TOPIC: Custom IPsec on 6.2
#42486
Custom IPsec on 6.2 1 Year ago  
Hi all,

I am looking to connect our WAN directly to Clear 6.2. I will need some 'hub and spoke' IPsec VPNs to terminate on the box.

I see that there is no app for 'manual' VPNs in 6.2.

What is the recommended solution? If I download & install openswan via yum, do I need any other packages, or do I just configure the config files as if it were 5.2 (I will need to write from scratch)?

Is there anything I need to be especially aware of that is different from 5.2 now that it is not an installed package (such as firewall config etc.)?

Thanks

David
David Clayton
#42492
Re: Custom IPsec on 6.2 1 Year ago  
I don't have a production 6.2 box but I run a later version of Openswan on my 5.2.

Go ahead and configure manually. Leave out the references to the up/down scripts as they came from ClearOS. By default Openswan will use its own scripts which work fine for me. I am not a fan of how ClearOS used four conns for one VPN, but it was there for legacy reasons. You can do it in a single conn now using the left/rightsourceip key word and it is only needed for the local end of the tunnel. If you need compatibility with 5.2 you'll need the old four conn set up.

You can also drop all the stuff about opportunistic encryption as it is now off by default or just put one line "oe=no" in config setup.

Also you can make life easier by moving your hub definition into "conn default" so you don't have to repeat it for each conn.

If you're happy to help, I think we need a howto as we now have no webconfig. I can't do it on my own as I only have one ClearOS endpoint. I can give the configs to try but ultimately I cannot test it.

The firewall should be straightforward. Just open the incoming IPsec standard service, although there are other ways of doing it.
Nick Howitt
#42503
Re: Custom IPsec on 6.2 1 Year ago  
Hi Nick,

I would be more than happy to help write a 'how to' once I have my set-up working. Thanks for your speedy reply. I will follow the instructions and examples as per the native open swan documentation and see how I get on. Looking to install and test in about 3 weeks time.

The remote endpoints are all Netgear DSL routers, but they currently terminate on a 3Com which is Linux based and uses Pluto. Don't hold me to it, but I think the VPN is done by a version of strongSwan (I did find out the version number one time), so I'm fairly confident that I will be able to get it to work.

David
David Clayton
#42523
Re: Custom IPsec on 6.2 1 Year ago  
I would love to see an app created for manual VPNs going forward. Can some of the work done under 5.2 be used as a base starting point (strip out the four-connection elements from the submission routine, a few fields to be changed in the PHP table submission code for the VPN settings), as it already writes some data to the config files and starts/stops the service etc.? It doesn't sound like an impossible task.

Maybe I will see about sponsoring a developer or asking one of our own programmers to write something.

David
David Clayton
#42530
Re: Custom IPsec on 6.2 1 Year ago  
Hmm,
I was thinking of a ClearOS<->ClearOS IPsec VPN howto based on static WAN IPs. I think if you bring in third-party devices you end up with too much of a case-by-case set up. Do you use PFS, aggressive mode, what encryption algorithms are available on the third-party devices, is DPD supported etc.? To this you can then add if one end is on a static IP and the other dynamic, and so on.

If you have a couple of ClearOS endpoints I'd be happy to give it a shot. I'd also be happy to assist with connecting to your Netgear - it has been done recently on this forum and there are examples out in the internet as well.

As for an app for ClearOS, it's a good idea but I know nothing about PHP and don't think I'll get the time to learn at home. Some of the basic stuff should be in the 5.2 app as you say, but if you want to achieve a generic configuration app it becomes trickier.
Nick Howitt
#42536
Re: Custom IPsec on 6.2 1 Year ago
Nick,

The VPNs are static, and I would say they will be very basic. The output of my 3Com:

Code:

<vpn-setting enable="1" natt="0">
  <tunnel name="HG" key="auto" mode="tunnel" ike_policy="" ipsec_params="" flags="0" state="1">
    <auto exc_mode="main" key_exc="ikev1" ike_auth="secret" auto="route" secret="XXXXXXX=" local_id_type="0" local_id="88.98.137.XXX" peer_id_type="0" peer_id="82.69.27.XXX" ike_enc="3des" ike_ha="sha1" ike_dh="modp1024" ike_lifetime="28800" ipsec_auth="esp" ipsec_comp="0" ipsec_enc="3des" ipsec_ha="sha1" pfs_group="none" ipsec_lifetime_type="0" ipsec_lifetime="28800" xAuth_usr="" xAuth_pass=""/>
    <local iface="eth0.7" localip="88.98.137.XXX" type="2" p_addr="10.1.0.0" s_addr="255.255.0.0" route_addr="0.0.0.0" proto="0" port="0"/>
    <remote gwtype="0" gw="82.69.27.XXX" gwdns="" type="2" p_addr="10.19.0.0" s_addr="255.255.0.0" route_addr="0.0.0.0"/>
  </tunnel>
</vpn-setting>



This configuration has many more 'options' than we will be putting into the Openswan files!

I had a look at the configuration page of the Netgear's source code (attached image), and for what seems to be a fairly simple page, there are a significant number of lines of code (lots of validation / multiple-choice options taking place).

It is this sort of a screen that I would like to see made into an app - that writes the data back to the config files (shouldn't be a huge undertaking...to the point where if someone could set me up the basic form template and submit actions, I would be happy to do the 'typing' of all the required fields)

David
David Clayton
Last Edit: 2012/06/13 08:40 By dcclayton.
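To show what the 3Com export above maps to on the Openswan side, here is an added example, not code from the thread or from ClearOS/Openswan, that parses the <vpn-setting> XML with Python's standard library and renders each tunnel as an Openswan conn plus its ipsec.secrets line. The element and attribute names are taken from the export as posted; the addresses and the secret in the sample are constructed placeholders, and the mapping (ike_enc/ike_ha/ike_dh to ike=, dotted mask to CIDR, pfs_group to pfs=) is my reading of those attributes, so check it against the router's documentation before relying on it.

```python
"""Convert a 3Com-style <vpn-setting> export into Openswan conn blocks.

Added example: element/attribute names follow the export posted in the thread;
the addresses and the secret value below are constructed placeholders.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on the posted export (RFC 5737 addresses, dummy secret).
SAMPLE_XML = """<vpn-setting enable="1" natt="0">
<tunnel name="HG" key="auto" mode="tunnel" ike_policy="" ipsec_params="" flags="0" state="1">
 <auto exc_mode="main" key_exc="ikev1" ike_auth="secret" auto="route" secret="XXXXXXX="
       local_id_type="0" local_id="198.51.100.10" peer_id_type="0" peer_id="203.0.113.21"
       ike_enc="3des" ike_ha="sha1" ike_dh="modp1024" ike_lifetime="28800"
       ipsec_auth="esp" ipsec_comp="0" ipsec_enc="3des" ipsec_ha="sha1" pfs_group="none"
       ipsec_lifetime_type="0" ipsec_lifetime="28800" xAuth_usr="" xAuth_pass=""/>
 <local iface="eth0.7" localip="198.51.100.10" type="2" p_addr="10.1.0.0" s_addr="255.255.0.0"
        route_addr="0.0.0.0" proto="0" port="0"/>
 <remote gwtype="0" gw="203.0.113.21" gwdns="" type="2" p_addr="10.19.0.0" s_addr="255.255.0.0"
         route_addr="0.0.0.0"/>
</tunnel>
</vpn-setting>"""


def to_cidr(addr, mask):
    """Turn the export's address + dotted-mask pair into the a.b.c.d/nn form ipsec.conf wants.
    strict=True rejects a network address with host bits set (a sign of a mistyped mask)."""
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=True))


def parse_tunnels(xml_text):
    """Return the <tunnel> elements of a <vpn-setting> document."""
    root = ET.fromstring(xml_text)
    if root.tag != "vpn-setting":
        raise ValueError(f"unexpected root element <{root.tag}>")
    return root.findall("tunnel")


def tunnel_to_conn(tunnel):
    """Render one tunnel as an Openswan conn; refuse settings this mapping does not cover."""
    ike = tunnel.find("auto")
    local = tunnel.find("local")
    remote = tunnel.find("remote")
    if ike is None or local is None or remote is None:
        raise ValueError("tunnel is missing <auto>, <local> or <remote>")
    if ike.get("key_exc") != "ikev1" or ike.get("ike_auth") != "secret":
        raise ValueError("only IKEv1 with pre-shared keys is mapped here")
    if ike.get("exc_mode") != "main":
        raise ValueError("aggressive mode is not carried over")
    if ike.get("ipsec_auth") != "esp":
        raise ValueError("only ESP tunnels are mapped here")
    # pfs=no only records what this side proposes; Openswan still uses PFS if the peer asks for it.
    pfs = "no" if ike.get("pfs_group", "none") == "none" else "yes"
    auto = ike.get("auto", "add")
    if auto not in ("add", "route", "start"):
        auto = "add"
    return "\n".join([
        f"conn {tunnel.get('name')}",
        f"\tleft={local.get('localip')}",
        f"\tleftsubnet={to_cidr(local.get('p_addr'), local.get('s_addr'))}",
        f"\tright={remote.get('gw')}",
        f"\trightsubnet={to_cidr(remote.get('p_addr'), remote.get('s_addr'))}",
        "\tauthby=secret",
        f"\tike={ike.get('ike_enc')}-{ike.get('ike_ha')};{ike.get('ike_dh')}",
        f"\tesp={ike.get('ipsec_enc')}-{ike.get('ipsec_ha')}",
        f"\tikelifetime={ike.get('ike_lifetime')}s",
        f"\tsalifetime={ike.get('ipsec_lifetime')}s",
        f"\tpfs={pfs}",
        f"\tauto={auto}",
    ])


def tunnel_to_secret(tunnel):
    """The matching ipsec.secrets line, so the PSK never lands in ipsec.conf."""
    ike = tunnel.find("auto")
    local = tunnel.find("local")
    remote = tunnel.find("remote")
    return f'{local.get("localip")} {remote.get("gw")} : PSK "{ike.get("secret")}"'


if __name__ == "__main__":
    for t in parse_tunnels(SAMPLE_XML):
        print(tunnel_to_conn(t))
        print()
        print(tunnel_to_secret(t))
```

The converter deliberately refuses exports it cannot represent faithfully (aggressive mode, AH, non-PSK authentication) rather than emitting a conn that silently negotiates something else; the strict CIDR conversion catches a mask typed against a host address, which is the kind of error that otherwise only shows up as a tunnel that comes up but carries no traffic.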
#42559
Re: Custom IPsec on 6.2 1 Year ago
Image not attached... It must be 800x800px or less for it to attach.

The 3Com settings look like they could be reflected in Openswan quite easily (but I would prefer to see pfs turned on).

[edit]
What is the model of Netgear?
[/edit]
Nick Howitt
Last Edit: 2012/06/13 16:22 By NickH.
#42741
Re: Custom IPsec on 6.2 1 Year ago
Hi Nick,

I can't understand why people make their configurations so complicated! (I think most people try and modify an example config that they find on the net, whereas I read up and have built my config from scratch.) The (new) openswan has defaults within the program, so you do not explicitly need to define them with lines of config.

I have gone for a 'minimalist' config

Code:

config setup
        protostack=netkey
        klipsdebug=none
        plutodebug=none
        interfaces=eth0 # AA Fibre Interface

conn %default
        left=88.98.XXX.XXX      # AA Fibre
        leftsubnet=10.1.0.0     # AA Subnet
        authby=secret
        ike=3des-sha1;modp1024
        salifetime=28800
        auto=start
        rightupdown=/usr/libexec/ipsec/_updown.app
        leftupdown=/usr/libexec/ipsec/_updown.app



You will see that I have defined an interface as opposed to the standard %defaultroute; this will be required as the VPNs are kept on a separate interface from the default route.

In the sites config:

Code:


# right values only. left defined in default

conn MM
        right=82.69.XXX.XXX
        rightsubnet=10.12.0.0

conn HH
        right=82.71.XXX.XXX
        rightsubnet=10.15.0.0

conn CC
        right=82.69.XXX.XXX
        rightsubnet=10.16.0.0

conn EE
        right=82.69.XXX.XXX
        rightsubnet=10.17.0.0



...and so on for the next 100.

In the ipsec.secrets:

Code:


88.98.XXX.XXX          # AA Fibre (left)
        82.69.XXX.XXX     # MM
        82.71.XXX.XXX     # HH
        82.69.XXX.XXX     # CC
        82.69.XXX.XXX     # EE
        ....next 100
        : PSK "passwordtochange"



Many things like PFS are enabled by default (so much so that the line

Code:


pfs=no



has no effect).

The Netgear routers are all DG834s, and as far as I am concerned they are already working with the Linux version running on the 3Com unit, so should have no problem working with Clear.

The only thing I think I may need some help on, is allowing the traffic through the firewall (slightly more complicated as I have IPsec traffic going to multiple places depending on source IP... that's for another forum post!)

David
David Clayton
#42748
Re: Custom IPsec on 6.2 1 Year ago
In general, yes it is pretty easy. The harder bit is to make it inter-op with other devices as you don't always know the full set up and they sometimes do things slightly differently.

I would not bother with the up/down scripts. They are ClearOS specific so will not exist in 6.2. Default ones are supplied by Openswan which are generally fine.
I don't think the interfaces line is correct. It is normally more like interfaces="ipsec0=eth0" but that only works when using klips and not netkey. You may be able to drop the line.
I guess you've left off all your subnet masks e.g. /24
In config default set "leftsourceip=your_clearos_lan_ip". You'll then be able to ping correctly through from ClearOS to the remote ends otherwise it uses your WAN IP as the source IP.
I am more of a fan of aes over 3des as it is supposed to use one third of the processing power. Security-wise 3des is pretty similar to aes128. aes256 is better than both.
Your value of salifetime is the default so can be dropped.

If you really have 100 endpoints and you find the VPN start up is slow (netkey brings up each conn in turn) you may want to investigate using klips instead. I believe it launches one process per conn.

PFS is interesting. Openswan believes so much in it that if you say no and the other end says yes, Openswan will always use it. Only if pfs is set to no at both ends will it not be used.

As I have a dynamic far end I have to use the rightid in the conn and ipsec.secrets.

[edit]
I think the same PSK for 100 conns is not recommended as one security breach covers all endpoints. Having said that, defining 100 PSKs is a PITA.
Another thing you could investigate if you wanted to make life more difficult (but more secure) is using certificates instead of PSKs.
[/edit]
Nick Howitt
Last Edit: 2012/06/19 17:30 By NickH.
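Putting David's minimalist layout together with the corrections in the reply above (CIDR masks on the subnets, leftsourceip in conn %default, a different PSK per spoke rather than one shared key, and the firewall opened only to the spoke addresses rather than the whole internet), here is an added example generator. It is not code from the thread or from Openswan/ClearOS: the addresses are constructed RFC 5737 values, the conn names are hypothetical, ike= is pinned to 3DES only because the thread says the DG834 spokes support nothing else, and the plain iptables INPUT chain is an assumption (ClearOS has its own firewall layer, so translate the rules into its terms).

```python
"""Generate a hub-and-spoke Openswan configuration with a distinct PSK per spoke.

Added example (not from the thread or from Openswan/ClearOS). Addresses are
constructed; conn names, file layout and the iptables chain are assumptions.
"""
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Spoke:
    name: str    # conn name (hypothetical site code)
    ip: str      # public address of the remote gateway
    subnet: str  # remote LAN in CIDR form


# Constructed sample data (RFC 5737 addresses), not the thread's real sites.
HUB_IP = "198.51.100.10"
HUB_LAN = "10.1.0.0/16"
HUB_LAN_IP = "10.1.0.1"          # becomes leftsourceip
SPOKES = [
    Spoke("MM", "203.0.113.21", "10.12.0.0/16"),
    Spoke("HH", "203.0.113.22", "10.15.0.0/16"),
    Spoke("CC", "203.0.113.23", "10.16.0.0/16"),
]


def validate(hub_lan, spokes):
    """Reject bad addresses, masks with host bits set, duplicate names and overlapping
    subnets before anything is written; an overlap silently blackholes traffic later."""
    seen = [ipaddress.ip_network(hub_lan, strict=True)]
    names = set()
    for s in spokes:
        if s.name in names:
            raise ValueError(f"duplicate conn name {s.name}")
        names.add(s.name)
        ipaddress.ip_address(s.ip)
        net = ipaddress.ip_network(s.subnet, strict=True)
        for other in seen:
            if net.overlaps(other):
                raise ValueError(f"{s.name}: {net} overlaps {other}")
        seen.append(net)
    return True


def render_ipsec_conf(hub_ip, hub_lan, hub_lan_ip, spokes):
    """ipsec.conf: hub settings once in conn %default, then only right= values per spoke."""
    lines = [
        "config setup",
        "\tprotostack=netkey",
        "\toe=no",                        # opportunistic encryption off, as in the thread
        "",
        "conn %default",
        f"\tleft={hub_ip}",
        f"\tleftsubnet={hub_lan}",
        f"\tleftsourceip={hub_lan_ip}",   # hub-originated traffic leaves with a LAN address
        "\tauthby=secret",
        "\tike=3des-sha1;modp1024",       # 3DES only because the DG834 spokes support nothing stronger
        "\tpfs=yes",
        "\tauto=start",
        "",
    ]
    for s in spokes:
        lines += [f"conn {s.name}", f"\tright={s.ip}", f"\trightsubnet={s.subnet}", ""]
    return "\n".join(lines)


def new_psk(nbytes=32):
    """Random per-spoke key from the OS CSPRNG; lower nbytes if a spoke limits PSK length."""
    return secrets.token_hex(nbytes)


def render_ipsec_secrets(hub_ip, spokes, psks):
    """ipsec.secrets: one 'hub gateway : PSK' line per distinct gateway address (keys are
    looked up by gateway IP), so a key leaked from one site authenticates no other site."""
    lines, done = [], set()
    for s in spokes:
        if s.ip in done:
            continue
        done.add(s.ip)
        lines.append(f'{hub_ip} {s.ip} : PSK "{psks[s.ip]}"\n')
    return "".join(lines)


def render_firewall_rules(spokes):
    """Accept IKE (UDP 500), NAT-T (UDP 4500) and ESP only from the known gateway addresses.
    Plain iptables INPUT chain is an assumption; ClearOS wraps its own firewall around this."""
    rules = []
    for s in spokes:
        rules += [
            f"iptables -A INPUT -s {s.ip} -p udp --dport 500 -j ACCEPT",
            f"iptables -A INPUT -s {s.ip} -p udp --dport 4500 -j ACCEPT",
            f"iptables -A INPUT -s {s.ip} -p esp -j ACCEPT",
        ]
    return rules


if __name__ == "__main__":
    validate(HUB_LAN, SPOKES)
    keys = {s.ip: new_psk() for s in SPOKES}
    print(render_ipsec_conf(HUB_IP, HUB_LAN, HUB_LAN_IP, SPOKES))
    print(render_ipsec_secrets(HUB_IP, SPOKES, keys))
    print("\n".join(render_firewall_rules(SPOKES)))
```

Generating the files from one spoke list is what makes per-site keys manageable at a hundred endpoints: the list is the single thing to maintain, each spoke's key is handed to that site alone, and rotating one site's key means regenerating one ipsec.secrets line rather than touching every router.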
#42782
Re: Custom IPsec on 6.2 12 Months ago
Hi Nick,

Thanks for your reply. The Netgears only support 3DES, so we are stuck with that at the moment.

The up/down scripts existed in the Clear config (I assume that on 6.2 these won't be there as we will do a manual openswan installation).

I'll need to look into the interfaces line in more detail, but I will want to specify the route that IP traffic uses. The ipsec0 interface that you mentioned is usually found in the routing table/firewall.

The subnet masks weren't in some of the examples I looked at, and aren't in the 3Com... we are already specifying the remote subnet, so I don't see that defining the subnet mask adds anything.

Thanks for the left source IP.

The common PSK makes administration easy. Yes, I agree that a compromise would breach all sites, but that is a risk I'm okay with... I'll get the tunnels up and working for now!

I have no immediate plans to swap the Netgears out (and therefore upgrade to certificate based device) for the foreseeable future.

David
David Clayton