Libreswan
Version: Koozali SME v8, Koozali SME v9
About
Openswan
Openswan is a free implementation of IPsec and IKE for Linux. IPsec (Internet Protocol Security) uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted network is encrypted by the IPsec gateway machine and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network, or VPN.
Libreswan
Libreswan is a free software implementation of the most widely supported and standardized VPN protocol, IPsec, and of the Internet Key Exchange (IKE). These standards are produced and maintained by the Internet Engineering Task Force (IETF).
Note that Libreswan is the default IPsec implementation from CentOS 6.8 onwards; the upstream migration notes are here:
https://libreswan.org/wiki/HOWTO:_openswan_to_libreswan_migration
- Credits: John Crisp
- Discuss: This How-to can be discussed on the forums here
Installation
For Koozali SME Server 10, the latest stable Libreswan can be found in the default repos.
Note that the contrib is currently in test, so to install:
yum install smeserver-extrarepositories-libreswan -y
db yum_repositories setprop libreswan status enabled Priority 10
signal-event yum-modify
yum --enablerepo=smecontribs,smetest install smeserver-libreswan
Configuration options and notes are here (check the latest branch):
For Koozali SME Server 8 you will need the ReetP repo to install Openswan:
db yum_repositories set reetp repository \
    BaseURL https://reetspetit.com/smeserver/\$releasever \
    EnableGroups no GPGCheck no \
    Name "Mirror John Crisp reetspetit.com" \
    GPGKey https://reetspetit.com/RPM-GPG-KEY \
    Visible yes status disabled
signal-event yum-modify
Note that this repository definition sets GPGCheck no, so yum will install packages from it without verifying their signatures and the GPGKey line has no effect. If the packages are signed with the listed key, set GPGCheck yes instead so that a tampered mirror or download cannot slip an unsigned package onto the server.
Note that the contrib is currently in test, so to install:
yum --enablerepo=smetest,reetp install smeserver-openswan
Configuration options and notes are here (check the latest branch):
https://github.com/reetp/smeserver-openswan
Please note that this version is no longer under development, as SME v8 is EOL at the end of March 2017.
It is possible to use Openswan on SME v9 but I do not have the time to maintain the contrib for both versions. Red Hat has switched to Libreswan as its default IPsec implementation.
For Koozali SME Server 9, the latest stable Libreswan can be found in the default repos.
Note that the contrib is currently in test, so to install:
yum --enablerepo=smetest install smeserver-libreswan
Configuration options and notes are here (check the latest branch):
https://github.com/reetp/smeserver-libreswan
To install Libreswan itself from the upstream libreswan.org repository (RHEL/CentOS 6 x86_64 builds) rather than from the SME repos:
/sbin/e-smith/db yum_repositories set libreswan repository \
    BaseURL https://download.libreswan.org/binaries/rhel/6/x86_64/ \
    EnableGroups no \
    GPGCheck yes \
    GPGKey https://download.libreswan.org/binaries/RPM-GPG-KEY-libreswan \
    Name LibreSwan \
    Visible yes \
    status disabled
signal-event yum-modify
yum --enablerepo=libreswan install libreswan
IPSEC server to server configuration
Libreswan/Openswan/IPsec can be used to set up a secure and permanent VPN connection between an SME Server and another (local or remote) IPsec-enabled device such as a router.
Note: if you want to use this with an online VPS, set the server to server/gateway mode with a 'dummy' internal network adapter.
Passwords
It is recommended to create a very strong random password and keep it safe. One way of generating and storing a strong random password is explained here.
Alternatively, see the RSA key and Certificate sections below for authentication that is much stronger than a shared password.
Setup PSK Passwords
The contrib has a lot of configurable settings but with the defaults and a few details it should just work.
General settings and some defaults are stored in the main config DB
config show ipsec
Connection specific settings are stored in a separate DB
db ipsec_connections show
Server East - WAN IP 5.6.7.8, local IP 192.168.20.1, subnet 192.168.20.0/24:
db ipsec_connections set MyEast ipsec status enabled \
    leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 \
    right 1.2.3.4 rightsubnet 10.0.0.0/24 passwd MyPassWd
Server West - WAN IP 1.2.3.4, local IP 10.0.0.1, subnet 10.0.0.0/24:
db ipsec_connections set MyWest ipsec status enabled \
    leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 \
    right 5.6.7.8 rightsubnet 192.168.20.0/24 passwd MyPassWd
Then apply the configuration on both servers:
signal-event ipsec-update
Note that on each server the left* values are its own addresses and the right* values are the peer's, so the two entries mirror each other, and the passwd must be identical on both sides.
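The two entries above have to mirror each other exactly, and the shared secret has to be strong and identical on both hosts. The following POSIX sh script is an added example, not part of the smeserver-libreswan contrib: it draws a random PSK from /dev/urandom and prints the matching "db ipsec_connections set" command for each end from a single description of the pair, refusing a pair whose two subnets are the same. The connection names, addresses and subnets are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the smeserver-libreswan contrib: generate a strong
# random PSK and emit the mirrored "db ipsec_connections set" commands for both
# ends of a site-to-site tunnel. Names, addresses and subnets are constructed.
set -eu

# Draw 48 alphanumeric characters from /dev/urandom (roughly 285 bits of
# entropy), far more than an IKE PSK needs, and free of shell-hostile characters.
gen_psk() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 48
    echo
}

# Print the db command for one end.  Arguments:
#   name  local_lan_ip  local_subnet  peer_wan_ip  peer_subnet  psk
conn_cmd() {
    printf 'db ipsec_connections set %s ipsec status enabled leftsourceip %s leftsubnet %s right %s rightsubnet %s passwd %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# Print the commands for both ends with left/right swapped so they mirror.
# Arguments:
#   east_name east_lan_ip east_subnet east_wan_ip
#   west_name west_lan_ip west_subnet west_wan_ip  psk
# Fails if both sides claim the same subnet: such a tunnel cannot be routed.
pair_cmds() {
    if [ "$3" = "$7" ]; then
        echo "pair_cmds: left and right subnets must differ ($3)" >&2
        return 1
    fi
    echo "# run on $1:"
    conn_cmd "$1" "$2" "$3" "$8" "$7" "$9"
    echo "# run on $5:"
    conn_cmd "$5" "$6" "$7" "$4" "$3" "$9"
}

# Usage with constructed addresses: run the printed commands on the matching
# host, then signal-event ipsec-update on both.
PSK=$(gen_psk)
pair_cmds MyEast 192.168.20.1 192.168.20.0/24 5.6.7.8 \
          MyWest 10.0.0.1     10.0.0.0/24     1.2.3.4 "$PSK"
```

The shared secret is the whole security of a PSK tunnel, and it ends up in clear text in the ipsec_connections db and in the shell history on both hosts. Move it between the servers over a channel that is already authenticated (ssh, not email or chat), clear it from your history afterwards, and rotate it if either host is ever compromised.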
Setup RSA Keys
For better security it is recommended to use RSA keys.
There are notes on github as this can be quite lengthy:
https://github.com/reetp/smeserver-libreswan/blob/master/IpsecSettings.txt
A basic ipsec_connections entry should look like this (note it will need a matching setup at the other end, with the left and right values swapped):
MyEast=ipsec
    leftsourceip=192.168.20.1
    leftsubnet=192.168.20.0/24
    right=1.2.3.4
    rightsubnet=10.0.0.0/24
    security=rsasig
    leftid=East
    rightid=West
    leftrsasig=SomeLongPassFromEast
    rightrsasig=SomeLongPasswordFromWest
    status=enabled
The leftrsasig and rightrsasig values are the two hosts' RSA public keys (the 0s... strings printed by ipsec showhostkey --left and --right on each host), not passphrases, so they can be exchanged openly; the private half stays in each host's NSS database and is what needs protecting.
Setup Certificates
You can now use a CA and PKCS#12 certificates.
There are notes on github as this can be quite lengthy
https://github.com/reetp/smeserver-libreswan/blob/master/ipsec-certificate-notes.txt
First set up the certificate store:
ipsec checknss
Import the certificate (a PKCS#12 bundle containing the host certificate, its private key and the CA chain):
ipsec import mycertificate.p12
Check the store:
certutil -L -d sql:/etc/ipsec.d
A basic ipsec_connections entry should look like this, where leftcert and rightcert are the certificate nicknames as shown by certutil -L:
MyEast=ipsec
    leftcert=LocalServer
    leftsourceip=192.168.1.1
    leftsubnet=192.168.1.0/24
    right=5.6.7.8
    rightcert=RemoteServer
    rightsubnet=192.168.100.0/24
    security=certs
    status=enabled
DB Keys
There are a lot of keys involved in ipsec.
Where possible just use the minimum that you require, depending on whether you want PSK password, RSA signature or certificate security.
There are notes on github as this can be quite lengthy
https://github.com/reetp/smeserver-libreswan/blob/master/IpsecSettings.txt
Here are the currently available settings and options:
IPsec settings
These settings are generic and can be overwritten on a per connection basis:
config show ipsec
Only set with: config setprop ipsec $property $value (equivalent to db configuration setprop ipsec $property $value)
Setting status enabled/disabled will modify access to private/public.
status: Default disabled | enabled
access: Default private | public
UDPPorts: Default 500,4500 | Variable
auto: Default start | add (do not use ondemand or ignore)
debug: none | all raw crypt parsing emitting control controlmore lifecycle dns dpd klips pfkey natt oppo oppoinfo whackwatch private
(all generates a LARGE amount of logging, so use with care)
General Settings
Overall default settings - these can be in the main config db or set per connection in db ipsec_connections:
security: Default secret | rsasig | certs
ikelifetime: Default 3600s | Variable
salifetime: Default 28800s | Variable
dpdaction: Default restart | Variable
dpddelay: Default 30 | Variable
dpdtimeout: Default 10 | Variable
pfs: Default yes | Variable
ike: Default aes-sha1 | Variable - see the ipsec.conf readme file for more options - sample: aes256-sha2;dh14 or aes256-sha2;modp2048 (where both ends support it, prefer the sample over the aes-sha1 default)
ipsecversion: Default permit | Whether to allow ikev2 - also: insist/propose/yes/never/no
Per connection settings
Manual keys
db ipsec_connections show
db ipsec_connections setprop ConnectionName $property $value
iptype: Default Empty | stattodyn or dyntostat - are we a static host to a dynamic client or vice versa? Only required for dynamic clients with static hosts
connectiontype: Default tunnel | transport/passthrough/drop/reject
leftrsasig: Default Empty | Your local RSA signature key
rightrsasig: Default Empty | Your remote RSA signature key
ipsecversion: Default permit | Whether to allow ikev2 - also: insist/propose/yes/never/no
ike: Default aes-sha1 | Variable - sample: aes256-sha2;dh14 or aes256-sha2;modp2048
phase2: Default aes-sha1 | Variable - sample: aes256-sha2;dh14 or aes256-sha2;modp2048
mtu: Default Empty | Variable
left: Default Empty | If empty then %defaultroute is set. Can be the local WAN IP
leftid: Default Empty | Variable
leftsourceip: Default Empty | This server's local IP
leftsubnet: Default Empty | This server's local subnet
right: Default Empty | Destination WAN IP
rightid: Default Empty | Variable
rightsubnet: Default Empty | Destination subnet
passwd: Default Empty | Variable
keyingtries: Default Empty | 0 is default - 'forever'
leftcert: Default Empty | LeftCertName
rightcert: Default Empty | RightCertName
For certificates, do not set (or leave empty) the following:
leftrsasig: Default Empty - system generates %cert
rightrsasig: Default Empty - system generates %cert
leftid: Default Empty - system generates %fromcert
rightid: Default Empty - system generates %fromcert
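The mode-specific rules above (passwd for secret, both RSA keys for rsasig, both cert names and none of the generated fields for certs) are easy to get wrong by hand. The following POSIX sh lint is an added example, not part of the contrib: it takes one connection in the "Name=ipsec key=value ..." form that db ipsec_connections show prints, flattened onto a line, and checks it against those rules. It assumes rsasig keys are in the 0s... public-key form that ipsec showhostkey prints and that an unset security key means secret; the records it is run on are constructed.

```shell
#!/bin/sh
# Added example, not part of the smeserver-libreswan contrib: check one
# ipsec_connections record against the key rules for its security mode.
# A record is "Name=ipsec key=value key=value ..." on one line, as printed by
# "db ipsec_connections show" once the indented lines are joined.
set -eu

# prop RECORD KEY -> prints KEY's value, or nothing if unset.
prop() {
    for kv in $1; do
        case "$kv" in
            "$2="*) printf '%s\n' "${kv#*=}"; return 0 ;;
        esac
    done
    return 0
}

# require RECORD KEY... -> fails if any KEY is unset.
require() {
    r=$1; shift
    for k in "$@"; do
        [ -n "$(prop "$r" "$k")" ] || { echo "lint: $k must be set" >&2; return 1; }
    done
}

# forbid RECORD KEY... -> fails if any KEY is set (the contrib generates them).
forbid() {
    r=$1; shift
    for k in "$@"; do
        [ -z "$(prop "$r" "$k")" ] || { echo "lint: leave $k empty, the contrib generates it" >&2; return 1; }
    done
}

# lint_conn RECORD -> 0 if the record is consistent with its security mode.
lint_conn() {
    rec=$1
    require "$rec" leftsourceip leftsubnet right rightsubnet || return 1
    sec=$(prop "$rec" security)
    [ -n "$sec" ] || sec=secret        # assumed contrib default
    case "$sec" in
        secret)
            require "$rec" passwd || return 1 ;;
        rsasig)
            require "$rec" leftrsasig rightrsasig || return 1
            for k in leftrsasig rightrsasig; do
                case "$(prop "$rec" "$k")" in
                    0s*) ;;   # base64 public key as printed by "ipsec showhostkey"
                    *) echo "lint: $k is not a 0s... RSA public key" >&2; return 1 ;;
                esac
            done ;;
        certs)
            require "$rec" leftcert rightcert || return 1
            forbid "$rec" leftrsasig rightrsasig leftid rightid || return 1 ;;
        *)
            echo "lint: unknown security mode '$sec'" >&2; return 1 ;;
    esac
}

# Usage on a constructed certificate-mode record:
lint_conn 'MyEast=ipsec leftcert=LocalServer leftsourceip=192.168.1.1 leftsubnet=192.168.1.0/24 right=5.6.7.8 rightcert=RemoteServer rightsubnet=192.168.100.0/24 security=certs status=enabled' \
    && echo "record OK"
```

Run it before signal-event ipsec-update; a record that fails here would otherwise produce a connection that never negotiates, and the reason only shows up later in pluto.log.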
Logs and Debug
The following will give you connection details:
ipsec whack --status
You should see 'IPsec SA established' for the connection if the tunnel came up.
The following checks your configuration (there may be some warnings; severity depends on what they are):
ipsec verify
If you modify a connection use:
signal-event ipsec-update
For a restart of ipsec use:
service ipsec restart
You may find masq needs a restart sometimes:
/etc/init.d/masq restart
Check /var/log/iptables/current to see if packets are getting blocked.
For ipsec itself the place to look is /var/log/pluto/pluto.log
If you need more debugging you can set plutodebug to all via the debug key described under IPsec settings above (config setprop ipsec debug all, then signal-event ipsec-update). Turn it off again when done: it logs a great deal, and the private option writes secret material to the log.
Bug report
SME8 OpenSwan IPSEC is listed in the bugtracker contribs section. Please report all bugs, new feature requests and documentation issues there.
SME9 LibreSwan IPSEC is listed in the bugtracker contribs section. Please report all bugs, new feature requests and documentation issues there.
ID | Product | Version | Status | Summary
---|---|---|---|---
12109 | SME Contribs | 10.0 | CONFIRMED | NFR reuse existing entries in manager code
11405 | SME Contribs | 10beta | RESOLVED | Initial Import in SME 10 [smeserver-libreswan]
10661 | SME Contribs | 9.2 | CONFIRMED | New file to adjust redirects in /etc/sysctl.d
9305 | SME Contribs | 9.1 | CONFIRMED | Trouble configuring kernel settings for ipsec contrib