ipsecDB.Notes
V 0.5.x Notes
** Note that nothing is guaranteed to work and it may break your system or deny you access **
Also note that on occasion ipsec can hang - I think this is when you enable/disable a few times quite quickly and the connection is still waiting on a timeout.
We can now add rsasigs (RSA signature keys).
To generate them, run the following (ignore any warnings):
Delete all old NSS dbs first:
rm /etc/ipsec.d/*.db
ipsec initnss --configdir /etc/ipsec.d
ipsec newhostkey --output /etc/ipsec.d/rsa.secrets
ipsec showhostkey --left
ipsec showhostkey --right
We then add them to our connection:
db ipsec_connections setprop LocalToRemote leftrsasig SomeLongStringFromLocalRSASecrets
db ipsec_connections setprop LocalToRemote rightrsasig SomeLongStringFromRemoteRSASecrets
Be VERY careful copying these - one character out anywhere and it will not work.
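The copy step is where this goes wrong, so here is an added example (my own helper, not part of these notes or the contrib's scripts) that reads the key out of the showhostkey output instead of retyping it. It assumes libreswan prints the key as a 'leftrsasigkey=0s...' (or 'rightrsasigkey=0s...') line, which it does; the showhostkey output embedded below is constructed and the key value in it is made up and far shorter than a real one.

```shell
# Added example, not from the ipsecDB notes or the contrib's own scripts.
# Assumption: `ipsec showhostkey --left` prints a line "leftrsasigkey=0s..."
# (and --right prints "rightrsasigkey=0s..."), as libreswan does; the
# helper reads that line so the key is never retyped by hand.

# Constructed sample of showhostkey output; the key value is made up and
# much shorter than a real 2048-bit key.
SAMPLE_SHOWHOSTKEY='    # rsakey AQPaFhG7u
    leftrsasigkey=0sAQPaFhG7u5YHxKv9c2RkqM0XyzAbCdEf'

# extract_rsasig SIDE  (reads showhostkey output on stdin)
# Prints the bare key for SIDE (left|right); returns 1 if it is missing
# or does not look like a libreswan "0s" base64 key. tr strips the line
# ending (including a CR if the output was pasted through Windows).
extract_rsasig() {
    side="$1"
    key=$(sed -n "s/^[[:space:]]*${side}rsasigkey=//p" | tr -d '[:space:]')
    [ -n "$key" ] || return 1
    printf '%s' "$key" | grep -Eq '^0s[A-Za-z0-9+/=]+$' || return 1
    printf '%s\n' "$key"
}

# setprop_cmd CONN SIDE KEY
# Prints the db command from the notes with the key filled in, so you can
# eyeball it before running it (or run it with: sh -c "$(setprop_cmd ...)").
setprop_cmd() {
    printf 'db ipsec_connections setprop %s %srsasig %s\n' "$1" "$2" "$3"
}

# Usage: pull the left key from the (constructed) output and show the command.
# On a real box replace the printf with:  ipsec showhostkey --left | extract_rsasig left
KEY=$(printf '%s\n' "$SAMPLE_SHOWHOSTKEY" | extract_rsasig left) &&
    setprop_cmd LocalToRemote left "$KEY"
```

For the remote side, run the same thing against the output of ipsec showhostkey --right on the other box and feed it to setprop_cmd with "right"; the charset check catches the usual damage (a stray space, a wrapped line, a missing '0s' prefix) before anything is written to the db.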
Various refinements and bug fixes.
Note that a new setting called 'PreviousState' will be created in the ipsec_connections db.
It tracks the changes made so that ipsec-update knows what to do on state changes. There is no need to touch this setting.
# Per-connection settings look like this
ipsec_connections configs
Note that settings in the main config db are only reread if you restart ipsec.
Those set on a per-connection basis are reread when that connection is restarted, i.e. when it is called via ipsec-update.
db settings
db ipsec_connections set workToVoip ipsec status disabled leftsourceip 192.168.10.100 leftsubnet 192.168.10.100/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 passwd MyPassWd
[root@test]# db ipsec_connections show
workToVoip=ipsec
leftsourceip=192.168.10.100
leftsubnet=192.168.10.0/24
passwd=MyPassWd
right=1.2.3.4
rightsubnet=10.0.0.0/24
status=disabled
Config Defaults
config set ipsec service status disabled connectiontype tunnel left %defaultroute ikelifetime 28800s keylife 3600s dpdaction restart dpddelay 30 dpdtimeout 10 pfs yes auto start security secret salifetime 28800s
Additional db entries
Set mtu in the config db or in ipsec_connections if required.
Add rsasigs by setting:
security rsasig
certname "Your cert nickname" - find the nickname with 'certutil -d . -L | grep u,u,u' (the -d . means run it from the NSS db directory, /etc/ipsec.d)
https://libreswan.org/man/ipsec.conf.5.html
ike = Some examples are ike=3des-sha1,aes-sha1, ike=aes, ike=aes128-md5;modp2048, ike=aes128-sha1;dh22, ike=3des-md5;modp1024,aes-sha1;modp1536 or ike=modp1536
phase2alg = aes-sha1 (same syntax as ike above)
Note there is no DB entry for phase2 - Libreswan defaults to ESP, so unless you use AH (not recommended) leave it as is.
----------------------------------------------------------
[root@test ipsec.d]# config show ipsec
ipsec=service
auto=start
connectiontype=tunnel
dpdaction=restart
dpddelay=30
dpdtimeout=10
ikelifetime=28800s
keylife=3600s
left=%defaultroute
pfs=yes
status=disabled
Any setting in the ipsec_connections db will override the default setting of the same name in the config db (or should!). If there is no setting in either, the system will set a default.
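To make that precedence concrete, here is an added example (my own, not the contrib's template code) that merges the two records shown above. It takes the 'config show ipsec' and 'db ipsec_connections show' output from these notes as constructed input and reports, for each key, the effective value and whether it came from the connection record or the config-db default; a key missing from both is reported as unset rather than guessed, because the default the real template applies is not something these notes state.

```shell
# Added example, not from the ipsecDB notes or the contrib's template code.
# It models the precedence the notes describe: a property on the connection
# record in ipsec_connections wins, otherwise the value from the ipsec
# record in the config db applies, and a key present in neither is reported
# as unset (the real template then falls back to its own default).

# Constructed inputs, copied from the `config show ipsec` and
# `db ipsec_connections show` output in these notes.
DEFAULTS='ipsec=service
auto=start
connectiontype=tunnel
dpdaction=restart
dpddelay=30
dpdtimeout=10
ikelifetime=28800s
keylife=3600s
left=%defaultroute
pfs=yes
status=disabled'

WORKTOVOIP='workToVoip=ipsec
leftsourceip=192.168.10.100
leftsubnet=192.168.10.0/24
passwd=MyPassWd
right=1.2.3.4
rightsubnet=10.0.0.0/24
status=disabled'

# prop RECORD KEY : print KEY's value from a key=value record, or nothing.
prop() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# effective_setting CONN_RECORD KEY
# Prints the connection's value if set, else the config-db default;
# returns 1 (prints nothing) if neither record has the key.
effective_setting() {
    val=$(prop "$1" "$2")
    [ -n "$val" ] || val=$(prop "$DEFAULTS" "$2")
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# merged_settings CONN_RECORD
# Prints every key from either record with its effective value and its
# source (conn / default). The first line of each record ("ipsec=service",
# "workToVoip=ipsec") is the record type, not a property, so it is dropped.
merged_settings() {
    conn="$1"
    { printf '%s\n' "$conn" | sed 1d; printf '%s\n' "$DEFAULTS" | sed 1d; } |
        cut -d= -f1 | sort -u |
        while read -r key; do
            if [ -n "$(prop "$conn" "$key")" ]; then src=conn; else src=default; fi
            printf '%s=%s (%s)\n' "$key" "$(effective_setting "$conn" "$key")" "$src"
        done
}

# Usage: show what workToVoip will actually get.
merged_settings "$WORKTOVOIP"
```

On a live box you would feed it "$(db ipsec_connections show workToVoip)" instead of the constant. Note the merged output includes passwd, i.e. the pre-shared key in clear, so trim that line before pasting any of this into a forum post.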
There is now a new action script called ipsec-update.
Make your changes and then run signal-event ipsec-update to action them.
Note that, as it is currently very difficult to detect which connections are up (something libreswan are working on), the script does not try to detect connection status, so at present it resets all of them.
Just discovered we can probably do this with ipsec whack --status | grep "IPsec SA established" (this only tells you if it is up, not if it is active).
https://lists.libreswan.org/pipermail/swan/2015/001083.html
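Here is an added example (mine, not the contrib's ipsec-update script) of the per-connection check that idea leads to: parse the whack status output and only restart connections that have no IPsec SA. It assumes libreswan prints one line per state of the form 000 #N: "conn-name":500 STATE_... (..., IPsec SA established); ..., which is what current versions do; the status output embedded below is constructed to that shape. As the note above says, this proves the SA exists, not that traffic is flowing over it.

```shell
# Added example, not from the ipsecDB notes or the contrib's ipsec-update
# script. Assumption: `ipsec whack --status` prints one line per state of
# the form  000 #N: "conn-name":500 STATE_... (..., IPsec SA established); ...
# as libreswan does, so a connection is "up" when a line for its name
# carries that phrase. This shows the SA exists, not that traffic flows.

# Constructed sample status output: workToVoip has a phase-1 and a
# phase-2 SA, LocalToRemote only got as far as phase 1, officeLan has none.
SAMPLE_STATUS='000 #1: "workToVoip":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27885s; newest ISAKMP; idle; import:admin initiate
000 #2: "workToVoip":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2894s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #3: "LocalToRemote":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27900s; newest ISAKMP; idle; import:admin initiate'

# conn_is_up NAME  (reads status output on stdin)
# Returns 0 if NAME has an established IPsec (phase-2) SA, 1 otherwise.
# Matching the name with its quotes stops "workToVoip" matching "workToVoip2".
conn_is_up() {
    grep -F "\"$1\"" | grep -iq 'IPsec SA established'
}

# established_conns  (reads status output on stdin)
# Prints each connection name that has an IPsec SA, once, sorted.
established_conns() {
    grep -i 'IPsec SA established' |
        sed -n 's/^[^"]*"\([^"]*\)".*/\1/p' | sort -u
}

# Usage: decide per connection instead of resetting everything.
# On a real box replace the printf with:  ipsec whack --status | conn_is_up "$c"
for c in workToVoip LocalToRemote officeLan; do
    if printf '%s\n' "$SAMPLE_STATUS" | conn_is_up "$c"; then
        echo "$c: IPsec SA established, leave it alone"
    else
        echo "$c: no IPsec SA, (re)start it"
    fi
done
```

The ISAKMP-only line for LocalToRemote is the case worth noticing: phase 1 is up but there is no tunnel yet, and the check correctly treats it as down.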
Any question then please ask at forums.contribs.org in the Contribs sections.
----------------------------------------------------------
Notes to self on Firewalls
IPSec (VPN tunneling) uses the following protocols and ports:
IP protocol 50 - Encapsulating Security Payload (ESP)
IP protocol 51 - Authentication Header (AH)
500/udp - Internet Key Exchange (IKE)
4500/udp - NAT traversal
L2TPD
1701/udp (L2TP)
The rp_filter and send_redirects sysctls are manipulated directly by the ipsec-update script.
We could possibly set the firewall ports in the main config db and dispense with the masq fragment later.
[11/2015 Done for ipsec - just need a postrouting config]
http://wiki.contribs.org/DB_Variables_Configuration#IPTables_firewall_.28masq.29
Need to add this and remove the masq template:
ipsec only - note that ESP is IP protocol 50 and AH is IP protocol 51. Those are protocol numbers, not TCP ports, so a TCPPort entry of 50,51 only opens TCP ports 50 and 51; check that the masq template really passes protocols 50 and 51 before dropping the fragment.
config setprop ipsec access public UDPPorts 500,4500 TCPPort 50,51
l2tpd
config setprop ipsec access public UDPPorts 500,4500,1701 TCPPort 50,51