Koozali.org: home of the SME Server

FreeS/WAN, VPN, VLAN, WAN, ....

.nate

FreeS/WAN, VPN, VLAN, WAN, ....
« on: January 08, 2004, 07:00:58 PM »
I am looking for an elegant solution to connect three office networks by VPN (LAN to LAN to LAN).  My primary site uses e-smith 5.5 server and gateway.  The other offices' networks are not up yet and they can be anything they need to be.
 
Is it all agreed that the Darrel May IPSEC how to for SME 5.5 is the best way to go?
Also, is there extended information somewhere that explains how to connect three (3) offices instead of only two?
 
…as always, much good karma for all those that help!
 
Thanks in advance.
 
.nate


Steve Bush

Re: FreeS/WAN, VPN, VLAN, WAN, ....
« Reply #1 on: January 08, 2004, 11:21:15 PM »
I could use a bit of good Karma!!!

If it were me, I would either wait for (or build) a SME6.0 IPSEC solution, or install a separate IPSEC box at each site to make the VPN connection and have the SME box as a server only behind it.

Tivon Coles

Re: FreeS/WAN, VPN, VLAN, WAN, ....
« Reply #2 on: January 11, 2004, 02:06:22 AM »
Ok well 2 things that may help a few people

for everyone that is trying to get IPSEC VPN  running on version 6 you will need to do the following...
download the files install as the howto says here
http://mirror.contribs.org/smeserver/contribs/saco/contrib/devinfo-freeswan-1.99/
.... then just follow the instruction on the prev post by Lloyd Keen found here
http://forums.contribs.org/index.php?topic=8658.msg32470#msg32470
...it works just like it should =)!

now for multiple networks .... ie more than 2 ....I have 3 networks connected, it's real easy, just like setting up 2 networks and repeating the process.... so you set up 2 connections on each box

eg ... if you have 3 IP ranges
192.168.1.*
192.168.2.*
192.168.3.*

just set up them as follows using the instructions at
http://mirror.contribs.org/smeserver/contribs/saco/contrib/devinfo-freeswan-1.99/freeswan-howto.html
so on each server....
192.168.1.* has the Local networks  and IPSEC set up to 192.168.2.* and 192.168.3.*
192.168.2.* has the local connections  and IPSEC set up to 192.168.1.* and 192.168.3.*
192.168.3.* has the local connections  and IPSEC set up to 192.168.1.* and 192.168.2.*

hope this helps

if anyone needs any help or has any questions lemme know =)
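
The three-office layout described in the post above, written out as an added example (not part of the original post and not code from the SME contrib). It assumes raw FreeS/WAN-style `conn` sections rather than the server-manager panel; the site names, public addresses and key values are constructed placeholders. It also checks that no two LAN ranges overlap, since overlapping ranges cannot be routed across the tunnels.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: LAN ranges are the ones from the post; the public
# addresses are documentation IPs (RFC 5737) and the keys are placeholders.
SITES = {
    "office1": {"public": "203.0.113.1", "subnet": "192.168.1.0/24", "key": "<office1-pubkey>"},
    "office2": {"public": "203.0.113.2", "subnet": "192.168.2.0/24", "key": "<office2-pubkey>"},
    "office3": {"public": "203.0.113.3", "subnet": "192.168.3.0/24", "key": "<office3-pubkey>"},
}


def overlapping_subnets(sites):
    """Return the site pairs whose LAN ranges overlap (these cannot be routed)."""
    nets = {name: ipaddress.ip_network(s["subnet"]) for name, s in sites.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def conn_section(a, b, sites):
    """One FreeS/WAN-style conn section; the same text is used on both gateways."""
    left, right = sites[a], sites[b]
    return "\n".join([
        f"conn {a}-{b}",
        f"    left={left['public']}",
        f"    leftsubnet={left['subnet']}",
        f"    leftrsasigkey={left['key']}",
        f"    right={right['public']}",
        f"    rightsubnet={right['subnet']}",
        f"    rightrsasigkey={right['key']}",
        "    authby=rsasig",
        "    auto=start",
    ])


def tunnels_for(site, sites):
    """Conn sections that belong on one gateway: one per other site in the mesh."""
    clashes = overlapping_subnets(sites)
    if clashes:
        raise ValueError(f"overlapping LAN subnets: {clashes}")
    return [conn_section(a, b, sites)
            for a, b in combinations(sorted(sites), 2) if site in (a, b)]


if __name__ == "__main__":
    for name in sorted(SITES):
        print(f"# ---- {name} ----")
        print("\n\n".join(tunnels_for(name, SITES)), end="\n\n")
```

Each gateway ends up with two sections and the mesh has three tunnels in total; a fourth office would add three more.
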

ryan

Re: FreeS/WAN, VPN, VLAN, WAN, ....
« Reply #3 on: January 11, 2004, 04:15:07 AM »
nate,

I am a huge fan of SME.  I got into linux because of e-smith server.  I currently have 4 remote sites connected to a central location using IPCop and linksys vpn routers.  IPCop is very easy to set up and does IPSEC VPN out of the box.  Even more cool is the fact you can set up a cheap linksys firewall VPN router ($130) as an end point for an IPSEC tunnel.  

I found the third party stuff for e-smith/SME to be difficult to make work when you upgrade, so I set up IPCOP for networking/routing/VPN and use SME for network services such as spam filtering, proxy, printing, squidguard etc...

Look at ipcop.org and set up a test box.  You can't find a cheaper way to link your offices if you put the remote locations on a linksys.   And since a linksys has no moving parts, it should be very reliable.  You could also use a linksys at your central location instead of IPCOP.  I prefer IPCOP at my central location due to its true DMZ (orange) lan.

good luck

ryan

Boris

Re: FreeS/WAN, VPN, VLAN, WAN, ....
« Reply #4 on: January 11, 2004, 07:47:08 AM »
Also Netgear FVS318 (<$130) is a great VPN/firewall for this scenario.

Steve Bush

Re: FreeS/WAN, VPN, VLAN, WAN, ....
« Reply #5 on: January 11, 2004, 07:59:54 AM »
I have been very happy with IPCOP as a firewall/VPN server.
I have 4 sites up and running on it and will be moving my other 5 sites in the next few months.  Very simple to install, configure and update.
It even backs up to a floppy for a quick restore.

I've been using inexpensive Dell PE400SC servers that I've gotten for dirt cheap on Dell's Small Business website.

.nate

Re: FreeS/WAN, VPN, VLAN, WAN, ....
« Reply #6 on: January 18, 2004, 03:56:58 AM »
Thanks to everyone that responded.  Didn’t mean to start an IPCop flame-war!  I have since deployed FreeS/WAN successfully on the three e-smith 5.5 networks.  Everything seems to be working great.  BTW – It’s not too tough.  …just need to be exact about everything, i.e. no extra spaces in the keys!
 
Att: Tivon Coles (or anyone)

> Tivon Coles wrote:

> Ok well 2 things that may help a few people
>
> for everyone that is trying to get IPSEC VPN  running on
> version 6 you will need to do the following...
> download the files install as the howto says here
>
> http://mirror.contribs.org/smeserver/contribs/saco/contrib/devinfo-freeswan-1.99/
> .... then just follow the instruction on the prev post by
> Lloyd Keen found here
>
> http://forums.contribs.org/index.php?topic=8658.msg32470#msg32470
> ...it works just like it should =)!
>

Regarding sme 6 (Final), can you give us a more stepwise install process?  The 5.6 “how-to” and the Lloyd Keen post seem to disagree.

Something like:

To make FreeS/WAN ipsec work on sme 6 do this:

1) Install this rpm - http:/link…
2) Using this command # rpm -Uvh
3) Do this
4) Then do this
5) Go to the server manager and set up the tunnel.

This would be helpful as I got many errors trying to set it up on my 6 box at home with the information I had.

Still trying.

Thanks.


.nate

IPSEC and PPPOE
« Reply #7 on: January 23, 2004, 11:24:07 PM »
IPSEC and PPPOE -

Using FreeS/WAN on 5.5 I have three networks talking in the "Lab", but I have yet to connect to the remote office over the Internet.  
 
This is the deal:
 
In my office I set up three 'mini' networks on different IPs, all with different names, internal addresses, etc.  These are all identical, fresh-install, 5.5 boxes, each with a win2k client hanging off of them.  This setup works like a charm.  From any client I can ping any client and life is good.  However, I have so far been unsuccessful connecting to a “real” remote office, across gateways, and in different address blocks.

The “Lab” is our main office, which has a direct 2 Mbps connection with static IP addresses.
 
The remote offices are ADSL, PPPOE (SBC) Netopia, Cayman series ADSL/routers with static IPs.  NAT is turned off; the clients get DHCP from the e-smith box.
 
Could PPPOE be the issue?  If so, what is the resolution?
 
...I’m sticking with this - not going to give up and buy a hardware based VPN solution yet, but I got to make this work!
 
Thanks in advance,
.nate

Kevinm

ipsec errors and keep alive traffic query
« Reply #8 on: January 26, 2004, 11:41:41 AM »
Well I am trying to set up a similar scenario - head office and three remote offices via an ipsec vpn. Installed as per the references and nearly there. Of the three remote gateways 2 seem to be working fine. The third one has now been installed several times and is suspect. All four machines are on my desk and easily worked on. All four are identical and I have gone progressively through each one so the setup is the same (obviously ips changes etc).

I get a 127 error on the problem machine. Messages about exiting etc (similar to the responses from others in google) and then it claims it is synced. Still to confirm I can get traffic down the tunnel. Unfortunately in google there are many similar queries but a dearth of answers. Anyone got any ideas?

Just out of interest from others who have VPNs using ipsec what sort of keep alive traffic do you see? I expect some but  around 20mb per hour seems high. Will try it with some continual traffic (watch df or similar) and see what effect that has.

Regards
kevin

gregg

VNC on V.6.0
« Reply #9 on: January 28, 2004, 08:14:03 AM »
Tivon

I am just about to try to connect two networks using E-Smith v6.0 (final-dev ver).
I’ve read as much as possible on various forums, but I could find only info about E-smith and FreeSwan  referring to Ver 4.1 and 5.x.
My questions are:
Will FreeSwan 2.04 (latest) work with SME 6.0 if I follow your instructions? Lloyd Keen in his post stated: “Install the freeswan binaries first then install dev-info next using --nodeps.” What does he mean by “…install dev-info…” ?

ldkeen

Freeswan
« Reply #10 on: January 28, 2004, 09:49:33 AM »
Greg,
At the time I was setting up the tunnel, the only FreeSwan stuff I could find that was compiled for the kernel on SME 6.0b3 was the X509 binaries. You may have more luck now finding Freeswan 2.04 for this kernel. The procedure I used to install the Freeswan 1.99 rpm's was as follows:
[root@server root]# rpm -Uvh freeswan-1.99_x509_0.9.15_2.4.20_18.7-1 freeswan-module-1.99_x509_0.9.15_2.4.20_18.7-1
[root@server root]# rpm -Uvh --nodeps devinfo-freeswan-1.99-8sme56.noarch.rpm
You can download these rpm's from here
 http://mirror.contribs.org/smeserver/contribs/saco/contrib/devinfo-freeswan-1.99/devinfo-freeswan-1.99-8sme56.noarch.rpm
and here
http://download.freeswan.ca/freeswan-x509/RedHat-RPMs/1.99/2.4.20-18.7/
Then just go into the server manager and setup the tunnel as per normal. It's been rock solid for a couple of months now so I'm in no hurry to upgrade to the 2.0.4 stuff.

wallyrp

Ours is not to reason why but to do or die
« Reply #11 on: April 01, 2004, 02:35:03 PM »

Good Morning,

I guess I'm blind as a bat or something. I haven't got a VPN to work since 5.1.2. Every time I install it as per the instructions, there is no public encryption key listed in the server manager panel. I generate one and try to set up a VPN with the information straight from the ipsec.secrets file with no success. I've tried this with 1.99 and 2.04 of FreeSwan.

It's a fresh install of SME 6.0 (contribs distro). A penny for your thoughts?

Wally

Medimo

FreeS/WAN, VPN, VLAN, WAN, ....
« Reply #12 on: April 26, 2004, 09:35:34 AM »
have you done the:
/sbin/e-smith/signal-event ipsec-install

This will expand the template of ipsec.secrets (recreating the rsa-keys) and import it in your e-smith db. After that, it shows up in your server-panel.

grz,

Richard