Koozali.org: home of the SME Server

smeserver-libreswan

ReetP
« on: March 09, 2016, 06:05:37 PM »
We have just added smeserver-libreswan to the contribs repo for testing. I have a version using openswan for v8 and will post in the relevant forum.

See https://bugs.contribs.org/show_bug.cgi?id=8677

Please have a go and let us know what issues you experience.

There will be an updated wiki page soon but you can see some config notes here:

https://github.com/reetp/smeserver-libreswan/blob/smeserver-libreswan-0.5/IpsecSettings.txt

yum --enablerepo=smedev,epel install smeserver-libreswan


There is a new config entry

config show ipsec

This contains some defaults, most of which can be overridden in the per connection db

There is a per connection db

db ipsec_connections show

There is a new action

signal-event ipsec-update

This should start and stop connections depending on their status in the db



For a basic connection you need this as a bare minimum. Note the use of East and West rather than local and remote. When you start dealing with RSA Sigs it makes it easier!

Note we use 'set' when we create a new connection. Thereafter you can modify it with setprop

Local - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24
db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 passwd MyPassWd

Remote - WAN IP 1.2.3.4 Local IP 10.0.0.1 Subnet 10.0.0.0/24
db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 passwd MyPassWd

Make sure you go into server-manager and enable a new 'LOCAL' network equating to the RIGHT (remote) network on each SME server. This will enable the correct ports in the firewall.

signal-event ipsec-update to start the connection

To check the basic setting use

ipsec whack --verify

To see the connection status use

ipsec whack --status

You should see something like this

000 #57: "MyConnection":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3108s; newest IPSEC; eroute owner; isakmp#56; idle; import:not set
000 #57: "MyConnection" esp.ab2c614c@1.2.3.4 esp.4c788eca@5.6.7.8 tun.0@1.2.3.4 tun.0@5.6.7.8 ref=0 refhim=4294901761 Traffic: ESPin=252B ESPout=252B! ESPmax=4194303B
000 #56: "MyConnection":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3107s; newest ISAKMP; lastdpd=13s(seq in:16319 out:0); idle; import:not set


You should be able to ping across your network

If you master the use of PSK Passwords then using RSA keys is even better. See the links for notes.

If one end is a dynamic host (even if you use a hostname rather than the IP) there are some special considerations. ipsec does not detect changed IP addresses unless it is restarted.

The only simple way around this is to set the db entry 'iptype'

This will set a source IP as 0.0.0.0

This is clearly a security risk enabling connections from any IP. If you DO use this then we strongly suggest you use RSA keys, IKE v2 and RSA-ids to enhance security

Also note that enabling ipsec DISABLES RP_filtering. This can be considered a potential risk and you are advised to read up accordingly.

A start is here:
https://lists.libreswan.org/pipermail/swan/2015/001092.html



...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation
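The verification steps in the post (ipsec whack --status, then ping) can be scripted for every connection the db says should be up. The following is an added example and is not code from the post or from smeserver-libreswan. It runs over constructed samples of "db ipsec_connections show" and "ipsec whack --status" output, modelled on what the post shows but with the connection named MyEast as in the db examples, and reports per enabled connection whether both the ISAKMP (phase 1) and IPsec (phase 2) SAs are established and how many ESP bytes have arrived. The KEY=type / indented prop=value layout of the db output is assumed from SME Server's db tool; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of smeserver-libreswan): check that every enabled
# connection in the ipsec_connections db has both its ISAKMP and IPsec SA
# established, judged from the "ipsec whack --status" output format.

# Constructed sample of "db ipsec_connections show" output. The KEY=type /
# indented prop=value layout is assumed from SME Server's db tool.
SAMPLE_DB='MyEast=ipsec
    leftsourceip=192.168.20.1
    leftsubnet=192.168.20.0/24
    passwd=MyPassWd
    right=1.2.3.4
    rightsubnet=10.0.0.0/24
    status=enabled
Stale=ipsec
    right=9.9.9.9
    status=enabled
Parked=ipsec
    right=8.8.8.8
    status=disabled'

# Constructed sample of "ipsec whack --status" output, modelled on the
# post's: MyEast is fully up, Stale is stuck retransmitting in phase 1.
SAMPLE_STATUS='000 #57: "MyEast":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3108s; newest IPSEC; eroute owner; isakmp#56; idle; import:not set
000 #57: "MyEast" esp.ab2c614c@1.2.3.4 esp.4c788eca@5.6.7.8 tun.0@1.2.3.4 tun.0@5.6.7.8 ref=0 refhim=4294901761 Traffic: ESPin=252B ESPout=252B! ESPmax=4194303B
000 #56: "MyEast":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3107s; newest ISAKMP; lastdpd=13s(seq in:16319 out:0); idle; import:not set
000 #12: "Stale":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 4s; idle; import:admin initiate'

# enabled_conns DB_TEXT
# Print the names of connections whose status property is "enabled".
enabled_conns() {
    printf '%s\n' "$1" | awk '
        /^[^ ]/              { split($0, kv, "="); name = kv[1]; next }
        /^ +status=enabled$/ { print name }'
}

# conn_state STATUS_TEXT CONN_NAME
# Print "up" (both SAs established), "phase1-only" (ISAKMP SA only) or
# "down". Exit status is 0 only for "up", so it can drive an alert.
# "|| true" keeps a zero grep count from aborting a "set -e" caller.
conn_state() {
    status_text="$1"
    name="$2"
    p1=$(printf '%s\n' "$status_text" | grep -c "\"$name\":.*ISAKMP SA established" || true)
    p2=$(printf '%s\n' "$status_text" | grep -c "\"$name\":.*IPsec SA established" || true)
    if [ "$p1" -gt 0 ] && [ "$p2" -gt 0 ]; then
        echo up
        return 0
    elif [ "$p1" -gt 0 ]; then
        echo phase1-only
    else
        echo down
    fi
    return 1
}

# esp_in_bytes STATUS_TEXT CONN_NAME
# Print the ESPin byte counter from the connection's traffic line (empty
# when there is no IPsec SA). A tunnel reported "up" whose ESPin never
# grows is worth re-checking against the server-manager LOCAL network
# step from the post, since that is what opens the firewall.
esp_in_bytes() {
    printf '%s\n' "$1" | sed -n "/\"$2\" esp\./s/.*ESPin=\([0-9]*\)B.*/\1/p"
}

# check_all DB_TEXT STATUS_TEXT
# One "name state" line per enabled connection.
check_all() {
    for c in $(enabled_conns "$1"); do
        s=$(conn_state "$2" "$c" || true)
        echo "$c $s"
    done
}

# Stand-alone demo on the constructed samples. On an SME server you would
# run: check_all "$(db ipsec_connections show)" "$(ipsec whack --status)"
check_all "$SAMPLE_DB" "$SAMPLE_STATUS"
```

On a live box, conn_state "$(ipsec whack --status)" MyEast returns non-zero for anything but a fully established tunnel, which is the condition you want a cron job or monitoring hook to act on; a "phase1-only" result points at the phase 2 parameters (subnets, leftsourceip) rather than at the PSK.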