Line 112: |
Line 112: |
| For other options see here | | For other options see here |
| http://linux.die.net/man/5/ipsec.html | | http://linux.die.net/man/5/ipsec.html |
| + | |
| + | We have a new action |
| + | |
| + | signal-event ipsec-update |
| + | |
| + | This will process the required templates and create some files. |
| + | When a ipsec and a connection is enabled it will open the relevant ports on the firewall |
| + | It has to disable send redirects, accept redirects and rp_filter. Note that these are considered security features and you disabled them at your own risk |
| + | https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F |
| + | https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F |
| + | |
| + | These settings are generic and can be overwritten on a per connection basis |
| + | |
| + | config ipsec show |
| + | |
| + | Only set with |
| + | db configuration setprop ipsec $key $property |
| + | |
| + | Setting status enabled/disabled will modify access to private/public |
| + | |
| + | status: Default disabled | enabled |
| + | access: Default private | public |
| + | UDPPort: Default 500 | Variable |
| + | auto: Default start | add (do not use ondemand or ignore) |
| + | debug: none | all raw crypt parsing emitting contril controlmore lifecycle dns dpd klips pfkey natt oppo oppoinfo whackwatch private |
| + | (all generates a large amount of logging so use with care) |
| + | |
| + | Overall settings - can be in main config db or in ipsec_connections as per connection |
| + | |
| + | ikelifetime: Default 3600s | Variable |
| + | salifetime: Default 28800s | Variable |
| + | dpdaction: Default restart | Variable |
| + | dpddelay: Default 30 | Variable |
| + | dpdtimeout: Default 10 | Variable |
| + | pfs: Default yes | Variable |
| + | connectiontype: Default secret | rassig, certificate |
| + | ike: Default aes-sha1 | variable - see ipsec.conf readme file for more options |
| + | |
| + | |
| + | Per connection only settings |
| + | |
| + | Automatically modified - do not change this |
| + | PreviousState: Denotes previous connection state |
| + | |
| + | Manual keys |
| + | |
| + | db ipsec_connections show |
| + | |
| + | db ipsec_connections setprop ConnectionName $key $property |
| + | |
| + | iptype: Default Emtpy | stattodyn or dyntostat - are we a static host to dynamic client or vice versa ? - Only required for dynamic clients with static hosts |
| + | connectiontype: Default tunnel | transport/passthrough/drop/reject |
| + | leftrsasig: Default Empty | Your Local rsasignature key |
| + | rightrsasig: Default Empty | Your Remote rsasignature key |
| + | ipsecversion: Default Empty - v1 | If this is set v2 then only v2 will be allowed |
| + | phase2: aes-sha1 | Various |
| + | mtu: Default Empty | Various |
| + | left: Default Empty | If Empty then %defaultroute is set. Can be local WAN IP |
| + | leftid: Default Empty | Variable |
| + | leftsourceip: Default Empty | This server local IP |
| + | leftsubnet: Default Empty | This server local subnet |
| + | right: Default Empty | Destination WAN IP |
| + | rightid: Default Empty | Variable |
| + | rightsubnet: Default Empty | Destination subnet |
| + | passwd| Default Empty | Variable |
| + | keyingtries| Default Empty | 0 is default - 'forever' |
| + | |
| + | # Future |
| + | # certname: Default Empty | Your certificate name |
| + | # leftcert |
| + | # rightca: Default %same |
| + | |
| + | |
| + | *** For a basic connection you need this as a bare minimum *** |
| + | |
| + | config setprop ipsec status enabled access public |
| + | |
| + | Note for ipsec_connections we use 'set' when we create new connection. Thereafter you can modify it with setprop |
| + | |
| + | Local - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24 |
| + | db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 passwd MyPassWd |
| + | |
| + | Remote - WAN IP 1.2.3.4 Local IP 10.0.0.1 Subnet 10.0.0.0/24 |
| + | db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 passwd MyPassWd |
| + | |
| + | Bare minimum config for ipsec with static hosts (ike is automatically added) |
| + | |
| + | MyConnection=ipsec |
| + | ike=aes-sha1 |
| + | leftsourceip=192.168.50.1 |
| + | leftsubnet=192.168.50.0/24 |
| + | passwd=SomeLongAndComplicatedPassword |
| + | right=1.2.3.4 |
| + | rightsubnet=192.68.60.0/24 |
| + | status=enabled |
| + | |
| + | |
| + | signal-event ipsec-update |
| + | |
| + | Check /var/log/pluto/pluto.log |
| + | ipsec whack --status |
| + | ipsec verify (may be some warnings - severity depends on what they are) |
| + | |
| + | |
| + | *** For a rsasig connection *** |
| + | |
| + | Please see the section on generating rsa Signatures. |
| + | |
| + | The FIRST time you must run this command to setup the dbs. Thereafter if you delete them NSS will regenerate new dbs and you do not need to do this. |
| + | |
| + | ipsec initnss |
| + | |
| + | ipsec newhostkey --random /dev/random --output /etc/ipsec.d/rsa.secrets |
| + | |
| + | When you copy the key it MUST be in one long line. |
| + | |
| + | Remember |
| + | |
| + | East |
| + | leftrsasig=PUBLIC key of East |
| + | rightrsasig=PUBLIC key of West |
| + | |
| + | West |
| + | leftrsasig=PUBLIC key of West |
| + | rightrsasig=PUBLIC key of East |
| + | |
| + | |
| + | You MUST use IDs, ESPECIALLY if you have a dynamic IP at one end. |
| + | |
| + | Local - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24 |
| + | db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 security rsasig leftid East rightid West leftrsasig SomeLongPassFromEast rightrsasig SomeLongPasswordFromWest |
| + | |
| + | Remote - WAN IP 1.2.3.4 Local IP 10.0.0.1 Subnet 10.0.0.0/24 |
| + | db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 security rsasig leftid West rightid West leftrsasig SomeLongPassFromWest rightrsasig SomeLongEastPasswordFromEast |
| + | |
| + | |
| + | *** For a rsasig connection with dynamic IP *** |
| + | |
| + | This will set your local 'left' rsasig |
| + | |
| + | db ipsec_connections setprop East leftrsasig `cat rsa.secrets |grep pubkey |sed 's/.*key=//'` |
| + | |
| + | Then Extract the public key for the far end. When you copy the key it MUST be in one long line. |
| + | |
| + | cat /etc/ipsec.d/rsa.secrets |grep pubkey |sed 's/.*key=//' |
| + | |
| + | East needs to create a set of keys and send the public key to West. West needs to create a set of keys key and send the public key to East |
| + | |
| + | Note that with dynamic IPs we have to allow connections from anywhere which is not as safe as fixed IPs. |
| + | We therefore recommend setting security rsasig, ike v2, and use leftid/rightid to enhance security |
| + | |
| + | We set the static server to: |
| + | auto 'add' so it only listens for incoming connections |
| + | dpdaction 'clear' so the route is cleared if the connection is dropped |
| + | iptype stattodyn - sets right = %any (allow all hosts to |
| + | |
| + | We set the dynamic server to: |
| + | auto 'start' so it immediately attempts to connect |
| + | iptype dyntostat |
| + | |
| + | Local - MyEast - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24 |
| + | db ipsec_connections set MyEast ipsec status enabled iptype stattodyn auto add dpdaction clear leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 rightsubnet 10.0.0.0/24 security rsasig leftid East rightid West leftrsasig SomeLongPassFromEast rightrsasig SomeLongPasswordFromWest |
| + | |
| + | Remote MyWest - WAN IP %variable Local IP 10.0.0.1 Subnet 10.0.0.0/24 |
| + | db ipsec_connections set MyWest ipsec status enabled iptype dyntostat auto start leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 security rsasig leftid West rightid East leftrsasig SomeLongPassFromWest rightrsasig SomeLongEastPasswordFromEast |
| + | |
| + | == smeserver-libreswan notes == |
| + | |
| + | smeserver-libreswan-0.5 |
| + | |
| + | Config settings |
| + | |
| + | For other options see here |
| + | https://libreswan.org/man/ipsec.conf.5.html |
| | | |
| We have a new action | | We have a new action |