installuse
Note: these notes are for SME Server v9 with Libreswan.
Add the EPEL repos (see http://wiki.contribs.org/Epel):
# signal-event yum-modify
# yum --enablerepo=smedev,epel install smeserver-libreswan
# signal-event post-upgrade; signal-event reboot
Check the status of ipsec - the default db entries look like this:
[root@sme91x64 ~]# config show ipsec
ipsec=service
UDPPort=500
access=public
auto=start
connectiontype=tunnel
dpdaction=restart
dpddelay=30
dpdtimeout=10
ikelifetime=3600s
left=%defaultroute
pfs=yes
salifetime=28800s
security=secret
status=enabled
status should be enabled; if it is not, enable it:
# config setprop ipsec status enabled
access should be public; if it is not, set it:
# config setprop ipsec access public
auto should be start (originator) or add (destination):
# config setprop ipsec auto start
Connection profile (xyz is the profile name, right is the WAN IP of the destination, passwd is the shared secret; replace the #'d values with your own):
# db ipsec_connections set xyz ipsec ike aes-sha1 leftsourceip \
192.168.#.# leftsubnet 192.168.#.0/24 passwd ######### right \
#.#.#.# rightsubnet 192.168.#.0/24 status enabled
# db ipsec_connections show
status should be enabled and auto should be start; if not, set them:
# db ipsec_connections setprop xyz status enabled
# db ipsec_connections setprop xyz auto start
# Add remote network to Local networks in server-manager
# signal-event ipsec-update
# 25/11/2015 masq templates updated now
[root@sme91x64 ~]# db ipsec_connections show
xyz=ipsec
PreviousState=enabled
auto=start
ike=aes-sha1
leftsourceip=192.168.#.#
leftsubnet=192.168.#.0/24
passwd=#########
right=#.#.#.#
rightsubnet=192.168.#.0/24
status=enabled
-- Extra testing/dev notes
Fix the errors that "ipsec verify" reports for rp_filter.
Make a .sh file (here saved as /root/brute), paste the following and run it
- it's brute force but works. Note that writes to /proc do not survive a
reboot, so the script has to be run again after rebooting.
#!/bin/sh
# Disable ICMP redirects and reverse-path filtering on every IPv4 interface;
# these are the NETKEY/XFRM proc values that "ipsec verify" checks.
for each in /proc/sys/net/ipv4/conf/*; do
    echo 0 > "$each/accept_redirects"
    echo 0 > "$each/send_redirects"
    echo 0 > "$each/rp_filter"
done
[root@sme90x64 ~]# /root/brute
[root@sme90x64 ~]# service ipsec restart
Restart only if ipsec is already running, then re-run the check:
[root@sme91x64 ~]# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.15 (netkey) on 2.6.32-573.8.1.el6.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [PRESENT]
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
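Rather than rewriting every value blindly, it helps to first see which interfaces actually carry the wrong settings, and to re-check after a reboot since the /proc writes from the brute script are not persistent. The script below is an added example and is not part of these notes or of smeserver-libreswan: check_xfrm_proc is a name chosen here, and the directory it is given is assumed to have the /proc/sys/net/ipv4/conf/<iface>/<key> layout, so it can also be pointed at a copied tree for testing.

```shell
#!/bin/sh
# Added example (not from the smeserver-libreswan notes): report, instead of
# rewriting, the per-interface proc values that "ipsec verify" checks.
# Usage: sh check-xfrm.sh /proc/sys/net/ipv4/conf
#   prints "<iface> <key> <value>" for every value that is not 0;
#   exit 0 when everything is 0, 1 when something is set, 2 on a bad path.

check_xfrm_proc() {
    conf_dir="${1:-/proc/sys/net/ipv4/conf}"
    bad=0
    if [ ! -d "$conf_dir" ]; then
        echo "no such directory: $conf_dir" >&2
        return 2
    fi
    # one subdirectory per interface (plus "all" and "default")
    for iface_dir in "$conf_dir"/*; do
        [ -d "$iface_dir" ] || continue
        iface=$(basename "$iface_dir")
        # the three keys "ipsec verify" complains about under NETKEY
        for key in accept_redirects send_redirects rp_filter; do
            file="$iface_dir/$key"
            [ -r "$file" ] || continue
            value=$(cat "$file")
            if [ "$value" != "0" ]; then
                echo "$iface $key $value"
                bad=1
            fi
        done
    done
    return "$bad"
}

# Run the check only when a directory argument is given, so the file can
# also be sourced for its function.
if [ "$#" -gt 0 ]; then
    check_xfrm_proc "$1"
fi
```

A non-zero exit plus the printed lines tells you exactly which interface still needs the brute script (or a persistent sysctl setting) before "ipsec verify" will pass.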
# ipsec whack --status
---snip----
000
000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #2: "xyz":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28047s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "xyz" esp.7458fbb3@#.#.#.# esp.4e5997f@#.#.#.# tun.0@#.#.#.# tun.0@#.#.#.# ref=0 refhim=4294901761 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000 #1: "xyz":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2606s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
000 Bare Shunt list:
000
----snip----
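The whack output above is what you read by eye to confirm the tunnel is up: a STATE_QUICK line saying "IPsec SA established" for the profile, and the "Total IPsec connections" summary showing it active. To script that check (for a cron job or a monitoring probe), the functions below are an added example and not part of these notes or of Libreswan: tunnel_state and active_connections are names chosen here; they read the output of "ipsec whack --status" on stdin and key on the same phrases that appear in the status lines above.

```shell
#!/bin/sh
# Added example (not from the smeserver-libreswan notes): classify a named
# connection from "ipsec whack --status" output read on stdin.
# Usage: ipsec whack --status | sh tunnel-up.sh xyz
#   prints "established" (exit 0), "ike-only" or "loaded-no-sa" (exit 1),
#   or "absent" (exit 2).

# Print the "active" count from the "Total IPsec connections" summary line.
active_connections() {
    sed -n 's/.*Total IPsec connections: loaded [0-9]*, active \([0-9]*\).*/\1/p'
}

# Classify connection $1 from the status lines that carry its quoted name.
tunnel_state() {
    conn="$1"
    status=$(cat)
    # every line about this connection contains its name in double quotes
    conn_lines=$(printf '%s\n' "$status" | grep -F "\"$conn\"" || true)
    if [ -z "$conn_lines" ]; then
        echo "absent"
        return 2
    fi
    # phase 2 done: a STATE_QUICK_* line reporting an IPsec SA
    if printf '%s\n' "$conn_lines" | grep -q "IPsec SA established"; then
        echo "established"
        return 0
    fi
    # only phase 1 (ISAKMP) done: peer reachable, but no tunnel yet
    if printf '%s\n' "$conn_lines" | grep -q "ISAKMP SA established"; then
        echo "ike-only"
        return 1
    fi
    # conn definition lines present, but no SA state at all
    echo "loaded-no-sa"
    return 1
}

# Run the check only when a connection name is given, so the file can also
# be sourced for its functions.
if [ "$#" -gt 0 ]; then
    tunnel_state "$1"
fi
```

The exit code is what a monitoring wrapper should act on: "ike-only" means the peer answered the IKE exchange but the IPsec SA never came up (typically a subnet or secret mismatch), which is worth alerting on separately from a completely dead peer.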
# ping <LAN IP of the remote system, e.g. 192.168.1.1, or any other host on the connected LAN>
In server-manager add the remote network under additional local networks.
In server-manager make sure the Secure Shell Settings are set to:
  Local network access only
  Allow administrative command line access over secure shell: Yes
  Allow secure shell access using standard passwords: Yes
  TCP Port for secure shell access: leave default or choose a different port number, e.g. 2222
Ongoing admin usage
# service ipsec stop
# service ipsec restart
# signal-event ipsec-update
# config setprop ipsec status disabled