Difference between revisions of "Libreswan"
Unnilennium (talk | contribs) |
|||
Line 86: | Line 86: | ||
The contrib has a lot of configurable settings but with the defaults and few details it should just work | The contrib has a lot of configurable settings but with the defaults and few details it should just work | ||
− | config setprop ipsec status enabled access public | + | config setprop ipsec status enabled access public |
Note for ipsec_connections we use 'set' when we create new connection. Thereafter you can modify it with setprop. | Note for ipsec_connections we use 'set' when we create new connection. Thereafter you can modify it with setprop. |
Revision as of 21:10, 15 August 2016
Is this article helpful to you?
Please consider donating or volunteering
Thank you!
Version
SME8
SME9
About
Openswan
Openswan is a free implementation of IPsec & IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted net is encrypted by the ipsec gateway machine and decrypted by the gateway at the other end of the tunnel.The resulting tunnel is a virtual private network or VPN.
Libreswan
Libreswan is a free software implementation of the most widely supported and standarized VPN protocol based on ("IPsec") and the Internet Key Exchange ("IKE"). These standards are produced and maintained by the Internet Engineering Task Force ("IETF").
Note that Libreswan will become the default ipsec installation from CentOS 6.8
https://libreswan.org/wiki/HOWTO:_openswan_to_libreswan_migration
- Credits: John Crisp
- Discuss: This How-to can be discussed on the forums here
Installation
For Koozali SME Server 8 you will need the ReetP repo to install openswan
yum --enablerepo=smecontribs,epel,reetp install smeserver-openswan
Configuration options and notes are here (check the latest branch):
https://github.com/reetp/smeserver-openswan
For Koozali SME Server 9, Libreswan can be found in the default repo's, so to install Libreswan simply enter the following command:
yum --enablerepo=smecontribs,epel install smeserver-libreswan
Configuration options and notes are here (check the latest branch):
https://github.com/reetp/smeserver-libreswan
IPSEC server to server configuration
Openswan/IPSEC can be used to setup a secure and permanent VPN connection between a SME Server and another (local or remote) IPSEC enabled device such as a router.
Note - if you want to use with an online VPS set the server to server/gateway with a 'dummy' internal network adaptor.
Passwords
It is recommended to create a very strong random password and keep this safe. One way of generating and store a random strong password is explained here
Alternatively see RSA key section below for much stronger passwords
Settings
The contrib has a lot of configurable settings but with the defaults and few details it should just work
config setprop ipsec status enabled access public
Note for ipsec_connections we use 'set' when we create new connection. Thereafter you can modify it with setprop.
Note most people refer to East and West rather than Local and Remote. There is a very good reason for this if you start using RSA keys !
Server East - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24
db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 passwd MyPassWd
Server West- WAN IP 1.2.3.4 Local IP 10.0.0.1 Subnet 10.0.0.0/24
db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 passwd MyPassWd
signal-event ipsec-update
Logs and Debug
The following will give you connection details.
ipsec whack --status
You should get this if the connection made : 'IPsec SA established'
The following check your configuration (may be some warnings - severity depends on what they are):
ipsec verify
If you modify a connection use
signal-event ipsec-update
For a restart of ipsec use
service ipsec restart
You may find masq needs a restart sometimes
/etc/init.d/masq restart
Check /var/log/iptables/current to see if packets are getting blocked.
For ipsec itself place to look is /var/log/pluto/pluto.log
If you need more debugging you can set plutodebug = all
RSA Keys
For the better security it is recommended to use RSA keys. There is more on this on the github page https://github.com/reetp/smeserver-libreswan/blob/master/IpsecSettings.txt
Bug report
SME8 OpenSwan IPSEC is listed in the bugtracker contribs section. Please report all bugs, new feature requests and documentation issues there.
SME9 LibreSwan IPSEC is listed in the bugtracker contribs section. Please report all bugs, new feature requests and documentation issues there.
ID | Product | Version | Status | Summary (4 tasks) ⇒ |
---|---|---|---|---|
12109 | SME Contribs | 10.0 | CONFIRMED | NFR reuse existing entries in manager code |
11405 | SME Contribs | 10beta | RESOLVED | Initial Import in SME 10 [smeserver-libreswan] |
10661 | SME Contribs | 9.2 | CONFIRMED | New file to adjust redirects in /etc/sysctl.d |
9305 | SME Contribs | 9.1 | CONFIRMED | Trouble configuring kernel settings for ipsec contrib |
Other articles in this category
Ipsec, Libreswan, Libreswan-xl2tpd, OpenVPN, OpenVPN Bridge, OpenVPN Bridge/fr, OpenVPN Routed, OpenVPN SiteToSite, SME Server wishlist, SoftEther VPN, Softethervpn-server, VPN, Wireguard