-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathipsecDB.Notes
71 lines (38 loc) · 2.28 KB
/
ipsecDB.Notes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
smeserver-libreswan-0.5.x
** Note that nothing is guaranteed to work and it may break your system or deny you access **
Also note that on occasion ipsec can get hung - I think this is when you enable/disable a few times quite quickly and the connection is still waiting on a timeout
Note there is no DB entry for phase2 - openswan defaults to ESP so unless you use AH (not recommended) leave as is
----------------------------------------------------------
Note that as it is very difficult currently to detect connections that are up (something libreswan are working on) the script does not try to detect connection status so it will reset them currently.
Just discovered we can probably do this with ipsec whack --status |grep -i "Ipsec SA established" (Only tells if it is up, not if it is active)
https://lists.libreswan.org/pipermail/swan/2015/001083.html
Any question then please ask at forums.contribs.org in the Contribs sections.
----------------------------------------------------------
To make sense we should rename these keys:
phase2 key should really be phase2alg
ipsecversion should really be ikev2
Per connection to add:
forceencaps per connection - needs nat_traversal=yes but that is obsoleted and defaults to yes in 3.19
nat-keepalive yes (default)
in main ipsec.conf
keep-alive - delay in secs if enabled with nat-keepalive above
----------------------------------------------------------
Notes to self on Firewalls
=======
IPSec (VPN tunneling) uses the following ports:
50 - Encapsulation Header (ESP)
51 - Authentication Header (AH)
500/udp - Internet Key Exchange (IKE)
4500/udp - NAT traversal
L2TPD
1701 (L2TP)
IPSEC v2 requires 4500
May need to change ipsec UDPPort 500 to UDPPorts 500,4500
the rp_filter and send redirects are directly set in sysctl.conf and manipulated by the ipsec-update script
http://wiki.contribs.org/DB_Variables_Configuration#IPTables_firewall_.28masq.29
ipsec only - note that ESP traffic runs on 50 and AH needs 51
config setprop ipsec access public UDPPorts 500,4500 TCPPort 50,51
l2tpd
config setprop ipsec access public UDPPorts 500,4500,1701 TCPPort 50,51
certname "Your cert nickname" - find with 'certutil -d . -L |grep u,u,u'
http://swan.libreswan.narkive.com/lg70MHRr/plicbd-pluto-6857-reapchild-failed-with-errno-10-no-child-processes