-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathIpsecSettings.txt
217 lines (146 loc) · 8.51 KB
/
IpsecSettings.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
smeserver-libreswan-0.5
Config settings
For other options see here
https://libreswan.org/man/ipsec.conf.5.html
We have a new action
signal-event ipsec-update
This will process the required templates and create some files.
When a ipsec and a connection is enabled it will open the relevant ports on the firewall
It has to disable send redirects, accept redirects and rp_filter. Note that these are considered security features and you disabled them at your own risk
https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F
https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F
These settings are generic and can be overwritten on a per connection basis
config ipsec show
Only set with
db configuration setprop ipsec $key $property
Setting status enabled/disabled will modify access to private/public
status: Default disabled | enabled
access: Default private | public
UDPPort: Default 500 | Variable
auto: Default start | add (do not use ondemand or ignore)
debug: none | all raw crypt parsing emitting control controlmore lifecycle dns dpd klips pfkey natt oppo oppoinfo whackwatch private
(all generates a large amount of logging so use with care)
Overall settings - can be in main config db or in ipsec_connections as per connection
security: secret | rsasig | certs
ikelifetime: Default 3600s | Variable
salifetime: Default 28800s | Variable
dpdaction: Default restart | Variable
dpddelay: Default 30 | Variable
dpdtimeout: Default 10 | Variable
pfs: Default yes | Variable
connectiontype: Default secret | rassig, certificate
ike: Default aes-sha1 | variable - see ipsec.conf readme file for more options
ipsecversion: Default permit | Whether to allow ikev2 - also : insist/propose/yes/never/no
Per connection only settings
Automatically modified - do not change this
PreviousState: Denotes previous connection state
Manual keys
db ipsec_connections show
db ipsec_connections setprop ConnectionName $key $property
iptype: Default Emtpy | stattodyn or dyntostat - are we a static host to dynamic client or vice versa ? - Only required for dynamic clients with static hosts
connectiontype: Default tunnel | transport/passthrough/drop/reject
leftrsasig: Default Empty | Your Local rsasignature key
rightrsasig: Default Empty | Your Remote rsasignature key
ipsecversion: Default permit | Whether to allow ikev2 - also : insist/propose/yes/never/no
ike: Default aes-sha1 | Variable - aes256-sha2;dh14 or aes256-sha2;modp2048
phase2: aes-sha1 | Variable - sample aes256-sha2;dh14 or aes256-sha2;modp2048
mtu: Default Empty | Variable
left: Default Empty | If Empty then %defaultroute is set. Can be local WAN IP
leftid: Default Empty | Variable
leftsourceip: Default Empty | This server local IP
leftsubnet: Default Empty | This server local subnet
right: Default Empty | Destination WAN IP
rightid: Default Empty | Variable
rightsubnet: Default Empty | Destination subnet
passwd: Default Empty | Variable
keyingtries: Default Empty | 0 is default - 'forever'
forcencaps: Default auto | auto/yes/no
reauth: Default Empty | 1 or y - sets to yes (hidden libreswan setting)
leftcert Default Empty | LeftCertName
rightcert Default Empty | RightCertName
For certificates - do not set or leave the following empty:
leftrsasig: Default Empty - system generates %cert
rightrsasig: Default Empty - system generates %cert
leftid: Default Empty - system generates %fromcert
rightid: Default Empty - system generates %fromcert
*** For a basic connection you need this as a bare minimum ***
config setprop ipsec status enabled access public
Note for ipsec_connections we use 'set' when we create new connection. Thereafter you can modify it with setprop
Local - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24
db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 passwd MyPassWd
Remote - WAN IP 1.2.3.4 Local IP 10.0.0.1 Subnet 10.0.0.0/24
db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 passwd MyPassWd
Bare minimum config for ipsec with static hosts (ike is automatically added)
MyConnection=ipsec
ike=aes-sha1
leftsourceip=192.168.50.1
leftsubnet=192.168.50.0/24
passwd=SomeLongAndComplicatedPassword
right=1.2.3.4
rightsubnet=192.68.60.0/24
status=enabled
signal-event ipsec-update
Check /var/log/pluto/pluto.log
ipsec whack --status
ipsec verify (may be some warnings - severity depends on what they are)
*** For a rsasig connection ***
Please see the section on generating rsa Signatures.
The FIRST time you must run this command to setup the dbs. Thereafter if you delete them NSS will regenerate new dbs and you do not need to do this.
ipsec initnss
ipsec newhostkey --random /dev/random --output /etc/ipsec.d/rsa.secrets
When you copy the key it MUST be in one long line.
Remember
East
leftrsasig=PUBLIC key of East
rightrsasig=PUBLIC key of West
West
leftrsasig=PUBLIC key of West
rightrsasig=PUBLIC key of East
You MUST use IDs, ESPECIALLY if you have a dynamic IP at one end.
Local - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24
db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 security rsasig leftid East rightid West leftrsasig SomeLongPassFromEast rightrsasig SomeLongPasswordFromWest
Remote - WAN IP 1.2.3.4 Local IP 10.0.0.1 Subnet 10.0.0.0/24
db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 security rsasig leftid West rightid West leftrsasig SomeLongPassFromWest rightrsasig SomeLongEastPasswordFromEast
*** For a rsasig connection with dynamic IP ***
This will set your local 'left' rsasig
db ipsec_connections setprop East leftrsasig `cat rsa.secrets |grep pubkey |sed 's/.*key=//'`
Then Extract the public key for the far end. When you copy the key it MUST be in one long line.
cat /etc/ipsec.d/rsa.secrets |grep pubkey |sed 's/.*key=//'
East needs to create a set of keys and send the public key to West. West needs to create a set of keys key and send the public key to East
Note that with dynamic IPs we have to allow connections from anywhere which is not as safe as fixed IPs.
We therefore recommend setting security rsasig, ike v2, and use leftid/rightid to enhance security
We set the static server to:
auto 'add' so it only listens for incoming connections
dpdaction 'clear' so the route is cleared if the connection is dropped
iptype stattodyn - sets right = %any (allow all hosts to
We set the dynamic server to:
auto 'start' so it immediately attempts to connect
iptype dyntostat
Local - MyEast - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24
db ipsec_connections set MyEast ipsec status enabled iptype stattodyn auto add dpdaction clear leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 rightsubnet 10.0.0.0/24 security rsasig leftid East rightid West leftrsasig SomeLongPassFromEast rightrsasig SomeLongPasswordFromWest
Remote MyWest - WAN IP %variable Local IP 10.0.0.1 Subnet 10.0.0.0/24
db ipsec_connections set MyWest ipsec status enabled iptype dyntostat auto start leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 security rsasig leftid West rightid East leftrsasig SomeLongPassFromWest rightrsasig SomeLongEastPasswordFromEast
You can't ping across the network unless you add a 'local' connection to the server.
Either do that in the Server manager or like this
config set networks 192.168.10.0 network Mask 255.255.255.0 Router 192.168.97.1
(?) network-create 192.168.10.0
/etc/e-smith/events/actions/generic_template_expand
*** for a certificate based connection ***
Please see ipsec-certificate-notes.txt for help on setting up certificates.
A basic configuration should look like this:
db ipsec_connections set LocalToRemote ipsec leftcert LocalServer leftsourceip 192.168.1.1 leftsubnet 192.168.1.0/24 right 5.6.7.8 rightcert RemoteServer rightsubnet 192.168.100.0/24 security certs status enabled
LocalToRemote=ipsec
leftcert=LocalServer
leftsourceip=192.168.1.1
leftsubnet=192.168.1.0/24
right=5.6.7.8
rightcert=RemoteServer
rightsubnet=192.168.100.0/24
security=certs
status=enabled
Ipsec v2
May need to change the following key (done in contrib now):
ipsec UDPPort 500 to UDPPorts 500,4500
config delprop ipsec UDPPort
config setprop ipsec UDPPorts 500,4500
signal-event remoteaccess-update