859
edits
Changes
From SME Server
Jump to navigationJump to searchno edit summary
Whilst the contribs do their best to make sure there is a simple secure setup, I make no guarantees !
Whilst the contribs do their best to make sure there is a simple secure setup, I make no guarantees !
Where possible use RSA keys instead of passwords.
Where possible use RSA keys or certificates instead of passwords.
An alternative solution is https://wiki.contribs.org/OpenVPN_SiteToSite or https://wiki.contribs.org/OpenVPN_Bridge
An alternative solution is https://wiki.contribs.org/OpenVPN_SiteToSite or https://wiki.contribs.org/OpenVPN_Bridge
https://github.com/reetp/smeserver-openswan
https://github.com/reetp/smeserver-openswan
Please note that this version is no longer under development as SME v8 is EOL at the end of March 2017
It is possible to use Openswan on SME v9 but I do not have the time to maintain the contrib for both versions.
RedHat have swapped to using Libreswan as their default IPsec implementation.
= '''For Koozali SME9''' =
= '''For Koozali SME9''' =
<headertabs />
<headertabs />
==IPSEC server to server configuration==
==IPSEC server to server configuration==
Openswan/IPSEC can be used to setup a secure and permanent VPN connection between a SME Server and another (local or remote) IPSEC enabled device such as a router.
Libreswan/Openswan/IPSEC can be used to setup a secure and permanent VPN connection between a SME Server and another (local or remote) IPSEC enabled device such as a router.
Note - if you want to use with an online VPS set the server to server/gateway with a 'dummy' internal network adaptor.
Note - if you want to use with an online VPS set the server to server/gateway with a 'dummy' internal network adaptor.
===Passwords===
===Passwords===
It is recommended to create a very strong random password and keep this safe. One way of generating and store a random strong password is explained [http://wiki.contribs.org/Useful_Commands#Generating_strong_random_password '''here''']
It is recommended to create a very strong random password and keep this safe. One way of generating and store a random strong password is explained [http://wiki.contribs.org/Useful_Commands#Generating_strong_random_password '''here''']
Alternatively see RSA key section below for much stronger passwords
Alternatively see RSA key and Certificate sections below for much stronger passwords
===Settings===
===Settings===
The contrib has a lot of configurable settings but with the defaults and few details it should just work
The contrib has a lot of configurable settings but with the defaults and a few details it should just work.
General settings and some defaults are stored in the main config DB
config show ipsec
Note most people refer to East and West rather than Local and Remote. There is a very good reason for this if you start using RSA keys !
Connection specific settings are stored in a separate DB
db ipsec_connections show
{{Note box|For ipsec_connections we use 'set' when we create a new connection. Thereafter you can modify it with setprop}}
{{Note box|Most people refer to East and West rather than Local and Remote. There is a very good reason for this if you start using RSA keys !}}
Server East - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24
Server East - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24
signal-event ipsec-update
signal-event ipsec-update
===Logs and Debug===
===Logs and Debug===
{{Warning box| If you are trying to connect Libreswan to other *swan versions using IPsec v2 you may see this in the logs
"failed to match authenticator"
which may cause link failures.
This seems to be an issue with some *swan versions - see this thread for more
https://lists.libreswan.org/pipermail/swan/2017/001956.html}}
The following will give you connection details.
The following will give you connection details.
For ipsec itself place to look is /var/log/pluto/pluto.log
For ipsec itself place to look is /var/log/pluto/pluto.log
If you need more debugging you can set plutodebug = all
===RSA Keys===
For the better security it is recommended to use RSA keys.
There are notes on github as this can be quite lengthy
https://github.com/reetp/smeserver-libreswan/blob/master/IpsecSettings.txt
A basic ipsec_connections entry setup should look this - note it will need a matching setup at the other end):
MyEast=ipsec
leftsourceip=192.168.20.1
leftsubnet=192.168.20.0/24
right=1.2.3.4
rightsubnet=10.0.0.0/24
security=rsasig
leftid=East
rightid=West
leftrsasig=SomeLongPassFromEast
rightrsasig=SomeLongPasswordFromWest
status enabled
===Certificates===
You can now use a CA and PKCS#12 certificates.
There are notes on github as this can be quite lengthy
https://github.com/reetp/smeserver-libreswan/blob/master/ipsec-certificate-notes.txt
A basic ipsec_connections entry setup should look this:
MyEast=ipsec
leftcert=LocalServer
leftsourceip=192.168.1.1
leftsubnet=192.168.1.0/24
right=5.6.7.8
rightcert=RemoteServer
rightsubnet=192.168.100.0/24
security=certs
status=enabled
===DB Keys===
There are a lot of keys involved in ipsec.
Where possible just use the minimum that you require depending on whether you want PSK password / RSA signature / Certificate security
There are notes on github as this can be quite lengthy
https://github.com/reetp/smeserver-libreswan/blob/master/IpsecSettings.txt
Here are the currently available settings and options:
====IPsec settings====
These settings are generic and can be overwritten on a per connection basis
config ipsec show
Only set with:
db configuration setprop ipsec $key $property
Setting status enabled/disabled will modify access to private/public
status: Default disabled | enabled
access: Default private | public
UDPPorts: Default 500,4500 | Variable
auto: Default start | add (do not use ondemand or ignore)
debug: none | all raw crypt parsing emitting control controlmore lifecycle dns dpd klips pfkey natt oppo oppoinfo whackwatch private
(all generates a LARGE amount of logging so use with care)
====General Settings====
Overall default settings - these can be in main config db or set per connection in db ipsec_connections
security: secret | rsasig | certs
ikelifetime: Default 3600s | Variable
salifetime: Default 28800s | Variable
dpdaction: Default restart | Variable
dpddelay: Default 30 | Variable
dpdtimeout: Default 10 | Variable
pfs: Default yes | Variable
connectiontype: Default secret | rassig, certificate
ike: Default aes-sha1 | variable - see ipsec.conf readme file for more options
ipsecversion: Default permit | Whether to allow ikev2 - also : insist/propose/yes/never/no
====Per connection settings====
{{Warning box|Automatically modified - do not change this
PreviousState: Denotes previous connection state
}}
Manual keys
db ipsec_connections show
db ipsec_connections setprop ConnectionName $key $property
iptype: Default Empty | stattodyn or dyntostat - are we a static host to dynamic client or vice versa ? - Only required for dynamic clients with static hosts
connectiontype: Default tunnel | transport/passthrough/drop/reject
leftrsasig: Default Empty | Your Local rsasignature key
rightrsasig: Default Empty | Your Remote rsasignature key
ipsecversion: Default permit | Whether to allow ikev2 - also : insist/propose/yes/never/no
ike: Default aes-sha1 | Varable
phase2: Default aes-sha1 | Variable
mtu: Default Empty | Variable
left: Default Empty | If Empty then %defaultroute is set. Can be local WAN IP
leftid: Default Empty | Variable
leftsourceip: Default Empty | This server local IP
leftsubnet: Default Empty | This server local subnet
right: Default Empty | Destination WAN IP
rightid: Default Empty | Variable
rightsubnet: Default Empty | Destination subnet
passwd: Default Empty | Variable
keyingtries: Default Empty | 0 is default - 'forever'
leftcert Default Empty | LeftCertName
rightcert Default Empty | RightCertName
For certificates - do not set or leave the following empty:
leftrsasig: Default Empty - system generates %cert
rightrsasig: Default Empty - system generates %cert
leftid: Default Empty - system generates %fromcert
rightid: Default Empty - system generates %fromcert
