Difference between revisions of "Libreswan"
m (Add note for SME9) |
m (added credits) |
||
Line 2: | Line 2: | ||
__TOC__ | __TOC__ | ||
+ | |||
+ | Credits: John Crisp | ||
+ | |||
+ | |||
==About== | ==About== | ||
[[File:openswan.jpg]] | [[File:openswan.jpg]] |
Revision as of 08:25, 15 September 2014
Credits: John Crisp
About
Openswan is an IPsec implementation for Linux. It has support for most of the extensions (RFC + IETF drafts) related to IPsec, including IKEv2, X.509 Digital Certificates, NAT Traversal, and many others.
Installation
There are different installation instructions for SME8 and SME9:
SME Server 8
For SME Server 8, at least openswan-2.6.38-1.x86_64.rpm is required. However, this version is not available in the default repos or in any of the additional repos. A trusted copy of Openswan for SME8 can be found here. (This is only for 64-bit systems!)
After you have downloaded the above file, you can install it by issuing the following command:
yum localinstall openswan-2.6.38-1.x86_64.rpm
SME Server 9
For SME Server 9, Openswan can be found in the default repos, so to install it simply enter the following command:
yum install openswan
Openswan as a SME Server service
To make the Openswan service start at boot time we need to issue the following commands as root:
ln -s /etc/rc.d/init.d/e-smith-service /etc/rc7.d/S99ipsec
chkconfig ipsec on
config set ipsec service
config setprop ipsec status enabled
This makes the ipsec service start at boot time, and you can disable or enable the ipsec service at will.
SME Server firewall configuration
Since Openswan/ipsec is all about security and private connections, the SME Server firewall rules play a crucial part in a correct configuration.
We need a new template fragment to allow ipsec through the firewall:
touch /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/15AllowIPsec
Add the following code:
# IPsec ports
# IKE key exchange (UDP 500)
/sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT
# Mark incoming ESP (IP protocol 50) packets with mark 1
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1
# Accept and forward packets carrying mark 1
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT
# No rule in this fragment sets mark 2
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT
# Skip NAT for outgoing traffic that matches an IPsec policy
/sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
Then expand the template and restart the firewall:
expand-template /etc/rc.d/init.d/masq
service masq restart
We also need to disable redirects.
I have the following code in a file called Disable_Redirects.sh and a link to it in /etc/rc.d/rc.local:
#!/bin/bash
# For OpenSwan
# Disable send redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
# echo 0 > /proc/sys/net/ipv4/conf/ppp0/send_redirects
# Disable accept redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects
# echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects
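The script above names eth0 and eth1 explicitly, so an interface it does not list (such as the commented-out ppp0) keeps whatever value it had. The following check is an added example, not part of the original page: it walks every interface directory and reports any redirect setting that is not 0. CONF_ROOT, the function names and the sample tree are assumptions made for the example.

```shell
#!/bin/bash
# Added example (not from the original page): audit ICMP redirect settings.
# CONF_ROOT is a hypothetical override so the check can run on a test tree.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Print every "<interface>/<setting>=<value>" that is not 0; return 1 if any.
audit_redirects() {
    local root="${1:-$CONF_ROOT}" bad=0 dir iface key val
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        iface="$(basename "$dir")"
        for key in send_redirects accept_redirects; do
            # A missing file is reported too: the setting could not be verified.
            if [ -r "$dir$key" ]; then
                val="$(tr -d '[:space:]' < "$dir$key")"
            else
                val="missing"
            fi
            if [ "$val" != "0" ]; then
                echo "$iface/$key=$val"
                bad=1
            fi
        done
    done
    return "$bad"
}

# Constructed sample tree: the interfaces the script sets are at 0,
# while ppp0 (commented out in the script) still has redirects enabled.
make_sample_tree() {
    local root="$1" iface
    for iface in all default eth0 eth1 lo; do
        mkdir -p "$root/$iface"
        echo 0 > "$root/$iface/send_redirects"
        echo 0 > "$root/$iface/accept_redirects"
    done
    mkdir -p "$root/ppp0"
    echo 1 > "$root/ppp0/send_redirects"
    echo 1 > "$root/ppp0/accept_redirects"
}

# Usage on a live system: audit_redirects
```

On a live server, run audit_redirects with no argument after boot; any output names an interface that still sends or accepts redirects.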
IPSEC server to server configuration
Openswan/IPSEC can be used to set up a secure and permanent VPN connection between a SME Server and another IPSEC enabled device such as a router.
Here is an example:
The server in this example is an online VPS with a 'dummy' internal network adaptor, and the configuration works fine with this.
Here is a sample of my /etc/ipsec.conf with some added notes.
LEFT side is your server. RIGHT side is your router.
# /etc/ipsec.conf
# basic configuration
# auto = 'start' for both ways or 'add' for incoming only

version 2.0

config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    #klipsdebug=none
    plutodebug=none
    interfaces=%defaultroute
    oe=no
    protostack=netkey
    syslog=syslog.debug
    # syslog=syslog.warning
    virtual_private=%v4:192.168.0.0/24, # Here you add the local/internal network of your server
    nat_traversal=yes # if required - probably yes

# Connection settings
# Router to Server
conn draytek-wan1 # Your connection name
    type=tunnel
    authby=secret
    auto=start # n.b. "auto = start" for ipsec to try and make a connection or "auto = add" to accept incoming
    ikelifetime=28800s
    keylife=3600s
    left=%defaultroute
    leftsourceip=192.168.98.1 # This is the IP address of your internal ethernet connection on your server
    leftsubnet=192.168.98.0/24 # This is your local network on your server
    pfs=yes # If required
    dpdaction=restart
    dpddelay=30
    dpdtimeout=10
    right=1.2.3.4 # This is the WAN IP address of your router that is connecting in
    rightsubnet=192.168.0.0/24 # This is the local network behind the router at the far end

# More incoming connections here
Passwords
The following file holds the pre-shared keys, so it needs to be looked after and its permissions should be set with chmod 0600:
# /etc/ipsec.secrets
# Format is
# Incoming_IP Local_IP: PSK "Your#Strong#Password"
1.2.3.4 %any: PSK "Your#Strong#Password"
host.dnsalias.org %any: PSK "Your#Strong#Password"
1.2.3.4 192.168.98.1: PSK "Your#Strong#Password"
%any 192.168.98.1: PSK "Your#Strong#Password"
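The permission and password advice for this file can be checked mechanically. The following is an added example, not part of the original page: it reports a file mode other than 0600, the sample PSK from this page left unchanged, and short PSKs, without ever printing a secret. The 20-character minimum, the function names and the sample file are assumptions made for the example.

```shell
#!/bin/bash
# Added example (not from the original page): audit an ipsec.secrets file.
# PLACEHOLDER is the sample PSK from this page; MIN_PSK_LEN is an assumed policy.
PLACEHOLDER='Your#Strong#Password'
MIN_PSK_LEN=20

# audit_secrets FILE: print findings (never the PSK itself); return 1 if any.
audit_secrets() {
    local file="$1" perms line psk lineno=0 issues=0
    [ -f "$file" ] || return 2
    perms="$(ls -ld "$file" | cut -c1-10)"
    if [ "$perms" != "-rw-------" ]; then
        echo "mode $perms, expected -rw-------"
        issues=1
    fi
    while IFS= read -r line; do
        lineno=$((lineno + 1))
        case "$line" in
            \#*|'') continue ;;   # skip comments and blank lines
        esac
        # Extract the quoted secret from '<ids>: PSK "<secret>"' entries.
        psk="$(printf '%s\n' "$line" |
            sed -n 's/^.*:[[:space:]]*PSK[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p')"
        [ -n "$psk" ] || continue
        if [ "$psk" = "$PLACEHOLDER" ]; then
            echo "line $lineno: placeholder PSK still in use"
            issues=1
        elif [ "${#psk}" -lt "$MIN_PSK_LEN" ]; then
            echo "line $lineno: PSK shorter than $MIN_PSK_LEN characters"
            issues=1
        fi
    done < "$file"
    return "$issues"
}

# Constructed sample file (not real credentials), deliberately world-readable.
make_sample_secrets() {
    cat > "$1" <<'EOF'
# constructed sample
1.2.3.4 %any: PSK "Your#Strong#Password"
host.dnsalias.org %any: PSK "short"
%any 192.168.98.1: PSK "c0nstructed-sample-key-not-for-real-use"
EOF
    chmod 644 "$1"
}

# Usage on a live system (as root): audit_secrets /etc/ipsec.secrets
```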
A reboot should get everything going.
Now set up your router. Create a new IPSEC VPN connection with the correct credentials and it should connect up.
Check /var/log/secure for debug messages, and once you are happy, change the syslog setting in ipsec.conf from syslog.debug to syslog.warning.
If you need more debugging you can set plutodebug = all