Libreswan

From SME Server
Revision as of 03:14, 15 September 2014 by Trex (talk | contribs)
Jump to navigationJump to search

IPSec OpenSwan VPN to connect Servers HOWTO

Author/Contribitor: John Crisp

Revised: 15th Sept 2014

Summary: The purpose of this howto is to guide you through the procedure to connect servers using OpenSwan VPN to connect via IPSEC.

I actually use it so my Draytek routers can connect to my online Koozali SME VPS machine

This works on Koozali SME v8 and v9 with the unit in server-gateway mode.

On the online VPS it has a 'dummy' internal network adaptor but works fine with this.

Setup

SME Server 9.0

yum install openswan

===SME Server 8.1 On v8 you need to find the following package, or newer :

openswan-2.6.38-1.x86_64.rpm

You can grab a copy here :

http://www.reetspetit.com/smeserver/5/repoview/index.html

I can't remember if I built that myself or got it somewhere as it seems quite elusive. If I can find the source I will build a src rpm.

Then

yum localinstall openswan-2.6.38-1.x86_64.rpm

You will need a link in etc/rc.d/rc7.d so the service starts :

S99ipsec -> /etc/rc.d/init.d/e-smith-service


Alternatively to do it the Koozali SME way :

Create db entry:

db configuration set ipsec service status enabled

db configuration show ipsec

   ipsec=service
   status=enabled
   

ln -s /etc/rc.d/init.d/e-smith-service /etc/rc.d/rc7.d/S99ipsec

You can now enable and disble the service accordingly.


Firewall

We need a new template fragment to allow ipsec through the firewall

touch /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/15AllowIPsec

Add the following code :

  1. IPsec ports

/sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT /sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1 /sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT /sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT /sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT /sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT

expand-template /etc/rc.d/init.d/masq

service masq restart

We also need to disable redirects.

I have the following code in a file called Disable_Redirects.sh and a link to it in /etc/rc.d/rc.local

  1. !/bin/bash
  2. For OpenSwan
  3. Disable send redirects

echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects

  1. echo 0 > /proc/sys/net/ipv4/conf/ppp0/send_redirects
  1. Disable accept redirects

echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects

  1. echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects


OpenSwan Configuration

Here is a sample of my /etc/ipsec.conf with some added notes.

LEFT side is your server. RIGHT side is your router.

  1. /etc/ipsec.conf
  2. basic configuration
  1. auto = 'start' for both ways or 'add' for incoming only

version 2.0

config setup

  1. Debug-logging controls: "none" for (almost) none, "all" for lots.
  2. klipsdebug=none

plutodebug=none interfaces=%defaultroute oe=no protostack=netkey syslog=syslog.debug

  1. syslog=syslog.warning

virtual_private=%v4:192.168.0.0/24, # Here you add the local/internal network of your server nat_traversal=yes # if required - probably yes

  1. Connection settings
  1. Router to Server

conn draytek-wan1 # Your connection name type=tunnel authby=secret auto=start # n.b. "auto = start" for ipsec to try and make a connection or "auto = add" to accept incoming ikelifetime=28800s keylife=3600s left=%defaultroute leftsourceip=192.168.98.1 # This is the IP address of your internal ethernet connection on your server leftsubnet=192.168.98.0/24 # This is your local network on your server pfs=yes # If require dpdaction=restart dpddelay=30 dpdtimeout=10 right=1.2.3.4 # This is the WAN IP address of your router that is connecting in rightsubnet=192.168.0.0/24 # This is the local network behind the router at the far end

  1. More incoming connections here.....


Passwords

The following file needs to be looked after and should be set chmod 0600

  1. /etc/ipsec.secrets
  2. Format is
  3. Incoming_IP Local_IP: PSK "Your#Strong#Password"

1.2.3.4 %any: PSK "Your#Strong#Password" host.dnsalias.org %any: PSK "Your#Strong#Password" 1.2.3.4 192.168.98.1: PSK "Your#Strong#Password" %any 192.168.98.1: PSK "Your#Strong#Password"

A reboot should get everythign going.

Now set up your router. Create a new IPSEC VPN connection with the correct credentials and it shoudl connect up.

Check /var/log/secure for debug messages, and once you are happy, change the debug settings in ipsec.conf from debug to warning. If you need more debugging you can set plutodebug = all