ipsecDB.Notes
Server must be in servergateway mode - the action script needs to check this:
config show SystemMode
SystemMode=servergateway
#Per connection settings look like this (leftsubnet is the local network, not the host address; passwd is the pre-shared key)
ipsec_connections configs
db ipsec_connections set workToVoip ipsec status disabled leftsourceip 192.168.10.100 leftsubnet 192.168.10.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 passwd MyPassWd
[root@test]# db ipsec_connections show
workToVoip=ipsec
leftsourceip=192.168.10.100
leftsubnet=192.168.10.0/24
passwd=MyPassWd
right=1.2.3.4
rightsubnet=10.0.0.0/24
status=disabled
Config Defaults
config set ipsec service status disabled connection type tunnel left %defaultroute ikelifetime 28800s keylife 3600s dpdaction restart dpddelay 30 dpdtimeout 10 pfs yes auto start
----------------------------------------------------------
The firewall ports can also be set via the access db, which may let the masq fragment go later.
http://wiki.contribs.org/DB_Variables_Configuration#IPTables_firewall_.28masq.29
Need to add this and remove the masq template. Caveat: ESP and AH are IP protocols 50 and 51, not TCP ports, so a TCPPort entry of 50,51 would only open TCP ports 50 and 51 and does nothing for ESP/AH. The entries below cover IKE (UDP 500), NAT-T (UDP 4500, which carries ESP inside UDP when the peer is behind NAT) and, for l2tpd, UDP 1701; raw ESP/AH to peers that are not behind NAT still needs the masq fragment until the firewall templates can pass protocols 50 and 51.
ipsec only
config setprop ipsec access public UDPPorts 500,4500
l2tpd
config setprop ipsec access public UDPPorts 500,4500,1701
----------------------------------------------------------
[root@test ipsec.d]# config show ipsec
ipsec=service
auto=start
connectiontype=tunnel
dpdaction=restart
dpddelay=30
dpdtimeout=10
ikelifetime=28800s
keylife=3600s
left=%defaultroute
pfs=yes
status=disabled
Any setting in the db ipsec_connections overrides the default setting in the config db (or should!). If a setting is present in neither, the system sets a default.
There is now a new action script called ipsec-update.
Make your changes and then signal-event ipsec-update to action them.
Note that as it is currently very difficult to detect which connections are up (something libreswan are working on), the script does not try to detect connection status, so it resets all of them.
Just discovered we can probably do this with ipsec whack --status | grep "IPsec SA established"
https://lists.libreswan.org/pipermail/swan/2015/001083.html
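Putting the notes above together, here is an added example of what the ipsec-update action script has to do; it is not the project's script. It takes the SystemMode check, the "db ipsec_connections show" and "config show ipsec" output (constructed copies of the records above, parsed in the name=type / prop=value form, with or without the indentation the real db tool prints), applies the override rule, renders a libreswan conn stanza plus a separate ipsec.secrets line so the PSK never lands in ipsec.conf, and counts established SAs from a constructed, approximate "ipsec whack --status" excerpt. The function names and the secrets line format are this example's own choices.

```bash
#!/bin/bash
# Added example, not the project's ipsec-update script. Assumptions: db text is
# in the "name=type" / "prop=value" form of "db ... show" and "config show"
# (real output indents props; both forms parse), SAMPLE_STATUS is constructed.

# Constructed copy of "config show ipsec" (the defaults).
IPSEC_DEFAULTS='ipsec=service
auto=start
connectiontype=tunnel
dpdaction=restart
dpddelay=30
dpdtimeout=10
ikelifetime=28800s
keylife=3600s
left=%defaultroute
pfs=yes
status=disabled'

# Constructed copy of "db ipsec_connections show" with one connection.
IPSEC_CONNECTIONS='workToVoip=ipsec
leftsourceip=192.168.10.100
leftsubnet=192.168.10.0/24
passwd=MyPassWd
right=1.2.3.4
rightsubnet=10.0.0.0/24
status=disabled'

# Constructed "ipsec whack --status" excerpt in libreswan's style (approximate).
SAMPLE_STATUS='000 #2: "workToVoip":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); newest IPSEC; idle
000 #1: "workToVoip":500 STATE_MAIN_I4 (ISAKMP SA established); newest ISAKMP; idle'

# get_prop RECORD PROP TEXT: value of PROP inside RECORD, or empty. A record
# starts at its "name=ipsec" / "name=service" header line.
get_prop() {
  printf '%s\n' "$3" | awk -v rec="$1" -v prop="$2" -F= '
    { sub(/^[ \t]+/, "") }
    /=(ipsec|service)$/ { inrec = ($1 == rec); next }
    inrec && $1 == prop { sub(/^[^=]*=/, ""); print; exit }'
}

# conn_prop CONN PROP: the per-connection value wins; otherwise the config
# default from the "ipsec" service record (the override rule in the notes).
conn_prop() {
  local v
  v=$(get_prop "$1" "$2" "$IPSEC_CONNECTIONS")
  [ -n "$v" ] || v=$(get_prop ipsec "$2" "$IPSEC_DEFAULTS")
  printf '%s' "$v"
}

# system_mode_ok "SystemMode=...": the action script must bail out unless the
# box is a servergateway; a server-only host has no public side to terminate on.
system_mode_ok() {
  [ "${1#SystemMode=}" = servergateway ]
}

emit() { if [ -n "$2" ]; then printf '    %s=%s\n' "$1" "$2"; fi; }

# render_conn CONN: the ipsec.conf stanza. status=disabled becomes auto=ignore
# so libreswan skips it; the PSK is deliberately kept out of ipsec.conf.
render_conn() {
  local name=$1 auto k
  if [ "$(conn_prop "$name" status)" = enabled ]; then
    auto=$(conn_prop "$name" auto)
  else
    auto=ignore
  fi
  printf 'conn %s\n' "$name"
  emit type "$(conn_prop "$name" connectiontype)"
  emit authby secret
  for k in left leftsourceip leftsubnet right rightsubnet \
           ikelifetime keylife dpdaction dpddelay dpdtimeout pfs; do
    emit "$k" "$(conn_prop "$name" "$k")"
  done
  emit auto "$auto"
}

# render_secret CONN: the ipsec.secrets line (write that file with mode 0600).
render_secret() {
  printf '%%any %s : PSK "%s"\n' "$(conn_prop "$1" right)" "$(conn_prop "$1" passwd)"
}

# established_count STATUS_TEXT: number of IPsec SAs reported as established.
# libreswan prints "IPsec SA established" and grep is case-sensitive.
established_count() {
  printf '%s\n' "$1" | grep -c 'IPsec SA established' || true
}

# Stand-alone run: mimic the action script on the constructed records.
if system_mode_ok "SystemMode=servergateway"; then
  render_conn workToVoip
  render_secret workToVoip
  echo "established SAs: $(established_count "$SAMPLE_STATUS")"
fi
```

On a real box the three constants would come from `config show SystemMode`, `config show ipsec` and `db ipsec_connections show`, and the stanza and secrets line would be written to ipsec.conf and ipsec.secrets before signalling ipsec-update; established_count is the status check the notes mention, so a later version can skip resetting connections whose SA is already up.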
Any questions? Please ask at forums.contribs.org in the Contribs section.