Feature #3194

IPsec tunnels (net2net) web interface

Added by Giacomo Sanchietti about 6 years ago. Updated about 6 years ago.

Status: CLOSED
Priority: Normal
Assignee: -
Start date:
Due date:
% Done: 100%

Category:nethserver-ipsec
Target version:v6.6
Resolution:
NEEDINFO: No

Description

Create a new page inside the Server Manager to configure IPsec net2net tunnels.

The implementation should:
  • simplify creation of IPsec tunnels between two NethServer installations
  • allow advanced configuration customization to maximize interoperability
  • display tunnel status in a dedicated page

Related issues

Related to NethServer 6 - Bug #2857: VPN: left subnet equals to right subnet in IPsec configur... CLOSED
Duplicates NethServer 6 - Feature #2858: IPsec site-to-site support CLOSED

Associated revisions

Revision 998d682c
Added by Giacomo Sanchietti about 6 years ago

IPsec tunnels: first implementation. Refs #3194

Revision 90b910a2
Added by Giacomo Sanchietti about 6 years ago

IPsec tunnels: first implementation. Refs #3194

Revision 185f0761
Added by Giacomo Sanchietti about 6 years ago

IPsec tunnels: fire nethserver-ipsec-save event. Refs #3194

Revision d6b69059
Added by Giacomo Sanchietti about 6 years ago

Add ServerStatus prop. Refs #3194

The status prop must be always enabled for tunnels.
Copy xl2tpd{status} to ipsec{ServerStatus},
remove ipsec{access} and ipsec{UDPPorts} props.

Revision 76dca1e2
Added by Giacomo Sanchietti about 6 years ago

IPsec tunnels: auto-complete ids. Refs #3194

Revision ff965cd0
Added by Giacomo Sanchietti about 6 years ago

Web UI: add ipsec tunnels status page. Refs #3194

Revision 584aafad
Added by Giacomo Sanchietti about 6 years ago

Web UI: hide disabled tunnels from status page. Refs #3194

Revision 85c54f1e
Added by Giacomo Sanchietti about 6 years ago

createlinks: fix wrong template name. Refs #3194

Revision 992c671c
Added by Giacomo Sanchietti about 6 years ago

Translations: add missing resources. Refs #3194

Revision f0f230e6
Added by Giacomo Sanchietti about 6 years ago

Inline help: remove Italian, add include directive. Refs #3194

Revision 02dc5466
Added by Giacomo Sanchietti about 6 years ago

Add inline help (en). Refs #3194

Revision 01de0ca2
Added by Giacomo Sanchietti about 6 years ago

Add inline help (en). Refs #3194

Revision 6ed30b7c
Added by Giacomo Sanchietti about 6 years ago

Inline help: update English. Refs #3194

Revision a698f029
Added by Giacomo Sanchietti about 6 years ago

Inline help: add English language. Refs #3194

History

#1 Updated by Giacomo Sanchietti about 6 years ago

  • Status changed from NEW to TRIAGED
  • Target version set to v6.6
  • % Done changed from 0 to 20

#2 Updated by Giacomo Sanchietti about 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#3 Updated by Giacomo Sanchietti about 6 years ago

  • Related to Bug #2857: VPN: left subnet equals to right subnet in IPsec configuration added

#4 Updated by Giacomo Sanchietti about 6 years ago

  • Description updated (diff)

#5 Updated by Giacomo Sanchietti about 6 years ago

  • Description updated (diff)

#6 Updated by Giacomo Sanchietti about 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

The implementation can support custom properties to override the configuration from web interface.

Every property in the form Custom_<name> will override any existing prop. The same syntax can also be used to set any IPsec options supported by OpenSwan.

Example: override left prop

Given the following record:

nethesis-test=ipsec-tunnel
    compress=no
    dpdaction=hold
    esp=auto
    ike=auto
    left=192.168.2.246
    leftid=@nethesis
    leftsubnets=192.168.1.0/24
    pfs=yes
    psk=Nethesis,12345678911
    right=1.2.3.4.5
    rightid=@test
    rightsubnets=192.168.6.0/24
    status=enabled

The admin can override the left property:

db vpn setprop nethesis-test Custom_left %any
signal-event nethserver-ipsec-save

Example: set new option

Set aggressive mode:

db vpn setprop nethesis-test Custom_aggrmode yes
signal-event nethserver-ipsec-save
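The override rule described in comment #6 (a Custom_<name> prop replaces the plain <name> option, or adds it when no such option exists) is easy to get subtly wrong when a template merges the record into ipsec.conf. The following is an added illustration of that merge, written for this page and not the nethserver-ipsec template (which is Perl); the function names, the conn layout, the handling of status as auto=, and the sample record values (including the placeholder PSK and the 203.0.113.4 peer address) are assumptions made here.

```python
"""Illustration of the Custom_<name> override semantics for an ipsec-tunnel record.

Added example for this page; not the nethserver-ipsec template code.
"""

CUSTOM_PREFIX = "Custom_"

# Props that are NethServer bookkeeping rather than Openswan conn options.
# Assumption: the PSK belongs in ipsec.secrets, status drives auto=.
NON_CONN_PROPS = {"status", "psk"}

# Constructed sample record, modelled on the nethesis-test record shown in
# comment #6 (peer address and PSK are placeholders, not the page's values).
SAMPLE_RECORD = {
    "compress": "no",
    "dpdaction": "hold",
    "esp": "auto",
    "ike": "auto",
    "left": "192.168.2.246",
    "leftid": "@nethesis",
    "leftsubnets": "192.168.1.0/24",
    "pfs": "yes",
    "psk": "PLACEHOLDER-PSK",
    "right": "203.0.113.4",
    "rightid": "@test",
    "rightsubnets": "192.168.6.0/24",
    "status": "enabled",
}


def apply_custom_overrides(props):
    """Return a new dict where every Custom_<name> prop has replaced (or added)
    the plain <name> option, and no Custom_ keys remain."""
    merged = {k: v for k, v in props.items() if not k.startswith(CUSTOM_PREFIX)}
    for key, value in props.items():
        if key.startswith(CUSTOM_PREFIX):
            merged[key[len(CUSTOM_PREFIX):]] = value
    return merged


def classify_overrides(props):
    """Split Custom_ props into names that replace an existing option and names
    that introduce a new Openswan option; useful when auditing a record."""
    replaced, added = set(), set()
    for key in props:
        if key.startswith(CUSTOM_PREFIX):
            name = key[len(CUSTOM_PREFIX):]
            (replaced if name in props else added).add(name)
    return replaced, added


def render_conn(name, props):
    """Render a simplified ipsec.conf conn section from the merged props.
    Subnet lists are wrapped in braces as Openswan's leftsubnets/rightsubnets
    expect; the exact layout is an assumption of this example."""
    merged = apply_custom_overrides(props)
    lines = [f"conn {name}"]
    for key in sorted(merged):
        if key in NON_CONN_PROPS:
            continue
        value = merged[key]
        if key in ("leftsubnets", "rightsubnets"):
            value = "{" + value + "}"
        lines.append(f"    {key}={value}")
    # Assumption: an enabled record becomes auto=start, anything else auto=ignore.
    lines.append("    auto=" + ("start" if merged.get("status") == "enabled" else "ignore"))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Same two overrides as the db setprop commands in comment #6.
    record = dict(SAMPLE_RECORD, Custom_left="%any", Custom_aggrmode="yes")
    replaced, added = classify_overrides(record)
    print(f"replaced: {sorted(replaced)}  added: {sorted(added)}")
    print(render_conn("nethesis-test", record))
```

Running the block prints the conn section with left=%any and a new aggrmode=yes line, and classify_overrides reports which of the two Custom_ props changed an existing option, which is the kind of summary worth surfacing before a save event regenerates the configuration.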

#7 Updated by Giacomo Sanchietti about 6 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
Package in nethserver-testing:
  • nethserver-ipsec-1.0.3-1.7.g584aafa.ns6.noarch.rpm
Test case
  • Create a tunnel on a public server
  • Create the same tunnel on another server (you can swap local/remote parameters)
  • Check the tunnel can connect both firewalls

#8 Updated by Davide Principi about 6 years ago

  • Assignee set to Davide Principi

#9 Updated by Davide Principi about 6 years ago

  • Assignee deleted (Davide Principi)

Partially verified:

The pluto daemon logs that the tunnel is up. Can't verify now if routes are set up correctly.

[root@vm5epa ~]# ping 192.168.102.78

Jun 17 16:43:19 vm5epa pluto[6381]: packet from 192.168.102.78:500: received Vendor ID payload [Openswan (this version) 2.6.32 ]
Jun 17 16:43:19 vm5epa pluto[6381]: packet from 192.168.102.78:500: received Vendor ID payload [Dead Peer Detection]
Jun 17 16:43:19 vm5epa pluto[6381]: packet from 192.168.102.78:500: received Vendor ID payload [RFC 3947] method set to=109 
Jun 17 16:43:19 vm5epa pluto[6381]: packet from 192.168.102.78:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jun 17 16:43:19 vm5epa pluto[6381]: packet from 192.168.102.78:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jun 17 16:43:19 vm5epa pluto[6381]: packet from 192.168.102.78:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jun 17 16:43:19 vm5epa pluto[6381]: packet from 192.168.102.78:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #2: responding to Main Mode
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #2: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #2: STATE_MAIN_R2: sent MR2, expecting MI3
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.102.78'
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #2: the peer proposed: 192.168.103.0/24:0/0 -> 192.168.104.0/24:0/0
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #3: responding to Quick Mode proposal {msgid:5c84497a}
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #3:     us: 192.168.103.0/24===192.168.101.44<192.168.101.44>[+S=C]
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #3:   them: 192.168.102.78<192.168.102.78>[+S=C]===192.168.104.0/24
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 17 16:43:19 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x1ac11826 <0xb419c686 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: received Vendor ID payload [Openswan (this version) 2.6.32 ]
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: received Vendor ID payload [Dead Peer Detection]
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: received Vendor ID payload [RFC 3947] method set to=109 
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: enabling possible NAT-traversal with method 4
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: I will NOT send an initial contact payload
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: Not sending INITIAL_CONTACT
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: received Vendor ID payload [CAN-IKEv2]
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.102.78'
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:996daa4c proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 17 16:43:21 vm5epa pluto[6381]: "a2b_ipsec-tunnel/1x1" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x3ff6e082 <0x87d67579 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}

#10 Updated by Giacomo Sanchietti about 6 years ago

Fixes for inline help. In nethserver-testing:
  • nethserver-vpn-1.1.5-1.2.g6ed30b7.ns6.noarch.rpm
  • nethserver-ipsec-1.0.3-1.15.g78881cd.ns6.noarch.rpm
  • nethserver-openvpn-1.2.2-1.1.ga698f02.ns6.noarch.rpm

Also make sure to have the latest release of language pack (nethserver-lang-1.0.9).

#11 Updated by Davide Marini about 6 years ago

All tests done, everything works as expected:

Jul 15 16:41:50 hs pluto[11502]: initiating all conns with alias='a2b_ipsec-tunnel'
Jul 15 16:41:50 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: initiating Main Mode
Jul 15 16:41:50 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: received Vendor ID payload [Openswan (this version) 2.6.32 ]
Jul 15 16:41:50 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: received Vendor ID payload [Dead Peer Detection]
Jul 15 16:41:50 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: received Vendor ID payload [RFC 3947] method set to=109
Jul 15 16:41:50 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: enabling possible NAT-traversal with method 4 
Jul 15 16:41:50 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2 
Jul 15 16:41:50 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: STATE_MAIN_I2: sent MI2, expecting MR2 
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: I will NOT send an initial contact payload
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: Not sending INITIAL_CONTACT
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3 
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: STATE_MAIN_I3: sent MI3, expecting MR3 
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: received Vendor ID payload [CAN-IKEv2]
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: Main mode peer ID is ID_IPV4_ADDR: '2.229.91.58' 
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4 
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:028519e0 proposal=defaults pfsgroup=no-pfs}
Jul 15 16:41:58 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: the peer proposed: 192.168.5.0/24:0/0 -> 192.168.6.0/24:0/0
Jul 15 16:41:58 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #3: responding to Quick Mode proposal {msgid:21cf926f}
Jul 15 16:41:58 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #3:     us: 192.168.5.0/24===93.57.48.70<93.57.48.70>[+S=C]
Jul 15 16:41:58 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #3:   them: 2.229.91.58<2.229.91.58>[+S=C]===192.168.6.0/24
Jul 15 16:41:58 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 15 16:41:58 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 
Jul 15 16:41:58 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 15 16:41:58 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0ae432a5 <0xbd57691d xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}

ping between remote hosts works flawlessly
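Both verification comments (#9 and #11) rely on reading pluto's log by eye to confirm the tunnel. The following is an added example, not part of the issue or of nethserver-ipsec, that parses the Openswan 2.6 pluto message formats visible in those two excerpts and reports, per connection, whether the ISAKMP and IPsec SAs were established, with which transforms and SPIs, which subnets the peer proposed, and whether Quick Mode ran without PFS (comment #11's log shows pfsgroup=no-pfs, comment #9's shows OAKLEY_GROUP_MODP2048). The log excerpt embedded below is constructed, modelled on comment #11 with documentation-range addresses; the regexes assume exactly the message layouts shown on this page.

```python
"""Summarize a pluto (Openswan 2.6) log to check a net2net tunnel really came up.

Added example for this page; regex patterns assume the message formats
seen in the log excerpts above.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on comment #11 (addresses replaced with
# documentation-range values; not the page's real hosts).
SAMPLE_LOG = """\
Jul 15 16:41:50 hs pluto[11502]: initiating all conns with alias='a2b_ipsec-tunnel'
Jul 15 16:41:50 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: initiating Main Mode
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: Main mode peer ID is ID_IPV4_ADDR: '203.0.113.58'
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jul 15 16:41:51 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:028519e0 proposal=defaults pfsgroup=no-pfs}
Jul 15 16:41:58 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #1: the peer proposed: 192.168.5.0/24:0/0 -> 192.168.6.0/24:0/0
Jul 15 16:41:58 hs pluto[11502]: "a2b_ipsec-tunnel/1x1" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0ae432a5 <0xbd57691d xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"""

LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
ISAKMP_RE = re.compile(r"ISAKMP SA established \{(?P<params>[^}]*)\}")
IPSEC_RE = re.compile(r"IPsec SA established (?P<mode>\w+) mode \{(?P<params>[^}]*)\}")
SPI_RE = re.compile(r"ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)")
QUICK_RE = re.compile(r"initiating Quick Mode (?P<flags>\S+) \{.*pfsgroup=(?P<pfs>\S+)\}")
PROPOSED_RE = re.compile(r"the peer proposed: (?P<local>\S+):0/0 -> (?P<remote>\S+):0/0")
PEER_ID_RE = re.compile(r"Main mode peer ID is (?P<type>\w+): '(?P<id>[^']*)'")


def parse_kv(params):
    """Turn 'k=v k2=v2 ...' into a dict, ignoring tokens without '='."""
    out = {}
    for item in params.split():
        if "=" in item:
            key, value = item.split("=", 1)
            out[key] = value
    return out


def summarize_tunnel(log_text):
    """Return {conn_name: summary} built from the per-connection pluto lines."""
    tunnels = defaultdict(lambda: {"isakmp": None, "ipsec": None, "pfsgroup": None,
                                   "proposed": None, "peer_id": None, "nat": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # "packet from ..." and alias lines carry no conn name
        t, msg = tunnels[m.group("conn")], m.group("msg")
        if ISAKMP_RE.search(msg):
            t["isakmp"] = parse_kv(ISAKMP_RE.search(msg).group("params"))
        elif IPSEC_RE.search(msg):
            mm = IPSEC_RE.search(msg)
            params = parse_kv(mm.group("params"))
            params["mode"] = mm.group("mode")
            spi = SPI_RE.search(mm.group("params"))
            if spi:
                params["spi_out"], params["spi_in"] = spi.groups()
            t["ipsec"] = params
        elif QUICK_RE.search(msg):
            t["pfsgroup"] = QUICK_RE.search(msg).group("pfs")
        elif PROPOSED_RE.search(msg):
            mm = PROPOSED_RE.search(msg)
            t["proposed"] = (mm.group("local"), mm.group("remote"))
        elif PEER_ID_RE.search(msg):
            t["peer_id"] = PEER_ID_RE.search(msg).group("id")
        elif "no NAT detected" in msg:
            t["nat"] = False
    return dict(tunnels)


def tunnel_checks(summary):
    """Findings a reviewer wants before declaring the test case passed."""
    findings = []
    for conn, t in summary.items():
        if t["isakmp"] is None:
            findings.append((conn, "no ISAKMP SA established"))
        if t["ipsec"] is None:
            findings.append((conn, "no IPsec SA established"))
        elif t["ipsec"].get("mode") != "tunnel":
            findings.append((conn, "IPsec SA is not in tunnel mode"))
        if t["pfsgroup"] == "no-pfs":
            findings.append((conn, "quick mode negotiated without PFS (pfsgroup=no-pfs)"))
    return findings


if __name__ == "__main__":
    summary = summarize_tunnel(SAMPLE_LOG)
    for conn, t in summary.items():
        print(conn, t)
    for conn, finding in tunnel_checks(summary):
        print(f"{conn}: {finding}")
```

Feed it the real log with something like `summarize_tunnel(open("/var/log/secure").read())` on the firewall; an established IPsec SA plus an empty findings list corresponds to the "tunnel is up" reading in the comments, while a no-pfs finding tells you the pfs prop of the record does not match what was negotiated and is worth checking on both ends.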

#12 Updated by Filippo Carletti about 6 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

The inline help is present, the Italian lang pack adds correct translations.

#13 Updated by Giacomo Sanchietti about 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100
Released in nethserver-updates:
  • nethserver-vpn-1.1.6-1.ns6.noarch.rpm
  • nethserver-openvpn-1.2.3-1.ns6.noarch.rpm
  • nethserver-ipsec-1.1.0-1.ns6.noarch.rpm

Admin manual: http://docs.nethserver.org/en/latest/vpn.html

#14 Updated by Filippo Carletti over 5 years ago