Differences

This shows you the differences between two versions of the page.

Revisions compared:
  * docs:guide-user:services:vpn:ipsec:openswan:site2site [2020/10/05 00:33] – [IPsec site-to-site] formatting (vgaetera)
  * docs:guide-user:services:vpn:libreswan:site2site [2022/10/28 03:54] (current) – fix spelling, typos, formatting, remove unrelated links (vgaetera)
Line 1: Line 1:
 ====== IPsec site-to-site ====== ====== IPsec site-to-site ======
-| For an overview over all existing Virtual private network (VPN)-related articles in the OpenWrt wiki, please visit [[docs:guide-user:services:vpn:overview]] | 
-For all those people who want to use openswan for a site to site connection here are the gory details... 
- 
 ===== Background ===== ===== Background =====
-In our office environment we use Centos on many of our internet faceing servers. +In our office environment we use CentOS on many of our internet facing servers. 
-In RedHat Enterprise Linux 5 the IPsec implementation was provided by racoon (KAME), userland tools, and NETKEY in the kernel. +In RedHat Enterprise Linux 5 the IPsec implementation was provided by racoon (KAME), userspace tools, and NETKEY in the kernel. 
-We set up our six office WAN using this and when it's up and running it seems to be stable, however adding a new site to the WAN seems to require reseting all of the IPsec server accross the WAN.+We set up our six office WAN using this and when it's up and running it seems to be stable, however adding a new site to the WAN seems to require resetting all of the IPsec server across the WAN.
 This can be accomplished by killing off the racoon service and starting it again. This can be accomplished by killing off the racoon service and starting it again.
-This is not particularly helpfull+This is not particularly helpful
-RedHat have decided to move to openswan for their Enterprise Linux 6 release as the default IPsec implementation using pluto for the userland tools but keeping with NETKEY for the kernel stack. +RedHat have decided to move to Libreswan for their Enterprise Linux 6 release as the default IPsec implementation using pluto for the userspace tools but keeping with NETKEY for the kernel stack. 
-We are now in the process of migrating all our IPsec VPN connections to Centos 6.x.+We are now in the process of migrating all our IPsec VPN connections to CentOS 6.x.
  
 ===== Preparation ===== ===== Preparation =====
-==== Background Reading ==== +[[wp>IPsec]] [[http://www.linuxjournal.com/article/9916|Linux Journal IPsec article]] A good explanation IPsec implementations in Linux
-[[https://www.openswan.org/projects/openswan/|Openswan]] +A good grounding on Libreswan and openVPN with discussion about the two kernel stacks KLIPS and NETKEY as well as the userspace tools pluto (Libreswan) and racoon (KAME). 
- +Note KLIPS is used in openWRT and NETKEY is used in RHEL 6.x / CentOS 6.x the peculiarities of this are discussed later.
-[[wp>IPsec]] [[http://www.linuxjournal.com/article/9916|Linux Journal IPsec article]] A good explanation IPsec implementations in linux+
-A good grounding on openSwan and openVPN with discussion about the two kernel stacks KLIPS and NETKEY as well as the userland tools pluto (openswan) and racoon (KAME). +
-Note KLIPS is used in openWRT and NETKEY is used in RHEL 6.x / CENTOS 6.x the pecularities of this are discussed later. +
- +
-==== Required Packages ==== +
-=== Server (OpenWrt) === +
-You need to install the openswan package+
  
-=== Server (RHEL 6.x / Centos 6.x) ===+==== Installation ====
 <code bash> <code bash>
-yum install openswan +opkg install libreswan
-</code> +
- +
-===== Installation ===== +
-Use the graphical package manager to install openswan or from the command prompt using [[docs:guide-user:additional-software:opkg|opkg]] +
- +
-<code bash> +
-opkg install openswan+
 </code> </code>
  
 ===== Configuration ===== ===== Configuration =====
-==== OpenWrt ==== 
-Edit **/etc/ipsec.conf** file and add this to the bottom of the file (uncomment the line). 
- 
 <code bash> <code bash>
 +# vi /etc/ipsec.conf
 include /etc/ipsec.d/*.conf include /etc/ipsec.d/*.conf
-</code> 
  
-Edit **/etc/ipsec.secrets** file and add this to the bottom of the file. +# vi /etc/ipsec.secrets
- +
-<code bash>+
 include /etc/ipsec.d/*.secret include /etc/ipsec.d/*.secret
 </code> </code>
  
-These two lines allow you to create separate configuration and secret files in the **/etc/ipsec.d/** directory for each connection.+These two lines allow you to create separate configuration and secret files in the ''/etc/ipsec.d/'' directory for each connection.
  
-By convention it makes sense to name these files: **<connection name>.conf** and **<connection name>.secrets**+By convention it makes sense to name these files: ''<connection_name>.conf'' and ''<connection_name>.secrets''.
  
 ==== DNS ==== ==== DNS ====
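Review bot: the include pattern and the naming convention added in this hunk disagree: ''include /etc/ipsec.d/*.secret'' will not match a file named ''<connection_name>.secrets'' as the convention sentence recommends, so a pre-shared key placed per the convention is silently ignored and the connection fails authentication; make the glob ''*.secrets'' or change the convention to ''.secret''. While here, the new Configuration block gives no ownership or permission guidance for the per-connection secrets files; suggest one sentence that ''/etc/ipsec.secrets'' and everything under ''/etc/ipsec.d/'' holding keys must be owned by root and mode 0600. Two smaller points: the Preparation note "KLIPS is used in openWRT and NETKEY is used in RHEL 6.x / CentOS 6.x ... the peculiarities of this are discussed later" is carried over unchanged while the Installation block switches from ''opkg install openswan'' to ''opkg install libreswan''; that kernel-stack claim was written for the old package and should be re-verified for libreswan rather than inherited, and the "discussed later" pointer checked against what the page still contains. And the global openswan to Libreswan rename was also applied to the historical sentence "RedHat have decided to move to Libreswan for their Enterprise Linux 6 release" and to the description of the Linux Journal article; those sentences describe what existed at the time, so the rename there rewrites history rather than updating advice; either keep the old name in them or reword them as what RHEL 6.x ships now.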
Line 66: Line 44:
   * **Automatically**: Dnsmasq forwards requests for acme.inc through the tunnel to the ACME DNS server. This avoids double work.   * **Automatically**: Dnsmasq forwards requests for acme.inc through the tunnel to the ACME DNS server. This avoids double work.
  
-DNS fowarding through VPN tunnels is almost the same as normal DNS forwarding with one exception.+DNS forwarding through VPN tunnels is almost the same as normal DNS forwarding with one exception.
 Dnsmasq must use the correct source interface. Dnsmasq must use the correct source interface.
 By default it will use the OpenWrt internet IP for it's requests but this cannot be tunneled. By default it will use the OpenWrt internet IP for it's requests but this cannot be tunneled.
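Review bot: this spelling hunk leaves "it's" in the context line "By default it will use the OpenWrt internet IP for it's requests", which should be "its". That sentence is also the key constraint of the section and "cannot be tunneled" undersells it: a policy-based IPsec tunnel only encapsulates packets whose source address falls inside the local subnet of the connection (the ''leftsubnet'' selector in libreswan terms), so a query sourced from the WAN address does not match the policy and leaves in clear text toward a DNS server that is only reachable through the tunnel; suggest stating explicitly that dnsmasq must bind its upstream queries to a LAN-side address covered by the tunnel.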
Line 73: Line 51:
 Don't forget to add this domain on the whitelist otherwise Dnsmasq will detect rebind attacks and discard requests. Don't forget to add this domain on the whitelist otherwise Dnsmasq will detect rebind attacks and discard requests.
  
-{{:doc:howto:ipsec_dns.png|}}+{{doc:howto:ipsec_dns.png}}
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
 If you are having problems getting the IPsec stuff to work, try dropping the firewalls. If you are having problems getting the IPsec stuff to work, try dropping the firewalls.
  
-=== Usefull Commands ===+=== Usefull commands ===
 <code bash> <code bash>
 # Interface & routing # Interface & routing
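Review bot: the Troubleshooting advice "try dropping the firewalls" is kept unchanged in this hunk and is a risky diagnostic on an internet-facing router. Suggest replacing it with the specific rules the tunnel needs, so they can be checked rather than the whole firewall removed: accept inbound UDP/500 and UDP/4500 (IKE and NAT-T) and IP protocol 50 (ESP) on the WAN zone, and allow forwarding between the LAN and the remote subnet, then watch the rule counters while the tunnel negotiates. Two nits in the same region: the heading edit "Usefull Commands" to "Usefull commands" fixes the case but not the spelling, which should be "Useful commands", and the DNS context line "Don't forget to add this domain on the whitelist" never names the setting; on OpenWrt that is the ''rebind_domain'' list in the dnsmasq section of ''/etc/config/dhcp'' (dnsmasq's ''--rebind-domain-ok''), and it should be limited to the remote site's domain rather than disabling rebind protection.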
Line 93: Line 71:
  
 # Ping # Ping
-ping -I <local internal interface local internal ip> <remote internal ip>+ping -I <local_internal_interface local_internal_ip> <remote_internal_ip>
  
 # TCP dump # TCP dump
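Review bot: the new placeholder ''<local_internal_interface local_internal_ip>'' still reads as two arguments, but ''ping -I'' takes a single value, either an interface name or a source address. For a policy-based IPsec tunnel the source address is what matters: the kernel selects the IPsec policy on the packet's source and destination, so a ping whose source address is outside the connection's local subnet is not encapsulated and either leaks unencrypted or is dropped by the remote side. Suggest ''ping -I <local_internal_ip> <remote_internal_ip>'' plus a sentence saying why a LAN-side source address is required.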
Line 100: Line 78:
  
 # Firewall # Firewall
-iptables-save+nft list ruleset
 </code> </code>
- 
-===== Notes ===== 
-  * The Project Homepage: [[http://mumble.sourceforge.net/]] 
-  * a very good tutorial: [[http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html]] 
  