Koozali.org: home of the SME Server

Site to Site VPN (PPTP/IPSec)

ztasevski

Site to Site VPN (PPTP/IPSec)
« on: September 06, 2004, 07:18:40 AM »
Hi,

Has anyone successfully set up site to site VPN on SME6?

I found a howto but it specifies that it only works on sme 5.x.

Thanks in advance !

ldkeen
Site to Site VPN (PPTP/IPSec)
« Reply #1 on: September 06, 2004, 12:52:08 PM »
http://forums.contribs.org/index.php?topic=8658.msg32470#msg32470
I've had a tunnel running between Sydney & Brisbane for over 6 months now and it hasn't missed a beat. Should work OK with 6.0.1-01
Lloyd

ztasevski

Site to Site VPN (PPTP/IPSec)
« Reply #2 on: September 07, 2004, 01:45:32 AM »
Hi Lloyd,

Looks very promising !

Where are the IPsec settings for the tunnel stored? That forum entry only shows how to set it up!

Zoran

ldkeen
Site to Site VPN (PPTP/IPSec)
« Reply #3 on: September 07, 2004, 02:07:07 AM »
Hi Zoran,
The dev-info-freeswan rpm installs a server manager panel and you configure the tunnel from there.
Lloyd

ztasevski

Site to Site VPN (PPTP/IPSec)
« Reply #4 on: September 07, 2004, 02:16:20 AM »
Hi Lloyd,

Great ! The way it should be...

I will try out your setup early next week, as Optus has to sort itself out and get a DSL connection on this one site. It's taken them over 2 months.

I'll keep you and the forum posted on the progress!

Thanks once again Lloyd..

ldkeen
Site to Site VPN (PPTP/IPSec)
« Reply #5 on: September 07, 2004, 05:38:02 AM »
I'm gonna test it out with another site up here, both running 6.0.1-01, today or tomorrow. I'll report back.
lloyd

ztasevski

Site to Site VPN (PPTP/IPSec)
« Reply #6 on: September 07, 2004, 11:05:21 AM »
Please do !

ldkeen
Site to Site VPN (PPTP/IPSec)
« Reply #7 on: September 08, 2004, 01:55:10 AM »
Hey Zoran,
Great news - it works like a dream. Just managed to bring up a tunnel between two SME6.0.1 boxes:

Sep  8 09:06:31 ice ipsec__plutorun: 104 "net.local-net.192.168.10.0" #1: STATE_MAIN_I1: initiate
Sep  8 09:06:31 ice ipsec__plutorun: 106 "net.local-net.192.168.10.0" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Sep  8 09:06:31 ice ipsec__plutorun: 108 "net.local-net.192.168.10.0" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Sep  8 09:06:31 ice ipsec__plutorun: 004 "net.local-net.192.168.10.0" #1: STATE_MAIN_I4: ISAKMP SA established
Sep  8 09:06:31 ice ipsec__plutorun: 112 "net.local-net.192.168.10.0" #2: STATE_QUICK_I1: initiate
Sep  8 09:06:31 ice ipsec__plutorun: 004 "net.local-net.192.168.10.0" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
Sep  8 09:06:31 ice ipsec__plutorun: 112 "gate.local-net.192.168.10.0" #3: STATE_QUICK_I1: initiate
Sep  8 09:06:31 ice ipsec__plutorun: 004 "gate.local-net.192.168.10.0" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
Sep  8 09:06:32 ice ipsec__plutorun: 112 "gate.local-gate.192.168.10.0" #4: STATE_QUICK_I1: initiate
Sep  8 09:06:32 ice ipsec__plutorun: 004 "gate.local-gate.192.168.10.0" #4: STATE_QUICK_I2: sent QI2, IPsec SA established
Sep  8 09:06:32 ice ipsec__plutorun: 112 "net.local-gate.192.168.10.0" #5: STATE_QUICK_I1: initiate
Sep  8 09:06:32 ice ipsec__plutorun: 004 "net.local-gate.192.168.10.0" #5: STATE_QUICK_I2: sent QI2, IPsec SA established


Welcome to SME Server 6.0.1-01
[root@ice root]# ping 192.168.163.1
PING 192.168.163.1 (192.168.163.1) from 192.168.163.1 : 56(84) bytes of data.
64 bytes from 192.168.163.1: icmp_seq=1 ttl=64 time=0.132 ms
64 bytes from 192.168.163.1: icmp_seq=2 ttl=64 time=0.125 ms

--- 192.168.163.1 ping statistics ---
2 packets transmitted, 2 received, 0% loss, time 999ms
rtt min/avg/max/mdev = 0.125/0.128/0.132/0.011 ms

[root@ice root]# ping 192.168.163.66
PING 192.168.163.66 (192.168.163.66) from 192.168.163.1 : 56(84) bytes of data.
64 bytes from 192.168.163.66: icmp_seq=1 ttl=60 time=4.45 ms
64 bytes from 192.168.163.66: icmp_seq=2 ttl=60 time=2.33 ms
64 bytes from 192.168.163.66: icmp_seq=3 ttl=60 time=2.33 ms

--- 192.168.163.66 ping statistics ---
3 packets transmitted, 3 received, 0% loss, time 2016ms
rtt min/avg/max/mdev = 2.331/3.040/4.457/1.003 ms

[root@ice root]# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1) from 203.213.xxx.xxx : 56(84) bytes of data.
64 bytes from 192.168.10.1: icmp_seq=1 ttl=64 time=44.4 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=64 time=45.7 ms
64 bytes from 192.168.10.1: icmp_seq=3 ttl=64 time=47.2 ms

--- 192.168.10.1 ping statistics ---
3 packets transmitted, 3 received, 0% loss, time 2021ms
rtt min/avg/max/mdev = 44.419/45.796/47.234/1.163 ms

[root@ice root]# ping 192.168.10.67
PING 192.168.10.67 (192.168.10.67) from 203.213.xxx.xxx : 56(84) bytes of data.
64 bytes from 192.168.10.67: icmp_seq=1 ttl=127 time=46.0 ms
64 bytes from 192.168.10.67: icmp_seq=2 ttl=127 time=82.3 ms
64 bytes from 192.168.10.67: icmp_seq=3 ttl=127 time=113 ms

--- 192.168.10.67 ping statistics ---
3 packets transmitted, 3 received, 0% loss, time 2017ms
rtt min/avg/max/mdev = 46.021/80.482/113.098/27.417 ms

Just a couple of gotchas to watch out for. Here is a very rough howto:

Download all three RPMs from www.comnetel.com/ipsec and put them in a temp directory.
Install the freeswan RPMs first:
# rpm -Uvh freeswan*
Now install the dev-info RPM using --nodeps:
# rpm -Uvh --nodeps devinfo-freeswan-1.99-8sme56.noarch.rpm
Run the following command:
# /sbin/e-smith/signal-event ipsec-install
Now go into the server-manager and modify the local networks panel and add the info for the remote:
Network address is the remote server's lan IP
Subnet address is the remote server's subnet
Router is the local lan address
Next go into the virtualprivatenetworks panel located at the bottom of the server-manager and "add an ipsec vpn". Most of the stuff in there is self-explanatory. After doing this at both sites, and providing all the keys are correct, you should have your tunnel up and going. I had a problem with the RSA keys, and when I tried to bring the tunnel up at the remote it froze me out, but I was able to shell in to the remote from a third party and shut down ipsec. Let me know how you go.
Regards Lloyd
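The pluto log in Lloyd's post walks through IKE phase 1 (STATE_MAIN_I1 to STATE_MAIN_I4, ISAKMP SA established) and then phase 2 (STATE_QUICK_I1 to STATE_QUICK_I2, IPsec SA established) for each connection. As an added example, not from the post or from the FreeS/WAN project, here is a small Python parser over those lines that reports which connections completed phase 2 and which are stuck; the 10.0.0.0 line with SA #6 is a constructed sample of a negotiation that is retransmitting without a reply.

```python
import re
from collections import defaultdict

# Pluto (FreeS/WAN IKE daemon) log line, as seen in the post above:
#   <syslog prefix> ipsec__plutorun: <code> "<conn>" #<sa>: <STATE>: <message>
PLUTO_RE = re.compile(
    r'ipsec__plutorun: (?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): '
    r'(?P<state>STATE_[A-Z0-9_]+): (?P<msg>.*)$'
)
ISAKMP_DONE = "STATE_MAIN_I4"   # phase 1 finished: ISAKMP SA established
IPSEC_DONE = "STATE_QUICK_I2"   # phase 2 finished: IPsec SA established

# Sample input: four lines copied from the post plus one constructed line
# (10.0.0.0 subnet, SA #6) showing a negotiation stuck in retransmission.
SAMPLE_LOG = [
    'Sep  8 09:06:31 ice ipsec__plutorun: 104 "net.local-net.192.168.10.0" #1: STATE_MAIN_I1: initiate',
    'Sep  8 09:06:31 ice ipsec__plutorun: 004 "net.local-net.192.168.10.0" #1: STATE_MAIN_I4: ISAKMP SA established',
    'Sep  8 09:06:31 ice ipsec__plutorun: 004 "net.local-net.192.168.10.0" #2: STATE_QUICK_I2: sent QI2, IPsec SA established',
    'Sep  8 09:06:32 ice ipsec__plutorun: 004 "gate.local-gate.192.168.10.0" #4: STATE_QUICK_I2: sent QI2, IPsec SA established',
    'Sep  8 09:07:02 ice ipsec__plutorun: 010 "net.local-net.10.0.0.0" #6: STATE_MAIN_I1: retransmission; will wait 20s for response',
]

def parse_pluto(lines):
    """Fold pluto state messages into a per-connection status dict."""
    status = defaultdict(lambda: {"isakmp": False, "ipsec": False,
                                  "last_state": None, "retransmits": 0})
    for line in lines:
        m = PLUTO_RE.search(line)
        if not m:
            continue                      # not a pluto state line; ignore
        st = status[m["conn"]]
        st["last_state"] = m["state"]
        if m["state"] == ISAKMP_DONE:
            st["isakmp"] = True
        elif m["state"] == IPSEC_DONE:
            st["ipsec"] = True
        if "retransmission" in m["msg"]:
            st["retransmits"] += 1
    return dict(status)

def tunnel_problems(status):
    """Connections with no IPsec SA or with retransmissions, for alerting.
    Several connections to one peer share a single ISAKMP SA (only SA #1
    logs STATE_MAIN_I4 above), so phase 1 is not judged per connection."""
    return {conn: st for conn, st in status.items()
            if not st["ipsec"] or st["retransmits"] > 0}

if __name__ == "__main__":
    for conn, st in tunnel_problems(parse_pluto(SAMPLE_LOG)).items():
        print(f"{conn}: stuck at {st['last_state']} "
              f"({st['retransmits']} retransmissions)")
```

Feeding this the live /var/log/messages tail gives a quick check of which of several tunnels (the star topology discussed further down) actually came up before relying on them.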

ztasevski

Site to Site VPN (PPTP/IPSec)
« Reply #8 on: September 08, 2004, 03:10:33 AM »
Nice one Lloyd,

That looks very good !

As soon as the DSL connection is up I will give it a shot straight away and let you know of the progress. I might give the interface a shot shortly to get familiar with it. I presume as soon as the tunnel is up there should be no probs doing Win2K AD syncs (in place before I got in)?

ldkeen
Site to Site VPN (PPTP/IPSec)
« Reply #9 on: September 08, 2004, 03:40:32 AM »
Quote
I presume as soon as the tunnel is up there should be no probs doing Win2K AD syncs (in place before I got in)?

I don't think so. As long as you have added the remote network in the "local networks" panel, then for all intents and purposes they should appear as one and the same network.

Just make sure that you are well prepared prior to setting it up, in that you have access to a third party shell so you can stop ipsec on the remote if something goes wrong. It's also best if you give yourself remote access to the remote site's server manager; that way you can set it all up from the one PC. You can e-mail me off list if you have any probs.
Regards Lloyd

ztasevski

Re: Site to Site VPN (PPTP/IPSec)
« Reply #10 on: September 08, 2004, 03:50:21 AM »
Quote
I don't think so.

- did you mean I think so...

You don't have your email in your profile... I have just enabled mine through my profile... email me and I'll disable it so I don't get spammed.

mbachmann

Site to Site VPN (PPTP/IPSec)
« Reply #11 on: September 08, 2004, 02:38:31 PM »
Hey, we also want to know how it is going on.

ztasevski

Site to Site VPN (PPTP/IPSec)
« Reply #12 on: September 09, 2004, 04:51:51 AM »
Should have something early next week... still waiting on the ISP to set up the DSL connection!

Ness
Site to Site VPN (PPTP/IPSec)
« Reply #13 on: September 16, 2004, 06:28:19 PM »
I'm not spotting something here... is this simply site to site, or are there complications on multi-site networks?

In particular, I'd like info or setup docs for both star and meshed topology for, say, a 5 node network.

Have I missed something folk?

Cheers

Chris
Chris Elliott - SME Server user and helper

ldkeen
Site to Site VPN (PPTP/IPSec)
« Reply #14 on: September 19, 2004, 11:05:15 AM »
Chris,
I have successfully brought up two concurrent tunnels and haven't had any problems with them. If two work then I couldn't see any problems with 5 tunnels in a star topology, but meshed may be pushing the envelope a bit (not saying it can't work, just never tested it).
Lloyd