Koozali.org: home of the SME Server

[ANNOUNCE] IPSec Network-to-Network VPN SME Server 7.1 HOWTO

ldkeen
« on: March 07, 2007, 10:49:01 AM »
IPSec Network-to-Network VPN SME Server 7.1 HOWTO

Author(s): Lloyd Keen, David Biczo
Revised: 7th March 2007

Summary: The purpose of this HOWTO is to guide you through the procedure to connect two private subnets, both behind servers running SME Server version 7.1 in server/gateway mode, via an encrypted tunnel using IPsec (sometimes referred to as NETKEY or kernel IPsec). Both servers have static IPs on the external interface, using PPPoE or bridged Ethernet. NETKEY under Linux 2.6 works a bit differently to IPsec under Linux 2.4, the most obvious difference being that there is no visible ipsecX device as such. This document serves as a guide only; it worked for us but YMMV. As usual, "all care but no responsibility taken". Comments and suggestions are welcome.

If you don't feel comfortable following the procedure described below, then I have written a script which will prompt you for the required settings and automate the process for you. This script is written for my personal use; if you can get any benefit from it, great, but if it doesn't work then you're on your own. You can download the script from here: http://www.comnetel.com/sme7_ipsec/ipsec_install.sh

SECTION A:
Procedure smeserverA:
#mcedit /etc/sysconfig/network-scripts/ifcfg-ipsec0
and enter the following information:
TYPE=IPSEC
ONBOOT=no
IKE_METHOD=PSK
SRCNET=192.168.aa.0/24    # smeserverA's LAN network
DSTNET=192.168.bb.0/24    # smeserverB's LAN network
SRCGW=xxx.xxx.xxx.xxx     # smeserverA's gateway address (the default gateway, not the server's own external IP)
DST=xxx.xxx.xxx.xxx       # smeserverB's external static IP
Now add the preshared key into /etc/sysconfig/network-scripts/keys-ipsec0
#mcedit /etc/sysconfig/network-scripts/keys-ipsec0
and add the following line:
IKE_PSK=my_shared_secret
Procedure smeserverB:
#mcedit /etc/sysconfig/network-scripts/ifcfg-ipsec0
and enter the following information:
TYPE=IPSEC
ONBOOT=no
IKE_METHOD=PSK
SRCNET=192.168.bb.0/24    # smeserverB's LAN network
DSTNET=192.168.aa.0/24    # smeserverA's LAN network
SRCGW=xxx.xxx.xxx.xxx     # smeserverB's gateway address (the default gateway, not the server's own external IP)
DST=xxx.xxx.xxx.xxx       # smeserverA's external static IP

Then add the preshared key into /etc/sysconfig/network-scripts/keys-ipsec0
#mcedit /etc/sysconfig/network-scripts/keys-ipsec0
and add the following line (the same secret on both servers):
IKE_PSK=my_shared_secret
NOTE: If you have a PPPoE connection you don't want the interface to come up at boot time (ONBOOT=no). You need IPSec to come up AFTER the ppp interface. You can address this issue by modifying /etc/ppp/ip-up.local and /etc/ppp/ip-down.local scripts as described later in this document. If you have a bridged Ethernet connection then you can set this option to ONBOOT=yes.

Now open up the server-manager on both servers and add the appropriate network settings into the "Local Networks" panel.
For example on smeserverA you would enter the following values:
Network Address: 192.168.bb.1
Subnet Mask: 255.255.255.0
Router: 192.168.aa.1
And on smeserverB you would enter the following:
Network Address: 192.168.aa.1
Subnet Mask: 255.255.255.0
Router: 192.168.bb.1


SECTION B:
This section contains information on modifying the firewall and installing modified scripts to fix routing issues.
#mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
#cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
#mcedit 15AllowIPsec

and add the following:

# IKE (ISAKMP, UDP 500) from the peer on the external interface
/sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT
# ESP (IP protocol 50): mark on arrival, then accept marked packets for this host and for forwarding
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT
# AH (IP protocol 51): same treatment with a second mark
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 51 -j MARK --set-mark 2
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT

Make sure to leave a blank line at the top of the file and a carriage return at the end of the file, then do:
#/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
#/etc/init.d/masq restart


There appears to be a bug in the way ifup-ipsec and ifdown-ipsec sets up the routing so you will need to install modified versions of these scripts from here www.comnetel.com/sme7_ipsec. For more information about this bug see https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146169. There is some minor code duplication in the scripts, but it works. If you have any comments or suggestions we’d be glad to hear them. Any changes made in the scripts have been documented where applicable.
#cd /etc/sysconfig/network-scripts
#mv ifup-ipsec ifup-ipsec.old
#mv ifdown-ipsec ifdown-ipsec.old
#wget http://www.comnetel.com/sme7_ipsec/ifup-ipsec
#wget http://www.comnetel.com/sme7_ipsec/ifdown-ipsec

If you have a bridged Ethernet connection you can skip the next section
and either reboot or bring up the tunnel with the following command:
#/sbin/ifup ipsec0

SECTION C:
Only complete this section if you have a PPPoE connection on the external interface. Finally, as mentioned previously in this document, we need to add a command to bring up the tunnel automatically at boot time.
Modify /etc/ppp/ip-up.local
#mkdir -p /etc/e-smith/templates-custom/etc/ppp/ip-up.local
#cd /etc/e-smith/templates-custom/etc/ppp/ip-up.local
#mcedit 40ipup15ipsec

and add the following code to the file:
case $IPPARAM in
    pppoe)
        # PPP is up: restart the tunnel so it binds to the new ppp interface
        /sbin/ifdown ipsec0
        sleep 5
        /sbin/ifup ipsec0
        ;;
    *)
        ;;
esac

Then expand the template
#expand-template /etc/ppp/ip-up.local
Modify /etc/ppp/ip-down.local
#mkdir -p /etc/e-smith/templates-custom/etc/ppp/ip-down.local
#cd /etc/e-smith/templates-custom/etc/ppp/ip-down.local
#mcedit 40ipdown15ipsec

and add the following code into this file:
IPPARAM=$6
case $IPPARAM in
    pppoe)
        # PPP is going down: take the tunnel down with it
        /sbin/ifdown ipsec0
        ;;
    *)
        ;;
esac

Then expand the template
#expand-template /etc/ppp/ip-down.local
Reboot or bring up the tunnel with the following command:
#/sbin/ifup ipsec0
This completes the setup of the IPSec tunnel and you should now be able to ping between PC’s on the different subnets. This has been working great for us but any feedback would be appreciated.
Regards, Lloyd & David
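The procedure above has you type four files by hand whose contents must mirror each other exactly: SRCNET and DSTNET swapped between the two servers, DST pointing at the other side's external IP, and the same IKE_PSK in both keys files. The script below is an added example, not the HOWTO's ipsec_install.sh and not part of SME Server; it writes both pairs of files from one freshly generated random PSK into a staging directory (the <outdir>/smeserverA and <outdir>/smeserverB layout is this example's own convention) and creates the keys file unreadable to other users, which the manual mcedit procedure does not guarantee.

```shell
#!/bin/sh
# Added example, not the HOWTO's ipsec_install.sh: write matching
# ifcfg-ipsec0 / keys-ipsec0 pairs for smeserverA and smeserverB from one
# freshly generated PSK. Files are staged under <outdir>/<host>/ (assumed
# layout); copy them to /etc/sysconfig/network-scripts/ on each server.

# Input validation: a dotted quad, or a dotted quad with a /prefix.
valid_ip()  { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
valid_net() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; }

# 32 random bytes as 64 hex characters: no quoting issues in the keys file,
# and not something a dictionary attack on the IKE exchange will find.
new_psk() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
    fi
}

# write_side <dir> <srcnet> <dstnet> <srcgw> <peer_ext_ip> <psk> <onboot>
# Mirrors the two files the HOWTO has you type by hand for one server.
write_side() {
    dir=$1 srcnet=$2 dstnet=$3 srcgw=$4 dst=$5 psk=$6 onboot=$7
    valid_net "$srcnet" && valid_net "$dstnet" && valid_ip "$srcgw" && valid_ip "$dst" || return 1
    case $onboot in yes|no) ;; *) return 1 ;; esac
    mkdir -p "$dir"
    cat > "$dir/ifcfg-ipsec0" <<EOF
TYPE=IPSEC
ONBOOT=$onboot
IKE_METHOD=PSK
SRCNET=$srcnet
DSTNET=$dstnet
SRCGW=$srcgw
DST=$dst
EOF
    # The keys file holds the secret: create it with no group/other access
    # from the start rather than chmod'ing after it has been written.
    ( umask 077; printf 'IKE_PSK=%s\n' "$psk" > "$dir/keys-ipsec0" )
    chmod 600 "$dir/keys-ipsec0"
}

# gen_pair <outdir> <A_lan> <A_gw> <A_ext> <B_lan> <B_gw> <B_ext> <onboot>
# Each side's SRCNET is the other side's DSTNET and DST is the other side's
# external IP; both keys files get the same PSK.
gen_pair() {
    out=$1 a_lan=$2 a_gw=$3 a_ext=$4 b_lan=$5 b_gw=$6 b_ext=$7 onboot=$8
    psk=$(new_psk)
    write_side "$out/smeserverA" "$a_lan" "$b_lan" "$a_gw" "$b_ext" "$psk" "$onboot" &&
    write_side "$out/smeserverB" "$b_lan" "$a_lan" "$b_gw" "$a_ext" "$psk" "$onboot"
}

# Demo with constructed addresses (RFC 5737 documentation ranges for the
# external side); prints the staging directory.
demo() {
    stage=$(mktemp -d)
    gen_pair "$stage" 192.168.10.0/24 203.0.113.1 203.0.113.10 \
                      192.168.20.0/24 198.51.100.1 198.51.100.10 no || return 1
    echo "$stage"
}
```

Run demo to see the layout, then call gen_pair with your own LAN networks, gateway and external addresses (ONBOOT=yes for bridged Ethernet, no for PPPoE as the note above explains) and copy each host's two files into place. The generated PSK replaces my_shared_secret; keep it in the keys file only.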

CooLCaT1975

One of the two networks doesn't see the other
« Reply #1 on: March 14, 2007, 03:57:51 PM »
Hi together!

I encountered the following problem:


VPN connection with 2 SME Server


192.168.1.202<---->192.168.1.251<----->xxx.xxx.xxx.xxx<------>xxx.xxx.xxx.xxx<----->192.168.0.254<---->192.168.0.75
                    internal IP         external ip             external ip           internal ip
       SME A                                                            SME B


Now:

ping from 192.168.1.251 to 192.168.0.254 OK

ping from 192.168.0.251 to 192.168.1.251 OK


ping from 192.168.1.52 to 192.168.0.75 OK

Ping from 192.168.0.75  to 192.168.1.52 not ok

It seems like that only ip 192.168.0.254 can see the 192.168.1.0/24 network
but not the whole 192.168.0.0/24 network

Network 192.168.1.0/24 can see 192.168.0.0/24

Any ideas what might be wrong?

Could it be possible that a cable modem blocks something?

And what I also saw:

one of the files which should be downloaded (15AllowIPsec) is missing on the server

regards

Karl

CooLCaT1975

« Reply #2 on: March 14, 2007, 09:21:29 PM »
SOLVED

I forgot to set SME A as the default gateway on the 192.168.1.0/24 network machines, because this network has 2 gateways

best regards

Karl

ldkeen
« Reply #3 on: March 14, 2007, 09:37:16 PM »
Quote from: "CooLCaT1975"
one of the files which should be downloaded (15AllowIPsec) is missing on the server

Thanks Karl, I've put it back up now.
Lloyd

CooLCaT1975

« Reply #4 on: March 14, 2007, 10:19:01 PM »
Now that the networks know and see each other I encountered another problem:

If I try to reach an HTTP server on the other network there is no response:

192.168.0.24->192.168.1.102

The machines can ping each other.

Is the HTTP protocol not possible?

best regards

Karl

ldkeen
« Reply #5 on: March 14, 2007, 10:57:08 PM »
Karl,
I don't think that IPsec has anything to do with this. I think the firewall on 192.168.1.1 is blocking the request. On 192.168.1.1 try forwarding port 80 to 192.168.1.102 then try again.
Regards, Lloyd

bpivk
« Reply #6 on: March 15, 2007, 12:20:57 AM »
deleted

sonoracomm
« Reply #7 on: March 18, 2007, 01:12:22 AM »
Hi All,

Thanks, Lloyd, very much for your howto!

I'm trying to implement it, and I'm having some problems.

I wanted to point out what I think may be a small error in your install script (not the howto, exactly).  It does not enter the "IKE_METHOD=PSK" bit in the  /etc/sysconfig/network-scripts/ifcfg-ipsec0 file, so I just added it by hand.

After I went through the howto manually, the tunnel came up and I was able to ping from a host on Net A to a host on Net B.  But after a reboot, I cannot ping (or anything else) across the VPN.

I am at a loss to troubleshoot this as I'm not familiar with the new (kernel) IPsec.  I think it was easier to troubleshoot open/freeswan.  I'm also a little hesitant to change things because a) it looks right to me and b) it worked once.

I do know that the tunnels come up if I ping from a host on Net A to Net B, but the ping fails.  I see this in /var/log/messages:

Mar 17 16:38:55 sol racoon: INFO: IPsec-SA request for 207.182.36.206 queued due to no phase1 found.
Mar 17 16:38:55 sol racoon: INFO: initiate new phase 1 negotiation: 24.255.24.230[500]<=>207.182.36.206[500]
Mar 17 16:38:55 sol racoon: INFO: begin Aggressive mode.
Mar 17 16:38:55 sol racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Mar 17 16:38:55 sol racoon: INFO: ISAKMP-SA established 24.255.24.230[500]-207.182.36.206[500] spi:79b911d73d80e49d:d75f2a5d13318d91
Mar 17 16:38:56 sol racoon: INFO: initiate new phase 2 negotiation: 24.255.24.230[0]<=>207.182.36.206[0]
Mar 17 16:38:56 sol racoon: INFO: IPsec-SA established: AH/Tunnel 207.182.36.206->24.255.24.230 spi=128242889(0x7a4d4c9)
Mar 17 16:38:56 sol racoon: INFO: IPsec-SA established: ESP/Tunnel 207.182.36.206->24.255.24.230 spi=261946672(0xf9cfd30)
Mar 17 16:38:56 sol racoon: INFO: IPsec-SA established: AH/Tunnel 24.255.24.230->207.182.36.206 spi=69429640(0x4236988)
Mar 17 16:38:56 sol racoon: INFO: IPsec-SA established: ESP/Tunnel 24.255.24.230->207.182.36.206 spi=268012479(0xff98bbf)


The same is not true if I try to bring up the connection by pinging from a host on Net B to Net A.  Might this indicate I have an issue on Server B?

If I look in /var/logs/iptables/current, it doesn't show any dropped packets on either server.  

I have tried manually 'ifup' and 'ifdown' as well as 'masq restart'.

Both my servers are 7.1.2 and are in server-gateway mode.

Does anyone have any troubleshooting tips or suggestions for me?

Has anyone ever heard of an ISP doing anything to break IPsec?  One of these connections is on Cox Cable...and they block certain ports...like SMTP and HTTP.

Thanks,

G
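The racoon lines quoted in the post above show a negotiation that actually completed: phase 1 ("ISAKMP-SA established"), then an ESP and an AH SA in each direction. When IKE gets that far and pings still fail, the problem is usually routing or the firewall rather than the tunnel itself. The script below is an added example (not the HOWTO's code and not written by the poster) that reduces such a log excerpt to one summary line and succeeds only when a two-way ESP SA exists; the sample input is the excerpt quoted above. It also flags the "begin Aggressive mode" line: with a pre-shared key, Aggressive mode sends the responder's identity and PSK-derived hash unencrypted, so anyone who captures the exchange can attack the PSK offline, which is why the PSK should be long and random rather than a word like my_shared_secret.

```shell
#!/bin/sh
# Added example, not from the HOWTO or its scripts: summarise a racoon log
# excerpt to see how far IKE got. Reads log lines on stdin, e.g.
#   grep racoon /var/log/messages | racoon_summary
# Assumed: the racoon message texts are the ones quoted in the post above.

racoon_summary() {
    awk '
        /begin Aggressive mode/             { mode = "Aggressive" }
        /begin Identity Protection mode/    { mode = "Main" }
        /ISAKMP-SA established/             { p1++ }
        /IPsec-SA established: ESP\/Tunnel/ { esp++ }
        /IPsec-SA established: AH\/Tunnel/  { ah++ }
        END {
            if (mode == "") mode = "none"
            printf "phase1_mode=%s isakmp_sa=%d esp_sa=%d ah_sa=%d\n", mode, p1, esp, ah
        }'
}

# Exit 0 only when phase 1 completed and an ESP SA exists in both directions
# (racoon logs one "IPsec-SA established" line per direction).
tunnel_established() {
    racoon_summary | awk -F'[ =]' '{
        for (i = 1; i < NF; i += 2) v[$i] = $(i + 1)
        exit !(v["isakmp_sa"] >= 1 && v["esp_sa"] >= 2)
    }'
}

# Aggressive mode with a PSK exposes the responder identity and PSK-derived
# hash in clear text; warn (and return 1) when the log shows it was used.
warn_aggressive() {
    case $(racoon_summary) in
        *phase1_mode=Aggressive*)
            echo "WARNING: IKE phase 1 used Aggressive mode with a PSK; a captured exchange can be cracked offline, use Main mode and a long random PSK"
            return 1 ;;
    esac
    return 0
}

# Sample input: the log excerpt from the post above.
sample_log() {
    cat <<'EOF'
Mar 17 16:38:55 sol racoon: INFO: IPsec-SA request for 207.182.36.206 queued due to no phase1 found.
Mar 17 16:38:55 sol racoon: INFO: initiate new phase 1 negotiation: 24.255.24.230[500]<=>207.182.36.206[500]
Mar 17 16:38:55 sol racoon: INFO: begin Aggressive mode.
Mar 17 16:38:55 sol racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Mar 17 16:38:55 sol racoon: INFO: ISAKMP-SA established 24.255.24.230[500]-207.182.36.206[500] spi:79b911d73d80e49d:d75f2a5d13318d91
Mar 17 16:38:56 sol racoon: INFO: initiate new phase 2 negotiation: 24.255.24.230[0]<=>207.182.36.206[0]
Mar 17 16:38:56 sol racoon: INFO: IPsec-SA established: AH/Tunnel 207.182.36.206->24.255.24.230 spi=128242889(0x7a4d4c9)
Mar 17 16:38:56 sol racoon: INFO: IPsec-SA established: ESP/Tunnel 207.182.36.206->24.255.24.230 spi=261946672(0xf9cfd30)
Mar 17 16:38:56 sol racoon: INFO: IPsec-SA established: AH/Tunnel 24.255.24.230->207.182.36.206 spi=69429640(0x4236988)
Mar 17 16:38:56 sol racoon: INFO: IPsec-SA established: ESP/Tunnel 24.255.24.230->207.182.36.206 spi=268012479(0xff98bbf)
EOF
}
```

On the sample, racoon_summary prints phase1_mode=Aggressive isakmp_sa=1 esp_sa=2 ah_sa=2 and tunnel_established succeeds, so the next thing to compare is route -n and iptables-save on both ends, as suggested in the replies.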

ldkeen
« Reply #8 on: March 18, 2007, 10:14:40 AM »
Quote from: "sonoracomm"
It does not enter the "IKE_METHOD=PSK" bit in the  /etc/sysconfig/network-scripts/ifcfg-ipsec0 file, so I just added it by hand.

Thanks for that, I'll check it out. As you probably noticed it was my first attempt at scripting something :-)
Are you using Wondershaper (QoS) at all? We have found some problems with the Wondershaper script causing problems with IPsec which we are going to look at next week. Also found a nasty bug that dropped the tunnel after a succesful VPN connection which we fixed about 2 weeks ago. Maybe compare "route -n" at both ends. Do you have PPPoE at both ends?
Lloyd

ldkeen
« Reply #9 on: March 18, 2007, 10:36:15 AM »
Check both /etc/ppp/ip-up.local and /etc/ppp/ip-down.local and make sure that the ipsec device mentioned there matches your ipsec device.
Lloyd

sonoracomm
« Reply #10 on: March 18, 2007, 06:53:57 PM »
Thanks again, Lloyd.

The /etc/ppp/ip-up.local and /etc/ppp/ip-down.local scripts don't mention IPsec and I suspect they don't apply to me as I'm not using PPPoE.

I compared the routing (again) at your suggestion.  I did notice a bit of funkiness concerning the gateway setting of the route to the remote subnet, so I experimented some by editing /etc/sysconfig/network-scripts/ifcfg-ipsec0 without success.

In your howto, you enter the gateway address like this:
SRCGW=xxx.xxx.xxx.xxx (smeserverA’s Gateway address)
Is this really supposed to be the server's gateway address (which is probably the default gateway on the server)?  Or should it be the external interface on the server?  In any case, I could get the tunnel to come up, but I had no success passing data.

Yes, in answer to your question about WonderShaper. Both of these boxes are SAIL/Asterisk boxes. However, I already tried turning it off to see if that made a difference:
/etc/init.d/qosd stop
/etc/init.d/qosd start

I am beginning to think I need to build a couple of vanilla test boxes... ;-)

Anyway, thanks again for your help so far!

G

ldkeen
« Reply #11 on: March 18, 2007, 09:55:17 PM »
Quote from: "sonoracomm"
Is this really supposed to be the server's gateway address

Yes, don't get this confused with the server's external IP. You need to enter the gateway IP for the routing to work correctly.
If you've been running qos I don't think turning it off is sufficient, you need to recheck the masq script to make sure that it contains all the IPsec stuff in there (mentioned in the howto). You can check using /sbin/iptables-save. Maybe expand the masq script again and restart. QoS looks like it marks the packets as well and this seems to cause some problems with IPsec, we're going to have a look at this later in the week. It would be good to be able to use both QoS and IPsec.
Lloyd
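Lloyd's suggestion to check the live ruleset with /sbin/iptables-save can be scripted, so that a masq regeneration (for example after QoS is toggled) that silently drops the 15AllowIPsec rules is caught before the tunnel is blamed. The following is an added example, not part of the HOWTO or of SME Server: it reads an iptables-save dump on stdin and reports which of the seven rules from Section B are missing for the given external interface. The patterns allow for iptables-save rewriting "-p 50" as "-p esp" and "--set-mark" as "--set-xmark", which depends on the iptables version; the two sample dumps are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: confirm that the rules from
# 15AllowIPsec are present in the running ruleset. Usage on a server:
#   /sbin/iptables-save | check_ipsec_rules eth1     (or ppp0 for PPPoE)
# Assumed: $1 is the name $OUTERIF expanded to in the masq script.

# check_ipsec_rules <outer-interface>   (reads an iptables-save dump on stdin)
# Prints "MISSING: <rule>" for each absent rule; exit status 0 only if all are present.
check_ipsec_rules() {
    ifc=$1
    dump=$(cat)
    missing=0
    # name|regex, one line per rule the HOWTO adds. The regexes tolerate the
    # way iptables-save rewrites them (-p 50 -> -p esp, --set-mark -> --set-xmark).
    while IFS='|' read -r name pat; do
        if ! printf '%s\n' "$dump" | grep -Eq -- "$pat"; then
            echo "MISSING: $name"
            missing=$((missing + 1))
        fi
    done <<EOF
INPUT isakmp udp/500|^-A INPUT -i $ifc -p udp( -m udp)? --sport 500 --dport 500 -j ACCEPT
PREROUTING mark ESP|^-A PREROUTING -i $ifc -p (50|esp) -j MARK --set-x?mark 0x1(/| |$)
INPUT accept ESP mark|^-A INPUT -i $ifc -m mark --mark 0x1 -j ACCEPT
FORWARD accept ESP mark|^-A FORWARD -i $ifc -m mark --mark 0x1 -j ACCEPT
PREROUTING mark AH|^-A PREROUTING -i $ifc -p (51|ah) -j MARK --set-x?mark 0x2(/| |$)
INPUT accept AH mark|^-A INPUT -i $ifc -m mark --mark 0x2 -j ACCEPT
FORWARD accept AH mark|^-A FORWARD -i $ifc -m mark --mark 0x2 -j ACCEPT
EOF
    [ "$missing" -eq 0 ]
}

# Constructed sample: the relevant part of an iptables-save dump after
# 15AllowIPsec has been expanded with OUTERIF=eth1.
sample_dump_ok() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p esp -j MARK --set-mark 0x1
-A PREROUTING -i eth1 -p ah -j MARK --set-mark 0x2
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i eth1 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -i eth1 -m mark --mark 0x1 -j ACCEPT
-A FORWARD -i eth1 -m mark --mark 0x1 -j ACCEPT
-A INPUT -i eth1 -m mark --mark 0x2 -j ACCEPT
-A FORWARD -i eth1 -m mark --mark 0x2 -j ACCEPT
COMMIT
EOF
}

# The same dump with the ESP FORWARD rule lost: the tunnel comes up, the
# server itself can ping across it, but LAN hosts cannot.
sample_dump_broken() { sample_dump_ok | grep -v 'FORWARD -i eth1 -m mark --mark 0x1'; }
```

A non-zero exit with a MISSING line means the masq template should be expanded and masq restarted, as the HOWTO's Section B describes; if the rules are all present, look at route -n next.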

dlalleme
« Reply #12 on: July 23, 2007, 10:27:54 AM »
Hello,

  Is it possible to use this contrib between a SME 7.1 and a SME 6.0.1?

  Thank you

Regards
Denis

ldkeen
« Reply #13 on: July 23, 2007, 10:49:10 PM »
Denis,
Theoretically, you should be able to connect a sme6 and sme7 via IPSec but not using these instructions. From memory I think sme6 was running a 2.4 kernel which used a different version of IPsec.
Lloyd

dlalleme
« Reply #14 on: November 21, 2007, 09:50:14 AM »
Hello world,

  When I look at the ifcfg-ipsec0 file, there is one line for the destination network (DSTNET).

  If I want to install another server (SERVER C) in the VPN net, how do I insert it in the ifcfg-ipsec0 file?

  May be that isn't possible ? Could you confirm that ? thank

Regards

Denis