Changes

Jump to navigation Jump to search
468 bytes removed ,  15:13, 22 June 2016
Line 66: Line 66:  
Here is an example:
 
Here is an example:
    +
Note - if you want to use with an online VPS set the server to server/gateway with a 'dummy' internal network adaptor.
   −
On the online VPS it has a 'dummy' internal network adaptor but works fine with this.
     −
Here is a sample of my /etc/ipsec.conf with some added notes.
+
===Passwords===
 +
It is recommended to create a very strong random password and keep this safe. One way of generating and store a random strong password is explained [http://wiki.contribs.org/Useful_Commands#Generating_strong_random_password '''here''']
   −
LEFT side is your server. RIGHT side is your router.
+
===Setting===
   −
# /etc/ipsec.conf
+
The contrib has a lot of configurable settings but with the defaults and few details it should just work
# basic configuration
  −
#auto = 'start' for both ways or 'add' for incoming only
     −
version 2.0
+
config setprop ipsec status enabled access public
config setup
     −
# Debug-logging controls:  "none" for (almost) none, "all" for lots.
+
Note for ipsec_connections we use 'set' when we create new connection. Thereafter you can modify it with setprop
#klipsdebug=none
  −
plutodebug=none
  −
interfaces=%defaultroute
  −
oe=no
  −
protostack=netkey
  −
syslog=syslog.debug
  −
# syslog=syslog.warning
  −
virtual_private=%v4:192.168.0.0/24,  # Here you add the local/internal network of your server
  −
nat_traversal=yes  # if required - probably yes
  −
# Connection settings
  −
# Router to Server
  −
conn draytek-wan1 # Your connection name
  −
type=tunnel
  −
authby=secret
  −
auto=start  # n.b. "auto = start" for ipsec to try and make a connection or "auto = add" to accept incoming
  −
ikelifetime=28800s
  −
keylife=3600s
  −
left=%defaultroute
  −
leftsourceip=192.168.98.1  # This is the IP address of your internal ethernet connection on your server
  −
leftsubnet=192.168.98.0/24 # This is your local network on your server
  −
pfs=yes  # If require
  −
dpdaction=restart
  −
dpddelay=30
  −
dpdtimeout=10
  −
right=1.2.3.4  # This is the WAN IP address of your router that is connecting in
  −
rightsubnet=192.168.0.0/24 # This is the local network behind the router at the far end
  −
# More incoming connections here
     −
===Passwords===
+
Local - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24
It is recommended to create a very strong random password and keep this safe. One way of generating and store a random strong password is explained [http://wiki.contribs.org/Useful_Commands#Generating_strong_random_password '''here''']
+
db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 passwd MyPassWd
 +
 
 +
Remote - WAN IP 1.2.3.4 Local IP 10.0.0.1 Subnet 10.0.0.0/24
 +
db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 passwd MyPassWd
 +
 
 +
signal-event ipsec-update
 +
 
 +
Check /var/log/pluto/pluto.log
 +
ipsec whack --status
 +
ipsec verify (may be some warnings - severity depends on what they are)
 +
 
 +
For the better security it is recommended to use RSA keys. There is more on this on the github page https://github.com/reetp/smeserver-libreswan/blob/master/IpsecSettings.txt
 +
 
 +
If you modify a connection use
   −
The following file needs to be looked after and should be set chmod 0600
+
signal-event ipsec-update
   −
# /etc/ipsec.secrets
+
For a restart of ipsec use
# Format is
  −
# Incoming_IP Local_IP: PSK "Your#Strong#Password"
  −
1.2.3.4 %any: PSK "Your#Strong#Password"
  −
host.dnsalias.org %any: PSK "Your#Strong#Password"
  −
1.2.3.4 192.168.98.1: PSK "Your#Strong#Password"
  −
%any 192.168.98.1: PSK "Your#Strong#Password"
      +
service ipsec restart
    
==Verifying configuration==
 
==Verifying configuration==

Navigation menu