Koozali.org: home of the SME Server

Ipsec Passthrough

brianr
Ipsec Passthrough
« on: February 24, 2015, 11:59:03 AM »
Can I use SME server as a gateway and have an Ipsec VPN appliance on the LAN side, communicating with a remote site?

This means opening up the firewall to the Ipsec protocol.

Can someone advise me?
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.
.........

ReetP
Re: Ipsec Passthrough
« Reply #1 on: February 24, 2015, 12:29:08 PM »
Can I use SME server as a gateway and have an Ipsec VPN appliance on the LAN side, communicating with a remote site?

This means opening up the firewall to the Ipsec protocol.

Can someone advise me?

I think you can, but I think ipsec is a bit funny about the endpoint/originating IP address.

So if the appliance is inside your LAN the far end will see the appliance IP and the gateway IP and might not be too happy with the connection - probably depends on the equipment etc.

As far as ports go, this is your answer :

"To make IPSec work through your firewalls, you should open UDP port 500 and permit IP protocol numbers 50 and 51 on both inbound and outbound firewall filters. UDP Port 500 should be opened to allow Internet Security Association and Key Management Protocol (ISAKMP) traffic to be forwarded through your firewalls. IP protocol ID 50 should be set to allow IPSec Encapsulating Security Protocol (ESP) traffic to be forwarded. Finally, IP protocol ID 51 should be set to allow Authentication Header (AH) traffic to be forwarded."

I have built and am testing an ipsec contrib for SME to replace the broken and outdated PPTP.

https://github.com/reetp/smeserver-libreswan/tree/smeserver-libreswan-0.4

Beware - it may break your system :-) So usual caveats apply - don't use it on a production system ! If you want to test and need some help please ask.

Personally I do have it working on a couple of boxes currently - one is for a VPN to my asterisk VOIP server - and it seems OK. I will build a new RPM this week.

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

brianr
Re: Ipsec Passthrough
« Reply #2 on: February 24, 2015, 01:18:09 PM »
I think you can, but I think ipsec is a bit funny about the endpoint/originating IP address.

So if the appliance is inside your LAN the far end will see the appliance IP and the gateway IP and might not be too happy with the connection - probably depends on the equipment etc.

As far as ports go, this is your answer :

"To make IPSec work through your firewalls, you should open UDP port 500 and permit IP protocol numbers 50 and 51 on both inbound and outbound firewall filters. UDP Port 500 should be opened to allow Internet Security Association and Key Management Protocol (ISAKMP) traffic to be forwarded through your firewalls. IP protocol ID 50 should be set to allow IPSec Encapsulating Security Protocol (ESP) traffic to be forwarded. Finally, IP protocol ID 51 should be set to allow Authentication Header (AH) traffic to be forwarded."

I have built and am testing a ipsec contribs for SME to replace the broken and outdated PPTP.

https://github.com/reetp/smeserver-libreswan/tree/smeserver-libreswan-0.4

Beware - it may break you system :-) So usual caveats apply - don't use it on a production system ! If you want to test and need some help please ask.

Personally I do have it working on a couple of boxes currently - one is for a VPN to my asterisk VOIP server - and it seems OK. I will build a new RPM this week.

B. Rgds
John

Yes I was aware of your work in this area, however I have an immediate requirement for IPSec connection between a site running SMEserver and a site with no server.

I am currently using VPN Ipsec ADSL modems each end, which work fine.  However one end is converting to Fibre to the Cabinet this thurs (they have just told me), so I am keen to get it all sorted on Friday!

I am looking at using Netgear or Zyxel VPN boxes each end.  I'd prefer to use the SMEServer to replace the Router for the FTTC (I've done that before), but I might well end up using the VPN box to drive the FTTC modem and hang the SMEServer on the LAN as Server only.  Which is actually what currently happens anyway.

brianr
Re: Ipsec Passthrough
« Reply #3 on: February 24, 2015, 01:20:32 PM »
John - Is your contrib for SME9 only? I'd be happy to help with testing, but I have a mixture of 9s and 8.1s, and my own server is still @ 8.1! :-?

ReetP
Re: Ipsec Passthrough
« Reply #4 on: February 24, 2015, 02:02:59 PM »
John - Is your contrib for SME9 only? I'd be happy to help with testing, but I have a mixture of 9s and 8.1s, and my own server is still @ 8.1! :-?

The code should work on both. Only difference is that v9/CentOS6 has libreswan in a standard repo but v8 doesn't. I think there is one minor setting in the masq template that won't affect SME 8 anyway i.e. there is a CentOS 6 specific setting there that won't affect CentOS 5 I believe.

You can get my el5 rpm here : http://www.reetspetit.com/smeserver/5/repoview/libreswan.html

yum localinstall and then use the code from git - make sure you use the 0.4 branch. Just copy it to the right places. I *think* you need a

    signal-event initialize-default-databases

and possibly

    signal-event post-upgrade

(not got that far yet !!!!)

That should set the minimum default settings for a connection. You need to add the specifics for your IPs and passwords etc to the ipsec_connections file, enable ipsec itself, and the connection, and then run signal-event ipsec-update.

Remember this is effectively for a peer to peer (LAN - LAN) connection. I need to sort out L2TPD for dialup ones from mobiles etc.

To connect OUT you need auto=start
For just incoming use auto=add

There are a few notes on settings in git. Note there is no panel yet, but should be easy enough for someone to build one later. Just wanted the basic thing working first.

I'll try and roll a contrib RPM asap - just up to my neck in stuff right now ! Probably be tomorrow.

Fire away if you have questions.

B. Rgds
John
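As an added illustration of the auto=start / auto=add distinction described in the post above, here is a LAN-to-LAN conn stanza in the syntax libreswan's ipsec.conf uses. This is not the contrib's own template and not code from the thread; the addresses, subnets and ids are hypothetical, and it is an assumption that the contrib's ipsec_connections file takes exactly this layout.

```ini
# Added example, not the smeserver-libreswan contrib's template. All values hypothetical.
conn office-to-cloud
    # this gateway: its public address, the LAN behind it, and how it identifies itself
    left=203.0.113.10
    leftsubnet=192.168.1.0/24
    leftid=@sme-office
    # the remote peer and the LAN behind it
    right=198.51.100.20
    rightsubnet=192.168.2.0/24
    rightid=@cloud-vm
    # pre-shared key; the secret itself lives in ipsec.secrets, never in this file
    authby=secret
    # pin the IKE and ESP proposals rather than accepting whatever the peer offers
    ike=aes256-sha2;modp2048
    phase2alg=aes256-sha2
    pfs=yes
    # auto=start: initiate the tunnel when ipsec starts (the "connect OUT" case)
    # auto=add:   only load the conn and wait for the remote side to initiate
    auto=start
```

The matching ipsec.secrets entry for this stanza would be a single line of the form `203.0.113.10 198.51.100.20 : PSK "..."` with a long random secret; the peer that uses `auto=add` needs the same conn with left/right swapped and the same PSK, and `ipsec auto --status` on either side shows whether the SA came up.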

CharlieBrady
Re: Ipsec Passthrough
« Reply #5 on: February 24, 2015, 03:17:24 PM »
Can I use SME server as a gateway and have an Ipsec VPN appliance on the LAN side, communicating with a remote site?

This means opening up the firewall to the Ipsec protocol.

Opening the firewall won't help. It would just mean that the kernel will drop the ipsec traffic because it isn't expected, rather than ignored because of firewall rules.

You will need to do some research on ipsec NAT traversal. Because IPSEC traffic is not UDP and not TCP, the built-in NAT which does packet forwarding with port translation won't connect the LAN device through to the remote site.
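The port list quoted earlier in the thread and Charlie's point about NAT meet in IKE NAT traversal: ESP (IP protocol 50) and AH (IP protocol 51) carry no port numbers, so a port-translating NAT has nothing to map them with, and AH additionally authenticates the outer IP header, so an address rewrite invalidates it. NAT-T (RFC 3948) detects the NAT during IKE and wraps ESP in UDP on port 4500, which a gateway can forward to one LAN host like any other UDP port. The snippet below is an added example, not from the thread and not SME Server's own masq templates (on SME you would normally express rules through its template and db mechanism rather than raw iptables); the interface name eth1 and the appliance address 192.168.1.20 are assumed.

```shell
#!/bin/sh
# Added example: forward IKE and IPsec NAT-T to a single VPN appliance on the LAN.
# Not from the thread or from SME Server's masq templates. Assumed values:
WAN_IF="${WAN_IF:-eth1}"            # hypothetical external interface
VPN_BOX="${VPN_BOX:-192.168.1.20}"  # hypothetical LAN address of the IPsec appliance

# Can the gateway's port-translating NAT hand this protocol to one LAN host?
# TCP and UDP carry port numbers, so DNAT can choose a target. ESP (proto 50) and
# AH (proto 51) carry none, and AH also authenticates the outer IP header, so a
# NAT that rewrites addresses cannot deliver them. Returns 0 (yes) or 1 (no).
nat_forwardable() {
    case "$1" in
        tcp|udp) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the iptables rules that forward IKE (UDP 500) and NAT-T (UDP 4500) to the
# appliance. ESP rides inside the UDP 4500 packets, so no protocol-50 rule is
# needed, and conntrack lets the appliance's replies back out through the masq.
ipsec_nat_t_rules() {
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $WAN_IF -p udp --dport 500 -j DNAT --to-destination $VPN_BOX:500" \
      "iptables -t nat -A PREROUTING -i $WAN_IF -p udp --dport 4500 -j DNAT --to-destination $VPN_BOX:4500" \
      "iptables -A FORWARD -i $WAN_IF -d $VPN_BOX -p udp -m multiport --dports 500,4500 -j ACCEPT"
}

# Print the rules; pipe the output to sh to apply them on a test box.
ipsec_nat_t_rules
```

Both IPsec endpoints must support NAT-T for this to work, and only one appliance can sit behind the gateway this way, because UDP 500 and 4500 can be forwarded to a single LAN address.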

brianr
Re: Ipsec Passthrough
« Reply #6 on: February 24, 2015, 03:42:36 PM »
Opening the firewall won't help. It would just mean that the kernel will drop the ipsec traffic because it isn't expected, rather than ignored because of firewall rules.

You will need to do some research on ipsec NAT traversal. Because IPSEC traffic is not UDP and not TCP, the built-in NAT which does packet forwarding with port translation won't connect the LAN device through to the remote site.

Thanks Charlie I was afraid that something like that was true. I've now ordered the boxes, and will be putting them "in-front" of the LAN.  I've found Zyxel ones that do ADSL and VDSL (Which is FTTC here), so I can use the same ones both ends, I hope then maximising the chance of a successful connection.

ReetP
Re: Ipsec Passthrough
« Reply #7 on: February 24, 2015, 05:32:11 PM »
Thanks Charlie I was afraid that something like that was true. I've now ordered the boxes, and will be putting them "in-front" of the LAN.  I've found Zyxel ones that do ADSL and VDSL (Which is FTTC here), so I can use the same ones both ends, I hope then maximising the chance of a succesful connection.

Personally I have used Drayteks (though I have got bit p-d off with them in recent times). For my main site to site stuff I use the IPSEC in the routers so 'router to router'

However, as I have some cloud VMs I needed to VPN to them and so I worked on libreswan. That allows me to use the Drayteks one end and libreswan on the other which works pretty well.

I used to use 2820s as a normal router, but now use them with DMZ set to 'True Active IP' which passes all traffic to  a 3300 WAN router behind them. The 3300 manages the IPSEC VPNs.

Re Charlie's excellent points I had a look about - this was interesting :

https://www.centos.org/forums/viewtopic.php?t=30586

I am really not sure about how you would go about setting up NAT traversal but clearly it is possible, though it is probably easier without it ! Not my specialist subject though :-)

Let me know if you have a go with libreswan...

B. Rgds
John

ReetP
Re: Ipsec Passthrough
« Reply #8 on: February 24, 2015, 06:56:30 PM »
Just bashed out the latest RPM which you can get here :

http://www.reetspetit.com/smeserver/6/repoview/smeserver-libreswan.html

Should be v0.4-1

Versions are noarch, but I have done them as v8 and v9. Make sure you install libreswan first as it is a dependency. Will post something in the contribs section later.

Please see the notes at github.

B. Rgds
John

ReetP
Re: Ipsec Passthrough
« Reply #9 on: February 27, 2015, 10:36:50 AM »
Note - I have learned a bit. There are some bugs in this version. It DOES work, but some of the configs are not really right.

I'll get another version out soonest.

Note that I have now also got IPSEC/L2TPD working for dial in connections :-) Need to template it.

B. Rgds
John