Line 8: |
Line 8: |
| Summary: The purpose of this howto is to guide you through the procedure to connect servers using OpenSwan VPN to connect via IPSEC. | | Summary: The purpose of this howto is to guide you through the procedure to connect servers using OpenSwan VPN to connect via IPSEC. |
| | | |
− | I actually use it so my Draytek routers can connect to my online Koozali SME VPS machine | + | I actually use it so my Draytek routers can connect to my online Koozali SME VPS machine. This works on Koozali SME v8 and v9 with the unit in server-gateway mode. |
− | | |
− | This works on Koozali SME v8 and v9 with the unit in server-gateway mode. | |
| | | |
| On the online VPS it has a 'dummy' internal network adaptor but works fine with this. | | On the online VPS it has a 'dummy' internal network adaptor but works fine with this. |
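Review bot: while this paragraph is being merged, the unchanged Summary line above it still reads "to connect servers using OpenSwan VPN to connect via IPSEC", with "to connect" twice; suggest "to connect servers via IPsec using the OpenSwan VPN". The merged sentence is otherwise an improvement, though the following context line would read more clearly as "The online VPS only has a 'dummy' internal network adaptor, but this setup works fine with it."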
Line 18: |
Line 16: |
| yum install openswan | | yum install openswan |
| | | |
− | ===SME Server 8.1 | + | ===SME Server 8.1=== |
| On v8 you need to find the following package, or newer : | | On v8 you need to find the following package, or newer : |
| | | |
| openswan-2.6.38-1.x86_64.rpm | | openswan-2.6.38-1.x86_64.rpm |
| | | |
− | You can grab a copy here : | + | You can grab a copy here : http://www.reetspetit.com/smeserver/5/repoview/index.html |
− | | |
− | http://www.reetspetit.com/smeserver/5/repoview/index.html | |
| | | |
| I can't remember if I built that myself or got it somewhere as it seems quite elusive. If I can find the source I will build a src rpm. | | I can't remember if I built that myself or got it somewhere as it seems quite elusive. If I can find the source I will build a src rpm. |
| | | |
− | Then | + | Then": |
− | | + | yum localinstall openswan-2.6.38-1.x86_64.rpm |
− | yum localinstall openswan-2.6.38-1.x86_64.rpm | |
| | | |
| You will need a link in etc/rc.d/rc7.d so the service starts : | | You will need a link in etc/rc.d/rc7.d so the service starts : |
− | | + | S99ipsec -> /etc/rc.d/init.d/e-smith-service |
− | S99ipsec -> /etc/rc.d/init.d/e-smith-service | |
− | | |
| | | |
| Alternatively to do it the Koozali SME way : | | Alternatively to do it the Koozali SME way : |
− |
| |
| Create db entry: | | Create db entry: |
| | | |
− | db configuration set ipsec service status enabled | + | db configuration set ipsec service status enabled |
− | | + | db configuration show ipsec |
− | db configuration show ipsec | |
| ipsec=service | | ipsec=service |
| status=enabled | | status=enabled |
| | | |
− | ln -s /etc/rc.d/init.d/e-smith-service /etc/rc.d/rc7.d/S99ipsec | + | ln -s /etc/rc.d/init.d/e-smith-service /etc/rc.d/rc7.d/S99ipsec |
| | | |
| You can now enable and disble the service accordingly. | | You can now enable and disble the service accordingly. |
− |
| |
| | | |
| ===Firewall=== | | ===Firewall=== |
− |
| |
| We need a new template fragment to allow ipsec through the firewall | | We need a new template fragment to allow ipsec through the firewall |
| | | |
− | touch /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/15AllowIPsec | + | touch /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/15AllowIPsec |
| | | |
| Add the following code : | | Add the following code : |
| | | |
− | # IPsec ports | + | # IPsec ports |
− | | + | /sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT |
− | /sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT | + | /sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1 |
− | /sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1 | + | /sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT |
− | /sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT | + | /sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT |
− | /sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT | + | /sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT |
− | /sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT | + | /sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT |
− | /sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT | + | /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT |
− | /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT | |
− | | |
− | expand-template /etc/rc.d/init.d/masq
| |
| | | |
− | service masq restart | + | expand-template /etc/rc.d/init.d/masq |
| + | service masq restart |
| | | |
| We also need to disable redirects. | | We also need to disable redirects. |
− |
| |
| I have the following code in a file called Disable_Redirects.sh and a link to it in /etc/rc.d/rc.local | | I have the following code in a file called Disable_Redirects.sh and a link to it in /etc/rc.d/rc.local |
| | | |
− | #!/bin/bash | + | #!/bin/bash |
− | # For OpenSwan | + | # For OpenSwan |
− | # Disable send redirects | + | # Disable send redirects |
− | echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects | + | echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects |
− | echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects | + | echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects |
− | echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects | + | echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects |
− | echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects | + | echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects |
− | echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects | + | echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects |
− | # echo 0 > /proc/sys/net/ipv4/conf/ppp0/send_redirects | + | # echo 0 > /proc/sys/net/ipv4/conf/ppp0/send_redirects |
− | | + | # Disable accept redirects |
− | # Disable accept redirects | + | echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects |
− | echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects | + | echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects |
− | echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects | + | echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects |
− | echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects | + | echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects |
− | echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects | + | echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects |
− | echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects | + | # echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects |
− | # echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects | |
− | | |
| | | |
| ===OpenSwan Configuration=== | | ===OpenSwan Configuration=== |
− |
| |
| Here is a sample of my /etc/ipsec.conf with some added notes. | | Here is a sample of my /etc/ipsec.conf with some added notes. |
− |
| |
| LEFT side is your server. RIGHT side is your router. | | LEFT side is your server. RIGHT side is your router. |
| | | |
− | # /etc/ipsec.conf | + | # /etc/ipsec.conf |
− | # basic configuration | + | # basic configuration |
− | | + | #auto = 'start' for both ways or 'add' for incoming only |
− | #auto = 'start' for both ways or 'add' for incoming only | |
| | | |
| version 2.0 | | version 2.0 |
− |
| |
| config setup | | config setup |
− | # Debug-logging controls: "none" for (almost) none, "all" for lots.
| |
− | #klipsdebug=none
| |
− | plutodebug=none
| |
− | interfaces=%defaultroute
| |
− | oe=no
| |
− | protostack=netkey
| |
− | syslog=syslog.debug
| |
− | # syslog=syslog.warning
| |
− | virtual_private=%v4:192.168.0.0/24, # Here you add the local/internal network of your server
| |
− | nat_traversal=yes # if required - probably yes
| |
− |
| |
− | # Connection settings
| |
− |
| |
− | # Router to Server
| |
− | conn draytek-wan1 # Your connection name
| |
− | type=tunnel
| |
− | authby=secret
| |
− | auto=start # n.b. "auto = start" for ipsec to try and make a connection or "auto = add" to accept incoming
| |
− | ikelifetime=28800s
| |
− | keylife=3600s
| |
− | left=%defaultroute
| |
− | leftsourceip=192.168.98.1 # This is the IP address of your internal ethernet connection on your server
| |
− | leftsubnet=192.168.98.0/24 # This is your local network on your server
| |
− | pfs=yes # If require
| |
− | dpdaction=restart
| |
− | dpddelay=30
| |
− | dpdtimeout=10
| |
− | right=1.2.3.4 # This is the WAN IP address of your router that is connecting in
| |
− | rightsubnet=192.168.0.0/24 # This is the local network behind the router at the far end
| |
− |
| |
− | # More incoming connections here.....
| |
| | | |
| + | # Debug-logging controls: "none" for (almost) none, "all" for lots. |
| + | #klipsdebug=none |
| + | plutodebug=none |
| + | interfaces=%defaultroute |
| + | oe=no |
| + | protostack=netkey |
| + | syslog=syslog.debug |
| + | # syslog=syslog.warning |
| + | virtual_private=%v4:192.168.0.0/24, # Here you add the local/internal network of your server |
| + | nat_traversal=yes # if required - probably yes |
| + | # Connection settings |
| + | # Router to Server |
| + | conn draytek-wan1 # Your connection name |
| + | type=tunnel |
| + | authby=secret |
| + | auto=start # n.b. "auto = start" for ipsec to try and make a connection or "auto = add" to accept incoming |
| + | ikelifetime=28800s |
| + | keylife=3600s |
| + | left=%defaultroute |
| + | leftsourceip=192.168.98.1 # This is the IP address of your internal ethernet connection on your server |
| + | leftsubnet=192.168.98.0/24 # This is your local network on your server |
| + | pfs=yes # If require |
| + | dpdaction=restart |
| + | dpddelay=30 |
| + | dpdtimeout=10 |
| + | right=1.2.3.4 # This is the WAN IP address of your router that is connecting in |
| + | rightsubnet=192.168.0.0/24 # This is the local network behind the router at the far end |
| + | # More incoming connections here |
| | | |
| ===Passwords=== | | ===Passwords=== |
− |
| |
| The following file needs to be looked after and should be set chmod 0600 | | The following file needs to be looked after and should be set chmod 0600 |
| | | |
− | # /etc/ipsec.secrets | + | # /etc/ipsec.secrets |
− | # Format is | + | # Format is |
− | # Incoming_IP Local_IP: PSK "Your#Strong#Password" | + | # Incoming_IP Local_IP: PSK "Your#Strong#Password" |
− | | + | 1.2.3.4 %any: PSK "Your#Strong#Password" |
− | 1.2.3.4 %any: PSK "Your#Strong#Password" | + | host.dnsalias.org %any: PSK "Your#Strong#Password" |
− | host.dnsalias.org %any: PSK "Your#Strong#Password" | + | 1.2.3.4 192.168.98.1: PSK "Your#Strong#Password" |
− | 1.2.3.4 192.168.98.1: PSK "Your#Strong#Password" | + | %any 192.168.98.1: PSK "Your#Strong#Password" |
− | %any 192.168.98.1: PSK "Your#Strong#Password" | |
| | | |
| A reboot should get everythign going. | | A reboot should get everythign going. |
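Review bot: the firewall fragment in this hunk only opens UDP 500 while the ipsec.conf further down sets `nat_traversal=yes`; when NAT is detected, IKE and the ESP-in-UDP encapsulation move to UDP 4500, and the `--sport 500` match on `/sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT` also rejects a router behind NAT whose source port has been rewritten. Suggest dropping `--sport 500` and adding `/sbin/iptables -A INPUT -i $OUTERIF -p udp --dport 4500 -j ACCEPT` next to it. The two `-m mark --mark 2` rules accept a mark that nothing in this fragment sets; either say which fragment sets it or remove them. In the ipsec.conf block, the comment on `virtual_private=%v4:192.168.0.0/24,` calls this "the local/internal network of your server", but `leftsubnet=192.168.98.0/24` says the server's network is 192.168.98.0/24; in Openswan `virtual_private` lists the private ranges a NAT'd peer may present as its subnet, so 192.168.0.0/24 (the router's LAN) is the right content, the comment is wrong, the trailing comma should go, and the local subnet is normally excluded with `%v4:!192.168.98.0/24`. `dpdtimeout=10` is shorter than `dpddelay=30`, which inverts the usual relationship (Openswan defaults are dpddelay=30, dpdtimeout=120); set the timeout to a multiple of the delay so one slow keepalive does not restart the tunnel. In ipsec.secrets, the four entries share one PSK and overlap (`%any 192.168.98.1` matches every peer); keep only the entry that matches `right=1.2.3.4` (plus the DNS-name form if the router's address changes) and use a distinct PSK per router, so a key recovered from one device does not authenticate all of them. Typos introduced or left in this hunk: `Then":` has a stray `"`, `pfs=yes # If require` should read "If required", "disble" should be "disable", "everythign" should be "everything", and "etc/rc.d/rc7.d" in the prose is missing its leading slash.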
Line 164: |
Line 139: |
| | | |
| Check /var/log/secure for debug messages, and once you are happy, change the debug settings in ipsec.conf from debug to warning. | | Check /var/log/secure for debug messages, and once you are happy, change the debug settings in ipsec.conf from debug to warning. |
| + | |
| If you need more debugging you can set plutodebug = all | | If you need more debugging you can set plutodebug = all |
− |
| |
− |
| |
| | | |
| [[Category:Contrib:HowTo]] | | [[Category:Contrib:HowTo]] |
| [[Category:Administration:VPN]] | | [[Category:Administration:VPN]] |
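Review bot: the only change in this hunk is an added blank line, but the instruction "change the debug settings in ipsec.conf from debug to warning" names no key; it refers to the `syslog=syslog.debug` / `# syslog=syslog.warning` pair in the config above, so spell it out ("change syslog=syslog.debug to syslog=syslog.warning") so readers do not look for a key literally called "debug". For consistency with the config block, write the last line as `plutodebug=all` rather than "plutodebug = all".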