Line 10: |
Line 10: |
| An alternative solution is https://wiki.contribs.org/OpenVPN_SiteToSite or https://wiki.contribs.org/OpenVPN_Bridge | | An alternative solution is https://wiki.contribs.org/OpenVPN_SiteToSite or https://wiki.contribs.org/OpenVPN_Bridge |
| | | |
− | Where possible avoid the use of PPTP as it was cracked a long time ago and is very easy to read }} | + | Where possible avoid the use of PPTP as it was cracked a long time ago and is very easy to read |
| + | |
| + | With IKE v2 it is possible to allow dial in clients. |
| + | |
| + | For older dial clients you can also look at https://wiki.contribs.org/Smeserver-libreswan-xl2tpd |
| + | }} |
| | | |
| === Version === | | === Version === |
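Review bot: the new line "With IKE v2 it is possible to allow dial in clients." gives the reader nowhere to go, while the very next line does link the xl2tpd page for older clients; add a pointer to where IKEv2 is enabled for this contrib (the ipsecversion setting documented further down the page) so the sentence is actionable. In the PPTP sentence, "cracked a long time ago and is very easy to read" is vague for a security warning; say what is broken so the reader can judge the risk rather than "easy to read". Minor: "dial in clients" → "dial-in clients".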
Line 22: |
Line 27: |
| <div>Please use the version of openswan in the ReetP repo as below</div> | | <div>Please use the version of openswan in the ReetP repo as below</div> |
| </div> | | </div> |
− | {{ #smeversion: smeserver-openswan}}
| |
| | | |
− | ====SME9==== | + | |
| + | ====Koozali SME v9==== |
| {{ #smeversion: libreswan}} | | {{ #smeversion: libreswan}} |
| {{ #smeversion: smeserver-libreswan}} | | {{ #smeversion: smeserver-libreswan}} |
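Review bot: removing `{{ #smeversion: smeserver-openswan}}` leaves the unchanged sentence above it, "Please use the version of openswan in the ReetP repo as below", pointing at the libreswan and smeserver-libreswan version lines under the new "Koozali SME v9" heading, which is a different package. Reword or drop that sentence so it does not tell readers to install openswan from what is now a libreswan listing.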
Line 48: |
Line 53: |
| | | |
| ==Installation== | | ==Installation== |
− | = '''For Koozali SME8''' = | + | = For Koozali SME10 = |
| + | For Koozali SME Server 10, the latest stable Libreswan can be found in the default repo's |
| + | |
| + | Note that the contrib is currently in test so to install: |
| + | yum install smeserver-extrarepositories-libreswan -y |
| + | db yum_repositories setprop libreswan status enabled Priority 10 |
| + | signal-event yum-modify |
| + | yum --enablerepo=smecontribs,smetest install smeserver-libreswan |
| + | |
| + | Configuration options and notes are here (check the latest branch): |
| + | =For Koozali SME8= |
| For Koozali SME Server 8 you will need the [https://wiki.contribs.org/User:ReetP ReetP] repo to install openswan | | For Koozali SME Server 8 you will need the [https://wiki.contribs.org/User:ReetP ReetP] repo to install openswan |
| {{:Reetspetit|transcludesection=SME9}} | | {{:Reetspetit|transcludesection=SME9}} |
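Review bot: in the new "For Koozali SME10" block, "Configuration options and notes are here (check the latest branch):" has no link and is followed directly by the "=For Koozali SME8=" heading, so "here" points nowhere (the SME9 block lower down is followed by the GitHub URL, presumably the intended target). The opening sentence also contradicts the steps: it says the latest stable Libreswan "can be found in the default repo's", yet the commands install smeserver-extrarepositories-libreswan and switch that extra repo on with `db yum_repositories setprop libreswan status enabled Priority 10`; say which source is meant. Note that `status enabled` leaves the libreswan repo active for every future yum run, not just this install, and the final `yum --enablerepo=smecontribs,smetest install smeserver-libreswan` silently relies on it being on; either state that, or keep the repo `status disabled` and add `libreswan` to `--enablerepo`, as the upstream-repo block under SME9 does. Minor: "repo's" → "repos"; "Note that the contrib is currently in test so to install:" is now duplicated word for word from the SME9 block.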
Line 66: |
Line 81: |
| RedHat have swapped to using Libreswan as their default IPsec implementation. | | RedHat have swapped to using Libreswan as their default IPsec implementation. |
| | | |
− | = '''For Koozali SME9''' = | + | = For Koozali SME9 = |
− | For Koozali SME Server 9, Libreswan can be found in the default repo's. | + | For Koozali SME Server 9, the latest stable Libreswan can be found in the default repo's |
| | | |
| Note that the contrib is currently in test so to install: | | Note that the contrib is currently in test so to install: |
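Review bot: "the latest stable Libreswan can be found in the default repo's" (stray apostrophe, and present tense but no version given) sits uneasily with the Note box further down, which adds download.libreswan.org precisely to get "the latest version of libreswan itself". Say here that the default repos carry the distribution build and that the upstream repo below is the optional route to a newer release, so the two statements do not read as a contradiction.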
Line 76: |
Line 91: |
| https://github.com/reetp/smeserver-libreswan | | https://github.com/reetp/smeserver-libreswan |
| | | |
− | {{Note box|I usually have the the latest version of libreswan in my own repo https://wiki.contribs.org/User:ReetP | + | {{Note box|You can get the latest version of libreswan itself here }} |
| | | |
− | Use at your own risk !}}
| + | /sbin/e-smith/db yum_repositories set libreswan repository \ |
| + | BaseURL https://download.libreswan.org/binaries/rhel/6/x86_64/ \ |
| + | EnableGroups no \ |
| + | GPGCheck yes \ |
| + | GPGKey https://download.libreswan.org/binaries/RPM-GPG-KEY-libreswan \ |
| + | Name LibreSwan \ |
| + | Visible yes \ |
| + | status disabled \ |
| + | |
| + | signal-event yum-modify |
| + | |
| + | yum --enablerepo=libreswan install libreswan |
| | | |
| <headertabs /> | | <headertabs /> |
| | | |
| | | |
− | ==IPSEC server to server configuration==
| + | =IPSEC server to server configuration= |
| | | |
| Libreswan/Openswan/IPSEC can be used to setup a secure and permanent VPN connection between a SME Server and another (local or remote) IPSEC enabled device such as a router. | | Libreswan/Openswan/IPSEC can be used to setup a secure and permanent VPN connection between a SME Server and another (local or remote) IPSEC enabled device such as a router. |
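Review bot: the Note box now reads "You can get the latest version of libreswan itself here }}" with nothing linked and the box closed before the commands, so "here" dangles; either put the command block inside the box or change the wording to "as follows". In the `/sbin/e-smith/db yum_repositories set libreswan repository` command the `status disabled \` line ends with a continuation backslash followed by a blank line; drop that last backslash so a pasted command does not run on into the empty line. The BaseURL hardcodes `rhel/6/x86_64`, which matches SME9 (EL6) only; since an SME10 section was added above, say so, otherwise SME10 readers will pull EL6 packages. Good that `GPGCheck yes` with the `RPM-GPG-KEY-libreswan` URL is set and the repo is left `status disabled`, used only through `yum --enablerepo=libreswan install libreswan`; keep it that way, since a permanently enabled upstream repo would replace the distribution package on every `yum update`.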
Line 96: |
Line 122: |
| | | |
| | | |
− | ===Settings=== | + | ===Setup PSK Passwords=== |
| | | |
| The contrib has a lot of configurable settings but with the defaults and a few details it should just work. | | The contrib has a lot of configurable settings but with the defaults and a few details it should just work. |
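Review bot: the heading "Settings" became "Setup PSK Passwords", but the unchanged first sentence below it still introduces "a lot of configurable settings" in general, not pre-shared keys; either keep a short general settings introduction above the new heading or reword the sentence to the PSK topic so heading and text agree.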
Line 121: |
Line 147: |
| | | |
| | | |
− | ===Logs and Debug===
| |
− |
| |
− | {{Warning box| If you are trying to connect Libreswan to other *swan versions using IPsec v2 you may see this in the logs
| |
− | "failed to match authenticator"
| |
− | which may cause link failures.
| |
− | This seems to be an issue with some *swan versions - see this thread for more
| |
− | https://lists.libreswan.org/pipermail/swan/2017/001956.html}}
| |
− |
| |
− | The following will give you connection details.
| |
− | ipsec whack --status
| |
− |
| |
− | You should get this if the connection made : 'IPsec SA established'
| |
− |
| |
− | The following check your configuration (may be some warnings - severity depends on what they are):
| |
− |
| |
− | ipsec verify
| |
− |
| |
− | If you modify a connection use
| |
− |
| |
− | signal-event ipsec-update
| |
− |
| |
− | For a restart of ipsec use
| |
− |
| |
− | service ipsec restart
| |
− |
| |
− | You may find masq needs a restart sometimes
| |
− |
| |
− | /etc/init.d/masq restart
| |
| | | |
− | Check /var/log/iptables/current to see if packets are getting blocked.
| + | ===Setup RSA Keys=== |
− | | |
− | For ipsec itself place to look is /var/log/pluto/pluto.log
| |
− | | |
− | If you need more debugging you can set plutodebug = all
| |
− | | |
− | | |
− | ===RSA Keys=== | |
| | | |
| For the better security it is recommended to use RSA keys. | | For the better security it is recommended to use RSA keys. |
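Review bot: the removed "Logs and Debug" block (Warning box through plutodebug) is re-added unchanged at the end of the page, so this hunk is a move rather than a deletion and nothing is lost. While the section heading is being renamed to "Setup RSA Keys", the unchanged first line "For the better security it is recommended to use RSA keys." should read "For better security ...".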
Line 180: |
Line 171: |
| | | |
| | | |
− | ===Certificates=== | + | ===Setup Certificates=== |
| | | |
| You can now use a CA and PKCS#12 certificates. | | You can now use a CA and PKCS#12 certificates. |
Line 245: |
Line 236: |
| pfs: Default yes | Variable | | pfs: Default yes | Variable |
| connectiontype: Default secret | rassig, certificate | | connectiontype: Default secret | rassig, certificate |
− | ike: Default aes-sha1 | variable - see ipsec.conf readme file for more options | + | ike: Default aes-sha1 | Variable - see ipsec.conf readme file for more options - sample: aes256-sha2;dh14 or aes256-sha2;modp2048 |
| ipsecversion: Default permit | Whether to allow ikev2 - also : insist/propose/yes/never/no | | ipsecversion: Default permit | Whether to allow ikev2 - also : insist/propose/yes/never/no |
− |
| |
| | | |
| ====Per connection settings==== | | ====Per connection settings==== |
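Review bot: the new sample "aes256-sha2;dh14 or aes256-sha2;modp2048" presents two choices, but dh14 and modp2048 are two spellings of the same 2048-bit MODP group (IKE group 14) in libreswan's algorithm syntax; give one sample, e.g. "aes256-sha2;modp2048 (also written dh14)", so readers do not believe they are choosing between two groups. It would also help to say that "sha2" is libreswan shorthand for sha2_256. Unchanged line above: "rassig" on the connectiontype line is presumably a typo for "rsasig".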
Line 266: |
Line 256: |
| rightrsasig: Default Empty | Your Remote rsasignature key | | rightrsasig: Default Empty | Your Remote rsasignature key |
| ipsecversion: Default permit | Whether to allow ikev2 - also : insist/propose/yes/never/no | | ipsecversion: Default permit | Whether to allow ikev2 - also : insist/propose/yes/never/no |
− | ike: Default aes-sha1 | Varable | + | ike: Default aes-sha1 | Variable - sample: aes256-sha2;dh14 or aes256-sha2;modp2048 |
− | phase2: Default aes-sha1 | Variable | + | phase2: Default aes-sha1 | Variable - sample: aes256-sha2;dh14 or aes256-sha2;modp2048 |
| mtu: Default Empty | Variable | | mtu: Default Empty | Variable |
| left: Default Empty | If Empty then %defaultroute is set. Can be local WAN IP | | left: Default Empty | If Empty then %defaultroute is set. Can be local WAN IP |
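Review bot: both the ike and phase2 lines now carry "aes256-sha2;dh14 or aes256-sha2;modp2048", but dh14 and modp2048 are the same DH group, so "or" is misleading; give a single sample on each line. For phase2 (ESP) the DH group in the string is only meaningful when pfs is on, which the page lists as the default (pfs: Default yes); a short note to that effect would save readers wondering why the group appears twice. The "Varable" → "Variable" fix is good.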
Line 287: |
Line 277: |
| leftid: Default Empty - system generates %fromcert | | leftid: Default Empty - system generates %fromcert |
| rightid: Default Empty - system generates %fromcert | | rightid: Default Empty - system generates %fromcert |
| + | |
| + | ===Logs and Debug=== |
| + | |
| + | {{Warning box| If you are trying to connect Libreswan to other *swan versions using IPsec v2 you may see this in the logs |
| + | "failed to match authenticator" |
| + | which may cause link failures. |
| + | This seems to be an issue with some *swan versions - see this thread for more |
| + | https://lists.libreswan.org/pipermail/swan/2017/001956.html}} |
| + | |
| + | The following will give you connection details. |
| + | ipsec whack --status |
| + | |
| + | You should get this if the connection made : 'IPsec SA established' |
| + | |
| + | The following check your configuration (may be some warnings - severity depends on what they are): |
| + | |
| + | ipsec verify |
| + | |
| + | If you modify a connection use |
| + | |
| + | signal-event ipsec-update |
| + | |
| + | For a restart of ipsec use |
| + | |
| + | service ipsec restart |
| + | |
| + | You may find masq needs a restart sometimes |
| + | |
| + | /etc/init.d/masq restart |
| + | |
| + | Check /var/log/iptables/current to see if packets are getting blocked. |
| + | |
| + | For ipsec itself place to look is /var/log/pluto/pluto.log |
| + | |
| + | If you need more debugging you can set plutodebug = all |
| | | |
| | | |
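Review bot: "If you need more debugging you can set plutodebug = all" does not say where: as a db setting for this contrib, or by editing a generated ipsec.conf that `signal-event ipsec-update` will overwrite; state the location, and add that it should be switched off again after troubleshooting, since "all" is very verbose and /var/log/pluto/pluto.log will grow quickly. Grammar: "The following check your configuration" → "The following checks your configuration"; "For ipsec itself place to look is" → "For ipsec itself the place to look is". Minor: `service ipsec restart` and `/etc/init.d/masq restart` are the SME9 (EL6) forms; now that the page has an SME10 section, say so or add the equivalents.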
Line 300: |
Line 325: |
| {{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |component=smeserver-libreswan|noresultsmessage="No open bugs found."}} | | {{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |component=smeserver-libreswan|noresultsmessage="No open bugs found."}} |
| | | |
− | ==Other articles in this category==
| + | =Other articles in this category= |
| {{#ask: [[Category:VPN]]}} | | {{#ask: [[Category:VPN]]}} |
| | | |