Koozali.org: home of the SME Server

VPN - where to find IPSec ?

BitNix

« on: August 31, 2004, 11:14:02 PM »
I have a little project running, where I have to make a backup overnight from one SME to another over the internet.

Therefore I plan to use IPSec as the VPN connection, when transferring the backup (probably via rsync).
(for security reasons PPTP isn't good enough)

But - when looking at the contribs for SME 6.01 it looks like everything died after the 5.6 release.
Is this true ? (and yes - I have been looking in the contribs ;-)

Therefore - does anybody know of any IPSec solutions that work (stable) on a 6.01 ?

And - what VPN possibilities are there regarding client->server and server->server?

Best regards
Anders - Denmark

duncan

« Reply #1 on: September 01, 2004, 12:47:02 AM »
Hi,

I have done an openvpn howto

http://mirror.contribs.org/smeserver/contribs/dthomas/smeserver/6.x/Beta/Openvpn/Openvpn.htm

Not as easy as the IPSec contrib - but it works well for Server<>Server, Server<>Client setups

Regards Duncan

Michiel

« Reply #2 on: September 01, 2004, 09:35:32 AM »
What's wrong with rsync over ssh?

Michiel

« Reply #3 on: September 01, 2004, 09:37:33 AM »
See for example http://hacks.oreilly.com/pub/h/38
regards,
Michiel

salesman

« Reply #4 on: September 02, 2004, 10:01:44 AM »
Quote from: "duncan"
Hi,

I have done an openvpn howto

http://mirror.contribs.org/smeserver/contribs/dthomas/smeserver/6.x/Beta/Openvpn/Openvpn.htm

Not as easy as the IPSec contrib - but it works well for Server<>Server, Server<>Client setups

Regards Duncan


Hi Duncan

I have done your setup for a sme server and a winXP client. The connection seems to be fine and I added the local ip of the winxp client in the server-manager.
I can ping the server with its internal ip and that's it. No ssh, http, samba etc, nor can I ping other servers behind the sme gateway.
Please tell me what I've done wrong.

lg

Michael

duncan

« Reply #5 on: September 02, 2004, 10:34:12 AM »
Sounds like it might be a routing problem.

I can help but I need some more info - such as your network scheme and configs etc.

salesman

« Reply #6 on: September 02, 2004, 10:58:29 AM »
Here we go:
internal office: 192.168.10.0 virt.: 10.1.0.1
server ip: 192.168.10.91
internal client: 10.0.0.0 virt.: 10.1.0.2
client ip 10.0.0.3

client config:
-------------------
dev tun
comp-lzo

remote sme.external.ip
port 5000
proto udp
tun-mtu 1500
ifconfig 10.1.0.2 10.1.0.1
route 192.168.10.0 255.255.255.0 10.1.0.1

tls-client
# key-method 1
ca ca.crt
cert remote.crt
key remote.key

ping 120
verb 5
mute 10
-----------------
server config:
-----------------
dev tun
tun-mtu 1500
port 5000
ifconfig 10.1.0.1 10.1.0.2
tls-server
dh dh1024.pem
ca ca.crt
cert local.crt
key local.key

user nobody
group nobody
comp-lzo

ping 120
ping-restart 150
ping-timer-rem
persist-tun
persist-key

verb 4
-----------------------

added local network in sme(btw 6.01): 10.0.0.0 255.255.255.0, router 192.168.10.91

lg

Michael

duncan

« Reply #7 on: September 02, 2004, 11:13:01 AM »
Looks good - However

Quote from: "salesman"

added local network in sme(btw 6.01): 10.0.0.0 255.255.255.0, router 192.168.10.91

lg

Michael


The WinXP link is a Point to Point link, so it is using the 10.1.0.0 network. Try adding as a local network

10.1.0.0 255.255.255.0, router 192.168.10.91

This will adjust the firewall with respect to routing and allow the network access to ssh, mail etc.

I assume you are using openvpn 2.0 hence the # key-method 1

Regards Duncan

BitNix

« Reply #8 on: September 02, 2004, 11:34:30 AM »
Ok - I'm gonna try this.
And give you my feedback.

Quote from: "duncan"
Hi,

I have done an openvpn howto

http://mirror.contribs.org/smeserver/contribs/dthomas/smeserver/6.x/Beta/Openvpn/Openvpn.htm

Not as easy as the IPSec contrib - but it works well for Server<>Server, Server<>Client setups

Regards Duncan


I did see your contrib, but I do have a habit of skipping beta software. Too many bad experiences ;-)

Anyhow - for now this seems to be the best solution.
I even think it should be possible to make a blade interface if it works well.

Best regards
Anders - Denmark

salesman

« Reply #9 on: September 02, 2004, 01:30:01 PM »
Quote from: "duncan"
Looks good - However

Quote from: "salesman"

added local network in sme(btw 6.01): 10.0.0.0 255.255.255.0, router 192.168.10.91

lg

Michael


The WinXP link is a Point to Point link, so it is using the 10.1.0.0 network. Try adding as a local network

10.1.0.0 255.255.255.0, router 192.168.10.91

This will adjust the firewall with respect to routing and allow the network access to ssh, mail etc.

I assume you are using openvpn 2.0 hence the # key-method 1

Regards Duncan


Thank you, problem 1 resolved and yes I use 2.0.
But I still cannot ping the servers behind "openvpn-sme".
Maybe you can solve this too.
Short explanation:
PDC is another sme server in server only mode.
It works also as dns, wins and dhcp server.
Gateway for it is an ipcop (I need a DMZ for the mailserver).

Openvpn-sme should work as a VPN server, it is in the same ip-range as the domain, but no other server has it as its gateway. Maybe that's the reason why I cannot reach my network thru the openvpn-sme.

Any tricks ???

lg Michael

duncan

« Reply #10 on: September 02, 2004, 03:52:18 PM »
Add a static route to your network's primary gateway pointing at the vpn server.

Also - if the vpn server is in server only mode - you will have to enable IP forwarding ie
echo 1 > /proc/sys/net/ipv4/ip_forward per boot.

salesman

« Reply #11 on: September 02, 2004, 06:44:43 PM »
Does not work.
Vpn server is in gateway mode.
When I use pptp-vpn, I can reach all the servers behind it.
I remember I had the same troubles with ipsec, that's why I try now the openvpn solution, which btw has a nice and easy setup (with your contribs - thanks a lot).

lg Michael

duncan

« Reply #12 on: September 03, 2004, 12:14:04 AM »
I can't quite visualize your network. Need some ascii art. :-)

PPTP does proxyarp and bridges the network. The two big differences here.

Regards Duncan

salesman

« Reply #13 on: September 03, 2004, 07:26:15 AM »
diagram is on

ftp://ftp.koop.at/network.pdf

I can reach the vpnserver thru openvpn, but not the other servers. (can't even ping them)

lg

Michael

ps:
I stopped smoking 5 years ago, and I enjoy it.

duncan

« Reply #14 on: September 03, 2004, 11:04:37 AM »
It's been a while since I have used ipcop so I am not sure of the process. Can you confirm that you have a static route on the ipcop box pointing at the vpnserver for the network 10.1.0.0
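
Added example, not part of any post in this thread or of the OpenVPN howto: a small Python model of the reply path that Reply #10 (static route, IP forwarding) and Reply #14 (route on the ipcop box for 10.1.0.0) are asking about. The node names and the assumption that LAN hosts use the ipcop box as default gateway are constructed; 192.168.10.0/24, the VPN server and the client tunnel address 10.1.0.2 are taken from the posts.

```python
import ipaddress

# Constructed routing tables. Hops that are not node names ("lan", "tunnel",
# "internet") end the trace. Assumption: LAN hosts default to the ipcop box.
TABLES = {
    "pdc":     [("192.168.10.0/24", "lan"), ("0.0.0.0/0", "ipcop")],
    "ipcop":   [("192.168.10.0/24", "lan"), ("0.0.0.0/0", "internet")],
    "vpn-sme": [("192.168.10.0/24", "lan"), ("10.1.0.2/32", "tunnel"),
                ("0.0.0.0/0", "ipcop")],
}

def next_hop(table, dst):
    """Longest-prefix match over (prefix, hop) pairs; None if no route."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in table
               if dst in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(tables, start, dst, forwarding=("ipcop", "vpn-sme")):
    """Follow a packet from `start` towards `dst`; return the list of hops."""
    path, node = [start], start
    while node in tables:
        if node != start and node not in forwarding:
            path.append("dropped")      # transit host with ip_forward = 0
            break
        node = next_hop(tables[node], dst)
        path.append(node if node else "no-route")
        if len(path) > 8:               # guard against routing loops
            break
    return path

def with_static_route(tables, node, prefix, hop):
    """Return a copy of the tables with one extra static route on `node`."""
    fixed = {name: list(routes) for name, routes in tables.items()}
    fixed[node].append((prefix, hop))
    return fixed

if __name__ == "__main__":
    client = "10.1.0.2"                 # WinXP end of the point-to-point link
    print("VPN server reply:", trace(TABLES, "vpn-sme", client))
    print("PDC reply before:", trace(TABLES, "pdc", client))
    fixed = with_static_route(TABLES, "ipcop", "10.1.0.0/24", "vpn-sme")
    print("PDC reply after: ", trace(fixed, "pdc", client))
    print("forwarding off:  ", trace(fixed, "pdc", client, forwarding=("ipcop",)))
```

In this model the VPN server answers the client directly over the tunnel, while replies from any other LAN host follow the default route to the ipcop box and leave towards the internet until that box has a route for 10.1.0.0/24 pointing at the VPN server.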