Feature #3194
IPsec tunnels (net2net) web interface
| Field | Value |
|---|---|
| Status | CLOSED |
| Priority | Normal |
| Assignee | - |
| Category | nethserver-ipsec |
| Target version | v6.6 |
| Start date | |
| Due date | |
| % Done | 100% |
| Resolution | |
| NEEDINFO | No |
Description
Create a new page inside the Server Manager to configure IPsec net2net tunnels.
The implementation should:
- simplify creation of IPsec tunnels between two NethServer installations
- allow advanced configuration customization to maximize interoperability
- display tunnel status in a dedicated page
Related issues
Associated revisions
IPsec tunnels: first implementation. Refs #3194
IPsec tunnels: first implementation. Refs #3194
IPsec tunnels: fire nethserver-ipsec-save event. Refs #3194
Add ServerStatus prop. Refs #3194
The status prop must be always enabled for tunnels.
Copy xl2tpd{status} to ipsec{ServerStatus},
remove ipsec{access} and ipsec{UDPPorts} props.
IPsec tunnels: auto-complete ids. Refs #3194
Web UI: add ipsec tunnels status page. Refs #3194
Web UI: hide disabled tunnels from status page. Refs #3194
createlinks: fix wrong template name. Refs #3194
Translations: add missing resources. Refs #3194
Inline help: remove Italian, add include directive. Refs #3194
Add inline help (en). Refs #3194
Add inline help (en). Refs #3194
Inline help: update English. Refs #3194
Inline help: add English language. Refs #3194
History
#1 Updated by Giacomo Sanchietti about 6 years ago
- Status changed from NEW to TRIAGED
- Target version set to v6.6
- % Done changed from 0 to 20
#2 Updated by Giacomo Sanchietti about 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#3 Updated by Giacomo Sanchietti about 6 years ago
- Related to Bug #2857: VPN: left subnet equals to right subnet in IPsec configuration added
#4 Updated by Giacomo Sanchietti about 6 years ago
- Description updated (diff)
#5 Updated by Giacomo Sanchietti about 6 years ago
- Description updated (diff)
#6 Updated by Giacomo Sanchietti about 6 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
The implementation can support custom properties to override the configuration from the web interface.
Every property in the form Custom_<name> will override any existing prop. The same syntax can also be used to set any IPsec option supported by OpenSwan.
Example: override left prop

Given the following record:

```
nethesis-test=ipsec-tunnel compress=no dpdaction=hold esp=auto ike=auto left=192.168.2.246 leftid=@nethesis leftsubnets=192.168.1.0/24 pfs=yes psk=Nethesis,12345678911 right=1.2.3.4.5 rightid=@test rightsubnets=192.168.6.0/24 status=enabled
```

The admin can override the left property:

```
db vpn setprop nethesis-test Custom_left %any
signal-event nethserver-ipsec-save
```

Example: set new option

Set aggressive mode:

```
db vpn setprop nethesis-test Custom_aggrmode yes
signal-event nethserver-ipsec-save
```
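The override rule described in this comment, modelled as an added example (this is not nethserver-ipsec's own template code): a `db vpn` record is parsed, `Custom_<name>` props replace or add the option they name, and the resulting conn section is rendered. Which props stay internal (`status`, `psk`) and the ipsec.conf rendering are assumptions made for illustration; the record is the one from the comment with a placeholder PSK.

```python
# Added example, not nethserver-ipsec's template code: models the Custom_<name>
# override rule. Which props never reach ipsec.conf is an assumption.
import re

# Record from the comment above in `db vpn` flat format (key=type, then prop=value),
# with the PSK replaced by a placeholder.
RECORD = ("nethesis-test=ipsec-tunnel compress=no dpdaction=hold esp=auto ike=auto "
          "left=192.168.2.246 leftid=@nethesis leftsubnets=192.168.1.0/24 pfs=yes "
          "psk=PLACEHOLDER_PSK right=1.2.3.4.5 rightid=@test "
          "rightsubnets=192.168.6.0/24 status=enabled")

INTERNAL = {"status", "psk"}   # assumed: bookkeeping / secrets, not conn options
CUSTOM_RE = re.compile(r"^Custom_([A-Za-z0-9_-]+)$")

def parse_record(line):
    """Split 'key=type prop=value ...' into (key, type, {prop: value})."""
    fields = line.split()
    key, rtype = fields[0].split("=", 1)
    return key, rtype, dict(f.split("=", 1) for f in fields[1:])

def setprop(props, name, value):
    """In-memory equivalent of `db vpn setprop <key> <name> <value>`."""
    props[name] = value
    return props

def effective_conn(props):
    """Custom_<name> replaces <name> if present and adds it otherwise.
    Custom_ values are copied verbatim: nothing validates them here."""
    conn = {k: v for k, v in props.items()
            if k not in INTERNAL and not CUSTOM_RE.match(k)}
    for k, v in props.items():
        m = CUSTOM_RE.match(k)
        if m:
            conn[m.group(1)] = v
    return conn

def render_conn(key, conn):
    """Render the conn section in ipsec.conf style, options sorted for stability."""
    return "\n".join([f"conn {key}"] + [f"    {k}={conn[k]}" for k in sorted(conn)])

if __name__ == "__main__":
    key, _, props = parse_record(RECORD)
    setprop(props, "Custom_left", "%any")       # first example: override left
    setprop(props, "Custom_aggrmode", "yes")    # second example: add a new option
    print(render_conn(key, effective_conn(props)))
```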
#7 Updated by Giacomo Sanchietti about 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-ipsec-1.0.3-1.7.g584aafa.ns6.noarch.rpm
- Create a tunnel on a public server
- Create the same tunnel on another server (you can swap local/remote parameters)
- Check the tunnel can connect both firewalls
#8 Updated by Davide Principi about 6 years ago
- Assignee set to Davide Principi
#9 Updated by Davide Principi about 6 years ago
- Assignee deleted (Davide Principi)
Partially verified:
pluto daemon logs the tunnel is up. Can't verify now if routes are set up correctly.
```
[root@vm5epa ~]# ping 192.168.102.78
Jun 17 16:43:19 vm5epa pluto[6381]: packet from 192.168.102.78:500: received Vendor ID payload [Openswan (this version) 2.6.32 ]
Jun 17 16:43:19 vm5epa pluto[6381]: packet from 192.168.102.78:500: received Vendor ID payload [Dead Peer Detection]
Jun 17 16:43:19 vm5epa pluto[6381]: packet from 192.168.102.78:500: received Vendor ID payload [RFC 3947] method set to=109
Jun 17 16:43:19 vm5epa pluto[6381]: packet from 192.168.102.78:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jun 17 16:43:19 vm5epa pluto[6381]: packet from 192.168.102.78:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jun 17 16:43:19 vm5epa pluto[6381]: packet from 192.168.102.78:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jun 17 16:43:19 vm5epa pluto[6381]: packet from 192.168.102.78:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #2: responding to Main Mode
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #2: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #2: STATE_MAIN_R2: sent MR2, expecting MI3
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.102.78'
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #2: the peer proposed: 192.168.103.0/24:0/0 -> 192.168.104.0/24:0/0
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #3: responding to Quick Mode proposal {msgid:5c84497a}
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #3: us: 192.168.103.0/24===192.168.101.44<192.168.101.44>[+S=C]
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #3: them: 192.168.102.78<192.168.102.78>[+S=C]===192.168.104.0/24
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x1ac11826 <0xb419c686 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: received Vendor ID payload [Openswan (this version) 2.6.32 ]
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: received Vendor ID payload [Dead Peer Detection]
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: received Vendor ID payload [RFC 3947] method set to=109
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: enabling possible NAT-traversal with method 4
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: I will NOT send an initial contact payload
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: Not sending INITIAL_CONTACT
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: received Vendor ID payload [CAN-IKEv2]
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.102.78'
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:996daa4c proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x3ff6e082 <0x87d67579 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
```
#10 Updated by Giacomo Sanchietti about 6 years ago
- nethserver-vpn-1.1.5-1.2.g6ed30b7.ns6.noarch.rpm
- nethserver-ipsec-1.0.3-1.15.g78881cd.ns6.noarch.rpm
- nethserver-openvpn-1.2.2-1.1.ga698f02.ns6.noarch.rpm
Also make sure to have the latest release of language pack (nethserver-lang-1.0.9).
#11 Updated by Davide Marini about 6 years ago
All tests done, everything works as expected:
```
Jul 15 16:41:50 hs pluto[11502]: initiating all conns with alias='a2b_ipsec-tunnel'
Jul 15 16:41:50 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: initiating Main Mode
Jul 15 16:41:50 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: received Vendor ID payload [Openswan (this version) 2.6.32 ]
Jul 15 16:41:50 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: received Vendor ID payload [Dead Peer Detection]
Jul 15 16:41:50 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: received Vendor ID payload [RFC 3947] method set to=109
Jul 15 16:41:50 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: enabling possible NAT-traversal with method 4
Jul 15 16:41:50 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 15 16:41:50 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: I will NOT send an initial contact payload
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: Not sending INITIAL_CONTACT
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: received Vendor ID payload [CAN-IKEv2]
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: Main mode peer ID is ID_IPV4_ADDR: '2.229.91.58'
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:028519e0 proposal=defaults pfsgroup=no-pfs}
Jul 15 16:41:58 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: the peer proposed: 192.168.5.0/24:0/0 -> 192.168.6.0/24:0/0
Jul 15 16:41:58 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #3: responding to Quick Mode proposal {msgid:21cf926f}
Jul 15 16:41:58 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #3: us: 192.168.5.0/24===93.57.48.70<93.57.48.70>[+S=C]
Jul 15 16:41:58 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #3: them: 2.229.91.58<2.229.91.58>[+S=C]===192.168.6.0/24
Jul 15 16:41:58 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 15 16:41:58 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jul 15 16:41:58 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 15 16:41:58 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0ae432a5 <0xbd57691d xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
```
ping between remote hosts works flawlessly
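The pluto lines quoted in comments #9 and #11 carry everything needed to confirm the state the test plan asks for ("check the tunnel can connect both firewalls"). The following is an added example, not part of the ticket or of nethserver-ipsec: it parses such lines, reports IKE and IPsec SA state and the negotiated subnets per connection, and flags the points a reviewer would look at (IKE up without IPsec, no PFS as in comment #11, identical subnets as in Bug #2857). The sample lines are copied from comment #11.

```python
# Added example, not part of the ticket or of nethserver-ipsec: summarises the
# tunnel state from Openswan pluto log lines like those in comments #9 and #11.
import re

# Sample lines copied from comment #11 (the initiator side of the test tunnel).
SAMPLE_LOG = """\
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:028519e0 proposal=defaults pfsgroup=no-pfs}
Jul 15 16:41:58 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #3: us: 192.168.5.0/24===93.57.48.70<93.57.48.70>[+S=C]
Jul 15 16:41:58 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #3: them: 2.229.91.58<2.229.91.58>[+S=C]===192.168.6.0/24
Jul 15 16:41:58 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0ae432a5 <0xbd57691d xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"""

# pluto prefixes connection messages with the conn name and a state (SA) number
CONN_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #\d+: (?P<msg>.*)$')

def tunnel_status(log_text):
    """Per connection: IKE and IPsec SA state, PFS use and negotiated subnets."""
    conns = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        st = conns.setdefault(m["conn"], {"ike_up": False, "ipsec_up": False,
                                          "pfs": None, "us": None, "them": None})
        msg = m["msg"]
        if "ISAKMP SA established" in msg:          # phase 1 (Main Mode) done
            st["ike_up"] = True
        elif "IPsec SA established" in msg:         # phase 2 (Quick Mode) done
            st["ipsec_up"] = True
        elif "initiating Quick Mode" in msg:        # only logged on the initiator
            st["pfs"] = "+PFS+" in msg
        elif msg.startswith("us: "):                # local_subnet===local_ip<...>
            st["us"] = msg[4:].split("===")[0]
        elif msg.startswith("them: "):              # remote_ip<...>===remote_subnet
            st["them"] = msg[6:].split("===")[-1]
    return conns

def findings(conns):
    """What a reviewer of a test log would flag; an empty list means nothing to note."""
    out = []
    for name, st in conns.items():
        if st["ike_up"] and not st["ipsec_up"]:
            out.append(f"{name}: IKE SA up but no IPsec SA, check subnets and proposals")
        if st["ipsec_up"] and st["pfs"] is False:
            out.append(f"{name}: IPsec SA negotiated without PFS")
        if st["ipsec_up"] and st["us"] and st["us"] == st["them"]:
            out.append(f"{name}: local and remote subnets are identical (see Bug #2857)")
    return out
```

Run against the full log of comment #9 the same code reports PFS in use, since that initiator logged `PSK+ENCRYPT+TUNNEL+PFS+UP`.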
#12 Updated by Filippo Carletti about 6 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
The inline help is present, the Italian lang pack adds correct translations.
#13 Updated by Giacomo Sanchietti about 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
- nethserver-vpn-1.1.6-1.ns6.noarch.rpm
- nethserver-openvpn-1.2.3-1.ns6.noarch.rpm
- nethserver-ipsec-1.1.0-1.ns6.noarch.rpm
Admin manual: http://docs.nethserver.org/en/latest/vpn.html
#14 Updated by Filippo Carletti over 5 years ago
- Duplicates Feature #2858: IPsec site-to-site support added