==================================================================
Please DO NOT REPLY to this mail or send email to the developers
about this bug. Please follow-up to Bugzilla using this link:
https://bugs.contribs.org/show_bug.cgi?id=9295
Have you checked the Frequently Asked Questions (FAQ)?
http://wiki.contribs.org/SME_Server:Documentation:FAQ
Please also take the time to read the following useful guide:
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
==================================================================
Bug ID: 9295
Summary: First import smeserver LibreSwan VPN contrib
Classification: Contribs
Product: SME Contribs
Version: 9.0
Hardware: ---
OS: ---
Status: CONFIRMED
Severity: normal
Priority: P3
Component: smeserver-libreswan
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
CC: [email protected], [email protected],
[email protected], [email protected],
[email protected]
Depends on: 8677
Blocks: 8890
+++ This bug was initially created as a clone of Bug #8677 +++
This bug is to track the development of OpenSwan on v9 / CentOS 6
I also intend to have a go at the l2tpd part later as this would enable out of
the box VPN support for Android phones (and possibly others)
Here are the notes I sent Stephane who is working on templating it - it's a
dump of all the notes I had c/w notes.
I have got a working solution I use on a couple of my servers. I am not
sure if this will work in Private server mode - I have not tested.
My servers are in gateway mode and I use Draytek routers to make the
IPSEC VPN connections to them.
There is nothing to stop you using server to server mode but I have not
bothered. It is more difficult (because of NAT) when the server is
behind a router/firewall than when it is exposed.
To test ipsec use
ipsec verify
OK, I actually grabbed the latest openswan rpm I could find rather than
install from the repos, so I am using
openswan-2.6.38-1.x86_64.rpm
We need to :
Install openswan
Create a DB (I think it is better to have a separate one)
Create
/etc/ipsec.conf - custom template
/etc/ipsec.secrets custom template
/etc/rc.d/init.d/masq - custom template fragment
=====================================================================
Add disable redirects to rc.local (I actually link to a
disable_redirects.sh script)
#!/bin/bash
# Note this is for my Virtual machine which has two interfaces so it is effectively 'hardcoded'
Could add this to Disable Redirects :
echo 1 >/proc/sys/net/core/xfrm_larval_drop
On my v8 box it seemed to be needed as it was set to 0 but the v9 box
seems to be set to 1 by default.
# Disable send redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
# echo 0 > /proc/sys/net/ipv4/conf/ppp0/send_redirects
# Disable accept redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects
# echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects
# Alternative method :
/etc/rc.local
Add the following block to the bottom of the configuration file:
# Correct ICMP Redirect issues with OpenSWAN
for each in /proc/sys/net/ipv4/conf/*; do
echo 0 > $each/accept_redirects
echo 0 > $each/send_redirects
echo 0 > $each/rp_filter
done
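As an added example (not the bug report's own script), the same redirect and rp_filter settings applied from a function, plus a check function that reports any interface still at a non-zero value, which is what you want after boot to confirm rc.local actually ran. The conf root is a parameter (default /proc/sys/net/ipv4/conf) so the logic can be exercised against a constructed directory tree without root; the function names and the fake tree are assumptions made here, not anything from the contrib.

```shell
#!/bin/sh
# Added example: apply accept_redirects/send_redirects/rp_filter = 0 on every
# interface and verify it. The conf root is a parameter so the logic can be
# run against a constructed directory tree (see make_fake_conf) as well as
# against the real /proc/sys/net/ipv4/conf.

# Write "0" to a sysctl-style file if it exists; report missing ones on stderr.
set_zero() {
    f=$1
    if [ -f "$f" ]; then
        echo 0 > "$f"
    else
        echo "missing: $f" >&2
    fi
}

# Disable ICMP redirects (send and accept) and reverse-path filtering on
# every interface directory under the conf root, like the rc.local loop above.
ipsec_disable_redirects() {
    root=${1:-/proc/sys/net/ipv4/conf}
    for each in "$root"/*; do
        [ -d "$each" ] || continue
        set_zero "$each/accept_redirects"
        set_zero "$each/send_redirects"
        set_zero "$each/rp_filter"
    done
}

# Check: print every interface/setting that is still not 0; return 1 if any.
ipsec_check_redirects() {
    root=${1:-/proc/sys/net/ipv4/conf}
    bad=0
    for each in "$root"/*; do
        [ -d "$each" ] || continue
        for key in accept_redirects send_redirects rp_filter; do
            [ -f "$each/$key" ] || continue
            v=$(cat "$each/$key")
            if [ "$v" != "0" ]; then
                echo "$(basename "$each")/$key=$v"
                bad=1
            fi
        done
    done
    return $bad
}

# Constructed stand-in for /proc/sys/net/ipv4/conf: 'all', 'default', two
# ethernet interfaces and lo, every setting at the distribution default of 1.
make_fake_conf() {
    root=$1
    for ifc in all default eth0 eth1 lo; do
        mkdir -p "$root/$ifc"
        for key in accept_redirects send_redirects rp_filter; do
            echo 1 > "$root/$ifc/$key"
        done
    done
}

# "sh disable_redirects.sh demo" exercises the fake tree; on a real box call
# ipsec_disable_redirects with no argument (as root) and ipsec_check_redirects
# afterwards.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_fake_conf "$tmp"
    ipsec_check_redirects "$tmp" || echo "before: settings above were not 0"
    ipsec_disable_redirects "$tmp"
    ipsec_check_redirects "$tmp" && echo "after: all redirect/rp_filter settings are 0"
    rm -rf "$tmp"
fi
```

The check function is the useful half: a non-zero exit from ipsec_check_redirects in a cron job or monitoring probe tells you that something (a later sysctl, a network restart) has put the settings back, which otherwise shows up only as intermittent tunnel routing problems.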
=====================================================================
/etc/e-smith/db/configuration/defaults/ipsec/status
Contains the word 'enabled'
/etc/e-smith/db/configuration/defaults/ipsec/type
Contains the word 'service'
db configuration set ipsec service status enabled
S99ipsec -> /etc/rc.d/init.d/e-smith-service
That should work....
I have written as much perl as I can in the file SME-templateNotes.txt
The part I am stuck on is using a new database ! I just can't figure the
format for it.
--------------------------------------------------------------------
Masq notes.txt
http://forums.contribs.org/index.php/topic,31528.msg133300.html
SECTION B:
This section contains information on modifying the firewall and installing
modified scripts to fix routing issues.
#mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
#cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
#mcedit 15AllowIPsec
and add the following:
/sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT
# Not sure if this should go here but it works.
iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
Make sure to leave a blank line at the top of the file and carriage return at
the end of the file.
Then do:
#/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
#/etc/init.d/masq restart
SME-templateNotes.txt
Existing DB
ipsec=service|status|enabled
New ipsec DB
db ipsec
Used to create
/etc/ipsec.conf
Note further down suggested DB keys
Notes :
Top config section
----------------------------------------------------------------------
# Note debug levels
#define KERN_EMERG "<0>" /* system is unusable */
#define KERN_ALERT "<1>" /* action must be taken immediately */
#define KERN_CRIT "<2>" /* critical conditions */
#define KERN_ERR "<3>" /* error conditions */
#define KERN_WARNING "<4>" /* warning conditions */
#define KERN_NOTICE "<5>" /* normal but significant condition */
#define KERN_INFO "<6>" /* informational */
#define KERN_DEBUG "<7>" /* debug-level messages */
#auto = 'start' for both ways or 'add' for incoming only
# basic configuration
# LEFT is local IP settings
# RIGHT is destination IP settings (remote IP and remote subnet)
# In my setup the destination (right) dials in to the server (left)
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none/all - db 'klipsdebug'
plutodebug=control parsing / none / all - db 'plutodebug'
syslog=syslog.debug / syslog.warning - db 'logging'
interfaces=%defaultroute
oe=no # Opportunistic Encryption
protostack=netkey
nat_traversal=yes
# Allowed private networks
virtual_private=%v4:10.0.0.0/24,%v4:192.168.99.0/24 - these are added from
the per connection 'rightsubnet' settings below
DB Keys - these are generic :
setup=plutodebug|none/all/control parsing | klipsdebug|none | logging|warning |
nat|yes |
----------------------------------------------------------------------
Notes :
Per connection section - we need to generate this for each connection
# VPS to Work VOIP 2820
conn vps-to-voip # db 'name'
type=tunnel
authby=secret
auto=start # start = dial out, add = dial in - db 'auto'
ikelifetime=28800s
keylife=3600s
left=%defaultroute
leftsourceip=192.168.99.1 # Local private network IP - db 'leftip'
leftsubnet=192.168.99.0/24 # Local private subnet - db 'leftsubnet'
pfs=yes # Perfect Forward Secrecy - db 'pfs'
dpdaction=restart # Dead Peer Detection - restart/clear - clear is only
used in road warrior configs - db 'dpdaction'
dpddelay=30 # db 'dpddelay'
dpdtimeout=10 # db 'dpdtimeout'
right=222.222.222.222 # Remote IP - db 'rightip'
rightsubnet=10.0.0.0/24 # Remote private network db 'rightsubnet'
DB Keys these are per connection :
connection=name|vps-to-voip | leftip|192.168.99.1 | leftsubnet|255.255.255.0 |
rightip|222.222.222.222 | rightsubnet|10.0.0.0/24 | auto|start/add | pfs|yes/no
dpdaction|restart | dpddelay|30 | dpdtimeout|10 | passwd|MyPasswd
----------------------------------------------------------------------
Notes:
This needs to be able to be configured with DB entries per connection
/etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file
# 222.222.222.222 is the External IP of the dialin server
# Each connection has its own line
222.222.222.222 %any : PSK "MyPassword"
DB keys :
db 'rightip' and 'passwd'
----------------------------------------------------------------------
This is pretty crap, but the basics for some templates. No idea how to properly
use the ipsecDB !
We can get the External IP from the standard config data
base
/etc/e-smith/templates-custom/etc/ipsec.conf/
10GeneralConfiguration
{
    # $ipsec is the configuration DB record (ipsec=service|status|enabled);
    # the VPN settings live in the separate ipsec DB, read here through a tied
    # esmith::config hash and the esmith::db property helpers.
    use esmith::config;
    use esmith::db;
    my %ipsecconf;
    tie %ipsecconf, 'esmith::config', '/home/e-smith/db/ipsec';

    my $status = $ipsec->prop('status') || 'disabled';
    return "# ipsec service is disabled\n" unless $status eq 'enabled';

    # Generic settings are taken from one record (assumed key 'setup'):
    # setup=setup|plutodebug|none|klipsdebug|none|logging|warning|nat|yes
    my $klipsdebug = db_get_prop(\%ipsecconf, 'setup', 'klipsdebug') || 'none';
    my $plutodebug = db_get_prop(\%ipsecconf, 'setup', 'plutodebug') || 'none';
    my $nat        = db_get_prop(\%ipsecconf, 'setup', 'nat') || 'yes';

    $OUT .= "# General Configuration\n";
    $OUT .= "config setup\n";
    $OUT .= "\tklipsdebug=$klipsdebug\n";
    $OUT .= "\tplutodebug=$plutodebug\n";
    $OUT .= "\tnat_traversal=$nat\n";
    $OUT .= "\tinterfaces=%defaultroute\n";
    $OUT .= "\toe=no\n";
    $OUT .= "\tprotostack=netkey\n";

    # virtual_private is built from the rightsubnet of every 'connection' record
    my @subnets = map  { my $s = db_get_prop(\%ipsecconf, $_, 'rightsubnet'); "%v4:$s" }
                  grep { (db_get_type(\%ipsecconf, $_) || '') eq 'connection'
                         and db_get_prop(\%ipsecconf, $_, 'rightsubnet') }
                  sort keys %ipsecconf;
    $OUT .= "\tvirtual_private=" . join(',', @subnets) . "\n" if @subnets;
}
----------------------------------------------------------------------
20PerConnection
{
    use esmith::config;
    use esmith::db;
    my %ipsecconf;
    tie %ipsecconf, 'esmith::config', '/home/e-smith/db/ipsec';

    my $status = $ipsec->prop('status') || 'disabled';
    return "" unless $status eq 'enabled';

    # One conn stanza per record of type 'connection'; the record key is the name
    my @connections = grep { (db_get_type(\%ipsecconf, $_) || '') eq 'connection' }
                      sort keys %ipsecconf;
    return "# no ipsec connections defined\n" unless @connections;

    $OUT .= "# Per Connection Configuration\n";
    foreach my $name (@connections)
    {
        my $auto       = db_get_prop(\%ipsecconf, $name, 'auto') || 'add';
        my $pfs        = db_get_prop(\%ipsecconf, $name, 'pfs') || 'yes';
        my $dpdaction  = db_get_prop(\%ipsecconf, $name, 'dpdaction') || 'restart';
        my $dpddelay   = db_get_prop(\%ipsecconf, $name, 'dpddelay') || 30;
        my $dpdtimeout = db_get_prop(\%ipsecconf, $name, 'dpdtimeout') || 10;
        my $leftip     = db_get_prop(\%ipsecconf, $name, 'leftip') || '';
        my $leftsubnet = db_get_prop(\%ipsecconf, $name, 'leftsubnet') || '';
        my $rightip    = db_get_prop(\%ipsecconf, $name, 'rightip') || '';
        my $rightsubnet = db_get_prop(\%ipsecconf, $name, 'rightsubnet') || '';

        $OUT .= "\nconn $name\n";
        $OUT .= "\ttype=tunnel\n";
        $OUT .= "\tauthby=secret\n";
        $OUT .= "\tikelifetime=28800s\n";
        $OUT .= "\tkeylife=3600s\n";
        $OUT .= "\tleft=%defaultroute\n";
        $OUT .= "\tauto=$auto\n";
        $OUT .= "\tpfs=$pfs\n";
        $OUT .= "\tdpdaction=$dpdaction\n";
        $OUT .= "\tdpddelay=$dpddelay\n";
        $OUT .= "\tdpdtimeout=$dpdtimeout\n";
        $OUT .= "\tleftsourceip=$leftip\n";
        $OUT .= "\tleftsubnet=$leftsubnet\n";
        $OUT .= "\tright=$rightip\n";
        $OUT .= "\trightsubnet=$rightsubnet\n";
    }
}
----------------------------------------------------------------------
/etc/e-smith/templates-custom/etc/ipsec.secrets/
10PerConnection
{
    use esmith::config;
    use esmith::db;
    my %ipsecconf;
    tie %ipsecconf, 'esmith::config', '/home/e-smith/db/ipsec';

    my $status = $ipsec->prop('status') || 'disabled';
    return "" unless $status eq 'enabled';

    $OUT .= "# ipsec.secrets\n";
    $OUT .= "# Format is :\n";
    $OUT .= "# rightip %any : PSK \"MyPassword\"\n";
    # One line per 'connection' record, from its rightip and passwd properties
    foreach my $connection (sort keys %ipsecconf)
    {
        next unless (db_get_type(\%ipsecconf, $connection) || '') eq 'connection';
        my $rightip = db_get_prop(\%ipsecconf, $connection, 'rightip') or next;
        my $passwd  = db_get_prop(\%ipsecconf, $connection, 'passwd') or next;
        $OUT .= "$rightip %any : PSK \"$passwd\"\n";
    }
}
----------------------------------------------------------------------
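The part the notes leave open is how the per-connection DB keys (the `connection=name|...` record layout above) turn into a conn stanza, the virtual_private list and the ipsec.secrets line. The following is an added example written for this page, not code from the contrib or from the bug reporter: a small POSIX shell renderer that reads records in the `key=type|prop|value|...` form that `db ipsec show` prints and emits the three pieces of output. It assumes the record key is the connection name and the type is `connection` (the page's layout is ambiguous on that), that values contain no whitespace, and it uses constructed sample records and IPs.

```shell
#!/bin/sh
# Added example: render ipsec.conf conn stanzas, the virtual_private list and
# ipsec.secrets lines from SME-style DB records "key=type|prop|value|...".
# Assumed layout: key = connection name, type = 'connection', values without
# whitespace. Sample records and addresses below are constructed.

SAMPLE_DB='setup=setup|plutodebug|none|klipsdebug|none|logging|warning|nat|yes
vps-to-voip=connection|leftip|192.168.99.1|leftsubnet|192.168.99.0/24|rightip|222.222.222.222|rightsubnet|10.0.0.0/24|auto|start|pfs|yes|dpdaction|restart|dpddelay|30|dpdtimeout|10|passwd|MyPasswd
branch=connection|leftip|192.168.99.1|leftsubnet|192.168.99.0/24|rightip|203.0.113.7|rightsubnet|172.16.5.0/24|auto|add|pfs|no|dpdaction|clear|dpddelay|30|dpdtimeout|10|passwd|OtherSecret'

db_key()  { printf '%s\n' "${1%%=*}"; }
db_type() { body=${1#*=}; printf '%s\n' "${body%%|*}"; }

# Print one property of a record; return 1 if the property is absent.
db_prop() {
    want=$2
    body=${1#*=}; body=${body#*|}            # drop "key=" and the type
    while [ -n "$body" ]; do
        k=${body%%|*}; rest=${body#*|}
        [ "$rest" = "$body" ] && return 1    # trailing property without a value
        v=${rest%%|*}
        if [ "$rest" = "$v" ]; then body=""; else body=${rest#*|}; fi
        if [ "$k" = "$want" ]; then printf '%s\n' "$v"; return 0; fi
    done
    return 1
}

# All records of type 'connection' in a DB dump, one per line.
db_connections() {
    printf '%s\n' "$1" | while IFS= read -r rec; do
        if [ "$(db_type "$rec")" = "connection" ]; then printf '%s\n' "$rec"; fi
    done
}

# virtual_private=%v4:<rightsubnet>,... built from every connection record.
render_virtual_private() {
    list=""
    for rec in $(db_connections "$1"); do
        sub=$(db_prop "$rec" rightsubnet) || continue
        list="${list:+$list,}%v4:$sub"
    done
    printf 'virtual_private=%s\n' "$list"
}

# One conn stanza; optional keys are emitted only when the record has them.
render_conn() {
    rec=$1
    printf 'conn %s\n' "$(db_key "$rec")"
    printf '\ttype=tunnel\n\tauthby=secret\n\tikelifetime=28800s\n\tkeylife=3600s\n\tleft=%%defaultroute\n'
    for p in auto pfs dpdaction dpddelay dpdtimeout; do
        v=$(db_prop "$rec" "$p") || continue
        printf '\t%s=%s\n' "$p" "$v"
    done
    printf '\tleftsourceip=%s\n' "$(db_prop "$rec" leftip)"
    printf '\tleftsubnet=%s\n' "$(db_prop "$rec" leftsubnet)"
    printf '\tright=%s\n' "$(db_prop "$rec" rightip)"
    printf '\trightsubnet=%s\n' "$(db_prop "$rec" rightsubnet)"
}

# ipsec.secrets line: rightip %any : PSK "passwd" (passwd must not contain a quote).
render_secret() {
    printf '%s %%any : PSK "%s"\n' "$(db_prop "$1" rightip)" "$(db_prop "$1" passwd)"
}

# Render everything for one DB dump (stand-alone run prints the sample).
render_all() {
    db=$1
    render_virtual_private "$db"
    for rec in $(db_connections "$db"); do printf '\n'; render_conn "$rec"; done
    printf '\n# ipsec.secrets\n'
    for rec in $(db_connections "$db"); do render_secret "$rec"; done
}
render_all "$SAMPLE_DB"
```

The secrets output is the sensitive half: whatever generates ipsec.secrets from the `passwd` property should also make sure the file is root-only readable (SME's templates.metadata mechanism has a PERMS setting for exactly this), and the DB file holding the pre-shared keys deserves the same.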
--
You are receiving this mail because:
You are the QA Contact for the bug.
_______________________________________________
Mail for each SME Contribs bug report
To unsubscribe, e-mail [email protected]
Searchable archive at https://lists.contribs.org/mailman/public/contribteam/