1,574
edits
Changes
Jump to navigation
Jump to search
Line 8:
Line 8: − + − − Line 18:
Line 16: − + − + − − − + − + − − + − − − − + − + − − + − − − + − + − + − + − + − + − + − + − + − − − expand-template /etc/rc.d/init.d/masq − + + − − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − − − − − + − + − + − − − # Debug-logging controls: "none" for (almost) none, "all" for lots. − #klipsdebug=none − plutodebug=none − interfaces=%defaultroute − oe=no − protostack=netkey − syslog=syslog.debug − # syslog=syslog.warning − virtual_private=%v4:192.168.0.0/24, # Here you add the local/internal network of your server − nat_traversal=yes # if required - probably yes − − # Connection settings − − # Router to Server − conn draytek-wan1 # Your connection name − type=tunnel − authby=secret − auto=start # n.b. "auto = start" for ipsec to try and make a connection or "auto = add" to accept incoming − ikelifetime=28800s − keylife=3600s − left=%defaultroute − leftsourceip=192.168.98.1 # This is the IP address of your internal ethernet connection on your server − leftsubnet=192.168.98.0/24 # This is your local network on your server − pfs=yes # If require − dpdaction=restart − dpddelay=30 − dpdtimeout=10 − right=1.2.3.4 # This is the WAN IP address of your router that is connecting in − rightsubnet=192.168.0.0/24 # This is the local network behind the router at the far end − − # More incoming connections here..... + + + + + + + + + + + + + + + + + + + + + + + + + + + + − − + − + − + − + − + − + − + − Line 164:
Line 139: + − −
no edit summary
Summary: The purpose of this howto is to guide you through the procedure to connect servers using OpenSwan VPN to connect via IPSEC.
Summary: The purpose of this howto is to guide you through the procedure to connect servers using OpenSwan VPN to connect via IPSEC.
I actually use it so my Draytek routers can connect to my online Koozali SME VPS machine
I actually use it so my Draytek routers can connect to my online Koozali SME VPS machine. This works on Koozali SME v8 and v9 with the unit in server-gateway mode.
This works on Koozali SME v8 and v9 with the unit in server-gateway mode.
On the online VPS it has a 'dummy' internal network adaptor but works fine with this.
On the online VPS it has a 'dummy' internal network adaptor but works fine with this.
yum install openswan
yum install openswan
===SME Server 8.1
===SME Server 8.1===
On v8 you need to find the following package, or newer :
On v8 you need to find the following package, or newer :
openswan-2.6.38-1.x86_64.rpm
openswan-2.6.38-1.x86_64.rpm
You can grab a copy here :
You can grab a copy here : http://www.reetspetit.com/smeserver/5/repoview/index.html
http://www.reetspetit.com/smeserver/5/repoview/index.html
I can't remember if I built that myself or got it somewhere as it seems quite elusive. If I can find the source I will build a src rpm.
I can't remember if I built that myself or got it somewhere as it seems quite elusive. If I can find the source I will build a src rpm.
Then
Then":
yum localinstall openswan-2.6.38-1.x86_64.rpm
yum localinstall openswan-2.6.38-1.x86_64.rpm
You will need a link in etc/rc.d/rc7.d so the service starts :
You will need a link in etc/rc.d/rc7.d so the service starts :
S99ipsec -> /etc/rc.d/init.d/e-smith-service
S99ipsec -> /etc/rc.d/init.d/e-smith-service
Alternatively to do it the Koozali SME way :
Alternatively to do it the Koozali SME way :
Create db entry:
Create db entry:
db configuration set ipsec service status enabled
db configuration set ipsec service status enabled
db configuration show ipsec
db configuration show ipsec
ipsec=service
ipsec=service
status=enabled
status=enabled
ln -s /etc/rc.d/init.d/e-smith-service /etc/rc.d/rc7.d/S99ipsec
ln -s /etc/rc.d/init.d/e-smith-service /etc/rc.d/rc7.d/S99ipsec
You can now enable and disble the service accordingly.
You can now enable and disble the service accordingly.
===Firewall===
===Firewall===
We need a new template fragment to allow ipsec through the firewall
We need a new template fragment to allow ipsec through the firewall
touch /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/15AllowIPsec
touch /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/15AllowIPsec
Add the following code :
Add the following code :
# IPsec ports
# IPsec ports
/sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT
/sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT
/sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
/sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
service masq restart
expand-template /etc/rc.d/init.d/masq
service masq restart
We also need to disable redirects.
We also need to disable redirects.
I have the following code in a file called Disable_Redirects.sh and a link to it in /etc/rc.d/rc.local
I have the following code in a file called Disable_Redirects.sh and a link to it in /etc/rc.d/rc.local
#!/bin/bash
#!/bin/bash
# For OpenSwan
# For OpenSwan
# Disable send redirects
# Disable send redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
# echo 0 > /proc/sys/net/ipv4/conf/ppp0/send_redirects
# echo 0 > /proc/sys/net/ipv4/conf/ppp0/send_redirects
# Disable accept redirects
# Disable accept redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects
# echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects
# echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects
===OpenSwan Configuration===
===OpenSwan Configuration===
Here is a sample of my /etc/ipsec.conf with some added notes.
Here is a sample of my /etc/ipsec.conf with some added notes.
LEFT side is your server. RIGHT side is your router.
LEFT side is your server. RIGHT side is your router.
# /etc/ipsec.conf
# /etc/ipsec.conf
# basic configuration
# basic configuration
#auto = 'start' for both ways or 'add' for incoming only
#auto = 'start' for both ways or 'add' for incoming only
version 2.0
version 2.0
config setup
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
#klipsdebug=none
plutodebug=none
interfaces=%defaultroute
oe=no
protostack=netkey
syslog=syslog.debug
# syslog=syslog.warning
virtual_private=%v4:192.168.0.0/24, # Here you add the local/internal network of your server
nat_traversal=yes # if required - probably yes
# Connection settings
# Router to Server
conn draytek-wan1 # Your connection name
type=tunnel
authby=secret
auto=start # n.b. "auto = start" for ipsec to try and make a connection or "auto = add" to accept incoming
ikelifetime=28800s
keylife=3600s
left=%defaultroute
leftsourceip=192.168.98.1 # This is the IP address of your internal ethernet connection on your server
leftsubnet=192.168.98.0/24 # This is your local network on your server
pfs=yes # If require
dpdaction=restart
dpddelay=30
dpdtimeout=10
right=1.2.3.4 # This is the WAN IP address of your router that is connecting in
rightsubnet=192.168.0.0/24 # This is the local network behind the router at the far end
# More incoming connections here
===Passwords===
===Passwords===
The following file needs to be looked after and should be set chmod 0600
The following file needs to be looked after and should be set chmod 0600
# /etc/ipsec.secrets
# /etc/ipsec.secrets
# Format is
# Format is
# Incoming_IP Local_IP: PSK "Your#Strong#Password"
# Incoming_IP Local_IP: PSK "Your#Strong#Password"
1.2.3.4 %any: PSK "Your#Strong#Password"
1.2.3.4 %any: PSK "Your#Strong#Password"
host.dnsalias.org %any: PSK "Your#Strong#Password"
host.dnsalias.org %any: PSK "Your#Strong#Password"
1.2.3.4 192.168.98.1: PSK "Your#Strong#Password"
1.2.3.4 192.168.98.1: PSK "Your#Strong#Password"
%any 192.168.98.1: PSK "Your#Strong#Password"
%any 192.168.98.1: PSK "Your#Strong#Password"
A reboot should get everythign going.
A reboot should get everythign going.
Check /var/log/secure for debug messages, and once you are happy, change the debug settings in ipsec.conf from debug to warning.
Check /var/log/secure for debug messages, and once you are happy, change the debug settings in ipsec.conf from debug to warning.
If you need more debugging you can set plutodebug = all
If you need more debugging you can set plutodebug = all
[[Category:Contrib:HowTo]]
[[Category:Contrib:HowTo]]
[[Category:Administration:VPN]]
[[Category:Administration:VPN]]