10:59, 16 April 2007
'''IPSec Network-to-Network VPN SME Server 7.1 HOWTO'''
Author(s): Lloyd Keen, David Biczo
Revised: 7th March 2007
Summary: The purpose of this howto is to guide you through the procedure to connect two private subnets, each behind a server running SME Server version 7.1 in server/gateway mode, via an encrypted tunnel using IPsec (sometimes referred to as NETKEY or kernel IPsec). Both servers have static IPs on the external interface, using either PPPoE or bridged Ethernet. NETKEY under Linux 2.6 works a bit differently from IPsec under Linux 2.4, the most obvious difference being that there is no visible ipsecX device as such: the tunnel exists only as security policies and security associations in the kernel, and "ipsec0" is just the name of the configuration file. This document serves as a guide only; it worked for us, but YMMV. As usual, "all care but no responsibility taken". Comments and suggestions are welcome. If you don't feel comfortable following the procedure described below, I have written a script which will prompt you for the required settings and automate the process for you. This script is written for my personal use; if you can get any benefit from it, great, but if it doesn't work then you're on your own. You can download the script from here: [http://www.comnetel.com/sme7_ipsec/ipsec_install.sh]
== SECTION A: ==
Procedure '''smeserverA''':
#mcedit /etc/sysconfig/network-scripts/ifcfg-ipsec0
and enter the following information:
TYPE=IPSEC
ONBOOT=no
IKE_METHOD=PSK
SRCNET=192.168.aa.0/24 (smeserverA’s LAN address)
DSTNET=192.168.bb.0/24 (smeserverB’s LAN address)
SRCGW=xxx.xxx.xxx.xxx (smeserverA’s Gateway address)
DST=xxx.xxx.xxx.xxx (replace xxx’s with smeserverB’s external static IP)
Now add the pre-shared key to /etc/sysconfig/network-scripts/keys-ipsec0. This key is the only thing that authenticates the two servers to each other, so use a long random string rather than a word, use the identical value on both servers, and make sure the file is readable by root only.
#mcedit /etc/sysconfig/network-scripts/keys-ipsec0
and add the following line:
IKE_PSK=my_shared_secret
Procedure '''smeserverB''':
#mcedit /etc/sysconfig/network-scripts/ifcfg-ipsec0
and enter the following information:
TYPE=IPSEC
ONBOOT=no
IKE_METHOD=PSK
SRCNET=192.168.bb.0/24 (smeserverB’s LAN address)
DSTNET=192.168.aa.0/24 (smeserverA’s LAN address)
SRCGW=xxx.xxx.xxx.xxx (smeserverB’s Gateway address)
DST=xxx.xxx.xxx.xxx (replace xxx’s with smeserverA’s external static IP)
Then add the same pre-shared key to /etc/sysconfig/network-scripts/keys-ipsec0
#mcedit /etc/sysconfig/network-scripts/keys-ipsec0
and add the following line:
IKE_PSK=my_shared_secret
NOTE: If you have a PPPoE connection you don't want the interface to come up at boot time (ONBOOT=no), because IPsec has to come up AFTER the ppp interface has been assigned its address. You can address this by modifying the /etc/ppp/ip-up.local and /etc/ppp/ip-down.local scripts as described later in this document. If you have a bridged Ethernet connection you can set this option to ONBOOT=yes.
Now open the server-manager on both servers and add the remote subnet to the "Local Networks" panel, so that each server treats the LAN on the far side of the tunnel as a local network.
For example, on smeserverA you would enter the following values:
*Network Address: 192.168.bb.1
*Subnet Mask: 255.255.255.0
*Router: 192.168.aa.1
And on smeserverB you would enter the following:
*Network Address: 192.168.aa.1
*Subnet Mask: 255.255.255.0
*Router: 192.168.bb.1
== SECTION B: ==
This section contains information on modifying the firewall and installing modified scripts to fix routing issues.
#mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
#cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
#mcedit 15AllowIPsec
and add the following. The first rule lets IKE (UDP port 500) in on the external interface; the mangle rules mark incoming ESP (protocol 50) and AH (protocol 51) packets so that they are accepted both for the server itself (INPUT) and for the far LAN (FORWARD). As written the rules accept these protocols from any source address; adding -s with the other server's external IP to the UDP and mangle rules limits the exposed IKE daemon and the marking to the one peer you actually talk to.
/sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 51 -j MARK --set-mark 2
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT
Make sure to leave a blank line at the top of the file and a newline at the end of the last line (SME template fragments are concatenated, and a missing one would run your last rule into the next fragment), then do:
#/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
#/etc/init.d/masq restart
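The same fragment limited to the one peer, as an added example that is not from the original howto. It writes 15AllowIPsec with -s set to the remote server's external IP on the IKE and ESP/AH match rules, keeps the blank first line and trailing newline the template needs, and includes a check that flags any rule in an existing fragment that matches port 500 or protocol 50/51 without a source address. Source filtering reduces exposure (only the peer can reach racoon on UDP 500); it is not authentication, since a source address can be forged, and it is the integrity check on the SA that rejects forged ESP packets. The file path, peer address and function names are the example's own.

```shell
#!/bin/sh
# Added example: writes the 15AllowIPsec masq fragment restricted to the peer's
# external address and audits a fragment for unrestricted IKE/ESP/AH rules.

# write_fragment FILE PEER_IP
# FILE stands in for /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/15AllowIPsec.
# $OUTERIF is left unexpanded on purpose: the masq script defines it at run time.
write_fragment() {
    file=$1 peer=$2
    echo "$peer" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    {
        echo ""   # fragment convention: blank first line
        echo "# IPsec from $peer only: IKE (UDP 500), ESP (50) and AH (51)"
        echo "/sbin/iptables -A INPUT -i \$OUTERIF -s $peer -p udp --sport 500 --dport 500 -j ACCEPT"
        for proto_mark in "50 1" "51 2"; do
            set -- $proto_mark   # $1 = IP protocol number, $2 = mark value
            echo "/sbin/iptables -t mangle -A PREROUTING -i \$OUTERIF -s $peer -p $1 -j MARK --set-mark $2"
            echo "/sbin/iptables -A INPUT -i \$OUTERIF -m mark --mark $2 -j ACCEPT"
            echo "/sbin/iptables -A FORWARD -i \$OUTERIF -m mark --mark $2 -j ACCEPT"
        done
    } > "$file"
}

# unrestricted_rules FILE: prints every rule matching port 500 or protocol
# 50/51 that carries no -s restriction. Returns 0 if the fragment is clean,
# 1 if at least one such rule exists.
unrestricted_rules() {
    grep -E -- '(--dport 500|-p 5[01] )' "$1" | grep -v -- ' -s ' | grep . && return 1
    return 0
}

# fragment_ok FILE: non-empty, blank first line, and a newline after the last rule.
fragment_ok() {
    [ -s "$1" ] || return 1
    [ -z "$(sed -n 1p "$1")" ] || return 1
    [ -z "$(tail -c 1 "$1")" ]
}
```

After writing the fragment, expand the masq template and restart masq exactly as above; running unrestricted_rules against the fragment afterwards is a quick way to confirm nothing in it still accepts IKE or ESP from the whole Internet.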
There appears to be a bug in the way ifup-ipsec and ifdown-ipsec set up the routing, so you will need to install modified versions of these scripts from here [http://www.comnetel.com/sme7_ipsec]. For more information about this bug see [https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146169]. There is some minor code duplication in the scripts, but it works. Any changes made in the scripts are documented where applicable. Because these scripts run as root every time the tunnel interface comes up and are fetched over plain HTTP, compare each downloaded copy against the original you keep as ifup-ipsec.old and ifdown-ipsec.old (diff them) and read the changes before putting them in place. If you have any comments or suggestions we'd be glad to hear them.
#cd /etc/sysconfig/network-scripts
#mv ifup-ipsec ifup-ipsec.old
#mv ifdown-ipsec ifdown-ipsec.old
#wget http://www.comnetel.com/sme7_ipsec/ifup-ipsec
#wget http://www.comnetel.com/sme7_ipsec/ifdown-ipsec
If you have a bridged Ethernet connection you can skip Section C and either reboot or bring up the tunnel with the following command:
#/sbin/ifup ipsec0
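How to confirm the tunnel is really up after ifup (whether started here or from the PPPoE hook in Section C), as an added example that is not part of the original page. ifup-ipsec hands the IKE negotiation to racoon and installs the policies with setkey, so the kernel's security associations are the ground truth: setkey -D lists them and setkey -DP lists the policies. The script parses saved setkey -D output and reports the tunnel up only if an ESP tunnel SA in state mature exists in both directions; check_live runs that test against the kernel and then pings a host on the remote LAN, which also exercises the policies and the routing the modified scripts fix. SAMPLE is constructed for the example, and 203.0.113.1 and 198.51.100.1 stand in for the two external IPs.

```shell
#!/bin/sh
# Added example: verifies the tunnel from "setkey -D" output rather than from
# the exit status of ifup, which says nothing about whether IKE succeeded.

# Constructed sample of setkey -D output: one ESP tunnel SA per direction.
# Each SA starts with a "src dst" line; the indented lines belong to it.
SAMPLE='203.0.113.1 198.51.100.1
    esp mode=tunnel spi=3405643985(0xcafebabe) reqid=0(0x00000000)
    E: 3des-cbc  00112233 44556677 8899aabb ccddeeff 00112233 44556677
    A: hmac-sha1  00112233 44556677 8899aabb ccddeeff 00112233
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 203.0.113.1
    esp mode=tunnel spi=3735928559(0xdeadbeef) reqid=0(0x00000000)
    E: 3des-cbc  ffeeddcc bbaa9988 77665544 33221100 ffeeddcc bbaa9988
    A: hmac-sha1  ffeeddcc bbaa9988 77665544 33221100 ffeeddcc
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
'

# sa_state FILE SRC DST: prints the state (larval, mature, dying, dead) of the
# ESP tunnel SA from SRC to DST, or nothing if there is no such SA.
sa_state() {
    awk -v src="$2" -v dst="$3" '
        /^[0-9]/ { cur = ($1 == src && $2 == dst); esp = 0; next }
        cur && /^[ \t]*esp mode=tunnel/ { esp = 1; next }
        cur && esp && match($0, /state=[a-z]+/) {
            print substr($0, RSTART + 6, RLENGTH - 6); exit
        }
    ' "$1"
}

# tunnel_up FILE LOCAL PEER: success only with a mature ESP SA in both directions.
# A one-way or larval SA means IKE phase 2 has not completed.
tunnel_up() {
    [ "$(sa_state "$1" "$2" "$3")" = mature ] || return 1
    [ "$(sa_state "$1" "$3" "$2")" = mature ] || return 1
}

# check_live LOCAL PEER REMOTE_LAN_HOST: the same test against the running kernel
# (needs root), followed by a ping across the tunnel.
check_live() {
    setkey -D > "/tmp/sad.$$" || return 1
    tunnel_up "/tmp/sad.$$" "$1" "$2"; rc=$?
    rm -f "/tmp/sad.$$"
    [ $rc -eq 0 ] || { echo "no mature ESP SA both ways; check racoon in /var/log/messages" >&2; return 1; }
    ping -c 3 "$3" > /dev/null 2>&1 || { echo "SA present but $3 unreachable: check setkey -DP and the routes" >&2; return 1; }
    echo "tunnel to $2 is up"
}
```

A mature SA each way with the ping still failing points at the policies or routing (the problem the modified ifup-ipsec addresses) rather than at IKE; no SA at all, or one stuck in larval, points at the pre-shared key, the firewall on UDP 500, or a mismatch between the two ifcfg-ipsec0 files.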
== SECTION C: ==
Only complete this section if you have a PPPoE connection on the external interface. As mentioned earlier, the tunnel cannot come up at boot before the ppp interface has its address, so we hook it into the ip-up and ip-down scripts that pppd runs instead.
Modify /etc/ppp/ip-up.local
#mkdir -p /etc/e-smith/templates-custom/etc/ppp/ip-up.local
#cd /etc/e-smith/templates-custom/etc/ppp/ip-up.local
#mcedit 40ipup15ipsec
and add the following code to the file:
<nowiki># pppd passes its ipparam value as the sixth argument to ip-up; set it here
# as the ip-down fragment does, in case no earlier fragment has.
IPPARAM=$6
case $IPPARAM in
    pppoe)
        # The ppp interface now has its address: restart the tunnel on it.
        /sbin/ifdown ipsec0
        sleep 5
        /sbin/ifup ipsec0
        ;;
    *)
        ;;
esac</nowiki>
Then expand the template
#expand-template /etc/ppp/ip-up.local
Modify /etc/ppp/ip-down.local
#mkdir -p /etc/e-smith/templates-custom/etc/ppp/ip-down.local
#cd /etc/e-smith/templates-custom/etc/ppp/ip-down.local
#mcedit 40ipdown15ipsec
and add the following code into this file:
<nowiki># pppd passes its ipparam value as the sixth argument to ip-down.
IPPARAM=$6
case $IPPARAM in
    pppoe)
        # Tear the tunnel down with the link so stale SAs and routes are not left behind.
        /sbin/ifdown ipsec0
        ;;
    *)
        ;;
esac</nowiki>
Then expand the template
#expand-template /etc/ppp/ip-down.local
Reboot or bring up the tunnel with the following command:
#/sbin/ifup ipsec0
Regards, Lloyd