ipsecDB.Notes
V 0.5.x Notes
** Note that nothing is guaranteed to work and it may break your system or deny you access **
Various refinements and bug fixes.
Note that a new setting called 'PreviousState' will be created in the ipsec_connections db.
It tracks the changes made so that ipsec-update knows what to do on state changes. There is no need to touch this setting.
Per connection settings are held in the ipsec_connections db and look like this:
Note that settings in the main config db only get reread if you restart ipsec.
Those on a per connection basis will get reread when a connection gets restarted / called via ipsec-update.
db settings
db ipsec_connections set workToVoip ipsec status disabled leftsourceip 192.168.10.100 leftsubnet 192.168.10.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 passwd MyPassWd
[root@test]# db ipsec_connections show
workToVoip=ipsec
leftsourceip=192.168.10.100
leftsubnet=192.168.10.0/24
passwd=MyPassWd
right=1.2.3.4
rightsubnet=10.0.0.0/24
status=disabled
Config Defaults
config set ipsec service status disabled connectiontype tunnel left %defaultroute ikelifetime 28800s keylife 3600s dpdaction restart dpddelay 30 dpdtimeout 10 pfs yes auto start
Additional db entries
Set mtu in the config db or in ipsec_connections if required.
https://libreswan.org/man/ipsec.conf.5.html
ike = IKE (phase 1) algorithms. Some examples are ike=3des-sha1,aes-sha1, ike=aes, ike=aes128-md5;modp2048, ike=aes128-sha1;dh22, ike=3des-md5;modp1024,aes-sha1;modp1536 or ike=modp1536
phase2alg = ESP (phase 2) algorithms, e.g. phase2alg=aes-sha1; the syntax is the same as for ike above.
Note that there is no db entry for phase2: Libreswan defaults to ESP, so unless you use AH (not recommended) leave it as is.
----------------------------------------------------------
[root@test ipsec.d]# config show ipsec
ipsec=service
auto=start
connectiontype=tunnel
dpdaction=restart
dpddelay=30
dpdtimeout=10
ikelifetime=28800s
keylife=3600s
left=%defaultroute
pfs=yes
status=disabled
Any setting in the db ipsec_connections will override the default settings in the config db (or should!). If there is no setting, the system will set a default.
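Added example, not part of the contrib's own scripts: it applies the override rule just stated to the two listings shown above and renders a libreswan conn section. The listings are embedded as constructed stand-ins for the live db (with one extra constructed line, dpddelay=60, so an override is actually exercised), and the mapping of connectiontype to libreswan's type keyword is an assumption about what the contrib's template emits.

```shell
# Constructed stand-ins for `config show ipsec` and `db ipsec_connections show`.
# Both are the listings from the notes; dpddelay=60 is an extra constructed
# per-connection line added so that an override is exercised.
IPSEC_DEFAULTS='ipsec=service
auto=start
connectiontype=tunnel
dpdaction=restart
dpddelay=30
dpdtimeout=10
ikelifetime=28800s
keylife=3600s
left=%defaultroute
pfs=yes
status=disabled'

CONN_RECORD='workToVoip=ipsec
leftsourceip=192.168.10.100
leftsubnet=192.168.10.0/24
passwd=MyPassWd
right=1.2.3.4
rightsubnet=10.0.0.0/24
dpddelay=60
status=disabled'

# merged_value KEY: the per-connection value if present, otherwise the config db default.
merged_value() {
    v=$(printf '%s\n' "$CONN_RECORD" | sed -n "s/^$1=//p")
    [ -n "$v" ] || v=$(printf '%s\n' "$IPSEC_DEFAULTS" | sed -n "s/^$1=//p")
    printf '%s' "$v"
}

# conn_section NAME: libreswan "conn" block for one record. connectiontype -> type
# is an assumed mapping. The NAME=ipsec type line and the contrib-only 'status' flag
# are not libreswan keywords, and 'passwd' is a PSK for ipsec.secrets, so all are skipped.
conn_section() {
    printf 'conn %s\n' "$1"
    for key in type auto left leftsourceip leftsubnet right rightsubnet \
               ikelifetime keylife pfs dpdaction dpddelay dpdtimeout; do
        dbkey=$key
        [ "$key" = type ] && dbkey=connectiontype
        v=$(merged_value "$dbkey")
        [ -n "$v" ] && printf '    %s=%s\n' "$key" "$v"
    done
}

conn_section workToVoip
```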
There is now a new action script called ipsec-update.
Make your changes and then run signal-event ipsec-update to action them.
Note that as it is currently very difficult to detect which connections are up (something libreswan are working on), the script does not try to detect connection status, so for now it will reset all connections.
Just discovered we can probably do this with ipsec whack --status | grep "IPsec SA established" (only tells if it is up, not if it is active)
https://lists.libreswan.org/pipermail/swan/2015/001083.html
Any question then please ask at forums.contribs.org in the Contribs sections.
----------------------------------------------------------
Notes to self on Firewalls
The rp_filter and send_redirects sysctls are directly manipulated by the ipsec-update script.
We could possibly set the firewall ports in the main config db and dispense with the masq fragment later.
http://wiki.contribs.org/DB_Variables_Configuration#IPTables_firewall_.28masq.29
Need to add this and remove the masq template:
ipsec only - IKE uses UDP 500 and NAT-T uses UDP 4500. Note that ESP is IP protocol 50 and AH is IP protocol 51: these are protocols, not TCP ports, so TCPPort cannot open them and a protocol-level rule (as the masq fragment provides) is still needed for them.
config setprop ipsec access public UDPPorts 500,4500
l2tpd (adds UDP 1701)
config setprop ipsec access public UDPPorts 500,4500,1701