Koozali.org: home of the SME Server

IPSec under 5.5 HOWTO

Lloyd Keen

IPSec under 5.5 HOWTO
« on: October 21, 2002, 08:20:33 AM »
I've just put together a rough howto for IPSec under 5.5. Would anyone like to test and report back?

Procedure for IPSec on SME 5.5 Update2
Download and install dmc-mitel-freeswan-0.4-12.noarch.rpm
Fix the problem with no key being displayed:
edit /etc/e-smith/templates/etc/ipsec.secrets/10RSAKey
look for
@args = ("/usr/lib/ipsec/ipsec", "rsasigkey", "2048");
$result .= `/usr/lib/ipsec/ipsec rsasigkey 2048`;
and change them to read
@args = ("/usr/local/lib/ipsec/ipsec", "rsasigkey", "2048");
$result .= `/usr/local/lib/ipsec/ipsec rsasigkey 2048`;

then run /sbin/e-smith/signal-event ipsec-install

Set up the IPsec tunnel at both ends as per normal.
Now turn off compression:
# mcedit /etc/e-smith/templates/etc/ipsec.conf/20default
and change the line that says
compress=yes
to
compress=no
then rebuild the template with
# /sbin/e-smith/expand-template /etc/ipsec.conf
followed by
# service ipsec restart
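
The same procedure as a script, added here as an example and not part of Lloyd's post: it patches the two template fragments with sed, checks the result on a constructed copy of the quoted lines before touching anything, and only runs the live signal-event/expand-template/restart steps when invoked with --apply. Assumed: the template paths quoted above, an ipsec wrapper under one of the two prefixes the post names, and that sed -i may be unavailable on SME 5.5, so files are rewritten via a temporary copy.

```shell
#!/bin/sh
# Added example, not Lloyd's code: applies the HOWTO's template edits with
# checks instead of hand-editing. Assumed: the template paths quoted in the
# thread and an ipsec wrapper under one of the two prefixes the post names;
# sed -i is avoided because the sed shipped with SME 5.5 may not support it.
KEY_TPL=/etc/e-smith/templates/etc/ipsec.secrets/10RSAKey
CONF_TPL=/etc/e-smith/templates/etc/ipsec.conf/20default

# Print the directory that actually holds the ipsec wrapper; fail if neither.
find_ipsec_dir() {
    for d in /usr/local/lib/ipsec /usr/lib/ipsec; do
        [ -x "$d/ipsec" ] && { echo "$d"; return 0; }
    done
    return 1
}

# Rewrite file $1 in place with sed expression $2 (portable stand-in for -i).
sed_inplace() { sed "$2" "$1" > "$1.new" && mv "$1.new" "$1"; }

# Point every /usr/lib/ipsec or /usr/local/lib/ipsec reference in the RSA-key
# fragment ($1) at directory $2. Idempotent, so re-running is harmless.
patch_key_template() {
    sed_inplace "$1" "s#/usr/\(local/\)\{0,1\}lib/ipsec/ipsec#$2/ipsec#g"
}

# Turn off IPCOMP in the default connection fragment ($1).
disable_compress() {
    sed_inplace "$1" 's/^\([[:space:]]*\)compress=yes/\1compress=no/'
}

# Offline self-check on a constructed copy of the lines the HOWTO quotes;
# returns 0 when both rewrites yield exactly the expected text.
selfcheck() {
    t=$(mktemp) || return 1
    printf '%s\n' '@args = ("/usr/lib/ipsec/ipsec", "rsasigkey", "2048");' \
        '$result .= `/usr/lib/ipsec/ipsec rsasigkey 2048`;' '  compress=yes' > "$t"
    patch_key_template "$t" /usr/local/lib/ipsec && disable_compress "$t" &&
        [ "$(grep -c /usr/local/lib/ipsec/ipsec "$t")" = 2 ] &&
        grep -q '^  compress=no$' "$t" && ! grep -q '/usr/lib/ipsec' "$t"
}

main() {
    dir=$(find_ipsec_dir) || { echo "ipsec wrapper not found" >&2; exit 1; }
    patch_key_template "$KEY_TPL" "$dir"
    /sbin/e-smith/signal-event ipsec-install
    disable_compress "$CONF_TPL"
    /sbin/e-smith/expand-template /etc/ipsec.conf
    service ipsec restart
}
# Only touch the live system when asked explicitly: sh patch-ipsec.sh --apply
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it once without arguments to execute only the self-check, then with --apply as root on the server.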

John Kupski

Re: IPSec under 5.5 HOWTO
« Reply #1 on: October 22, 2002, 06:01:33 AM »
I've tried the above, and get the following error when I attempt to execute the expand-template command:

In /etc/e-smith/templates//etc/ipsec.conf/40LocalAttributes: Use of uninitialized value in concatenation (.) or string at /etc/e-smith/templates//etc/ipsec.conf/40LocalAttributes line 21.
In /etc/e-smith/templates//etc/ipsec.conf/40LocalAttributes: Use of uninitialized value in concatenation (.) or string at /etc/e-smith/templates//etc/ipsec.conf/40LocalAttributes line 34.
In /etc/e-smith/templates//etc/ipsec.conf/40LocalAttributes: Use of uninitialized value in concatenation (.) or string at /etc/e-smith/templates//etc/ipsec.conf/40LocalAttributes line 44.
In /etc/e-smith/templates//etc/ipsec.conf/40LocalAttributes: Use of uninitialized value in concatenation (.) or string at /etc/e-smith/templates//etc/ipsec.conf/40LocalAttributes line 56.

The values in question seem to be leftnexthop and rightnexthop.  I don't know enough (alright, anything) about the templating system so I'm not sure how to debug this.  Can anyone shed some light on this error?

Darrell May

Re: IPSec under 5.5 HOWTO
« Reply #2 on: October 22, 2002, 06:06:29 AM »
Date:  Monday, October 21 2002 15:55
From:  Darrell May
 
To:  e-smith-devinfo
Reply-To:  dmay@netsourced.com
Subject:  [e-smith-devinfo] [BETA] freeswan contrib for SME5.5 available

[WARNING] for non-production testing only! [WARNING]

I've updated the freeswan contrib to work with SME5.5.  See the HowTo and
rpms for download here:

http://myezserver.com/downloads/mitel/beta/freeswan-sme55/

I have tested only briefly... but have established a vpn connection from
Vancouver BC to Phoenix Arizona.  I'd appreciate those running current vpns,
who have experience with freeswan, to give this a test and report your
results.

As always, comments and suggestions for improvement are welcomed.  Bonus
points if you provide the improvement code :-)

Regards,

--
Darrell May
DMC Netsourced.com
http://myEZserver.com

Lloyd Keen

Re: IPSec under 5.5 HOWTO
« Reply #3 on: October 22, 2002, 07:59:46 AM »
John,
Could you post the values that you are entering as your External IP, Gateway IP and subnet mask (blanking out the host ID). What type of Internet connection are you using? On my setup I have a static DSL connection with IP addresses similar to the following:
External IP 203.xxx.15.21
Gateway IP 203.xxx.15.20
Subnet 255.255.255.252
The Gateway IP (or nexthop) has to be an external IP address, maybe this could be the problem?

John Kupski

Re: IPSec under 5.5 HOWTO
« Reply #4 on: October 22, 2002, 08:37:05 AM »
Lloyd Keen wrote:
>
> John,
> Could you post the values that you are entering as your
> External IP, Gateway IP and subnet mask (blanking out the
> host ID).

Lloyd,

Are you asking for the address of the problem box, or the remote machine?

If you're asking about the problem box, it's cable (dynamic IP.)

Current settings are:

Ext IP: 24.xxx.xxx.173
GW IP: 24.xxx.xxx.128
Netmask: 255.255.255.128

If you're asking about the remote side, it's connected via T1 and is static

Ext IP: 66.xxx.xxx.37
GW IP: 66.xxx.xxx.33
Netmask: 255.255.255.248

Looking into the ipsec.conf built by the template, the leftnexthop and rightnexthop for the local connection are null.  As an experiment, I've edited this file by hand to add the proper gateway, and restarted ipsec.  

This still results in routing problems when I try to bring the tunnel up (route-client command exited with status 7) seemingly because of a missing gateway.

I know I'm missing something rather simple here, but can't put my finger on it.

Lloyd Keen

Re: IPSec under 5.5 HOWTO
« Reply #5 on: October 22, 2002, 10:20:53 AM »
Aha,
Then you have some real problems. The E-smith setup requires static IPs at either end in order to work. You will need to do some mods to the above in order to get it to work. I think what you need to set up is a "Road Warrior" configuration. Do a search for it on the net. GOOD LUCK.

Peter Schubert

Re: IPSec under 5.5 HOWTO
« Reply #6 on: October 22, 2002, 09:33:28 PM »
Hi Lloyd,

Have a look at this message:
http://forums.contribs.org/index.php?topic=14029.msg53340#msg53340

If it works post your success.

Peter

David Rinaldi

Re: IPSec under 5.5 HOWTO
« Reply #7 on: November 01, 2002, 05:47:21 PM »
Lloyd or Darrell, could you please respond to this since you guys seem to be the experts.

I have been following some of the threads about installing and configuring freeswan-sme55 and I guess I am confused about some of the details of the configuration.

THE REASON I AM CONFUSED IS THAT IT WORKS!

It entails SME5.5u2 on one end and an XP VPN client on the other. I have 2 T1s in the same building; the first T1 is through a cable modem, the second T1 is ADSL.

I installed and followed the how-to below for my installation, which is:
http://myezserver.com/downloads/mitel/beta/freeswan-sme55/freeswan-howto.html
dmc-mitel-freeswan-0.4-12.noarch.rpm

But, I have NOT set up the SME5.5u2 VPN IPSEC through the screen. The screen DOES display the RSA key.

The details are as follows:

Server Side:
SME5.5u2 server/gateway mode
static IP using cable modem 24.xxx.xx.xx (T1 bandwidth)
Gateway address: 192.168.1.1
Network: 192.168.1.0

Client Side:
Windows XP Pro no service pack - DSL Modem
Free VPN client supplied with XP
In connecting the client to the internet with the DSL service it creates 2 connections.

The first connection is the modem to the card: 169.254.244.220/255.255.0.0

Then when I connect to the ISP I am assigned a dynamic client and server address:
server 66.72.47.254, client 66.72.47.179.
I then connect using the XP Pro VPN client to my domain name, www.mydomain.com, and I sign in.

When this is complete another connection is created which has my internal SME5.5u2 address 192.168.1.1 and it assigns a local address through DHCP which is 192.168.1.247.

I can now ping, create/read a Microsoft network drive, etc.

I have not used the RSA Key from the freeswan server install on the client.

So, again, should this be working, since I have not defined a network on the VPN IPSEC screen and have not added the RSA key to the client?


Thanks in advance

David

Lloyd Keen

Re: IPSec under 5.5 HOWTO
« Reply #8 on: November 06, 2002, 10:04:31 AM »
David,
It appears that your XP box has established a PPTP VPN connection to the server, which is different to an IPsec VPN. Basically PPTP is where a single client establishes a connection to a remote LAN, but IPsec provides a LAN to LAN connection through the servers.