Libreswan
Version: SME8, SME9
About
Openswan is a free implementation of IPsec and IKE for Linux. IPsec (Internet Protocol Security) uses strong cryptography to provide both authentication and encryption. These services let you build secure tunnels through untrusted networks: everything passing through the untrusted network is encrypted by the IPsec gateway machine and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network (VPN).
Libreswan is a free software implementation of the most widely supported and standardized VPN protocol, IPsec, together with the Internet Key Exchange (IKE). These standards are produced and maintained by the Internet Engineering Task Force (IETF).
Note that Libreswan will become the default IPsec implementation from CentOS 6.8; migration notes for existing Openswan installations:
https://libreswan.org/wiki/HOWTO:_openswan_to_libreswan_migration
- Credits: John Crisp
- Discuss: This How-to can be discussed on the forums here
For v9 you can simply install as follows
yum --enablerepo=smecontribs,epel install smeserver-libreswan
Configuration options and notes are here (check the latest branch):
https://github.com/reetp/smeserver-libreswan
For v8 you will additionally need the ReetP repo to install openswan
yum --enablerepo=smecontribs,epel,reetp install smeserver-openswan
Configuration options and notes are here (check the latest branch):
https://github.com/reetp/smeserver-openswan
Installation
For SME Server 8, at least openswan-2.6.38-1.x86_64.rpm is required. This version is not in the default repos, nor in any of the additional repos. A trusted copy of Openswan for SME8 can be found here. (This is only for 64-bit systems!)
After you have downloaded the above file, you can install it by issuing the following command:
yum localinstall openswan-2.6.38-1.x86_64.rpm
For SME Server 9, Openswan is in the default repos, so to install it simply enter the following command:
yum install openswan
SME Server firewall configuration
Since Openswan/IPsec is all about security and private connections, the SME Server firewall rules play a crucial part in a correct configuration.
We need a new template fragment to allow IPsec through the firewall:
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
nano -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/15AllowIPsec
Add the following code:
# IPsec ports
# IKE on UDP 500
/sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT
# If nat_traversal=yes is used in ipsec.conf, NAT-T also needs UDP 4500 (not in the original fragment; uncomment if required):
#/sbin/iptables -A INPUT -i $OUTERIF -p udp --dport 4500 -j ACCEPT
# Mark incoming ESP (IP protocol 50) and accept marked packets
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT
# Mark 2 is accepted as well (nothing in this fragment sets it)
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT
# Do not masquerade traffic that is about to enter an IPsec tunnel
/sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
Then expand the template and restart the firewall:
expand-template /etc/rc.d/init.d/masq
service masq restart
We also need to disable ICMP redirects.
I have the following code in an executable file called Disable_Redirects.sh, which is called from /etc/rc.d/rc.local:
#!/bin/bash
# For OpenSwan
# Disable send redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
# echo 0 > /proc/sys/net/ipv4/conf/ppp0/send_redirects
# Disable accept redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects
# echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects
This is experimental. Please provide your feedback in the forums.
ICMP redirects must be disabled on an IPsec gateway: with the NETKEY stack the kernel may send redirects for traffic it is about to put into the tunnel, telling LAN hosts to bypass the gateway, and accepting redirects lets any neighbour on the wire rewrite the gateway's own routes. To disable them at boot time on SME Server, create a custom template fragment for /etc/sysctl.conf. Execute the following commands as root (simplified):
mkdir -p /etc/e-smith/templates-custom/etc/sysctl.conf
nano -w /etc/e-smith/templates-custom/etc/sysctl.conf/net.ipv4.ip_deny_redirects
Then paste the following contents into the new custom template fragment:
# SME Server Openswan specifics
# Send redirects? No!
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Accept packets with the SRR (source routing) option? No!
net.ipv4.conf.all.accept_source_route = 0
# Accept redirects? No!
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
Now expand the newly created custom template:
expand-template /etc/sysctl.conf
and make the settings effective:
sysctl -p
Another way to disable redirects on all interfaces on the fly from the console as root is:
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done
for f in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 0 > $f; done
(These last commands work on both SME8 and SME9, but they only change the running kernel and are lost at reboot; the custom template above is the sustainable SME Server way that survives reboots, updates and upgrades.)
end of experimental section
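To confirm the redirect settings actually took, for example after an interface such as ppp0 came up later or after an update rewrote /etc/sysctl.conf, here is a small POSIX shell audit script. It is an added example for this page, not part of the smeserver-openswan or smeserver-libreswan contribs; the function names and the sample sysctl output are our own, and the sample is constructed to show one interface (eth1) left enabled. The check is deliberately conservative: it flags any non-zero value for the keys the fragment above sets, without trying to reproduce how the kernel combines the all/ and per-interface values.

```shell
#!/bin/sh
# Added example for this how-to (not part of the contrib): audit the
# ICMP-redirect and source-route sysctls, either on constructed
# "key = value" input in the form sysctl prints, or on the running kernel.
# Function names (audit_redirects, live_audit, audit_sample) are our own.

# Constructed sample: the fragment was applied to "all" and "default",
# but eth1 came up later with its own per-interface values still enabled.
SAMPLE='net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth1.send_redirects = 1
net.ipv4.conf.eth1.accept_redirects = 1
net.ipv4.conf.eth1.rp_filter = 1'

# audit_redirects: read sysctl lines on stdin and print every
# net.ipv4.conf.<if>.{send,accept,secure}_redirects / accept_source_route
# key whose value is not 0. Exit 0 when nothing is printed, 1 otherwise.
# Other keys (rp_filter in the sample) are ignored. Conservative: any
# non-zero value is reported, regardless of how the kernel combines the
# "all" and per-interface settings.
audit_redirects() {
    awk -F' *= *' '
        $1 ~ /^net\.ipv4\.conf\.[^.]+\.(send_redirects|accept_redirects|secure_redirects|accept_source_route)$/ &&
        $2 != 0 { print $1 " = " $2; bad = 1 }
        END { if (bad) exit 1 }'
}

# live_audit: the same check against the running kernel (needs sysctl).
live_audit() {
    sysctl -a 2>/dev/null | audit_redirects
}

# audit_sample: run the check on the constructed sample above.
audit_sample() {
    printf '%s\n' "$SAMPLE" | audit_redirects
}

# Usage: sh audit-redirects.sh --sample   (constructed data, prints two eth1 lines)
#        sh audit-redirects.sh --live     (running kernel; exit 1 if anything is enabled)
case "${1:-}" in
    --sample) audit_sample ;;
    --live)   live_audit ;;
esac
```

Run it with --live after `sysctl -p` and again after a reboot; a non-zero exit means at least one interface still has redirects enabled and the per-interface keys (or the on-the-fly loop above) need attention.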
IPSEC server to server configuration
Openswan/IPsec can be used to set up a secure and permanent VPN connection between an SME Server and another (local or remote) IPsec-enabled device such as a router.
Here is an example:
On the online VPS it has a 'dummy' internal network adaptor, but it works fine with this.
Here is a sample of my /etc/ipsec.conf with some added notes.
LEFT side is your server. RIGHT side is your router.
# /etc/ipsec.conf
# basic configuration
# auto=start for both ways or auto=add for incoming only
version 2.0

config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    #klipsdebug=none
    plutodebug=none
    interfaces=%defaultroute
    oe=no
    protostack=netkey
    syslog=syslog.debug
    #syslog=syslog.warning
    # Here you add the local/internal network of your server
    virtual_private=%v4:192.168.0.0/24
    # if required - probably yes
    nat_traversal=yes

# Connection settings
# Router to Server
# draytek-wan1 is your connection name
conn draytek-wan1
    type=tunnel
    authby=secret
    # n.b. auto=start for ipsec to try and make a connection, or auto=add to accept incoming
    auto=start
    ikelifetime=28800s
    keylife=3600s
    left=%defaultroute
    # This is the IP address of your internal ethernet connection on your server
    leftsourceip=192.168.98.1
    # This is your local network on your server
    leftsubnet=192.168.98.0/24
    # If required
    pfs=yes
    dpdaction=restart
    dpddelay=30
    dpdtimeout=10
    # This is the WAN IP address of your router that is connecting in
    right=1.2.3.4
    # This is the local network behind the router at the far end
    rightsubnet=192.168.0.0/24
# More incoming connections here
Passwords
It is recommended to create a very strong random pre-shared key (PSK) and keep it safe. One way of generating and storing a random strong password is explained here.
The following file holds the keys in clear text, so it must be readable by root only: set it to mode 0600 (chmod 0600 /etc/ipsec.secrets).
# /etc/ipsec.secrets
# Format is
# Incoming_IP Local_IP: PSK "Your#Strong#Password"
1.2.3.4 %any: PSK "Your#Strong#Password"
host.dnsalias.org %any: PSK "Your#Strong#Password"
1.2.3.4 192.168.98.1: PSK "Your#Strong#Password"
%any 192.168.98.1: PSK "Your#Strong#Password"
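As an added example, not part of the contrib or of the linked password guide, the following POSIX shell script generates a 256-bit random PSK, appends it to an ipsec.secrets-style file in the format shown above, and checks that the file is mode 0600 and that every PSK line is well formed and long enough. The function names, the FILE argument and the 32-character minimum are our own choices; the checker only understands PSK lines with IPv4 or %any indices (IPv6 indices contain ':' and would be reported as malformed).

```shell
#!/bin/sh
# Added example for this how-to (not part of the contrib): generate a random
# pre-shared key, write it into an ipsec.secrets-style file with mode 0600,
# and check the file before handing it to pluto. Function names are our own;
# the FILE argument lets it be tried on a scratch file before touching
# /etc/ipsec.secrets.

# gen_psk [BYTES]: print BYTES (default 32) of kernel randomness as lowercase
# hex. Hex contains neither '"' nor '#', so it sits safely inside the quotes
# ipsec.secrets expects. 32 bytes = 256 bits = 64 hex characters.
gen_psk() {
    od -An -tx1 -N "${1:-32}" /dev/urandom | tr -d ' \n'
}

# write_secrets FILE PEER LOCAL PSK: append one line of the form
#   PEER LOCAL : PSK "key"
# The file is created under umask 077 and forced to 0600 so only root can
# read the key; appending keeps lines for other peers intact.
write_secrets() {
    (umask 077; printf '%s %s : PSK "%s"\n' "$2" "$3" "$4" >> "$1") || return 1
    chmod 0600 "$1"
}

# check_secrets FILE [MINLEN]: exit 1 unless FILE exists, is exactly mode
# 0600, and every non-comment, non-blank line has the shape
#   <ids> : PSK "<key>"
# with a key of at least MINLEN characters (default 32). Problems are printed.
# PSK lines only; RSA/XAUTH lines or IPv6 ids would be reported as malformed.
check_secrets() {
    file=$1
    minlen=${2:-32}
    [ -f "$file" ] || { echo "$file: no such file"; return 1; }
    if [ -z "$(find "$file" -perm 600 -print)" ]; then
        echo "$file: not mode 0600"
        return 1
    fi
    awk -v minlen="$minlen" '
        /^[ \t]*(#|$)/ { next }
        $0 !~ /^[^:]+: *PSK *"[^"]+" *$/ {
            print "line " NR ": not of the form <ids> : PSK \"key\""; bad = 1; next
        }
        {
            key = $0
            sub(/^.*PSK *"/, "", key)
            sub(/" *$/, "", key)
            if (length(key) < minlen) {
                print "line " NR ": key only " length(key) " chars (< " minlen ")"; bad = 1
            }
        }
        END { if (bad) exit 1 }' "$file"
}

# Usage: sh psk.sh FILE PEER_IP LOCAL_IP
#   e.g. sh psk.sh /tmp/secrets.test 1.2.3.4 192.168.98.1
if [ $# -eq 3 ]; then
    key=$(gen_psk 32)
    write_secrets "$1" "$2" "$3" "$key"
    check_secrets "$1" 32 && echo "wrote PSK for $2 to $1"
fi
```

Try it against a scratch file first; once happy, point it at /etc/ipsec.secrets, copy the same key into the router, and restart the ipsec service so pluto re-reads the file.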
Verifying configuration
To verify your configuration give the following command:
ipsec verify
A reboot should get everything going.
Now set up your router.
Create a new IPSEC VPN connection with the correct credentials and it should connect up.
Check /var/log/secure for debug messages, and once you are happy, change the debug settings in ipsec.conf from debug to warning.
If you need more debugging you can set plutodebug=all
Bug report
SME8 OpenSwan IPSEC is listed in the bugtracker contribs section. Please report all bugs, new feature requests and documentation issues there.
SME9 LibreSwan IPSEC is listed in the bugtracker contribs section. Please report all bugs, new feature requests and documentation issues there.
ID | Product | Version | Status | Summary
---|---|---|---|---
12109 | SME Contribs | 10.0 | CONFIRMED | NFR reuse existing entries in manager code
11405 | SME Contribs | 10beta | RESOLVED | Initial Import in SME 10 [smeserver-libreswan]
10661 | SME Contribs | 9.2 | CONFIRMED | New file to adjust redirects in /etc/sysctl.d
9305 | SME Contribs | 9.1 | CONFIRMED | Trouble configuring kernel settings for ipsec contrib