I had a terrible fight getting my Linux box to connect and talk to my Draytek routers using an IPsec VPN.
There was little information about it, and nothing concrete.
So I am recording here how I did it.
I wanted to use IPsec VPN tunnels in my routers as it is built in, and I had a number of VPN tunnels between routers that were already running with this method.
I was running CentOS 5 with my favourite distro, contribs.org, on a VPS server and wanted to create an IPsec VPN tunnel to the Draytek.
I tried various different implementations of IPsec, but at the end of the day I used Openswan.
My ipsec.conf looked like this:
# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # This is enabled currently
    klipsdebug=all
    plutodebug="control parsing"
    interfaces=%defaultroute
    oe=no
    protostack=netkey
    syslog=syslog.debug
    # These are the two local nets I am tunnelling
    virtual_private=%v4:10.1.0.0/24,%v4:192.168.88.0/24

conn net-to-net
    type=tunnel
    authby=secret
    auto=start
    ikelifetime=28800s
    keylife=3600s
    left=%defaultroute
    # This is the VPS server
    leftsourceip=192.168.88.1
    leftsubnet=192.168.88.0/24
    pfs=yes
    # dpdaction only chooses what to do once the peer is declared dead;
    # Openswan sends DPD probes only when dpddelay (and dpdtimeout) are also set
    dpdaction=restart
    # This is the Draytek forward-facing IP address
    right=123.128.243.69
    rightsubnet=10.1.0.0/24
Put your pre-shared key (PSK) in ipsec.secrets:
# /etc/ipsec.secrets - strongSwan IPsec secrets file
# The IP is the forward-facing IP of the VPS
5.99.23.43 %any : PSK "SomeStrongPassword#"
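To make the two files above easier to check before bringing the tunnel up, here is a small parser and sanity checker for the Openswan-style ipsec.conf and ipsec.secrets formats. This is an added example written for this post, not Openswan's own code; the embedded IPSEC_CONF and IPSEC_SECRETS strings are constructed copies of the post's net-to-net configuration (same addresses and the post's placeholder PSK), and the 20-character PSK threshold is a local policy choice, not an Openswan rule.

```python
"""Parse and sanity-check an Openswan-style ipsec.conf and ipsec.secrets.

Added example for this post, not Openswan's own code. IPSEC_CONF and
IPSEC_SECRETS are constructed copies of the post's net-to-net configuration.
"""
import ipaddress
import re

IPSEC_CONF = """\
config setup
    interfaces=%defaultroute
    oe=no
    protostack=netkey
    virtual_private=%v4:10.1.0.0/24,%v4:192.168.88.0/24

conn net-to-net
    type=tunnel
    authby=secret
    auto=start
    ikelifetime=28800s
    keylife=3600s
    left=%defaultroute
    leftsourceip=192.168.88.1
    leftsubnet=192.168.88.0/24
    pfs=yes
    dpdaction=restart
    right=123.128.243.69
    rightsubnet=10.1.0.0/24
"""

# Constructed copy of the post's secrets line (the PSK is the post's placeholder).
IPSEC_SECRETS = '5.99.23.43 %any : PSK "SomeStrongPassword#"\n'

MIN_PSK_CHARS = 20  # local policy assumption, not an Openswan requirement


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is stored under 'setup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            # Section header, e.g. 'config setup' or 'conn net-to-net'.
            _kind, _, name = raw.strip().partition(" ")
            current = name.strip()
            sections[current] = {}
        elif current is not None:
            key, _, val = raw.strip().partition("=")
            sections[current][key.strip()] = val.strip().strip('"')
    return sections


def parse_ipsec_secrets(text):
    """Return [(selectors, psk)] for lines like '1.2.3.4 %any : PSK "secret"'."""
    entries = []
    for line in text.splitlines():
        m = re.match(r'\s*([^#:]*?)\s*:\s*PSK\s+"([^"]*)"', line)
        if m:
            entries.append((m.group(1).split(), m.group(2)))
    return entries


def lint(sections, secrets):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for name, conn in sections.items():
        if name == "setup":
            continue
        for key in ("left", "right", "leftsubnet", "rightsubnet", "authby"):
            if key not in conn:
                findings.append(f"{name}: missing {key}")
        # Overlapping subnets cannot be routed through a tunnel cleanly.
        try:
            lnet = ipaddress.ip_network(conn["leftsubnet"])
            rnet = ipaddress.ip_network(conn["rightsubnet"])
            if lnet.overlaps(rnet):
                findings.append(f"{name}: leftsubnet and rightsubnet overlap")
        except (KeyError, ValueError):
            pass
        # dpdaction only chooses what to do once a peer is declared dead; Openswan
        # sends no DPD probes unless dpddelay and dpdtimeout are configured too.
        if "dpdaction" in conn and not ("dpddelay" in conn and "dpdtimeout" in conn):
            findings.append(f"{name}: dpdaction without dpddelay/dpdtimeout, DPD is inactive")
        if conn.get("authby") == "secret":
            peer = conn.get("right")
            # A secrets line applies when its selectors name the peer IP or %any.
            matching = [psk for sel, psk in secrets if "%any" in sel or peer in sel]
            if not matching:
                findings.append(f"{name}: no PSK entry in ipsec.secrets matches right={peer}")
            for psk in matching:
                # With authby=secret the PSK is the whole of the authentication.
                if len(psk) < MIN_PSK_CHARS:
                    findings.append(f"{name}: PSK is only {len(psk)} characters")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_ipsec_conf(IPSEC_CONF), parse_ipsec_secrets(IPSEC_SECRETS)):
        print(finding)
```

Run against the post's own configuration it reports two things: the dpdaction line has no dpddelay/dpdtimeout beside it, and the placeholder PSK is short. Swap in your real files (read them with open() instead of the embedded strings) and an empty result means the structural basics are in place before you start debugging with plutodebug.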
I was advised to set the advanced IPsec configuration of the Draytek as follows:
"use aes256,sha1,group14 and you also enable pfs in the advanced setting"
Last, you need to set up your iptables correctly. My server is set in what is known as 'Server and Gateway' mode. It is meant to have two network cards, one for the outside world and the other for the internal/local network, and it routes across as required. Masquerading is enabled.
I *believe* you need the following. I am no iptables guru. I think you need port 500 for IPsec.
# IKE: UDP port 500 on the outside interface
/sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT
# ESP is IP protocol 50: mark it on arrival, then accept the marked packets.
# The mark stays on the packet after decapsulation, which is why the FORWARD rule sees it.
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT
# Nothing in this list sets mark 2, so these two rules only matter if some other rule does.
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT
# Not sure if this should go here but it works.
# -I puts it at the top of POSTROUTING, so tunnel-bound traffic is exempted before the masquerade rule can rewrite it.
/sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
The last line was the final piece of the jigsaw: without it I could ping from the Draytek end to the server, but not from the server to the Draytek.
Fire up the last line and it all worked.
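The ordering of that last rule is the part that is easy to get wrong, so here is an added example (not part of the original post, and not netfilter or Openswan code) that reads an iptables-save dump and checks for the pieces the rules above provide: IKE on UDP/500 reaching INPUT, ESP (protocol 50) accepted either directly or via the mark trick, the plaintext tunnel traffic allowed through FORWARD, and the IPsec NAT exemption sitting before any MASQUERADE or SNAT rule. The RULESET string is a constructed dump mirroring the post's rules, with eth0 standing in for $OUTERIF and an assumed MASQUERADE rule for the gateway's NAT.

```python
"""Check an iptables-save dump for the rules an IPsec gateway needs.

Added example for this post; not part of the original and not netfilter or
Openswan code. RULESET is a constructed dump mirroring the post's rules, with
eth0 standing in for $OUTERIF and an assumed MASQUERADE rule for the NAT.
"""
import re

RULESET = """\
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p esp -j MARK --set-xmark 0x1/0xffffffff
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -i eth0 -m mark --mark 0x1 -j ACCEPT
-A FORWARD -i eth0 -m mark --mark 0x1 -j ACCEPT
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: [append-rule lines in order]} from iptables-save output."""
    tables, current = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            current = line[1:].strip()
            tables[current] = []
        elif line.startswith("-A ") and current is not None:
            tables[current].append(line)
    return tables


def _find(rules, *patterns):
    """Index of the first rule matching every regex in patterns, else None."""
    for i, rule in enumerate(rules):
        if all(re.search(p, rule) for p in patterns):
            return i
    return None


def check_ipsec_rules(tables):
    """Return {check: bool} for IKE, ESP, forwarding and the NAT exemption."""
    filt = tables.get("filter", [])
    mangle = tables.get("mangle", [])
    nat = tables.get("nat", [])

    # IKE negotiates over UDP/500 and must reach the INPUT chain.
    ike = _find(filt, r"^-A INPUT ", r"-p udp", r"--dport 500\b", r"-j ACCEPT") is not None

    # ESP is IP protocol 50 (iptables-save prints it as 'esp'). Accept it directly,
    # or, the post's way, mark it in mangle/PREROUTING and accept the mark.
    mark = _find(mangle, r"^-A PREROUTING ", r"-p (esp|50)\b", r"-j MARK --set-xmark 0x1/")
    mark_in = _find(filt, r"^-A INPUT ", r"-m mark --mark 0x1\b", r"-j ACCEPT")
    mark_fwd = _find(filt, r"^-A FORWARD ", r"-m mark --mark 0x1\b", r"-j ACCEPT")
    esp = (_find(filt, r"^-A INPUT ", r"-p (esp|50)\b", r"-j ACCEPT") is not None
           or (mark is not None and mark_in is not None))

    # Decapsulated traffic for the far subnet must pass FORWARD: via the mark
    # (it stays on the packet after decapsulation) or an explicit policy match.
    policy_fwd = _find(filt, r"^-A FORWARD ", r"-m policy --dir in --pol ipsec", r"-j ACCEPT")
    forward = (mark is not None and mark_fwd is not None) or policy_fwd is not None

    # Masquerading would rewrite the source of packets headed into the tunnel so
    # they no longer match the leftsubnet selector. The exemption must therefore
    # be hit before any MASQUERADE/SNAT rule, which is why the post inserts it with -I.
    exempt = _find(nat, r"^-A POSTROUTING ", r"-m policy --dir out --pol ipsec", r"-j ACCEPT")
    snat = _find(nat, r"^-A POSTROUTING ", r"-j (MASQUERADE|SNAT)\b")
    nat_ok = exempt is not None and (snat is None or exempt < snat)

    return {"ike_udp500": ike, "esp_input": esp,
            "tunnel_forward": forward, "nat_exemption": nat_ok}


if __name__ == "__main__":
    for check, ok in check_ipsec_rules(parse_iptables_save(RULESET)).items():
        print(f"{check}: {'ok' if ok else 'MISSING'}")
```

On a live box feed it `iptables-save` output instead of the embedded string. If the exemption is appended with -A after an existing MASQUERADE rule, nat_exemption comes back False, which is exactly the one-way-ping symptom described above. One caveat the post does not need but others will: if either end sits behind NAT, IKE also uses UDP/4500 (NAT-T), which these rules do not open.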
Thanks to the people on the OpenSwan list for help and guidance and I hope this helps someone.