Ipsec Under the Hood
ClearOS 6 contains functionality for lots of IPSec functionality from the Marketplace through the Dynamic VPN app, Basic Static VPN app, and the Static VPN app and potentially others! Special care has to be done when making IPSec VPN apps so that they don't conflict with other packages (like multiwan) and there is some special tweaking that goes on in the various VPN technologies that overcomes these issues in a way that the plain open source application cannot automatically provide.
Moreover, IPSec is prone to stale sessions and disconnect to which its own service is unable to detect and resolve. The reason for the existence of the Managed VPN service is that IPSec is inherently a flaky technology. We recommend using OpenVPN for unmanaged tunnels.
This guide, however, gives some minimal help for configuring an IPSec VPN tunnel manually between two ClearOS boxes in case you have to use IPSec. Consider, however, resolving your issues with the apps in the marketplace before using this guide which is mostly useful to software developers that wish to create new IPSec VPN apps. Another reason for requiring a manual IPSec is that you may need to set up a tunnel between ClearOS and a third party firewall/router which only has this option and the paid app is not able to provide the connection or perhaps you just want to do it for free. These type of multi-vendor tunnels are possible but it is beyond the scope of this document to address them all. You can have success but you will need to familiarize yourself extensively with OpenSwan (the package which provides ipsec under ClearOS) and the terms involved. Also, you will need to google … a lot.
Under ClearOS 6 you can download and install openswan IPSec by running the following:
yum install openswan
You might also want to grab the documentation.
yum install openswan-doc
Structure of OpenSwan
Openswan will install the following configuration files in etc:
Binaries and libraries:
The OpenSwan IPSec daemon is controlled by the following init script:
Setting the ipsec daemon to autostart
By default the ipsec daemon will not be automatically started. You can check the automatic start status by running the following (note: this works for all services in the init scripts)
chkconfig --list ipsec
You should get the following results after a fresh install:
[root@home pluto]# chkconfig --list ipsec
ipsec 0:off 1:off 2:off 3:off 4:off 5:off 6:off
If you want ipsec to automatically start when you start your server, run the following command.
chkconfig --level 345 ipsec on && chkconfig --list ipsec
[root@home pluto]# chkconfig --level 345 ipsec on && chkconfig --list ipsec
ipsec 0:off 1:off 2:off 3:on 4:on 5:on 6:off
The Webconfig Daemon class should handle this nicely when converted to an app.
The main two things that you will need for a tunnel are a properly configured .conf file and .secrets file which should be contained in the /etc/ipsec.d folder.
To build a minimal tunnel, create a file that ends in .conf in the /etc/ipsec.d folder. For example:
For ClearOS to ClearOS connections this is pretty much it. Here are the values you will need to modify (in all examples our current/first box is the 'right' box):
OK. That file needs to be that same way on both sides of the tunnel. No need to reverse the left and right sides of the thing. It can figure out by a comparison of the IP address and the next hop as to which side it is. This makes it easy to just copy the file so that it is the same on both sides.
Next is an example of a file that works to connect ClearOS to a Netgear router. I don't have the GUI snapshot of the Netgear but this is what a certain Netgear router needs for a 3rd party IPSec tunnel.
#rightnexthop=220.127.116.11 #Wasn't needed
The .secrets file should be named the same as the .conf for simplicity sake more than anything. If your .conf file was ipsec-here-to-there.conf then your secrets file should be ipsec-here-to-there.secrets. Both should be placed in /etc/ipsec.d/.
The .secrets file is the easy configuration. Here is an example:
18.104.22.168 22.214.171.124 : PSK "blahblahblah.this-is_mySecretPRE-SHARED_key"
The elements are“
Starting and stopping ipsec
To start ipsec run the following:
service ipsec start
To stop ipsec run the following:
service ipsec stop
Most of the information that will be useful can be found in two places.
tail -n 500 -f /var/log/secure | grep pluto
And the more verbose tool:
ipsec auto --status