 97%">
 +
<div style="float:right; background: #EFE9E9; border: 1px solid #AAA; padding: 5px; margin-left: 5px">   
 +
  <div style="font-size: 80%"><b>Centos 5:</b></div>   
 +
  <div style="font-size: 120%; font-weight: bold">[http://www.reetspetit.com/smeserver/5/repoview/openswan.html OpenSwan]</div>  </div>
 +
  <div style="font-size: 120%; font-weight: bold;">openswan</div>
 +
  <div>Please use the version of openswan in the ReetP repo as below</div>
 +
</div>
 +
 +
 +
====Koozali SME v9====
 +
{{ #smeversion: libreswan}}
 +
{{ #smeversion: smeserver-libreswan}}
 +
 
==About==
 
==About==
 +
 +
==Openswan==
 
[[File:openswan.jpg]]
 
[[File:openswan.jpg]]
  
[http://www.openswan.org Openswan] is a free implementation of IPsec& IKE for Linux.  IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services.  These services allow you to build secure tunnels through untrusted networks.  Everything passing through the untrusted net is encrypted by the ipsec gateway machine and decrypted by the gateway at the other end of the tunnel.The resulting tunnel is a virtual private network or VPN.
+
[http://www.openswan.org Openswan] is a free implementation of IPsec & IKE for Linux.  IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services.  These services allow you to build secure tunnels through untrusted networks.  Everything passing through the untrusted net is encrypted by the ipsec gateway machine and decrypted by the gateway at the other end of the tunnel.The resulting tunnel is a virtual private network or VPN.
 +
 
 +
==Libreswan==
 +
 
 +
[http://www.libreswan.org Libreswan] is a free software implementation of the most widely supported and standarized VPN protocol based on ("IPsec") and the Internet Key Exchange ("IKE"). These standards are produced and maintained by the Internet Engineering Task Force ("IETF").
 +
 
 +
Note that Libreswan will become the default ipsec installation from CentOS 6.8
 +
 
 +
https://libreswan.org/wiki/HOWTO:_openswan_to_libreswan_migration
  
 
* Credits: John Crisp
 
* Credits: John Crisp
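Review bot: two spelling/documentation nits in the added text of this hunk: the new Libreswan paragraph reads 'standarized VPN protocol based on ("IPsec")', which should be 'standardized VPN protocol, IPsec, and the Internet Key Exchange ("IKE")', and the Openswan paragraph (kept from the old revision) still runs 'tunnel.The' together. The new warning box is consistent with the rest of the change (RSA keys or certificates preferred over PSKs, PPTP discouraged), so no further comment there.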
Line 11: Line 53:
  
 
==Installation==
 
==Installation==
= SME Server 8 =
+
= For Koozali SME10 =
For SME Server 8, at least openswan-2.6.38-1.x86_64.rpm is required. However, this version is not to be found in the default repo's, nor any of the additional repo's.
+
For Koozali SME Server 10, the latest stable Libreswan can be found in the default repo's
A trusted copy of Openswan for SME8 can be found [http://www.reetspetit.com/smeserver/5/repoview/index.html '''here''']. (This is only for 64bit systems!)
+
 
 +
Note that the contrib is currently in test so to install:
 +
yum install smeserver-extrarepositories-libreswan -y
 +
db yum_repositories setprop libreswan status enabled Priority 10
 +
signal-event yum-modify
 +
yum --enablerepo=smecontribs,smetest install smeserver-libreswan
 +
 
 +
Configuration options and notes are here (check the latest branch):
 +
=For Koozali SME8=
 +
For Koozali SME Server 8 you will need the [https://wiki.contribs.org/User:ReetP ReetP] repo to install openswan
 +
{{:Reetspetit|transcludesection=SME9}}
 +
 
 +
signal-event yum-modify
 +
 
 +
Note that the contrib is currently in test so to install:
 +
yum --enablerepo=smetest,reetp install smeserver-openswan
 +
 
 +
Configuration options and notes are here (check the latest branch):
 +
 
 +
https://github.com/reetp/smeserver-openswan
 +
 
 +
Please note that this version is no longer under development as SME v8 is EOL at the end of March 2017
 +
 
 +
It is possible to use Openswan on SME v9 but I do not have the time to maintain the contrib for both versions.
 +
RedHat have swapped to using Libreswan as their default IPsec implementation.
 +
 
 +
= For Koozali SME9 =
 +
For Koozali SME Server 9, the latest stable Libreswan can be found in the default repo's
 +
 
 +
Note that the contrib is currently in test so to install:
 +
yum --enablerepo=smetest install smeserver-libreswan
 +
 
 +
Configuration options and notes are here (check the latest branch):
 +
 
 +
https://github.com/reetp/smeserver-libreswan
 +
 
 +
{{Note box|You can get the latest version of libreswan itself here }}
 +
 
 +
/sbin/e-smith/db yum_repositories set libreswan repository \
 +
BaseURL https://download.libreswan.org/binaries/rhel/6/x86_64/ \
 +
EnableGroups no \
 +
GPGCheck yes \
 +
GPGKey https://download.libreswan.org/binaries/RPM-GPG-KEY-libreswan \
 +
Name LibreSwan \
 +
Visible yes \
 +
status disabled \
 +
 
 +
signal-event yum-modify
 +
 
 +
yum --enablerepo=libreswan install libreswan
 +
 
 +
<headertabs />
 +
 
 +
 
 +
=IPSEC server to server configuration=
 +
 
 +
Libreswan/Openswan/IPSEC can be used to setup a secure and permanent VPN connection between a SME Server and another (local or remote) IPSEC enabled device such as a router.
 +
 
 +
Note - if you want to use with an online VPS set the server to server/gateway with a 'dummy' internal network adaptor.
 +
 
 +
===Passwords===
 +
 
 +
It is recommended to create a very strong random password and keep this safe. One way of generating and store a random strong password is explained [http://wiki.contribs.org/Useful_Commands#Generating_strong_random_password '''here''']
 +
 
 +
Alternatively see RSA key and Certificate sections below for much stronger passwords
 +
 
 +
 
 +
===Setup PSK Passwords===
 +
 
 +
The contrib has a lot of configurable settings but with the defaults and a few details it should just work.
 +
 
 +
General settings and some defaults are stored in the main config DB
 +
 
 +
config show ipsec
 +
 
 +
Connection specific settings are stored in a separate DB
 +
 
 +
db ipsec_connections show
 +
 
 +
{{Note box|For ipsec_connections we use 'set' when we create a new connection. Thereafter you can modify it with setprop}}
 +
 
 +
{{Note box|Most people refer to East and West rather than Local and Remote. There is a very good reason for this if you start using RSA keys !}}
 +
 
 +
Server East - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24
 +
db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 passwd MyPassWd
 +
 
 +
Server West- WAN IP 1.2.3.4 Local IP 10.0.0.1 Subnet 10.0.0.0/24
 +
db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 passwd MyPassWd
 +
 
 +
signal-event ipsec-update
 +
 
 +
 
 +
 
 +
===Setup RSA Keys===
 +
 
 +
For the better security it is recommended to use RSA keys.
 +
 
 +
There are notes on github as this can be quite lengthy
 +
 
 +
https://github.com/reetp/smeserver-libreswan/blob/master/IpsecSettings.txt
 +
 
 +
A basic ipsec_connections entry setup should look this - note it will need a matching setup at the other end):
 +
 
 +
MyEast=ipsec
 +
    leftsourceip=192.168.20.1
 +
    leftsubnet=192.168.20.0/24
 +
    right=1.2.3.4
 +
    rightsubnet=10.0.0.0/24
 +
    security=rsasig
 +
    leftid=East
 +
    rightid=West
 +
    leftrsasig=SomeLongPassFromEast
 +
    rightrsasig=SomeLongPasswordFromWest
 +
    status enabled
 +
 
 +
 
 +
===Setup Certificates===
 +
 
 +
You can now use a CA and PKCS#12 certificates.
 +
 
 +
There are notes on github as this can be quite lengthy
 +
 
 +
https://github.com/reetp/smeserver-libreswan/blob/master/ipsec-certificate-notes.txt
 +
 
 +
First setup the certificate store
 +
 
 +
ipsec checknss
 +
 
 +
Import the cert
 +
 
 +
ipsec import mycertificate.p12
 +
 
 +
Check the store
 +
 
 +
certutil -L -d sql:/etc/ipsec.d
 +
 
 +
A basic ipsec_connections entry setup should look this:
 +
 
 +
MyEast=ipsec
 +
    leftcert=LocalServer
 +
    leftsourceip=192.168.1.1
 +
    leftsubnet=192.168.1.0/24
 +
    right=5.6.7.8
 +
    rightcert=RemoteServer
 +
    rightsubnet=192.168.100.0/24
 +
    security=certs
 +
    status=enabled
 +
 
 +
===DB Keys===
 +
 
 +
There are a lot of keys involved in ipsec.
 +
 
 +
Where possible just use the minimum that you require depending on whether you want PSK password / RSA signature / Certificate security
 +
 
 +
There are notes on github as this can be quite lengthy
 +
 
 +
https://github.com/reetp/smeserver-libreswan/blob/master/IpsecSettings.txt
  
After you have downloaded the above file, you can install it by issuing the following command:
+
Here are the currently available settings and options:
yum localinstall openswan-2.6.38-1.x86_64.rpm
 
  
= SME Server 9 =
 
For SME Server 9, the Openswan can be found in the default repo's, so to install Openswan on SME Server 9, simply enter the following command:
 
yum install openswan
 
<headertabs/>
 
===Openswan as a SME Server service===
 
To make the Openswan service start at boot time we need to issue the following commands as root:
 
ln -s /etc/rc.d/init.d/e-smith-service /etc/rc7.d/S99ipsec
 
chkconfig ipsec on
 
config set ipsec service
 
config setprop ipsec status enabled
 
This makes ipsec service start at boot time and you can disable/enable the ipsec service at will.
 
  
===SME Server firewall configuration===
+
====IPsec settings====
Since Openswan/ipsec is all about security and private connections, the SME Server firewall rules play a crucial part of a correct configuration.
 
  
We need a new template fragment to allow ipsec through the firewall
+
These settings are generic and can be overwritten on a per connection basis
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
 
nano -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/15AllowIPsec
 
  
Add the following code :
+
config ipsec show
  
# IPsec ports
+
Only set with:
/sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT
+
db configuration setprop ipsec $key $property
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1 
 
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT
 
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT
 
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT
 
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT
 
/sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
 
  
expand-template /etc/rc.d/init.d/masq
+
Setting status enabled/disabled will modify access to private/public
service masq restart
 
  
We also need to disable redirects.
+
status: Default disabled | enabled
{{Note box | The below script will work for SME8 but NOT necessarily for SME9! Since in SME9 the NIC's have no longer fixed names like eth0 and eth1. We need to come up with an auto detect scipt. See experimental section below for an 'universal' approach for both SME8 and SME9. Feedback in the forum appreciated.}}
+
access: Default private | public
 +
UDPPorts: Default 500,4500 | Variable
 +
auto: Default start | add (do not use ondemand or ignore)
 +
debug: none | all raw crypt parsing emitting control controlmore lifecycle dns dpd klips pfkey natt oppo oppoinfo whackwatch private
 +
(all generates a LARGE amount of logging so use with care)
  
I have the following code in a file called Disable_Redirects.sh and a link to it in /etc/rc.d/rc.local
 
  
#!/bin/bash
+
====General Settings====
# For OpenSwan
 
# Disable send redirects
 
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
 
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
 
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
 
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
 
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
 
# echo 0 > /proc/sys/net/ipv4/conf/ppp0/send_redirects
 
# Disable accept redirects
 
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
 
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
 
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
 
echo 0 > /<sub>Subscript text</sub>proc/sys/net/ipv4/conf/eth1/accept_redirects
 
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects
 
# echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects
 
  
 +
Overall default settings - these can be in main config db or set per connection in db ipsec_connections
  
----
+
security: secret | rsasig | certs
{{Note box|Experimental code to disable redirects for both SME8 and SME9}}
+
ikelifetime: Default 3600s | Variable
This is experimental. Please provide your feedback in the forums.
+
salifetime: Default 28800s | Variable
 +
dpdaction: Default restart | Variable
 +
dpddelay: Default 30 | Variable
 +
dpdtimeout: Default 10 | Variable
 +
pfs: Default yes | Variable
 +
connectiontype: Default secret | rassig, certificate
 +
ike: Default aes-sha1 | Variable - see ipsec.conf readme file for more options - sample: aes256-sha2;dh14 or aes256-sha2;modp2048
 +
ipsecversion: Default permit | Whether to allow ikev2 - also : insist/propose/yes/never/no
  
To disable redirects (port forwarding) within the IPsec tnnels, we have to create a custom template that will disable these at boot time. To create the custom template execute the following commands as root (simplefied):
+
====Per connection settings====
mkdir -p /etc/e-smith/templates/templates-custom/etc/sysctl.conf
 
nano -w /etc/e-smith/templates/templates-custom/etc/sysctl.conf/net.ipv4.ip_deny_redirects
 
Then copy the below contents so you can paste them into the above custom template:
 
# SME Server Openswan specifics
 
# Send redirects, No!
 
net.ipv4.conf.all.send_redirects = 0
 
net.ipv4.conf.default.send_redirects = 0
 
# Accept packets with SRR option? No!
 
net.ipv4.conf.all.accept_source_route = 0
 
# Accept Redirects? No!
 
net.ipv4.conf.all.accept_redirects = 0
 
net.ipv4.conf.all.secure_redirects = 0
 
Now we need to expand the newly created custome template:
 
expand-template /etc/sysctl.conf
 
and make them effective:
 
sysctl -p
 
Another way to disable/enable redirects on all interfaces on the fly from the console as root would be:
 
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done
 
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done
 
for f in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 0 > $f; done
 
(these last commands will work for sure on both SME8 and SME9, but that's not the sustainable SME Server way that will stick on reboots, updates and upgrades.)
 
  
end of experimental section
+
{{Warning box|Automatically modified - do not change this
----
+
PreviousState: Denotes previous connection state
 +
}}
  
==IPSEC server to server configuration==
+
Manual keys
Openswan/IPSEC can be used to setup a secue and permanent VPN connection between a SME Server and another (local or remote) IPSEC enabled device such as a router.
 
  
Here is an example:
+
db ipsec_connections show
  
 +
db ipsec_connections setprop ConnectionName $key $property
  
On the online VPS it has a 'dummy' internal network adaptor but works fine with this.
+
iptype: Default Empty | stattodyn or dyntostat - are we a static host to dynamic client or vice versa ? - Only required for dynamic clients with static hosts
 +
connectiontype: Default tunnel | transport/passthrough/drop/reject
 +
leftrsasig: Default Empty | Your Local rsasignature key
 +
rightrsasig: Default Empty | Your Remote rsasignature key
 +
ipsecversion: Default permit | Whether to allow ikev2 - also : insist/propose/yes/never/no
 +
ike: Default aes-sha1 | Variable - sample: aes256-sha2;dh14 or aes256-sha2;modp2048
 +
phase2: Default aes-sha1 | Variable - sample: aes256-sha2;dh14 or aes256-sha2;modp2048
 +
mtu: Default Empty | Variable
 +
left: Default Empty | If Empty then %defaultroute is set. Can be local WAN IP
 +
leftid: Default Empty | Variable
 +
leftsourceip:  Default Empty | This server local IP
 +
leftsubnet:  Default Empty | This server local subnet
 +
right: Default Empty | Destination WAN IP
 +
rightid: Default Empty | Variable
 +
rightsubnet: Default Empty | Destination subnet
 +
passwd: Default Empty | Variable
 +
keyingtries: Default Empty | 0 is default - 'forever'
 +
leftcert Default Empty | LeftCertName
 +
rightcert Default Empty | RightCertName
  
Here is a sample of my /etc/ipsec.conf with some added notes.
+
For certificates - do not set or leave the following empty:
  
LEFT side is your server. RIGHT side is your router.
+
leftrsasig: Default Empty - system generates %cert
 +
rightrsasig: Default Empty - system generates %cert
 +
leftid: Default Empty - system generates %fromcert
 +
rightid: Default Empty - system generates %fromcert
  
# /etc/ipsec.conf
+
===Logs and Debug===
# basic configuration
 
#auto = 'start' for both ways or 'add' for incoming only
 
  
version 2.0
+
{{Warning box| If you are trying to connect Libreswan to other *swan versions using IPsec v2 you may see this in the logs
config setup
+
"failed to match authenticator"
 +
which may cause link failures.
 +
This seems to be an issue with some *swan versions - see this thread for more
 +
https://lists.libreswan.org/pipermail/swan/2017/001956.html}}
  
# Debug-logging controls:  "none" for (almost) none, "all" for lots.
+
The following will give you connection details.  
  #klipsdebug=none
+
  ipsec whack --status
plutodebug=none
 
interfaces=%defaultroute
 
oe=no
 
protostack=netkey
 
syslog=syslog.debug
 
# syslog=syslog.warning
 
virtual_private=%v4:192.168.0.0/24,  # Here you add the local/internal network of your server
 
nat_traversal=yes  # if required - probably yes
 
# Connection settings
 
# Router to Server
 
conn draytek-wan1 # Your connection name
 
type=tunnel
 
authby=secret
 
auto=start  # n.b. "auto = start" for ipsec to try and make a connection or "auto = add" to accept incoming
 
ikelifetime=28800s
 
keylife=3600s
 
left=%defaultroute
 
leftsourceip=192.168.98.1  # This is the IP address of your internal ethernet connection on your server
 
leftsubnet=192.168.98.0/24 # This is your local network on your server
 
pfs=yes  # If require
 
dpdaction=restart
 
dpddelay=30
 
dpdtimeout=10
 
right=1.2.3.4  # This is the WAN IP address of your router that is connecting in
 
rightsubnet=192.168.0.0/24 # This is the local network behind the router at the far end
 
# More incoming connections here
 
  
===Passwords===
+
You should get this if the connection made : 'IPsec SA established'
 +
 
 +
The following check your configuration (may be some warnings - severity depends on what they are):
 +
 
 +
ipsec verify
 +
 
 +
If you modify a connection use
 +
 
 +
signal-event ipsec-update
 +
 
 +
For a restart of ipsec use
  
The following file needs to be looked after and should be set chmod 0600
+
service ipsec restart
  
# /etc/ipsec.secrets
+
You may find masq needs a restart sometimes
# Format is
 
# Incoming_IP Local_IP: PSK "Your#Strong#Password"
 
1.2.3.4 %any: PSK "Your#Strong#Password"
 
host.dnsalias.org %any: PSK "Your#Strong#Password"
 
1.2.3.4 192.168.98.1: PSK "Your#Strong#Password"
 
%any 192.168.98.1: PSK "Your#Strong#Password"
 
  
A reboot should get everything going.
+
/etc/init.d/masq restart
  
Now set up your router.
+
Check /var/log/iptables/current to see if packets are getting blocked.
Create a new IPSEC VPN connection with the correct credentials and it should connect up.
 
  
Check /var/log/secure for debug messages, and once you are happy, change the debug settings in ipsec.conf from debug to warning.
+
For ipsec itself place to look is /var/log/pluto/pluto.log
  
 
If you need more debugging you can set plutodebug = all
 
If you need more debugging you can set plutodebug = all
 +
 +
 +
=== Bug report ===
 +
SME8 OpenSwan IPSEC is listed in the [http://bugs.contribs.org/enter_bug.cgi?product=SME%20Contribs&component=smeserver-openswan bugtracker contribs section].
 +
Please report all bugs, new feature requests and documentation issues there.
 +
 +
{{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |component=smeserver-openswan|noresultsmessage="No open bugs found."}}
 +
 +
SME9 LibreSwan IPSEC is listed in the [http://bugs.contribs.org/enter_bug.cgi?product=SME%20Contribs&component=smeserver-libreswan bugtracker contribs section].
 +
Please report all bugs, new feature requests and documentation issues there.
 +
 +
{{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |component=smeserver-libreswan|noresultsmessage="No open bugs found."}}
 +
 +
=Other articles in this category=
 +
{{#ask: [[Category:VPN]]}}
 +
 
[[Category:Howto]]
 
[[Category:Howto]]
 
[[Category:Contrib]]
 
[[Category:Contrib]]
 
[[Category:Administration:VPN]]
 
[[Category:Administration:VPN]]
 
[[Category:Security]]
 
[[Category:Security]]
 +
[[Category:VPN]]
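Review bot: the libreswan repository definition added in this hunk ends its last argument with a trailing backslash ('status disabled \'); in the rendered page that line runs straight into 'signal-event yum-modify', which then becomes two extra arguments to 'db yum_repositories set' instead of a separate command, and even where a blank line follows it is a stray continuation, so drop the backslash after 'status disabled'. Smaller points in the same hunk: the RSA sample record ends with 'status enabled' where the certificate sample uses 'status=enabled' (the db show format); the General Settings row 'connectiontype: Default secret | rassig, certificate' misspells 'rsasig' and reuses a key name that the per-connection list defines as 'connectiontype: Default tunnel | transport/passthrough/drop/reject'; and in the SME10 section 'Configuration options and notes are here (check the latest branch):' is followed by no link.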

Latest revision as of 13:54, 9 July 2024



Warning:
Note that you should try and learn as much as you can about VPN, Ipsec, and Security in general before playing with this. You risk leaving your server exposed to the bad guys.

Whilst the contribs do their best to make sure there is a simple secure setup, I make no guarantees!

Where possible use RSA keys or certificates instead of passwords.

An alternative solution is https://wiki.contribs.org/OpenVPN_SiteToSite or https://wiki.contribs.org/OpenVPN_Bridge

Where possible avoid the use of PPTP as it was cracked a long time ago and is very easy to read

With IKE v2 it is possible to allow dial in clients.

For older dial clients you can also look at https://wiki.contribs.org/Smeserver-libreswan-xl2tpd


Version

Koozali SME v8

Centos 5:
openswan
Please use the version of openswan in the ReetP repo as below


Koozali SME v9

libreswan (Alpha 10, Contrib 9): the latest version of libreswan is available in the SME repository.

smeserver-libreswan (Devel 10, Devel 9, Contrib 9): the latest version of smeserver-libreswan is available in the SME repository.


About

Openswan

Openswan.jpg

Openswan is a free implementation of IPsec & IKE for Linux. IPsec is Internet Protocol Security; it uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted network is encrypted by the IPsec gateway machine and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network, or VPN.

Libreswan

Libreswan is a free software implementation of the most widely supported and standardized VPN protocol, IPsec, and the Internet Key Exchange ("IKE"). These standards are produced and maintained by the Internet Engineering Task Force ("IETF").

Note that Libreswan will become the default ipsec installation from CentOS 6.8

https://libreswan.org/wiki/HOWTO:_openswan_to_libreswan_migration

  • Credits: John Crisp
  • Discuss: This How-to can be discussed on the forums here


Installation


For Koozali SME Server 10, the latest stable Libreswan can be found in the default repos.

Note that the contrib is currently in test, so to install:

yum install smeserver-extrarepositories-libreswan -y
db yum_repositories setprop libreswan status enabled Priority 10
signal-event yum-modify
yum --enablerepo=smecontribs,smetest install smeserver-libreswan

Configuration options and notes are here (check the latest branch):

For Koozali SME Server 8 you will need the ReetP repo to install openswan:

db yum_repositories set reetp repository \
BaseURL https://reetspetit.com/smeserver/\$releasever \
EnableGroups no GPGCheck no \
Name "Mirror John Crisp reetspetit.com" \
GPGKey https://reetspetit.com/RPM-GPG-KEY \
Visible yes status disabled



signal-event yum-modify

Note that the contrib is currently in test so to install:

yum --enablerepo=smetest,reetp install smeserver-openswan

Configuration options and notes are here (check the latest branch):

https://github.com/reetp/smeserver-openswan

Please note that this version is no longer under development, as SME v8 is EOL at the end of March 2017.

It is possible to use Openswan on SME v9 but I do not have the time to maintain the contrib for both versions. RedHat have swapped to using Libreswan as their default IPsec implementation.

For Koozali SME Server 9, the latest stable Libreswan can be found in the default repos.

Note that the contrib is currently in test, so to install:

yum --enablerepo=smetest install smeserver-libreswan

Configuration options and notes are here (check the latest branch):

https://github.com/reetp/smeserver-libreswan


Note:
You can get the latest version of libreswan itself here


/sbin/e-smith/db yum_repositories set libreswan repository \
BaseURL https://download.libreswan.org/binaries/rhel/6/x86_64/ \
EnableGroups no \
GPGCheck yes \
GPGKey https://download.libreswan.org/binaries/RPM-GPG-KEY-libreswan \
Name LibreSwan \
Visible yes \
status disabled

signal-event yum-modify

yum --enablerepo=libreswan install libreswan
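The two repository definitions above differ in one security-relevant setting: the libreswan repo has GPGCheck yes, the ReetP repo has GPGCheck no even though it supplies a GPGKey. The script below is an added example (not part of smeserver-libreswan or of the SME repositories) that audits yum_repositories records for settings that weaken package authenticity before you enable a repo. It assumes the record format printed by `db yum_repositories show <name>` (key=type, then indented Prop=value); both sample records are constructed from the commands on this page.

```sh
#!/bin/sh
# Added example, not part of smeserver-libreswan or of the SME repos:
# audit yum_repositories records for settings that weaken package
# authenticity before you enable a repository.
# Input is the format printed by "db yum_repositories show <name>":
#   name=repository
#       Prop=value
# Both records below are constructed from the two commands on this page.

REETP_RECORD='reetp=repository
    BaseURL=https://reetspetit.com/smeserver/$releasever
    EnableGroups=no
    GPGCheck=no
    GPGKey=https://reetspetit.com/RPM-GPG-KEY
    Name=Mirror John Crisp reetspetit.com
    Visible=yes
    status=disabled'

LIBRESWAN_RECORD='libreswan=repository
    BaseURL=https://download.libreswan.org/binaries/rhel/6/x86_64/
    EnableGroups=no
    GPGCheck=yes
    GPGKey=https://download.libreswan.org/binaries/RPM-GPG-KEY-libreswan
    Name=LibreSwan
    Visible=yes
    status=disabled'

# prop RECORD KEY -> value of KEY in RECORD, empty if the key is not set
prop() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '
        NR > 1 { sub(/^[ \t]+/, "", $1); if ($1 == k) { print $2; exit } }'
}

# repo_audit RECORD -> one finding per line, or "<name>: ok".
# Returns 0 when the record passes, 1 when any finding is printed.
repo_audit() {
    rec="$1"; rc=0
    name=$(printf '%s\n' "$rec" | head -n 1 | cut -d= -f1)
    # GPGCheck no installs whatever the mirror serves, signed or not
    if [ "$(prop "$rec" GPGCheck)" != "yes" ]; then
        echo "$name: GPGCheck is not yes - packages install without signature verification"
        rc=1
    fi
    # a key URL is needed for GPGCheck yes to be enforceable
    if [ -z "$(prop "$rec" GPGKey)" ]; then
        echo "$name: GPGKey is empty - signature checking cannot be enabled"
        rc=1
    fi
    # plain http metadata can be altered in transit
    case "$(prop "$rec" BaseURL)" in
        https://*) ;;
        *) echo "$name: BaseURL is not https"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "$name: ok"
    return "$rc"
}

# Usage: audit both constructed records; on a live server feed in the
# output of "db yum_repositories show <name>" instead.
for r in "$REETP_RECORD" "$LIBRESWAN_RECORD"; do
    repo_audit "$r" || :
done
```

Run it before `signal-event yum-modify`; a repo that fails the GPGCheck test should only be enabled if you have another way of trusting what the mirror serves.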


IPSEC server to server configuration

Libreswan/Openswan/IPSEC can be used to set up a secure and permanent VPN connection between an SME Server and another (local or remote) IPSEC-enabled device such as a router.

Note: if you want to use this with an online VPS, set the server up as server/gateway with a 'dummy' internal network adaptor.

Passwords

It is recommended to create a very strong random password and keep it safe. One way of generating and storing a strong random password is explained here.

Alternatively, see the RSA key and Certificate sections below for much stronger alternatives to passwords.


Setup PSK Passwords

The contrib has a lot of configurable settings but with the defaults and a few details it should just work.

General settings and some defaults are stored in the main config DB

config show ipsec

Connection specific settings are stored in a separate DB

db ipsec_connections show


Note:
For ipsec_connections we use 'set' when we create a new connection. Thereafter you can modify it with setprop



Note:
Most people refer to East and West rather than Local and Remote. There is a very good reason for this if you start using RSA keys!


Server East - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24

db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 passwd MyPassWd

Server West - WAN IP 1.2.3.4 Local IP 10.0.0.1 Subnet 10.0.0.0/24

db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 passwd MyPassWd

signal-event ipsec-update
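The East and West records above are mirror images: East's rightsubnet is West's leftsubnet and vice versa, and both carry the same PSK. The script below is an added example (not part of smeserver-libreswan) that checks exactly that before you run `signal-event ipsec-update`, since a subnet that does not mirror, a PSK typo on one side, or a leftsourceip outside its own leftsubnet are the usual reasons a tunnel negotiates forever without coming up. It assumes the record format printed by `db ipsec_connections show <name>`; the two records are constructed from the East/West example on this page, and the IPv4-only subnet test is this example's own.

```sh
#!/bin/sh
# Added example, not part of smeserver-libreswan: check that the East and
# West ipsec_connections records mirror each other before running
# signal-event ipsec-update.
# Records are in the format printed by "db ipsec_connections show <name>";
# the two below are constructed from the East/West example on this page.

EAST_RECORD='MyEast=ipsec
    leftsourceip=192.168.20.1
    leftsubnet=192.168.20.0/24
    right=1.2.3.4
    rightsubnet=10.0.0.0/24
    passwd=MyPassWd
    status=enabled'

WEST_RECORD='MyWest=ipsec
    leftsourceip=10.0.0.1
    leftsubnet=10.0.0.0/24
    right=5.6.7.8
    rightsubnet=192.168.20.0/24
    passwd=MyPassWd
    status=enabled'

# prop RECORD KEY -> value of KEY in RECORD, empty if unset
prop() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '
        NR > 1 { sub(/^[ \t]+/, "", $1); if ($1 == k) { print $2; exit } }'
}

# in_subnet IP CIDR -> exit 0 if IP lies inside CIDR (IPv4 only)
in_subnet() {
    awk -v ip="$1" -v cidr="$2" '
    function toint(a, p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
    BEGIN {
        split(cidr, c, "/"); host = 2 ^ (32 - c[2])
        # same network iff both addresses agree once the host bits are dropped
        exit !(int(toint(ip) / host) == int(toint(c[1]) / host))
    }'
}

# mirror_check EAST WEST -> prints findings, or "ok"; returns 1 on any finding
mirror_check() {
    east="$1"; west="$2"; rc=0
    # what East calls the remote subnet must be West's local subnet, and vice versa
    if [ "$(prop "$east" rightsubnet)" != "$(prop "$west" leftsubnet)" ]; then
        echo "east.rightsubnet != west.leftsubnet"; rc=1
    fi
    if [ "$(prop "$west" rightsubnet)" != "$(prop "$east" leftsubnet)" ]; then
        echo "west.rightsubnet != east.leftsubnet"; rc=1
    fi
    # a PSK tunnel needs the identical secret on both ends
    if [ "$(prop "$east" passwd)" != "$(prop "$west" passwd)" ]; then
        echo "passwd differs between the two ends"; rc=1
    fi
    # each end's leftsourceip must sit inside its own leftsubnet
    for rec in "$east" "$west"; do
        name=$(printf '%s\n' "$rec" | head -n 1 | cut -d= -f1)
        if ! in_subnet "$(prop "$rec" leftsourceip)" "$(prop "$rec" leftsubnet)"; then
            echo "$name: leftsourceip outside leftsubnet"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# Usage: on a live pair, capture each side's record with
#   db ipsec_connections show MyEast      (and MyWest on the other server)
# and pass the two outputs to mirror_check.
mirror_check "$EAST_RECORD" "$WEST_RECORD" || :
```

The check is deliberately limited to what the two db records contain; it does not know either server's WAN address, so `right` on one side versus the other's public IP still has to be eyeballed.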


Setup RSA Keys

For better security it is recommended to use RSA keys.

There are notes on GitHub, as this can be quite lengthy:

https://github.com/reetp/smeserver-libreswan/blob/master/IpsecSettings.txt

A basic ipsec_connections entry should look like this (note that it will need a matching setup at the other end):

MyEast=ipsec
   leftsourceip=192.168.20.1
   leftsubnet=192.168.20.0/24
   right=1.2.3.4
   rightsubnet=10.0.0.0/24
   security=rsasig
   leftid=East
   rightid=West
   leftrsasig=SomeLongPassFromEast
   rightrsasig=SomeLongPasswordFromWest
   status=enabled


Setup Certificates

You can now use a CA and PKCS#12 certificates.

There are notes on GitHub, as this can be quite lengthy:

https://github.com/reetp/smeserver-libreswan/blob/master/ipsec-certificate-notes.txt

First, set up the certificate store:

ipsec checknss

Import the certificate:

ipsec import mycertificate.p12

Check the store:

certutil -L -d sql:/etc/ipsec.d

A basic ipsec_connections entry should look like this:

MyEast=ipsec
   leftcert=LocalServer
   leftsourceip=192.168.1.1
   leftsubnet=192.168.1.0/24
   right=5.6.7.8
   rightcert=RemoteServer
   rightsubnet=192.168.100.0/24
   security=certs
   status=enabled

DB Keys

There are a lot of keys involved in ipsec.

Where possible, use only the minimum that you require, depending on whether you want PSK password, RSA signature or certificate security.

There are notes on GitHub, as this can be quite lengthy:

https://github.com/reetp/smeserver-libreswan/blob/master/IpsecSettings.txt

Here are the currently available settings and options:


IPsec settings

These settings are generic and can be overridden on a per-connection basis.

config ipsec show

Only set with: db configuration setprop ipsec $key $property

Setting status enabled/disabled will modify access to private/public

status: Default disabled | enabled
access: Default private | public
UDPPorts: Default 500,4500 | Variable
auto: Default start | add (do not use ondemand or ignore)
debug: none | all raw crypt parsing emitting control controlmore lifecycle dns dpd klips pfkey natt oppo oppoinfo whackwatch private

(all generates a LARGE amount of logging so use with care)


General Settings

Overall default settings; these can be set in the main config db or per connection in db ipsec_connections:

security: secret | rsasig | certs
ikelifetime: Default 3600s | Variable
salifetime: Default 28800s | Variable
dpdaction: Default restart | Variable
dpddelay: Default 30 | Variable
dpdtimeout: Default 10 | Variable
pfs: Default yes | Variable
connectiontype: Default secret | rsasig, certificate
ike: Default aes-sha1 | Variable - see ipsec.conf readme file for more options - sample: aes256-sha2;dh14 or aes256-sha2;modp2048
ipsecversion: Default permit | Whether to allow ikev2 - also : insist/propose/yes/never/no

Per connection settings

Warning:
Automatically modified - do not change this

PreviousState: Denotes previous connection state


Manual keys

db ipsec_connections show
db ipsec_connections setprop ConnectionName $key $property
iptype: Default Empty | stattodyn or dyntostat - are we a static host to a dynamic client, or vice versa? Only required for dynamic clients with static hosts
connectiontype: Default tunnel | transport/passthrough/drop/reject
leftrsasig: Default Empty | Your Local rsasignature key
rightrsasig: Default Empty | Your Remote rsasignature key
ipsecversion: Default permit | Whether to allow ikev2 - also : insist/propose/yes/never/no 
ike: Default aes-sha1 | Variable - sample: aes256-sha2;dh14 or aes256-sha2;modp2048
phase2: Default aes-sha1 | Variable - sample: aes256-sha2;dh14 or aes256-sha2;modp2048
mtu: Default Empty | Variable
left: Default Empty | If Empty then %defaultroute is set. Can be local WAN IP
leftid: Default Empty | Variable
leftsourceip:  Default Empty | This server local IP
leftsubnet:  Default Empty | This server local subnet
right: Default Empty | Destination WAN IP
rightid: Default Empty | Variable
rightsubnet: Default Empty | Destination subnet
passwd: Default Empty | Variable
keyingtries: Default Empty | 0 is default - 'forever'
leftcert: Default Empty | LeftCertName
rightcert: Default Empty | RightCertName

For certificates, do not set the following (leave them empty):

leftrsasig: Default Empty - system generates %cert
rightrsasig: Default Empty - system generates %cert
leftid: Default Empty - system generates %fromcert
rightid: Default Empty - system generates %fromcert

Logs and Debug

Warning:
If you are trying to connect Libreswan to other *swan versions using IPsec v2, you may see this in the logs:
"failed to match authenticator"

which may cause link failures. This seems to be an issue with some *swan versions - see this thread for more https://lists.libreswan.org/pipermail/swan/2017/001956.html


The following will give you connection details.

ipsec whack --status

You should see this if the connection has been made: 'IPsec SA established'

The following checks your configuration (there may be some warnings; severity depends on what they are):

ipsec verify 

If you modify a connection, use:

signal-event ipsec-update

For a restart of ipsec, use:

service ipsec restart

You may find that masq sometimes needs a restart:

/etc/init.d/masq restart

Check /var/log/iptables/current to see if packets are getting blocked.

For ipsec itself, the place to look is /var/log/pluto/pluto.log

If you need more debugging you can set plutodebug = all
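The two logs named in this section answer different questions: pluto.log tells you how far each connection's negotiation got, and the iptables log tells you whether IKE (UDP 500/4500) or ESP packets are being dropped before pluto ever sees them. The script below is an added example (not part of smeserver-libreswan) that summarises both. The pluto sample lines are constructed in the shape pluto uses (`"<conn>" #<state>: <message>`, with the 'IPsec SA established' and 'failed to match authenticator' messages quoted on this page); the iptables sample lines use the standard kernel LOG target fields with a constructed `denylog:` prefix, since the exact prefix in /var/log/iptables/current is not shown on this page.

```sh
#!/bin/sh
# Added example, not part of smeserver-libreswan: summarise what
# /var/log/pluto/pluto.log says about each connection and count the IKE/ESP
# packets the firewall dropped, so a failing tunnel can be placed on the
# right side (negotiation vs. firewall) quickly.
# Both samples are constructed for this example. The pluto lines follow the
# shape pluto uses ("<conn>" #<state>: <message>); the iptables lines use the
# standard kernel LOG target fields. A real log has many more lines.

SAMPLE_PLUTO='"MyEast" #1: initiating Main Mode
"MyEast" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_128 integ=sha group=MODP2048}
"MyEast" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x0a1b2c3d <0x4e5f6071 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=active}
"MyWest" #3: initiating Main Mode
"MyWest" #3: failed to match authenticator
"MyNorth" #4: initiating Main Mode
"MyNorth" #4: STATE_MAIN_I1: retransmission; will wait 1 seconds for response'

SAMPLE_IPTABLES='denylog:IN=eth1 OUT= SRC=1.2.3.4 DST=5.6.7.8 PROTO=UDP SPT=500 DPT=500 LEN=372
denylog:IN=eth1 OUT= SRC=1.2.3.4 DST=5.6.7.8 PROTO=ESP SPI=0x0a1b2c3d
denylog:IN=eth1 OUT= SRC=198.51.100.9 DST=5.6.7.8 PROTO=TCP SPT=51000 DPT=22'

# pluto_summary < pluto.log -> "<conn>: <state>" per connection, in order of first appearance
pluto_summary() {
    awk '
    # the connection name is the quoted token at the start of each line
    match($0, /^"[^"]+"/) {
        name = substr($0, RSTART + 1, RLENGTH - 2)
        if (!(name in state)) { order[++n] = name; state[name] = "no SA yet (no reply, or blocked by a firewall)" }
        if ($0 ~ /IPsec SA established/)               state[name] = "established"
        else if ($0 ~ /failed to match authenticator/)  state[name] = "auth failure (PSK/ids, or the *swan interop issue above)"
        else if ($0 ~ /deleting state/)                 state[name] = "deleted"
    }
    END { for (i = 1; i <= n; i++) printf "%s: %s\n", order[i], state[order[i]] }'
}

# blocked_ipsec < iptables.log -> "<src> <count>" of dropped IKE (UDP 500/4500) and ESP packets
blocked_ipsec() {
    awk '
    /PROTO=ESP/ || (/PROTO=UDP/ && /DPT=(500|4500)( |$)/) {
        if (match($0, /SRC=[^ ]+/)) count[substr($0, RSTART + 4, RLENGTH - 4)]++
    }
    END { for (s in count) printf "%s %d\n", s, count[s] }' | sort
}

# Usage on a live server:
#   pluto_summary < /var/log/pluto/pluto.log
#   blocked_ipsec < /var/log/iptables/current
printf '%s\n' "$SAMPLE_PLUTO" | pluto_summary
printf '%s\n' "$SAMPLE_IPTABLES" | blocked_ipsec
```

A peer that shows up in `blocked_ipsec` output while its connection sits at "no SA yet" points at the masq rules rather than at the IPsec configuration; an "auth failure" with no dropped packets points the other way.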


Bug report

SME8 OpenSwan IPSEC is listed in the bugtracker contribs section. Please report all bugs, new feature requests and documentation issues there.

"No open bugs found."

SME9 LibreSwan IPSEC is listed in the bugtracker contribs section. Please report all bugs, new feature requests and documentation issues there.

ID     Product       Version  Status     Summary (4 tasks)
12109  SME Contribs  10.0     CONFIRMED  NFR reuse existing entries in manager code
11405  SME Contribs  10beta   RESOLVED   Initial Import in SME 10 [smeserver-libreswan]
10661  SME Contribs  9.2      CONFIRMED  New file to adjust redirects in /etc/sysctl.d
9305   SME Contribs  9.1      CONFIRMED  Trouble configuring kernel settings for ipsec contrib

Other articles in this category

Ipsec, Libreswan, Libreswan-xl2tpd, OpenVPN, OpenVPN Bridge, OpenVPN Bridge/fr, OpenVPN Routed, OpenVPN SiteToSite, SME Server wishlist, SoftEther VPN, Softethervpn-server, VPN, Wireguard