Koozali.org: home of the SME Server

[ANNOUNCE] IPSec Network-to-Network VPN SME Server 7.1 HOWTO

jumba
Re: [ANNOUNCE] IPSec Network-to-Network VPN SME Server 7.1 HOWTO
« Reply #30 on: February 05, 2008, 11:42:27 PM »
Please explain more about what "seems buggie"...

I'm using this on two production machines right now, and AFAIK it's not too "buggie"
« Last Edit: February 06, 2008, 10:12:03 AM by jumba »

SoftDux
« Reply #31 on: February 20, 2008, 02:17:26 PM »
I want to implement some VPNs between our office and our clients' offices for remote monitoring of servers / devices & client PC support, but I'm not 100% sure if it will work, so I have some questions for those who use this setup.

We have SME 7.3 in the office, and our network is 192.168.10.0/24 on the LAN side, and 192.168.1.0/24 on the WAN side (it's really just the SME external interface & ADSL router at this stage).

From my understanding, I would need to configure each LAN on the VPN on a different subnet, right? So, clientA would be 192.168.20/24, clientB would be 192.168.21/24, clientC = 192.168.22/24, etc. Is this right? Would I then be able to access, for example, bob.clienta (if bob is the machine name, and clienta is the network name) or router.clientb (where router is the ADSL router on clientb's network)?

What happens to internet traffic at any of those locations? I have read in a few posts further up that it should go through the local ADSL modem, so clientA should use their own bandwidth, and clientB their own bandwidth, is that so? But what if I have a wireless 10KM link between 2 sites, and I want that network (clientD, 192.168.10.23/24) to use our internet bandwidth as well?

How well will this setup work if a client's network has OpenSuse 10.0 instead of SME?
Would a normal Windows PC with direct internet connectivity (like a laptop @ a Wifi hotspot in another town / state / country) be able to access the SME server, and ultimately the LAN as well?

jumba
« Reply #32 on: February 20, 2008, 04:33:56 PM »
From my understanding, I would need to configure each LAN on the VPN on a different subnet, right? So, clientA would be 192.168.20/24, clientB would be 192.168.21/24, clientC = 192.168.22/24, etc. Is this right? Would I then be able to access, for example, bob.clienta (if bob is the machine name, and clienta is the network name) or router.clientb (where router is the ADSL router on clientb's network)?

More correctly: lanA would be 192.168.20.0/24 and lanB would be 192.168.21.0/24. Please don't confuse yourself with "clientA" or "clientB" - you connect lanA with lanB (of course including any client in those LANs).

What happens to internet traffic at any of those locations? I have read in a few posts further up that it should go through the local ADSL modem, so clientA should use their own bandwidth, and clientB their own bandwidth, is that so? But what if I have a wireless 10KM link between 2 sites, and I want that network (clientD, 192.168.10.23/24) to use our internet bandwidth as well?

Well, no.
ALL traffic, to the internet as well as to the other office, goes through the ADSL modem of course.
If you set up the SME server/gateway as in the instructions, the routing function will take care of the rest.

How well will this setup work if a client's network has OpenSuse 10.0 instead of SME?
No difference. As long as the client (Win, Mac, Linux or whatever) belongs to lanA and uses serverA as primary DNS, it just works!

Would a normal Windows PC with direct internet connectivity (like a laptop @ a Wifi hotspot in another town / state / country) be able to access the SME server, and ultimately the LAN as well?

Hopefully not :shock:

If you allow external IPs to act as local clients, you really don't need to worry about any VPN at all...

(It's of course possible to add every IP in the world under "local networks", but please please don't do that...)

If you make a connection with VPN (the built-in VPN in SME Server) from the road-warrior laptop to lanA it would be the same as actually being right there in lanA, and you'll of course be able to contact resources even in lanB.

Hope this helps!
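As an added example (not from the HOWTO, and not jumba's or SoftDux's own code), the address plan discussed above can be checked mechanically and turned into the policy entries a net-to-net IPsec tunnel selects traffic with. The office LAN 192.168.10.0/24 and the spoke LANs 192.168.20.0/24 onward are the thread's; the public addresses 203.0.113.10 and 198.51.100.x, the site names and the "bad-candidate" prefix are constructed placeholders. The `spdadd` lines use standard setkey(8) syntax from ipsec-tools (racoon's companion) to show which flows the policies cover; they are not the configuration SME Server generates.

```python
import ipaddress
from itertools import combinations

# Office LAN from the thread; everything else below is constructed.
HUB_LAN = "192.168.10.0/24"
HUB_PUBLIC = "203.0.113.10"          # constructed: office gateway's external IP

# Constructed spokes: site name -> (site LAN, that site's gateway public IP)
SPOKES = {
    "lanA": ("192.168.20.0/24", "198.51.100.20"),
    "lanB": ("192.168.21.0/24", "198.51.100.21"),
    "lanC": ("192.168.22.0/24", "198.51.100.22"),
}


def find_overlaps(prefixes):
    """Return [(name1, name2), ...] for every pair of prefixes that overlap.

    A host-style entry such as 192.168.20.5/24 is normalised to its network
    first, which is how a routing table would treat it anyway."""
    nets = {name: ipaddress.ip_network(p, strict=False) for name, p in prefixes.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def spd_entries(local_lan, local_pub, peers):
    """setkey(8) spdadd lines as seen from one gateway: an 'out' and an 'in'
    policy per peer, ESP in tunnel mode between the two public IPs."""
    lines = []
    for _name, (peer_lan, peer_pub) in peers.items():
        lines.append(f"spdadd {local_lan} {peer_lan} any -P out ipsec "
                     f"esp/tunnel/{local_pub}-{peer_pub}/require;")
        lines.append(f"spdadd {peer_lan} {local_lan} any -P in ipsec "
                     f"esp/tunnel/{peer_pub}-{local_pub}/require;")
    return lines


def encapsulated(spd_lines, src, dst):
    """True if an 'out' policy selects src->dst, i.e. the packet goes through
    the tunnel.  False means no policy matches and the packet follows the
    ordinary routing table (the site's own default route, in the clear)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in spd_lines:
        f = line.split()
        if len(f) < 6 or f[0] != "spdadd" or f[5] != "out":
            continue
        if s in ipaddress.ip_network(f[1], strict=False) and d in ipaddress.ip_network(f[2], strict=False):
            return True
    return False


if __name__ == "__main__":
    # Everything the office already uses belongs in the plan, including the
    # 192.168.1.0/24 segment between the SME box and the ADSL router.
    plan = {"office": HUB_LAN, "office-wan-side": "192.168.1.0/24"}
    plan.update({name: lan for name, (lan, _pub) in SPOKES.items()})
    plan["bad-candidate"] = "192.168.10.130/24"   # constructed mistake: collapses onto the office LAN
    print("overlapping pairs:", find_overlaps(plan))

    print("\n# office gateway SPD")
    for line in spd_entries(HUB_LAN, HUB_PUBLIC, SPOKES):
        print(line)

    lan_a = spd_entries("192.168.20.0/24", "198.51.100.20", {"office": (HUB_LAN, HUB_PUBLIC)})
    print("\n# lanA gateway SPD")
    for line in lan_a:
        print(line)
    for dst in ("192.168.10.9", "203.0.113.99", "192.168.21.5"):
        via = "tunnel" if encapsulated(lan_a, "192.168.20.5", dst) else "own default route"
        print(f"192.168.20.5 -> {dst}: {via}")
```

The last loop is the answer to the bandwidth question in policy terms: from lanA, only traffic to the office LAN matches an `out` policy; traffic to the internet, and to lanB, matches none and leaves through lanA's own ADSL link, unencrypted. Spoke-to-spoke reachability needs a policy for that pair (or routing through the office with policies on both legs), not just the two hub tunnels.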


SoftDux
« Reply #33 on: February 20, 2008, 09:47:12 PM »
More correctly: lanA would be 192.168.20.0/24 and lanB would be 192.168.21.0/24. Please don't confuse yourself with "clientA" or "clientB" - you connect lanA with lanB (of course including any client in those LANs).

That's what I meant. With clientA, I mean a client / office (whether there's 1 PC or 10). So clientA could have 5 user PCs, clientB 3 & clientC 1 user / PC.


Well, no.
ALL traffic, to the internet as well as to the other office, goes through the ADSL modem of course.
If you set up the SME server/gateway as in the instructions, the routing function will take care of the rest.
No difference. As long as the client (Win, Mac, Linux or whatever) belongs to lanA and uses serverA as primary DNS, it just works!

Ok, differently put, if I download a 600MB Linux ISO from our LAN, will it use our internet, or route via the VPN and use a client's bandwidth? I can't have this.


Hopefully not :shock:

If you allow external IPs to act as local clients, you really don't need to worry about any VPN at all...

(It's of course possible to add every IP in the world under "local networks", but please please don't do that...)

If you make a connection with VPN (the built-in VPN in SME Server) from the road-warrior laptop to lanA it would be the same as actually being right there in lanA, and you'll of course be able to contact resources even in lanB.

Hope this helps!


I hear what you're saying from a security point of view, but how would I allow a field technician or sales rep (whether in town, or on a trip overseas) to connect to the LAN to retrieve documents from the server, or his office PC?

jumba
« Reply #34 on: February 20, 2008, 09:51:12 PM »
I hear what you're saying from a security point of view, but how would I allow a field technician or sales rep (whether in town, or on a trip overseas) to connect to the LAN to retrieve documents from the server, or his office PC?

I told you:

Use VPN (PPTP).

It's in SME by default, and available in Windooze, Mac and Linux as well.

Do you see any problem with that, or why do you ask?

SoftDux
« Reply #35 on: February 20, 2008, 10:19:25 PM »
Sorry, I'm asking from a technical point of view. The mobile PC will travel, and thus won't have a fixed IP. Does SME need to know about this PC, or not?

jumba
« Reply #36 on: February 20, 2008, 10:30:13 PM »
Sorry, I'm asking from a technical point of view. The mobile PC will travel, and thus won't have a fixed IP. Does SME need to know about this PC, or not?

Not.

You don't even have to carry around any particular PC at all; it works with any PC out there as long as you can set up a VPN on it (even if it's better, of course, to use a virus-free machine :))

Please, start reading the manual, for example http://wiki.contribs.org/SME_Server:Documentation:User_Manual:Chapter1

You have to note that we're talking about two quite different "VPNs" here:

  • The IPSEC VPN to connect two networks
  • The PPTP VPN to connect a single machine out there in the World Wild Internet with your internal lan
« Last Edit: February 20, 2008, 10:32:44 PM by jumba »

varunv
« Reply #37 on: February 26, 2008, 08:55:53 AM »
Hi!

First of all, thanks for the great HOWTO! My setup is as follows:

192.168.1.0/24 [Home Network] <---> 192.168.1.2 [SME Server Internal IP] <---> x.x.x.23/24 [SME Server External IP] <---> x.x.x.1 [Cable Modem/Router Address] <---> y.y.y.178 [Office Linux Box Running FreeSwan] <---> 172.18.0.0/21 [Office Network]

Now, my problem is that when I try to ping any IP address in my office network [172.18.0.0/21], the SME server tries to send it out from the external interface, NATed to the IP address of the external interface [x.x.x.23], instead of routing it over the tunnel.

My "ip route show" on my home SME box is:

172.18.0.0/21 via x.x.x.1 dev eth1  src 192.168.1.2

Which seems to be correct as per the bug report referred to in the article.

I have followed it exactly and the tunnel is coming up - I can see it from the logs of the two servers involved.

No PPPoE - just a bridged Ethernet connection at both ends. Any help would be appreciated!

Regards,
-Varun

jumba
« Reply #38 on: February 26, 2008, 09:09:02 AM »
Hi!

First of all, thanks for the great HOWTO! My setup is as follows:

192.168.1.0/24 [Home Network] <---> 192.168.1.2 [SME Server Internal IP] <---> x.x.x.23/24 [SME Server External IP] <---> x.x.x.1 [Cable Modem/Router Address] <---> y.y.y.178 [Office Linux Box Running FreeSwan] <---> 172.18.0.0/21 [Office Network]

That looks like a very complicated setup!

If that was my stuff, firstly I would get rid of the router so I get:

192.168.1.0/24 [Home Network] <---> 192.168.1.2 [SME Server Internal IP] <--->  x.x.x.1 [SME Server External IP] <---> y.y.y.178 [Office Linux Box Running FreeSwan] <---> 172.18.0.0/21 [Office Network]

Secondly, I would like to replace that Office FreeSwan box with a SME Server....

If second step isn't possible, at least please try to set your cable modem in "bridge mode" and remove the routing functions in it...


varunv
« Reply #39 on: February 26, 2008, 12:08:27 PM »
That looks like a very complicated setup!

If that was my stuff, firstly I would get rid of the router so I get:

192.168.1.0/24 [Home Network] <---> 192.168.1.2 [SME Server Internal IP] <--->  x.x.x.1 [SME Server External IP] <---> y.y.y.178 [Office Linux Box Running FreeSwan] <---> 172.18.0.0/21 [Office Network]


My setup does look like this only - I agree that showing the Cable Modem was redundant and confusing since it is in bridge mode.


Secondly, I would like to replace that Office FreeSwan box with a SME Server....


Unfortunately, that won't be possible at this time - the office box is a firewall/router doing many unholy things including dynamic routing and fancy NAC. We are considering moving it to (Vyatta) http://www.vyatta.com though, but that's a whole different story.


If second step isn't possible, at least please try to set your cable modem in "bridge mode" and remove the routing functions in it...


My bad - the cable modem is in bridge mode only - I should not have mentioned the word router. So, in effect the network looks exactly like you have mentioned

jumba
« Reply #40 on: February 26, 2008, 12:11:43 PM »
OK, if that's the case I simply don't know how to help you :sad:

All my experiences in this field are between two SME servers - I don't know what might be wrongly set in that FreeSwan box.


varunv
« Reply #41 on: February 26, 2008, 12:31:24 PM »
OK, if that's the case I simply don't know how to help you :sad:

All my experiences in this field are between two SME servers - I don't know what might be wrongly set in that FreeSwan box.



Hey Jumba! Thanks for taking an interest in my case and please don't give up on me yet!  :-P

The problem is definitely on the SME server side. What happens is that when I ping, say, 172.18.0.1, the outgoing packets are generated with a source IP of my external interface (x.x.x.23). Good ol' tcpdump shows something like:

16:58:30.161681 IP 192.168.1.77 > 172.18.0.1: icmp 64: echo request seq 3
16:58:30.161681 IP x.x.x.23 > 172.18.0.1: icmp 64: echo request seq 3

Which means that SME server receives the packets from my laptop (192.168.1.77) and decides to masquerade (NAT) them to x.x.x.23 and send them out of the external interface rather than route them over the IPSec tunnel.

My problem is that I have exactly zero experience with racoon and don't even know where to start looking. Will turn on more debugging in racoon and see if I get anything. Does anyone know the equivalent of FreeSwan's "ipsec show eroute" in racoon?

Regards,
-Varun
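The check I would run at this point, added here as an example that is not part of the thread or the HOWTO: with racoon the kernel's security policy database (SPD) is what FreeS/WAN's `ipsec eroute` shows, and ipsec-tools dumps it with `setkey -DP` (the SAs with `setkey -D`). Established SAs in the racoon and pluto logs only prove that phase 1 and phase 2 negotiated; whether a LAN packet for 172.18.0.0/21 is steered into the tunnel or handed to the masquerade rule depends on an `out` policy covering it. The script below parses a constructed `setkey -DP` dump and constructed tcpdump lines in the shape of the capture above; 203.0.113.23 and 198.51.100.178 are stand-ins for x.x.x.23 and y.y.y.178, and the dump text is an assumed rendering of ipsec-tools' output, not copied from an SME box.

```python
import ipaddress
import re

# Constructed stand-ins for the masked addresses in the thread (RFC 5737):
#   203.0.113.23    plays x.x.x.23   (SME Server external IP)
#   198.51.100.178  plays y.y.y.178  (office FreeS/WAN gateway)
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")
REMOTE_LAN = ipaddress.ip_network("172.18.0.0/21")
LOCAL_GW = ipaddress.ip_address("203.0.113.23")
REMOTE_GW = ipaddress.ip_address("198.51.100.178")

# Constructed `setkey -DP` dump in ipsec-tools' layout: the in/out policy
# pair a working net-to-net tunnel needs on the SME side.
SPD_OK = """\
172.18.0.0/21[any] 192.168.1.0/24[any] any
\tin prio def ipsec
\tesp/tunnel/198.51.100.178-203.0.113.23/require
\tspid=33 seq=1 pid=2201
192.168.1.0/24[any] 172.18.0.0/21[any] any
\tout prio def ipsec
\tesp/tunnel/203.0.113.23-198.51.100.178/require
\tspid=34 seq=0 pid=2201
"""
# Same dump with the 'out' policy missing: SAs negotiate fine, but LAN
# traffic for 172.18.0.0/21 matches nothing and is handled as internet-bound.
SPD_MISSING_OUT = "\n".join(SPD_OK.splitlines()[:4]) + "\n"

# Constructed tcpdump lines on the external interface.  Line 2 is the broken
# case (source rewritten by masquerading, still in the clear); line 3 is what
# a working tunnel shows (ESP between the two gateways).
CAPTURE = [
    "16:58:30.161681 IP 192.168.1.77 > 172.18.0.1: icmp 64: echo request seq 3",
    "16:58:30.161681 IP 203.0.113.23 > 172.18.0.1: icmp 64: echo request seq 3",
    "16:58:31.170002 IP 203.0.113.23 > 198.51.100.178: ESP(spi=0x58a1700e,seq=0x4), length 116",
]

SPD_HEADER = re.compile(r"^(\S+?)\[\S*\]\s+(\S+?)\[\S*\]\s+(\S+)")
SPD_DIR = re.compile(r"^(in|out|fwd)\b")
SPD_SA = re.compile(r"^(esp|ah)/(tunnel|transport)/(\S+?)-(\S+?)/")
PKT = re.compile(r"IP (\S+) > (\S+?):\s*(.*)")


def parse_spd(dump):
    """Turn a `setkey -DP` dump into policy dicts (src, dst, dir, mode, endpoints)."""
    policies, cur = [], None
    for line in dump.splitlines():
        if line[:1] not in ("\t", " "):            # selector header line
            m = SPD_HEADER.match(line)
            if not m:
                continue
            cur = {"src": ipaddress.ip_network(m.group(1), strict=False),
                   "dst": ipaddress.ip_network(m.group(2), strict=False),
                   "upper": m.group(3), "dir": None, "sa": None,
                   "mode": None, "ep": None}
            policies.append(cur)
        elif cur is not None:                      # indented attribute lines
            s = line.strip()
            m = SPD_DIR.match(s)
            if m:
                cur["dir"] = m.group(1)
                continue
            m = SPD_SA.match(s)
            if m:
                cur["sa"], cur["mode"] = m.group(1), m.group(2)
                cur["ep"] = (ipaddress.ip_address(m.group(3)),
                             ipaddress.ip_address(m.group(4)))
    return policies


def outbound_policy(policies, src, dst):
    """The 'out' policy selecting src->dst, or None (= sent unprotected)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p["dir"] == "out" and s in p["src"] and d in p["dst"]:
            return p
    return None


def classify(line):
    """Label one tcpdump line relative to the tunnel being debugged."""
    m = PKT.search(line)
    if not m:
        return "unparsed"
    src, dst = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    rest = m.group(3)
    if rest.startswith(("ESP(", "AH(")):
        return "encapsulated" if (src == LOCAL_GW and dst == REMOTE_GW) else "ipsec-other-peer"
    if src == LOCAL_GW and dst in REMOTE_LAN:
        return "masqueraded-leak"      # plaintext to the remote LAN, our public IP as source
    if src in LOCAL_LAN and dst in REMOTE_LAN:
        return "lan-origin"            # the packet as it came from the LAN, before policy/NAT
    return "other"


def diagnose(spd_dump, capture, src="192.168.1.77", dst="172.18.0.1"):
    labels = [classify(l) for l in capture]
    return {"out_policy": outbound_policy(parse_spd(spd_dump), src, dst) is not None,
            "leaks": labels.count("masqueraded-leak"),
            "encapsulated": labels.count("encapsulated")}


if __name__ == "__main__":
    print("broken :", diagnose(SPD_MISSING_OUT, CAPTURE[:2]))
    print("working:", diagnose(SPD_OK, CAPTURE[2:]))
```

Run `setkey -DP` on the SME box and feed its output to `parse_spd`; if `outbound_policy` returns None for a LAN address and an office address, the symptom in the capture above (the second line, remote LAN destination with x.x.x.23 as source and no ESP) is expected, and the thing to fix is the policy side of the SME configuration rather than the FreeS/WAN peer. A matching `out` policy together with ESP packets between the two gateways is what a working tunnel looks like on the wire.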

jumba
« Reply #42 on: February 26, 2008, 12:36:37 PM »
OK, I just can't stay away, obviously :-P



Well, to start with, are you SURE that the ipsec tunnel is established correctly?

What does the command

Code:
less /var/log/messages | grep racoon
in the SME box give you???

varunv
« Reply #43 on: February 26, 2008, 12:47:03 PM »
OK, I just can't stay away, obviously :-P


Thanks! Much appreciated!


Well, to start with, are you SURE that the ipsec tunnel is established correctly?

What does the command

Code:
less /var/log/messages | grep racoon
in the SME box give you???

On the SME server side:

Code:
Feb 26 17:12:26 homestack racoon: INFO: IPsec-SA established: AH/Tunnel x.x.x.23->y.y.y.178 spi=1486974989(0x58a1700d)
Feb 26 17:12:26 homestack racoon: INFO: IPsec-SA established: ESP/Tunnel x.x.x.23->y.y.y.178 spi=1486974990(0x58a1700e)

On the FreeSwan side:

Code:
Feb 26 17:12:24 shiva pluto[1189]: "eod-noida-sify" #516: responding to Main Mode
Feb 26 17:12:24 shiva pluto[1189]: "eod-noida-sify" #516: Peer ID is ID_IPV4_ADDR: 'x.x.x.23'
Feb 26 17:12:24 shiva pluto[1189]: "eod-noida-sify" #516: sent MR3, ISAKMP SA established
Feb 26 17:12:24 shiva pluto[1189]: "eod-noida-sify" #516: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Feb 26 17:12:24 shiva pluto[1189]: "eod-noida-sify" #516: received and ignored informational message
Feb 26 17:12:25 shiva pluto[1189]: "eod-noida-sify" #518: responding to Quick Mode
Feb 26 17:12:25 shiva pluto[1189]: "eod-noida-sify" #518: IPsec SA established

ldkeen
« Reply #44 on: April 15, 2008, 11:53:52 AM »
Hi Varun,
You say that your cable modem is running in a bridge mode but "ip route show" at home displays the following
Quote
172.18.0.0/21 via x.x.x.1 dev eth1  src 192.168.1.2
Does the Linux box (running FreeSwan) have a public IP? If so I would have thought that "ip route show" (from home) should show the following:
Code:
172.18.0.0/21 via y.y.y.178 dev eth1  src 192.168.1.2

Something must be wrong in the routing or setup. I would set it up again, but leave all references to the cable modem out of the configuration.
Can you ping home from work?
Lloyd