Koozali.org: home of the SME Server

[ANNOUNCE] IPsec Net To Net VPN between two SME7.0rc1 HOWTO

Offline ldkeen

[ANNOUNCE] IPsec Net To Net VPN between two SME7.0rc1 HOWTO
« on: April 09, 2006, 10:37:14 AM »
IPSEC NETWORK TO NETWORK VPN ON SME 7.0rc1


Author(s):   Lloyd Keen, David Biczo

Summary:   The purpose of this howto is to guide you through the procedure to
connect two private subnets, both behind servers running SME Server 7.0rc1 in
server/gateway mode, via an encrypted tunnel using IPsec (sometimes referred to as
NETKEY or Kernel IPsec). Both servers have static IPs on the external interface
using PPPoE or bridged Ethernet. NETKEY under Linux 2.6 works a bit differently from
IPsec under Linux 2.4, the most obvious difference being that there is no visible ipsecx
device as such. This document serves as a guide only; it worked for us but YMMV.
As usual, “all care but no responsibility taken”. Comments and suggestions are welcome.


SECTION A
Procedure:
Install ipsec-tools on both machines.
#yum --enablerepo=base --enablerepo=addons install ipsec-tools
Edit /etc/sysconfig/network-scripts/ifcfg-ipsec0 (smeserverA) and enter the
following:
TYPE=IPSEC
ONBOOT=no
IKE_METHOD=PSK
SRCNET=192.168.xx.0/24 (smeserverA's LAN address)
DSTNET=192.168.yy.0/24 (smeserverB's LAN address)
DST=xxx.xxx.xxx.xxx (replace xxx’s with smeserverB’s external static IP)
Add the preshared key into /etc/sysconfig/network-scripts/keys-ipsec0
#mcedit /etc/sysconfig/network-scripts/keys-ipsec0
and add the following line:
IKE_PSK=my_shared_secret

Repeat the above procedure on smeserverB
#yum --enablerepo=base --enablerepo=addons install ipsec-tools
Edit /etc/sysconfig/network-scripts/ifcfg-ipsec0 (smeserverB) and enter the
following:
TYPE=IPSEC
ONBOOT=no
IKE_METHOD=PSK
SRCNET=192.168.yy.0/24 (smeserverB’s LAN address)
DSTNET=192.168.xx.0/24 (smeserverA’s LAN address)
DST=xxx.xxx.xxx.xxx (replace xxx’s with smeserverA’s external static IP)
Add the preshared key into /etc/sysconfig/network-scripts/keys-ipsec0
#mcedit /etc/sysconfig/network-scripts/keys-ipsec0
and add the following line:
IKE_PSK=my_shared_secret

NOTE: If you have a PPPoE connection you don't want the interface
to come up at boot time (ONBOOT=no). You need IPsec to come up AFTER the
ppp interface. You can address this issue by adding /sbin/ifup-ipsec to the
bottom of /etc/ppp/ip-up.local and /sbin/ifdown-ipsec into the
/etc/ppp/ip-down.local scripts as described later in this document.  If you have
a bridged Ethernet connection then you can set this option to ONBOOT=yes.
 
Now open up the server-manager on both servers and add the appropriate network
settings into the "Local Networks" panel. For example on smeserverA you would
enter the following values:
Network Address: 192.168.yy.1
Subnet Mask:     255.255.255.0
Router:          192.168.xx.1

SECTION B:
This section contains information on modifying the firewall and installing modified
scripts to fix routing issues.

#mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
#cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
#mcedit 15AllowIPsec
and add the following:
 
/sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 51 -j MARK --set-mark 2
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT



Make sure to leave a blank line at the top of the file and a carriage return at the end of the file.
Then do:
#/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
#/etc/init.d/masq restart

There appears to be a bug in the way ifup-ipsec and ifdown-ipsec set up the
routing, so you will need to install modified versions of these scripts from here:
www.comnetel.com/sme7_ipsec. For more information about this bug see
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146169. There is some minor
code duplication in the scripts, but it works. If you have any comments or suggestions
we’d be glad to hear them. Any changes made in the scripts have been documented
where applicable.
#cd /etc/sysconfig/network-scripts
#mv ifup-ipsec ifup-ipsec.old
#mv ifdown-ipsec ifdown-ipsec.old
#wget http://www.comnetel.com/sme7_ipsec/ifup-ipsec
#wget http://www.comnetel.com/sme7_ipsec/ifdown-ipsec

If you have a bridged Ethernet connection you can skip the next section and either
reboot or bring up the tunnel with the following command:
#ifup ipsec0

SECTION C:
Only complete this section if you have a PPPoE connection on the external interface.
And finally, as mentioned previously in this document, we need to add a command
to bring up the tunnel automatically at boot time.
#mcedit /etc/ppp/ip-up.local
and add the following line to the bottom of the file:
/sbin/ifup-ipsec
#mcedit /etc/ppp/ip-down.local
and add the following into this file:
/sbin/ifdown-ipsec

Reboot or bring up the tunnel with the following command:
#ifup ipsec0

You should be able to ping between subnets now, and if you connect a workstation
from smeserverA to a workstation on smeserverB (using remote desktop) you should
be able to sniff the external interface on smeserverB (using tcpdump -i eth1;
note: replace eth1 with your external interface) and notice that the traffic
between the two is encrypted (look for AH and ESP packets). Be aware that traffic
is only encrypted between the two gateways (across the internet). Traffic is NOT
encrypted from the gateway to the workstation.
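
Before running ifup ipsec0 it is worth checking that the two ifcfg-ipsec0 files really are mirror images of each other and that both ends hold the same pre-shared key. The following added example (not part of the original post or of SME Server) parses both servers' ifcfg-ipsec0 and keys-ipsec0 contents and reports mismatches; the 20-character PSK minimum and the 203.0.113.x external addresses are assumptions.

```python
"""Cross-check both ends of the HOWTO's net-to-net setup before 'ifup ipsec0'.
Added example, not part of the original post; the sample files below are
constructed (203.0.113.x are documentation addresses standing in for externals)."""
import ipaddress
import re

def parse_sysconfig(text):
    """KEY=VALUE lines of an ifcfg-ipsec0 / keys-ipsec0 file; the HOWTO's
    trailing '(notes)' are dropped so its examples parse as written."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = re.sub(r"\s*\(.*\)\s*$", "", value).strip()
    return conf

def check_pair(a_ifcfg, a_keys, a_ext_ip, b_ifcfg, b_keys, b_ext_ip, min_psk=20):
    """Problems found comparing smeserverA's and smeserverB's files.  a_ext_ip /
    b_ext_ip are each server's own external IP (ifcfg only holds the peer's).
    min_psk is an assumed local policy: the PSK alone authenticates the peer."""
    a, b = parse_sysconfig(a_ifcfg), parse_sysconfig(b_ifcfg)
    psk_a, psk_b = (parse_sysconfig(k).get("IKE_PSK", "") for k in (a_keys, b_keys))
    for name, cfg in (("A", a), ("B", b)):
        if missing := [k for k in ("SRCNET", "DSTNET", "DST") if k not in cfg]:
            return [f"{name}: missing {', '.join(missing)}"]
    problems = []
    # ip_network() is strict: a host address such as 192.168.xx.1/24 raises ValueError.
    a_src, a_dst = ipaddress.ip_network(a["SRCNET"]), ipaddress.ip_network(a["DSTNET"])
    b_src, b_dst = ipaddress.ip_network(b["SRCNET"]), ipaddress.ip_network(b["DSTNET"])
    if a_src != b_dst or a_dst != b_src:  # each side's SRCNET is the other's DSTNET
        problems.append("SRCNET/DSTNET are not mirror images of each other")
    if a_src.overlaps(a_dst):
        problems.append("the two LANs overlap; routing between them cannot work")
    if a["DST"] != b_ext_ip or b["DST"] != a_ext_ip:  # DST is the peer's external IP
        problems.append("DST does not point at the peer's external IP")
    if psk_a != psk_b:
        problems.append("IKE_PSK differs between the two ends")
    elif len(psk_a) < min_psk:
        problems.append(f"IKE_PSK shorter than {min_psk} characters")
    return problems

A_IFCFG = ("TYPE=IPSEC\nONBOOT=no\nIKE_METHOD=PSK\nSRCNET=192.168.10.0/24 (smeserverA's LAN)\n"
           "DSTNET=192.168.20.0/24 (smeserverB's LAN)\nDST=203.0.113.2\n")
B_IFCFG = ("TYPE=IPSEC\nONBOOT=no\nIKE_METHOD=PSK\nSRCNET=192.168.20.0/24\n"
           "DSTNET=192.168.10.0/24\nDST=203.0.113.1\n")
A_KEYS = B_KEYS = "IKE_PSK=my_shared_secret\n"  # the HOWTO's 16-character placeholder

def demo():
    # Correctly mirrored pair: only the placeholder PSK should be reported.
    return check_pair(A_IFCFG, A_KEYS, "203.0.113.1", B_IFCFG, B_KEYS, "203.0.113.2")
```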

Offline jmarcosm

I have a couple of newbie questions..
« Reply #1 on: April 19, 2006, 10:37:39 PM »
Hi Lloyd,
I am a newbie and I have a couple of questions regarding IPsec:

1) Is it possible to connect one SME 5.6 to a SME 7.0 with IPsec?
In the past I have connected a 6.0 with a 5.6 with the Darrell May, Peter Schubert and Shad Lords freeswan contrib, with the freeswan-1.99 rpm.

2) When you said "Add the preshared key into /etc/sysconfig/network-scripts/keys-ipsec0", how can I generate this key?

3) Is IPsec obsolete? I have been using it for years with excellent results. Should I be afraid about the security?

Is it in your plans to develop an SME panel for SME 7.0?

Thanks in advance for any answer you can give me and for this useful Howto!

Regards

Marcos Migliorini
...

Offline ldkeen

[ANNOUNCE] IPsec Net To Net VPN between two SME7.0rc1 HOWTO
« Reply #2 on: April 20, 2006, 10:29:56 AM »
Hi Marcos,
Quote
Is it possible to connect one SME 5.6 to a SME 7.0 with IPsec?


Well, I don't like to state the obvious, but you really shouldn't be using 5.6 anymore; you should be using at least 6.0.1 or better still 7.0rc1 :-) But having said that, I imagine that you would be able to do it. It would be a nightmare to set up, and your best bet would be to try and use Openswan on 7.0rc1, which may be more compatible with the Freeswan contrib. I'm starting to get a headache thinking about it.

Quote
"Add the preshared key into /etc/sysconfig/network-scripts/keys-ipsec0" How I can generate this key


It's generated by thinking up a secret in your head then typing it into the file :-) Sorry that was my poor attempt at humour. It can be anything that you choose.

Quote
Is IPsec obsolete?


On the contrary, IPsec is alive and well and in fact is now included in the kernel if required. There are other implementations of IPsec around, some commercial, some GPL. The version that was included in the contrib for 5.6 used Freeswan which I believe has now been obsoleted by Openswan. Both these implementations made use of "userland tools" called Pluto. This howto relates to Kernel IPsec using racoon. See here http://www.xelerance.com/pr/20040318/ for some more info.

Quote
Is it in your plans to develop an SME panel for SME 7.0?


I have spoken to a third party developer regarding this but it would require some funding. Panels are good if you are constantly setting up or changing settings which is not the case with IPsec. Set it once and it's there for good and almost never needs modifying, so a panel would be nice but not high on the priority list.
Best Regards
Lloyd

Offline Mace

[ANNOUNCE] IPsec Net To Net VPN between two SME7.0rc1 HOWTO
« Reply #3 on: May 08, 2006, 07:08:07 AM »
Great stuff ldkeen, thanks! :-)

Me being the noob that I am needed a little extra help though. I found the extra help I needed here:

IPsec Network-to-Network configuration

Regards.

Offline jmarcosm

Ipsec net to net is working ok but....
« Reply #4 on: December 11, 2006, 03:00:59 PM »
I have installed IPsec in two SME 7.0 final boxes. These boxes are connected without problem, but when one box is rebooted the IPsec connection is lost. I have to get into the box with PPTP and do:

ifup ipsec0 and then ping 192.168.0.x twice (the first time the system responds "network unreachable", the second time it works fine).

Also in the ifcfg-ipsec0 I wrote ONBOOT=yes but I have the same problem.

Could somebody help me find out how to start IPsec at boot time?

Thanks in advance
...

Offline ldkeen

[ANNOUNCE] IPsec Net To Net VPN between two SME7.0rc1 HOWTO
« Reply #5 on: December 11, 2006, 09:18:23 PM »
You only want ONBOOT=yes if you have static IPs at both ends. If you have PPP at either end then you need to follow the steps described in Section C.
Lloyd

Offline jmarcosm

[ANNOUNCE] IPsec Net To Net VPN between two SME7.0rc1 HOWTO
« Reply #6 on: December 11, 2006, 09:53:37 PM »
ldkeen,

Thank you for your answer. I have static IPs.



Quote from: "ldkeen"
You only want ONBOOT=yes if you have static IPs at both ends. If you have PPP at either end then you need to follow the steps described in Section C.
Lloyd
...

Offline jmarcosm

ipsec startup problem.
« Reply #7 on: January 05, 2007, 06:10:08 PM »
Hi ldkeen,

I'm still having this problem with my 2 SME 7.1 servers with static IPs. When one of them is rebooted I have to type ifup ipsecX and perform two pings (the first one doesn't work and the second one does the trick).

Do you have the same problem?

Marcos
...

Offline ldkeen

ipsec startup problem.
« Reply #8 on: January 08, 2007, 11:58:28 AM »
Hi Marcos,
The two servers that we are running the Ipsec tunnel on are both 7.0rc2 boxes. I'll be upgrading the boxes to 7.1 on the 20th Jan so I'll have to revisit the Ipsec issue then. I'll post back any issues/fixes that we come across during the upgrade.
Lloyd

Offline jmarcosm

Ipsec startup problem.
« Reply #9 on: January 08, 2007, 01:49:48 PM »
Thank you Lloyd for your answer!

I have performed a newbie solution. On the /etc/rc.d/rc.local file I do:

ifup ipsecX
ping -c 1 192.168.30.1
ping -c 1 192.168.30.1
ping -c 1 192.168.30.1
ping -c 1 192.168.30.1

I'm pinging the local network of the other server.
I ping 4 times just in case, but I guess 2 times is OK.

I don't know if this will stay in rc.local after a reconfiguration, but at the moment this is working for me.

Marcos
...

sseitz

SME Server 7 / ipsec - weird problem
« Reply #10 on: January 12, 2007, 12:32:09 PM »
Hi,

Thanks for contributing your ipsec installation script.

In general, I think this works, but I've encountered a weird problem initiating a LAN-to-LAN connection.

I checked the setup several times using your written information; well, it differs slightly from the setup script results, but the ipsec result is always the same.

The ipsec tunnel needs to be started from both ends (depends on scheduled jobs on my site and/or the opposite LAN). If the opposite machine (a Cisco VPN gateway; I do not know the model, but I assume it's not Linksys home equipment since the opposite partner hosts a few thousand tunnels) initiates the tunnel, all goes well for some time; after about 4-5 SA expirations it dies for some unknown reason, independently of whether there is active traffic or not.
If the smeserver tries to initiate the tunnel, phase1 is handled correctly, but phase2 initiates and purges the newly created SA immediately.


...
Jan 12 12:16:57 gate racoon: DEBUG: compute IV for phase2
Jan 12 12:16:57 gate racoon: DEBUG: phase1 last IV:
Jan 12 12:16:57 gate racoon: DEBUG:  8824da06 97006cdc 1af098a1
Jan 12 12:16:57 gate racoon: DEBUG: hash(sha1)
Jan 12 12:16:57 gate racoon: DEBUG: encription(3des)
Jan 12 12:16:57 gate racoon: DEBUG: phase2 IV computed:
Jan 12 12:16:57 gate racoon: DEBUG:  5e33c8e2 bf764a11
Jan 12 12:16:57 gate racoon: DEBUG: begin decryption.
Jan 12 12:16:57 gate racoon: DEBUG: encription(3des)
Jan 12 12:16:57 gate racoon: DEBUG: IV was saved for next processing:
Jan 12 12:16:57 gate racoon: DEBUG:  eb3d7044 0a1638d0
Jan 12 12:16:57 gate racoon: DEBUG: encription(3des)
Jan 12 12:16:57 gate racoon: DEBUG: with key:
Jan 12 12:16:57 gate racoon: DEBUG:  93ebce49 dda383f7 faa61ef4 e8c1faff c10ea348 0e4841bd
Jan 12 12:16:57 gate racoon: DEBUG: decrypted payload by IV:
Jan 12 12:16:57 gate racoon: DEBUG:  eb3d7044 0a1638d0
Jan 12 12:16:57 gate racoon: DEBUG: decrypted payload, but not trimed.
Jan 12 12:16:57 gate racoon: DEBUG:  0c000018 142f9a29 7c91e754 d1cbdd01 b0b499ff 80194856 00000010 00000001 03040001 f52c90ba 00000000 00000000
Jan 12 12:16:57 gate racoon: DEBUG: padding len=1
Jan 12 12:16:57 gate racoon: DEBUG: skip to trim padding.
Jan 12 12:16:57 gate racoon: DEBUG: decrypted.
Jan 12 12:16:57 gate racoon: DEBUG:  3cb4a247 adba1f87 26b09616 6c981f3c 08100501 1af098a1 0000004c 0c000018 142f9a29 7c91e754 d1cbdd01 b0b499ff 80194856 00000010 00000001 03040001 f52c90ba 00000000 00000000
Jan 12 12:16:57 gate racoon: DEBUG: HASH with:
Jan 12 12:16:57 gate racoon: DEBUG:  1af098a1 00000010 00000001 03040001 f52c90ba
Jan 12 12:16:57 gate racoon: DEBUG: hmac(hmac_sha1)
Jan 12 12:16:57 gate racoon: DEBUG: HASH computed:
Jan 12 12:16:57 gate racoon: DEBUG:  142f9a29 7c91e754 d1cbdd01 b0b499ff 80194856
Jan 12 12:16:57 gate racoon: DEBUG: hash validated.
Jan 12 12:16:57 gate racoon: DEBUG: begin.
Jan 12 12:16:57 gate racoon: DEBUG: seen nptype=8(hash)
Jan 12 12:16:57 gate racoon: DEBUG: seen nptype=12(delete)
Jan 12 12:16:57 gate racoon: DEBUG: succeed.
Jan 12 12:16:57 gate racoon: DEBUG: call pfkey_send_dump
Jan 12 12:16:57 gate racoon: DEBUG: check spi(packet)=4113338554 spi(db)=3979249686.
Jan 12 12:16:57 gate racoon: DEBUG: purged SAs.
Jan 12 12:16:58 gate racoon: DEBUG: call pfkey_send_dump


This happens periodically after an "ifup ipsec0" (or "ifup-ipsec ipsec0"). At this state, the routing table has been altered correctly. The really strange thing is, if I "ifdown ipsec0" to end the SA-purging madness, it lasts about 10 seconds and the tunnel is started and initiated. At this state, the route to the opposite partner has been removed from the routing table, but as the tunnel always uses the device with the default route, this doesn't seem to matter.

Please could you give me a hint to get this working stably? - as my customer isn't ahhm... very relaxed now ...

Thanks in advance!
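
Added example, not from the original post or from racoon itself: the following parser scans racoon debug output of the kind quoted above for the delete-payload / purged-SAs sequence and reports, for each occurrence, whether the SPI named in the peer's delete matched the one racoon found in its own SA database. The regular expressions assume the syslog line layout shown in the post, and SAMPLE is a constructed excerpt built from the quoted lines.

```python
"""Pull phase-2 SA purges that follow a peer's ISAKMP delete payload out of racoon
debug output, the pattern in the log quoted above.  Added example, not part of the
original post; SAMPLE is a constructed excerpt that reproduces the quoted lines."""
import re
from collections import namedtuple

# time of the purge, SPI carried in the peer's delete payload ("spi(packet)"),
# SPI racoon found in its own SA database ("spi(db)"), and whether they matched
Purge = namedtuple("Purge", "time spi_packet spi_db matched")

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ racoon: \w+: (?P<msg>.*)$")
SPI = re.compile(r"check spi\(packet\)=(\d+) spi\(db\)=(\d+)")

def find_peer_purges(lines):
    """One Purge per 'purged SAs.' preceded by a delete payload (nptype=12).  The
    SPI comparison racoon logs in between is carried along so the reader can see
    whether the delete referred to an SA this end actually had."""
    events, in_delete, spis = [], False, None
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if "nptype=12(delete)" in msg:
            in_delete, spis = True, None
        elif in_delete:
            s = SPI.search(msg)
            if s:
                spis = (int(s.group(1)), int(s.group(2)))
            elif msg.startswith("purged SAs"):
                pkt, db = spis if spis else (None, None)
                events.append(Purge(m.group("ts"), pkt, db, spis is not None and pkt == db))
                in_delete, spis = False, None
    return events

SAMPLE = """\
Jan 12 12:16:57 gate racoon: DEBUG: hash validated.
Jan 12 12:16:57 gate racoon: DEBUG: begin.
Jan 12 12:16:57 gate racoon: DEBUG: seen nptype=8(hash)
Jan 12 12:16:57 gate racoon: DEBUG: seen nptype=12(delete)
Jan 12 12:16:57 gate racoon: DEBUG: succeed.
Jan 12 12:16:57 gate racoon: DEBUG: call pfkey_send_dump
Jan 12 12:16:57 gate racoon: DEBUG: check spi(packet)=4113338554 spi(db)=3979249686.
Jan 12 12:16:57 gate racoon: DEBUG: purged SAs.
Jan 12 12:16:58 gate racoon: DEBUG: call pfkey_send_dump
""".splitlines()

def demo():
    return find_peer_purges(SAMPLE)
```

On the quoted excerpt this yields a single event whose packet and database SPIs differ, which is the fact worth putting in front of whoever administers the other end of the tunnel.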

Offline ldkeen

[ANNOUNCE] IPsec Net To Net VPN between two SME7.0rc1 HOWTO
« Reply #11 on: February 15, 2007, 02:40:24 PM »
Hi sseitz,
We've had to rewrite this for 7.1. I'm in the process of rewriting the howto at the moment, but there are new scripts on the website if you'd like to test. Let me know how it goes. Yes, there were some problems which have been rectified now.
Regards, Lloyd

damoj

[ANNOUNCE] IPsec Net To Net VPN between two SME7.0rc1 HOWTO
« Reply #12 on: March 07, 2007, 09:41:58 AM »
So, when might this new and improved howto be available?

Offline ldkeen

[ANNOUNCE] IPsec Net To Net VPN between two SME7.0rc1 HOWTO
« Reply #13 on: March 07, 2007, 10:50:48 AM »