More notes

IpsecSettings.txt

@@ -1,3 +1,5 @@
+smeserver-libreswan-0.5
+
 Config settings
 
 For other options see here 

ToDo

@@ -2,4 +2,4 @@ ToDo
 
 * Remove debugging code
 * Stop/start individual connections - some code is alread there
-* Refine redirects
+* Enable pluto debug

ipsecDB.Notes

@@ -1,108 +1,17 @@
-V 0.7.x Notes
+smeserver-libreswan-0.5.x
 
 ** Note that nothing is guaranteed to work and it may break your system or deny you access **
 
 Also note that on occasion ipsec can get hung - I think this is when you enable/disable a few times quite quickly and the connection is still waiting on a timeout
 
-
-RSA passwords. These are much stronger than standard passwords.
-
-To generate run - ignore warnings :
-
-Delete all old dbs
-
-rm /etc/ipsec.d/*.db
-
-ipsec initnss --configdir /etc/ipsec.d
-
-ipsec newhostkey --output /etc/ipsec.d/rsa.secrets
-
-We need the following keys as our Left key and their Right key - the other end needs to do the same :
-ipsec showhostkey --left
-ipsec showhostkey --right
-
-
-We then add them to our connection -make sure you use an ID, ESPECIALLY with a dynamic host involved:
-
-db ipsec_connections setprop LocalToRemote leftrsasig SomeLongStringFromLocalRSASecrets leftid East rightid West
-db ipsec_connections setprop LocalToRemote rightrsasig SomeLongStringFromRemoteRSASecrets leftid West rightid East
-
-Be VERY careful copying these public keys - one character out anywhere and it will not work
-
-Various refinements and bug fixes.
-
-Note a new setting will be created in the ipsec_connections db called 'PreviousState'
-This tracks changes made so ipsec-update knows what to do on state changes. There is no need to touch this setting
-
-#Per connection settings like this
-
-ipsec_connections configs
-
-Note that settings in the main config db only get reread if you restart ipsec.
-
-Those on a per connection basis will get reread when a connection gets restarted / called via ipsec-update.
-
-db settings
-
-db ipsec_connections set workToVoip ipsec status disabled leftsourceip 192.168.10.100 leftsubnet 192.168.10.100/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 passwd MyPassWd
-
-
-[root@test]# db ipsec_connections show
-workToVoip=ipsec
-    leftsourceip=192.168.10.100
-    leftsubnet=192.168.10.0/24
-    passwd=MyPassWd
-    right=1.2.3.4
-    rightsubnet=10.0.0.0/24
-    status=disabled
-
-
-Config Defaults
-
-config set ipsec service status disabled connectiontype tunnel left %defaultroute ikelifetime 28800s keylife 3600s dpdaction restart dpddelay 30 dpdtimeout 10 pfs yes auto start security secret salifetime 28800s
-
-Additional db entries
-
-Set mtu as in Config or ipsec connections if required
-
-Add rsasigs
-
-set
-security rsasig
-certname "Your cert nickname" - find with  'certutil -d . -L |grep u,u,u'
-
-https://libreswan.org/man/ipsec.conf.5.html
-
-ike = Some examples are ike=3des-sha1,aes-sha1, ike=aes, ike=aes128-md5;modp2048, ike=aes128-sha1;dh22, ike=3des-md5;modp1024,aes-sha1;modp1536 or ike=modp1536
-phase2alg = aes-sha1 | similar to above
-
-Note there is no DB entry for phase2 - Libreswan defaults to ESP so unless you use AH (not recommended) leave as is
+Note there is no DB entry for phase2 - openswan defaults to ESP so unless you use AH (not recommended) leave as is
 
 ----------------------------------------------------------
 
-[root@test ipsec.d]# config show ipsec
-ipsec=service
-    auto=start
-    connectiontype=tunnel
-    dpdaction=restart
-    dpddelay=30
-    dpdtimeout=10
-    ikelifetime=28800s
-    keylife=3600s
-    left=%defaultroute
-    pfs=yes
-    status=disabled
-
-
-Any setting in the db ipsec_connections will override the default settings in the config db (or should !) If there is no setting the system will set a default.
-
-There is now a new action script called ipsec-update.
-
-Make your changes and then signal-event ipsec-update to action them.
 
 Note that as it is very difficult currently to detect connections that are up (something libreswan are working on) the script does not try to detect connection status so it will reset them currently.
 
-Just discovered we can probably do this with ipsec whack --status |grep "Ipsec SA established" (Only trlls if it i up, not if it is active)
+Just discovered we can probably do this with ipsec whack --status |grep -i "Ipsec SA established" (Only tells if it is up, not if it is active)
 https://lists.libreswan.org/pipermail/swan/2015/001083.html
 
 Any question then please ask at forums.contribs.org in the Contribs sections.
@@ -112,6 +21,7 @@ Any question then please ask at forums.contribs.org in the Contribs sections.
 
 Notes to self on Firewalls
 
+=======
 IPSec (VPN tunneling) uses the following ports:
 
 50 - Encapsulation Header (ESP)
@@ -124,14 +34,10 @@ L2TPD
 
 
 
-the rp_filter and send redirects are directly manipulated by the ipsec-update script
-
-We could possibly set the firewall ports in the main config db and dispense with the masq fragment later.
-[11/2015 Done for ipsec - just need a postrouting config]
+the rp_filter and send redirects are directly set in sysctl.conf and manipulated by the ipsec-update script
 
 http://wiki.contribs.org/DB_Variables_Configuration#IPTables_firewall_.28masq.29
 
-Need to add this and remove the masq template :
 
 ipsec only - note that ESP traffic runs on 50 and AH needs 51
 
@@ -142,5 +48,6 @@ l2tpd
 
 config setprop ipsec access public UDPPorts 500,4500,1701 TCPPort 50,51
 
+certname "Your cert nickname" - find with  'certutil -d . -L |grep u,u,u'
 
 http://swan.libreswan.narkive.com/lg70MHRr/plicbd-pluto-6857-reapchild-failed-with-errno-10-no-child-processes