Changes

From SME Server
Jump to navigationJump to search

Libreswan (view source)

Revision as of 18:53, 25 January 2017

19 bytes added ,  18:53, 25 January 2017
no edit summary
Line 83: Line 83:       −
==IPSEC server to server configuration==
+
=IPSEC server to server configuration=
    
Libreswan/Openswan/IPSEC can be used to setup a secure and permanent VPN connection between a SME Server and another (local or remote) IPSEC enabled device such as a router.
 
Libreswan/Openswan/IPSEC can be used to setup a secure and permanent VPN connection between a SME Server and another (local or remote) IPSEC enabled device such as a router.
Line 96: Line 96:       −
===Settings===
+
===Setup PSK Passwords===
    
The contrib has a lot of configurable settings but with the defaults and a few details it should just work.
 
The contrib has a lot of configurable settings but with the defaults and a few details it should just work.
Line 120: Line 120:  
  signal-event ipsec-update
 
  signal-event ipsec-update
   −
  −
===Logs and Debug===
  −
  −
{{Warning box| If you are trying to connect Libreswan to other *swan versions using IPsec v2 you may see this in the logs
  −
"failed to match authenticator"
  −
which may cause link failures.
  −
This seems to be an issue with some *swan versions - see this thread for more
  −
https://lists.libreswan.org/pipermail/swan/2017/001956.html}}
  −
  −
The following will give you connection details.
  −
ipsec whack --status
  −
  −
You should get this if the connection made : 'IPsec SA established'
  −
  −
The following check your configuration (may be some warnings - severity depends on what they are):
  −
  −
ipsec verify
  −
  −
If you modify a connection use
  −
  −
signal-event ipsec-update
  −
  −
For a restart of ipsec use
  −
  −
service ipsec restart
  −
  −
You may find masq needs a restart sometimes
  −
  −
/etc/init.d/masq restart
  −
  −
Check /var/log/iptables/current to see if packets are getting blocked.
  −
  −
For ipsec itself place to look is /var/log/pluto/pluto.log
  −
  −
If you need more debugging you can set plutodebug = all
        −
===RSA Keys===
+
===Setup RSA Keys===
    
For the better security it is recommended to use RSA keys.  
 
For the better security it is recommended to use RSA keys.  
Line 180: Line 145:       −
===Certificates===
+
===Setup Certificates===
    
You can now use a CA and PKCS#12 certificates.
 
You can now use a CA and PKCS#12 certificates.
Line 287: Line 252:  
  leftid: Default Empty - system generates %fromcert
 
  leftid: Default Empty - system generates %fromcert
 
  rightid: Default Empty - system generates %fromcert
 
  rightid: Default Empty - system generates %fromcert
 +
 +
===Logs and Debug===
 +
 +
{{Warning box| If you are trying to connect Libreswan to other *swan versions using IPsec v2 you may see this in the logs
 +
"failed to match authenticator"
 +
which may cause link failures.
 +
This seems to be an issue with some *swan versions - see this thread for more
 +
https://lists.libreswan.org/pipermail/swan/2017/001956.html}}
 +
 +
The following will give you connection details.
 +
ipsec whack --status
 +
 +
You should get this if the connection made : 'IPsec SA established'
 +
 +
The following check your configuration (may be some warnings - severity depends on what they are):
 +
 +
ipsec verify
 +
 +
If you modify a connection use
 +
 +
signal-event ipsec-update
 +
 +
For a restart of ipsec use
 +
 +
service ipsec restart
 +
 +
You may find masq needs a restart sometimes
 +
 +
/etc/init.d/masq restart
 +
 +
Check /var/log/iptables/current to see if packets are getting blocked.
 +
 +
For ipsec itself place to look is /var/log/pluto/pluto.log
 +
 +
If you need more debugging you can set plutodebug = all
      Line 300: Line 300:  
{{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |component=smeserver-libreswan|noresultsmessage="No open bugs found."}}
 
{{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |component=smeserver-libreswan|noresultsmessage="No open bugs found."}}
   −
==Other articles in this category==
+
=Other articles in this category=
 
{{#ask: [[Category:VPN]]}}
 
{{#ask: [[Category:VPN]]}}
  
Retrieved from "https://wiki.koozali.org/Special:MobileDiff/32572"

Navigation menu