Koozali.org: home of the SME Server

[ANNOUNCE] IPSec Network-to-Network VPN SME Server 7.1 HOWTO

mmccarn
Re: [ANNOUNCE] IPSec Network-to-Network VPN SME Server 7.1 HOWTO
« Reply #15 on: November 22, 2007, 02:24:55 AM »
Caveat: I've never set up an IPSEC vpn on SME...

I think you need to create an entirely new 'ifcfg-ipsec1' file for the "second" ipsec connection to your 3rd site...

jumba
Re: [ANNOUNCE] IPSec Network-to-Network VPN SME Server 7.1 HOWTO
« Reply #16 on: January 13, 2008, 09:38:41 PM »
This is just great!

I think this might be the answer to my needs, explained a bit in http://forums.contribs.org/index.php?topic=33043.msg182097#msg182097

Before I get those new servers delivered (early this coming week), could I just ask a few questions?

1. Is this contrib verified working with a freshly installed Smeserver 7.3?

2. If I set this up on BOTH servers, - would the other traffic (ie internet access) function as usual from the two different locations?

3. Would this contrib in any way interfere with the built-in VPN (users connecting from remote using PPTP)?



ldkeen
Re: [ANNOUNCE] IPSec Network-to-Network VPN SME Server 7.1 HOWTO
« Reply #17 on: January 14, 2008, 12:54:32 PM »
Quote
1. Is this contrib verified working with a freshly installed Smeserver 7.3?
I haven't tried it on a freshly installed box, but I have just yum updated 2 boxes to 7.3 and the tunnel didn't miss a beat.

Quote
2. If I set this up on BOTH servers, - would the other traffic (ie internet access) function as usual from the two different locations?
Yes, the internet traffic goes out through its own gateway at each site. Only the LAN2LAN specific traffic such as RDC uses the IPSEC tunnel.

Quote
3. Would this contrib in any way interfere with the built-in VPN (users connecting from remote using PPTP)?
No, it doesn't interfere with the VPN for remote users at all. We use both IPSEC and PPTP all the time without any problems.
The only small problem that I've run into using IPSEC is that on the odd occasion the tunnel might go down, but it is easily fixed by issuing an "ifdown ipsec0" followed by an "ifup ipsec0" and everything is sweet again. This might occur maybe once a month at the most.
Best Regards,
Lloyd




jumba
Re: [ANNOUNCE] IPSec Network-to-Network VPN SME Server 7.1 HOWTO
« Reply #18 on: January 14, 2008, 01:10:31 PM »
Thank you very much for your quick response!

Your answers were exactly what I was hoping for :D

I've just unpacked the servers, and will perform the installation during the day.

Unfortunately, it's a bit hard to "test" a VPN-tunnel like this in my office, - the servers are to be delivered to two locations with something like 250 km between them :-? :-? :-?

Therefore, it's more than important for me that the PPTP-VPN works...

Again: Thanks a lot, I will of course report back how things proceed!!!

jumba
Re: [ANNOUNCE] IPSec Network-to-Network VPN SME Server 7.1 HOWTO
« Reply #19 on: January 26, 2008, 08:03:53 PM »
Hi again!

Well, things might not be 100 % crystal clear to me...

I've tried your script now on two different servers (both with 7.3).

None of them use PPPoE, so I close the script after the first part.

When trying to execute the command
Code:
#/sbin/ifup ipsec0
I get the following error messages:

Code:
[root@server2 ~]# /sbin/ifup ipsec0
mktemp: cannot create temp file /etc/racoon/psk.V21438: No such file or directory
/etc/sysconfig/network-scripts/ifup-ipsec: line 227: $tmpfile: ambiguous redirect
/etc/sysconfig/network-scripts/ifup-ipsec: line 228: $tmpfile: ambiguous redirect
mv: missing file argument
Try `mv --help' for more information.
/etc/sysconfig/network-scripts/ifup-ipsec: line 232: /etc/racoon/[IP-of remote-SMESERVER].conf: No such file or directory
/etc/sysconfig/network-scripts/ifup-ipsec: line 239: /etc/racoon/[IP-of remote-SMESERVER].conf: No such file or directory
mktemp: cannot create temp file /etc/racoon/racoon.p21443: No such file or directory
/etc/sysconfig/network-scripts/ifup-ipsec: line 286: $racoontmp: ambiguous redirect
/etc/sysconfig/network-scripts/ifup-ipsec: line 287: $racoontmp: ambiguous redirect
mv: missing file argument
Try `mv --help' for more information.
/etc/sysconfig/network-scripts/ifup-ipsec: line 292: /usr/sbin/racoon: No such file or directory
[root@server2 ~]# ll /etc/racoon
ls: /etc/racoon: No such file or directory

I really feel confused with this racoon stuff, since Smeserver 7.3 doesn't seem to have racoon installed, and I cannot find anywhere in the script where racoon is supposed to be installed.

Did I miss some part somewhere, or am I supposed to install racoon manually before doing this???

By the way, just to survive this, I wrote down the steps needed to "uninstall" the changes made by the script ipsec_install.sh:

Code:
# First delete some files...

rm /etc/sysconfig/network-scripts/ifcfg-ipsec0
rm /etc/sysconfig/network-scripts/ifdown-ipsec
rm /etc/sysconfig/network-scripts/ifup-ipsec

# ...and restore from backup-files:

mv /etc/sysconfig/network-scripts/ifdown-ipsec.bak /etc/sysconfig/network-scripts/ifdown-ipsec
mv /etc/sysconfig/network-scripts/ifup-ipsec.bak /etc/sysconfig/network-scripts/ifup-ipsec

# ...time to delete some more files:

rm /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/*

# ...and remove some directories:

rmdir /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
rmdir /etc/e-smith/templates-custom/etc/rc.d/init.d
rmdir /etc/e-smith/templates-custom/etc/rc.d
rmdir /etc/e-smith/templates-custom/etc

# Expand template:

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq

# Restart masq

/etc/init.d/masq restart

Please, I'm close, but quite obviously not close enough :-x :-x :-x

jumba
Re: [ANNOUNCE] IPSec Network-to-Network VPN SME Server 7.1 HOWTO
« Reply #20 on: January 26, 2008, 08:20:10 PM »
Hi again!

A short update:

I decided to manually create the directory /etc/racoon just in order to see what happens, and this is the output:

Code:
]# /sbin/ifup ipsec0
RTNETLINK answers: File exists
grep: /etc/racoon/psk.txt: No such file or directory
grep: /etc/racoon/racoon.conf: No such file or directory
/etc/sysconfig/network-scripts/ifup-ipsec: line 292: /usr/sbin/racoon: No such file or directory

If I understand the line
Code:
/etc/sysconfig/network-scripts/ifup-ipsec: line 292: /usr/sbin/racoon: No such file or directory
correctly, this indicates that some racoon executables seem to be missing in a 7.3 system in order to use this solution.

Am I on the right track?



Updated question:

Could someone with a system working with this howto/contrib installed please share the output from the following command:

Code:
yum provides racoon
That would be of enormous help to me, thanks!
« Last Edit: January 26, 2008, 09:46:57 PM by jumba »

jumba
Re: [ANNOUNCE] IPSec Network-to-Network VPN SME Server 7.1 HOWTO
« Reply #21 on: January 27, 2008, 01:40:10 PM »
Another update of "progress":

After doing some more research, I tried

Code:
yum --enablerepo=base --enablerepo=updates install ipsec-tools
Obviously, ipsec-tools provides racoon.

Am I on the right track now, somebody????

Later:

OK, I'm almost home now:

After installing ipsec-tools, this is what I get:

Code:
#/sbin/ifup ipsec0
RTNETLINK answers: Invalid argument

...so a check in the messages log gives me:

Code:
# tail /var/log/messages

Jan 27 14:14:45 server2 racoon: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
Jan 27 14:14:45 server2 racoon: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
Jan 27 14:14:45 server2 racoon: INFO: 192.168.103.1[500] used as isakmp port (fd=8)
Jan 27 14:14:45 server2 racoon: INFO: 81.230.149.198[500] used as isakmp port (fd=9)
Jan 27 14:14:45 server2 racoon: ERROR: failed to bind to address 192.168.103.1[500] (Address already in use).
Jan 27 14:14:45 server2 racoon: INFO: 1.1.1.1[500] used as isakmp port (fd=10)
Jan 27 14:14:45 server2 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=11)

What exactly does the line
Code:
ERROR: failed to bind to address 192.168.103.1[500] (Address already in use)
mean???

The address 192.168.103.1 is the internal (LAN) interface of this server.

Should I do some configuration elsewhere as well?

Please, someone! I really need this up & running :-o

By the way, Ldkeen, why don't you start a new bug in bugzilla about this?
That would probably help in speeding things up even further?

...Just my recommendation...
« Last Edit: January 27, 2008, 09:57:04 PM by jumba »

jumba
Re: [ANNOUNCE] IPSec Network-to-Network VPN SME Server 7.1 HOWTO
« Reply #22 on: January 28, 2008, 08:18:01 PM »
Help!

(I won't give up on this, so I'll continue this strange monologue until someone out there responds :-?)

What's wrong with this (extract from messages log):

The machine trying to establish connection is using 192.168.103.1 on the LAN-port, and 81.230.149.198 is the WAN-port.


Code:
Jan 28 20:03:52 server2 racoon: INFO: 192.168.103.1[500] used as isakmp port (fd=8)
Jan 28 20:03:52 server2 racoon: INFO: 81.230.149.198[500] used as isakmp port (fd=9)
Jan 28 20:03:52 server2 racoon: ERROR: failed to bind to address 192.168.103.1[500] (Address already in use).
Jan 28 20:03:52 server2 racoon: INFO: 1.1.1.1[500] used as isakmp port (fd=10)
Jan 28 20:03:52 server2 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=11) 

Why does the machine use 1.1.1.1 and 127.0.0.1 as isakmp ports?
This just has to be wrong, but how do I fix it?

Someone out there obviously keeps some secrets I need to know, so please, please share your knowledge with me a bit...
« Last Edit: January 28, 2008, 08:26:38 PM by jumba »
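An added diagnostic script, not part of the thread, the HOWTO or the ipsec_install.sh contrib: it checks for the two failure modes jumba hit above (the ipsec-tools files that ifup-ipsec needs being absent, and racoon's "Address already in use" bind errors in /var/log/messages). The sample log lines are constructed from the excerpt posted above; the ROOT parameter and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or the IPSec contrib: pre-flight checks
# to run before "ifup ipsec0" on an SME Server box.

# ipsec_prereqs [ROOT]
# Checks that the ipsec-tools files ifup-ipsec needs exist. ROOT defaults to /
# and is a parameter only so the check can be exercised against a test tree.
# Without /usr/sbin/racoon and /etc/racoon, ifup-ipsec fails with the mktemp
# and "No such file or directory" errors quoted earlier in the thread.
# Prints what is missing; returns 0 when everything is present, 1 otherwise.
ipsec_prereqs() {
    root=${1:-}
    rc=0
    [ -x "$root/usr/sbin/racoon" ] || { echo "missing /usr/sbin/racoon: install ipsec-tools"; rc=1; }
    [ -d "$root/etc/racoon" ] || { echo "missing /etc/racoon: install ipsec-tools"; rc=1; }
    return $rc
}

# racoon_bind_errors < LOG
# Reads racoon syslog lines on stdin and prints each address[port] that racoon
# could not bind because something else already holds it, one per line.
racoon_bind_errors() {
    sed -n 's/.*racoon: ERROR: failed to bind to address \([^ ]*\) (Address already in use).*/\1/p'
}

# Constructed sample, modelled on the /var/log/messages excerpt posted above.
sample_log='Jan 28 20:03:52 server2 racoon: INFO: 192.168.103.1[500] used as isakmp port (fd=8)
Jan 28 20:03:52 server2 racoon: INFO: 81.230.149.198[500] used as isakmp port (fd=9)
Jan 28 20:03:52 server2 racoon: ERROR: failed to bind to address 192.168.103.1[500] (Address already in use).
Jan 28 20:03:52 server2 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=11)'

# Stand-alone run: check the live host, then scan the sample. On a real box
# use "tail -100 /var/log/messages | racoon_bind_errors" instead of the sample.
ipsec_prereqs || echo "ipsec-tools prerequisites missing on this host"
printf '%s\n' "$sample_log" | racoon_bind_errors
```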

jumba
Re: [ANNOUNCE] IPSec Network-to-Network VPN SME Server 7.1 HOWTO
« Reply #23 on: February 01, 2008, 12:16:58 AM »
Even though this thread is surprisingly quiet, I earlier promised to report what happens, so here we go:

After a week or so I checked the servers again today.

To my big surprise, the VPN was established! I guess this "delay" has been caused by a very bad ADSL connection at one of the actual sites.

No one is happier than me!


nate
Re: [ANNOUNCE] IPSec Network-to-Network VPN SME Server 7.1 HOWTO
« Reply #24 on: February 05, 2008, 08:16:28 PM »
Hi Jumba,
 
Since you were crying out for help in vain at one time and then it seems you have worked through it, I'm hoping you can now help me...
 
I'm right at this point (quoting your post below):
 
I've got three identical sme 7.3 boxes setup in the lab and so far - no joy!  Can you (or someone) point me in the right direction?  I followed the how to EXACTLY and now I'm getting the "racoon" errors.


Quote: jumba's Reply #19, above

....Making the Jump to 7.x   8-)

jumba
Re: [ANNOUNCE] IPSec Network-to-Network VPN SME Server 7.1 HOWTO
« Reply #25 on: February 05, 2008, 09:35:59 PM »
Please read my "« Reply #21 on: 2008-01-27, 13:40:10 »" above again.

There I describe that ipsec-tools provides racoon, and I also show how to install it.

Good luck!

nate
Re: [ANNOUNCE] IPSec Network-to-Network VPN SME Server 7.1 HOWTO
« Reply #26 on: February 05, 2008, 10:46:38 PM »
Success!
 
ipsec-tools 'eh, ......yep, seems that package is an important part of it I would say!
 
Just out of curiosity, ...why the doggFunk doesn't ipsec-tools come with it in the first place?   .....or ever so curious, ...why is there nothing about it in the main how-to?   Perhaps this came with 7.1?
 
 
....Making the Jump to 7.x   8-)

jumba
Re: [ANNOUNCE] IPSec Network-to-Network VPN SME Server 7.1 HOWTO
« Reply #27 on: February 05, 2008, 10:56:32 PM »

Quote
Just out of curiosity, ...why the doggFunk doesn't ipsec-tools come with it in the first place?   .....or ever so curious, ...why is there nothing about it in the main how-to?   Perhaps this came with 7.1?

I even tried to make a test install of 7.1 on a Vmware server just to find out, - and the answer is:

7.1 did NOT come with ipsec-tools :shock:

Maybe someone (you, or maybe me if I find the time and inspiration?) should try to re-write the install script and include the installation of ipsec-tools as well?


(I'm still curious why all other people in this thread suddenly became stone dead and quiet.....)

jumba
Re: [ANNOUNCE] IPSec Network-to-Network VPN SME Server 7.1 HOWTO
« Reply #28 on: February 05, 2008, 11:05:53 PM »
I made an even more surprising finding:

Setting up an ipsec tunnel between serverA and serverB, where serverA is hooked up to a good T1 line and serverB is connected with a not so good ADSL, the following situation showed up:

Making an external VPN (using the built-in VPN in Smeserver) to serverA is of course no problem at all.

Making an external VPN (using the built-in VPN in Smeserver) to serverB is very much of a problem, have to try maybe up to 10 times before it works, and if it works even typing into the terminal is slow like a joke.

BUT: Making an external VPN (using the built-in VPN in Smeserver) to serverA, and afterwards doing a SSH connection from there over to serverB works surprisingly well and fast!

Something is very strange here, and I wouldn't be surprised if the ipsec vpn actually "disturbs" the external VPN connectivity or something...

nate
Re: [ANNOUNCE] IPSec Network-to-Network VPN SME Server 7.1 HOWTO
« Reply #29 on: February 05, 2008, 11:38:57 PM »
ya, ...I have it connected in my "lab" but I'm not liking the results I'm getting.   ---seems buggy.   Do you have it rolled out as production machines?  I've been using FreeSWAN on sme 6.x boxes for years - solid as a rock.
....Making the Jump to 7.x   8-)