3,250
edits
Changes
Jump to navigation
Jump to search
Line 10:
Line 10: − + + + + + + Line 22:
Line 27: − {{ #smeversion: smeserver-openswan}}+ Line 48:
Line 53: − + + + + + + + + + + + Line 66:
Line 81: − + − + Line 76:
Line 91: − + − Use at your own risk !}}+ + + + + + + + + + + + − ==IPSEC server to server configuration==+ Line 96:
Line 122: − + Line 121:
Line 147: − ===Logs and Debug=== − − {{Warning box| If you are trying to connect Libreswan to other *swan versions using IPsec v2 you may see this in the logs − "failed to match authenticator" − which may cause link failures. − This seems to be an issue with some *swan versions - see this thread for more − https://lists.libreswan.org/pipermail/swan/2017/001956.html}} − − The following will give you connection details. − ipsec whack --status − − You should get this if the connection made : 'IPsec SA established' − − The following check your configuration (may be some warnings - severity depends on what they are): − − ipsec verify − − If you modify a connection use − − signal-event ipsec-update − − For a restart of ipsec use − − service ipsec restart − − You may find masq needs a restart sometimes − − /etc/init.d/masq restart − Check /var/log/iptables/current to see if packets are getting blocked.+ − − For ipsec itself place to look is /var/log/pluto/pluto.log − − If you need more debugging you can set plutodebug = all − − − Line 180:
Line 171: − + Line 245:
Line 236: − + − Line 266:
Line 256: − + − + Line 287:
Line 277: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Line 300:
Line 325: − ==Other articles in this category==+
no edit summary
An alternative solution is https://wiki.contribs.org/OpenVPN_SiteToSite or https://wiki.contribs.org/OpenVPN_Bridge
An alternative solution is https://wiki.contribs.org/OpenVPN_SiteToSite or https://wiki.contribs.org/OpenVPN_Bridge
Where possible avoid the use of PPTP as it was cracked a long time ago and is very easy to read }}
Where possible avoid the use of PPTP as it was cracked a long time ago and is very easy to read
With IKE v2 it is possible to allow dial in clients.
For older dial clients you can also look at https://wiki.contribs.org/Smeserver-libreswan-xl2tpd
}}
=== Version ===
=== Version ===
<div>Please use the version of openswan in the ReetP repo as below</div>
<div>Please use the version of openswan in the ReetP repo as below</div>
</div>
</div>
====Koozali SME v9====
====Koozali SME v9====
==Installation==
==Installation==
= '''For Koozali SME8''' =
= For Koozali SME10 =
For Koozali SME Server 10, the latest stable Libreswan can be found in the default repo's
Note that the contrib is currently in test so to install:
yum install smeserver-extrarepositories-libreswan -y
db yum_repositories setprop libreswan status enabled Priority 10
signal-event yum-modify
yum --enablerepo=smecontribs,smetest install smeserver-libreswan
Configuration options and notes are here (check the latest branch):
=For Koozali SME8=
For Koozali SME Server 8 you will need the [https://wiki.contribs.org/User:ReetP ReetP] repo to install openswan
For Koozali SME Server 8 you will need the [https://wiki.contribs.org/User:ReetP ReetP] repo to install openswan
{{:Reetspetit|transcludesection=SME9}}
{{:Reetspetit|transcludesection=SME9}}
RedHat have swapped to using Libreswan as their default IPsec implementation.
RedHat have swapped to using Libreswan as their default IPsec implementation.
= '''For Koozali SME9''' =
= For Koozali SME9 =
For Koozali SME Server 9, Libreswan can be found in the default repo's.
For Koozali SME Server 9, the latest stable Libreswan can be found in the default repo's
Note that the contrib is currently in test so to install:
Note that the contrib is currently in test so to install:
https://github.com/reetp/smeserver-libreswan
https://github.com/reetp/smeserver-libreswan
{{Note box|I usually have the the latest version of libreswan in my own repo https://wiki.contribs.org/User:ReetP
{{Note box|You can get the latest version of libreswan itself here }}
/sbin/e-smith/db yum_repositories set libreswan repository \
BaseURL https://download.libreswan.org/binaries/rhel/6/x86_64/ \
EnableGroups no \
GPGCheck yes \
GPGKey https://download.libreswan.org/binaries/RPM-GPG-KEY-libreswan \
Name LibreSwan \
Visible yes \
status disabled \
signal-event yum-modify
yum --enablerepo=libreswan install libreswan
<headertabs />
<headertabs />
=IPSEC server to server configuration=
Libreswan/Openswan/IPSEC can be used to setup a secure and permanent VPN connection between a SME Server and another (local or remote) IPSEC enabled device such as a router.
Libreswan/Openswan/IPSEC can be used to setup a secure and permanent VPN connection between a SME Server and another (local or remote) IPSEC enabled device such as a router.
===Settings===
===Setup PSK Passwords===
The contrib has a lot of configurable settings but with the defaults and a few details it should just work.
The contrib has a lot of configurable settings but with the defaults and a few details it should just work.
===Setup RSA Keys===
===RSA Keys===
For the better security it is recommended to use RSA keys.
For the better security it is recommended to use RSA keys.
===Certificates===
===Setup Certificates===
You can now use a CA and PKCS#12 certificates.
You can now use a CA and PKCS#12 certificates.
pfs: Default yes | Variable
pfs: Default yes | Variable
connectiontype: Default secret | rassig, certificate
connectiontype: Default secret | rassig, certificate
ike: Default aes-sha1 | variable - see ipsec.conf readme file for more options
ike: Default aes-sha1 | Variable - see ipsec.conf readme file for more options - sample: aes256-sha2;dh14 or aes256-sha2;modp2048
ipsecversion: Default permit | Whether to allow ikev2 - also : insist/propose/yes/never/no
ipsecversion: Default permit | Whether to allow ikev2 - also : insist/propose/yes/never/no
====Per connection settings====
====Per connection settings====
rightrsasig: Default Empty | Your Remote rsasignature key
rightrsasig: Default Empty | Your Remote rsasignature key
ipsecversion: Default permit | Whether to allow ikev2 - also : insist/propose/yes/never/no
ipsecversion: Default permit | Whether to allow ikev2 - also : insist/propose/yes/never/no
ike: Default aes-sha1 | Varable
ike: Default aes-sha1 | Variable - sample: aes256-sha2;dh14 or aes256-sha2;modp2048
phase2: Default aes-sha1 | Variable
phase2: Default aes-sha1 | Variable - sample: aes256-sha2;dh14 or aes256-sha2;modp2048
mtu: Default Empty | Variable
mtu: Default Empty | Variable
left: Default Empty | If Empty then %defaultroute is set. Can be local WAN IP
left: Default Empty | If Empty then %defaultroute is set. Can be local WAN IP
leftid: Default Empty - system generates %fromcert
leftid: Default Empty - system generates %fromcert
rightid: Default Empty - system generates %fromcert
rightid: Default Empty - system generates %fromcert
===Logs and Debug===
{{Warning box| If you are trying to connect Libreswan to other *swan versions using IPsec v2 you may see this in the logs
"failed to match authenticator"
which may cause link failures.
This seems to be an issue with some *swan versions - see this thread for more
https://lists.libreswan.org/pipermail/swan/2017/001956.html}}
The following will give you connection details.
ipsec whack --status
You should get this if the connection made : 'IPsec SA established'
The following check your configuration (may be some warnings - severity depends on what they are):
ipsec verify
If you modify a connection use
signal-event ipsec-update
For a restart of ipsec use
service ipsec restart
You may find masq needs a restart sometimes
/etc/init.d/masq restart
Check /var/log/iptables/current to see if packets are getting blocked.
For ipsec itself place to look is /var/log/pluto/pluto.log
If you need more debugging you can set plutodebug = all
{{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |component=smeserver-libreswan|noresultsmessage="No open bugs found."}}
{{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |component=smeserver-libreswan|noresultsmessage="No open bugs found."}}
=Other articles in this category=
{{#ask: [[Category:VPN]]}}
{{#ask: [[Category:VPN]]}}