
OPENSWAN IPSEC WORK INSTRUCTIONS & BASIC TROUBLESHOOTING

Contents
1. Introduction
2. IPsec related commands cheat sheet
3. Open SWAN IPsec management
   Define new tunnel
   Delete the peer
   Delete the tunnel
4. Basic troubleshooting & switch to backup line
   If the connection is not established, verify:
   If the connection freezes
   Switch to backup line Cluj-IBC
   Switch to backup line Iasi

1. Introduction
The purpose of this work instruction is to provide guidelines for OpenSWAN IPsec configuration/management in. For a detailed description of the Endava IPsec configuration/topology please refer to. All the configuration steps apply to the peers unless specified otherwise.

2. IPsec related commands cheat sheet


Restart IPsec                                service ipsec restart
Add tunnel                                   ipsec auto --add Tunnel-Name
Delete tunnel                                ipsec auto --delete Tunnel-Name
Start tunnel                                 ipsec auto --up Tunnel-Name
Stop tunnel                                  ipsec auto --down Tunnel-Name
Reread all configuration                     ipsec auto --rereadall
IPsec start debug                            ipsec klipsdebug --set; ipsec plutodebug --set
Verify connectivity by ping                  mtr -a local_lan_ip remote_lan_ip
Verify connectivity by connecting to port    nc -s local_lan_ip remote_lan_ip remote_port
Restart all the tunnels for a peer           /etc/ipsec.d/connections/vpn-restart peer.conf

3. Open SWAN IPsec management


OpenSWAN IPsec configuration in Endava is organized as follows:
- /etc/ipsec.conf is the main file; it specifies the IPsec engine parameters and includes the files with the peer tunnel configuration details.
- /etc/ipsec.d/connections is the directory which contains the tunnel files, one per endpoint; these are included in /etc/ipsec.conf using the include directive.

Define new tunnel


If the Endava endpoint (peer) is already defined:
- Update the documentation: Endava VPN Status Matrix and IPsec Configuration Plan.
- Open /etc/ipsec.d/connections/peer.conf for editing, first on the local and then on the remote peer.
- Define the new tunnel:

    conn Connection-Name
        authby=secret
        leftrsasigkey=%none
        rightrsasigkey=%none
        left=local-ipsec-source-ip
        leftsubnet=local-subnet-to-be-permitted-over-ipsec
        right=remote-peer-ip
        rightsubnet=remote-subnet-to-be-permitted-over-ipsec
        auto=start

- Add the tunnel and start it on both ends:

    ipsec auto --add Connection-Name; ipsec auto --up Connection-Name

If the endpoint (peer) is not yet defined:
- Update the documentation: VPN Status Matrix and IPsec Configuration Plan.
- All of the steps below must be done on both peers.
- Add the pre-shared key for the peer to /etc/ipsec.secrets in the form below (make sure there is a free line at the bottom of the file):

    local-ipsec-source-ip remote-ipsec-peer-ip: PSK "Preshared-key-here"

- Create the file for the peer configuration, /etc/ipsec.d/connections/peer.conf, and add the tunnel config to it:

    conn Connection-Name
        authby=secret
        leftrsasigkey=%none
        rightrsasigkey=%none
        left=local-ipsec-source-ip
        leftsubnet=local-subnet-to-be-permitted-over-ipsec
        right=remote-peer-ip
        rightsubnet=remote-subnet-to-be-permitted-over-ipsec
        auto=start

- Include /etc/ipsec.d/connections/peer.conf in /etc/ipsec.conf by adding the line:

    include /etc/ipsec.d/connections/peer.conf

- Execute ipsec auto --rereadall in order to reread all the configuration (pre-shared key, ipsec.conf).
- Add the tunnel and start it on both ends:

    ipsec auto --add Connection-Name; ipsec auto --up Connection-Name

- Once the connection is established, make sure the corresponding route to the LAN network via the corresponding gateway is added on the IPsec server.
- Update the documentation: VPN Status Matrix and IPsec Configuration Plan.

If the client endpoint (peer) is already defined:
- Proceed as described above.

If the client endpoint (peer) is not defined yet:
- Send the to the client and agree with them on the connection parameters, then proceed as above.
- Some additional parameters may need to be defined for a tunnel, depending on the agreement with the client and their VPN product: esp=, ike=, ikelifetime=, keylife=, pfs=.
- After the tunnel is configured, place the IPsec VPN parameters form on the intranet.
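As an added example (not part of the work instruction, and not the vpn-restart script it mentions), the file edits of the "peer is not yet defined" procedure above done by a small Python helper: it renders the conn block, appends the PSK line to ipsec.secrets while guarding the "free line at the bottom of the file" requirement, adds the include line only once, and returns the ipsec commands the operator still has to run on that peer. Paths are taken under a root directory so the demo runs against a temporary tree; the peer name, addresses, subnets and key are constructed placeholders.

```python
import tempfile
from pathlib import Path


def render_conn(name, local_ip, local_subnet, remote_ip, remote_subnet):
    """conn block with exactly the settings the work instruction uses."""
    return (f"conn {name}\n    authby=secret\n    leftrsasigkey=%none\n"
            f"    rightrsasigkey=%none\n    left={local_ip}\n"
            f"    leftsubnet={local_subnet}\n    right={remote_ip}\n"
            f"    rightsubnet={remote_subnet}\n    auto=start")


def append_line(path, text):
    """Append text as its own line(s). If the file's last line has no newline,
    terminate it first, otherwise the new entry is glued onto the old one and
    Openswan reads a corrupt line (the 'free line at the bottom' rule)."""
    old = path.read_bytes() if path.exists() else b""
    glue = "\n" if old and not old.endswith(b"\n") else ""
    with path.open("a") as fh:
        fh.write(glue + text + "\n")


def provision_peer(root, peer, name, local_ip, local_subnet,
                   remote_ip, remote_subnet, psk):
    """Edit ipsec.secrets, peer.conf and ipsec.conf under root; return the
    commands the operator must still run (nothing is executed here)."""
    root = Path(root)
    peer_conf = root / f"etc/ipsec.d/connections/{peer}.conf"
    peer_conf.parent.mkdir(parents=True, exist_ok=True)
    append_line(root / "etc/ipsec.secrets", f'{local_ip} {remote_ip}: PSK "{psk}"')
    append_line(peer_conf, render_conn(name, local_ip, local_subnet,
                                       remote_ip, remote_subnet))
    ipsec_conf = root / "etc/ipsec.conf"
    include = f"include /etc/ipsec.d/connections/{peer}.conf"
    present = ipsec_conf.read_text().splitlines() if ipsec_conf.exists() else []
    if include not in present:  # idempotent: re-running adds no duplicate
        append_line(ipsec_conf, include)
    return ["ipsec auto --rereadall", f"ipsec auto --add {name}",
            f"ipsec auto --up {name}"]


def demo():
    """Constructed scenario: ipsec.secrets already ends without a newline."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "etc/ipsec.secrets").write_text('10.0.0.1 10.9.9.9: PSK "old-key"')
    (root / "etc/ipsec.conf").write_text("config setup\n")
    cmds = provision_peer(root, "acme", "Endava-Acme", "10.0.0.1", "10.1.0.0/24",
                          "203.0.113.7", "192.168.50.0/24", "constructed-psk")
    return (root / "etc/ipsec.secrets").read_text().splitlines(), cmds
```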

Delete the peer


- Update the Endava VPN Status Matrix and IPsec Configuration Plan, or move the IPsec VPN parameters form to the archive.
- Execute ipsec auto --down Connection-Name for all the tunnels of the peer, then ipsec auto --delete Connection-Name for all the tunnels of the peer.
- Edit /etc/ipsec.secrets and remove the line with the pre-shared key for the peer.
- Edit /etc/ipsec.conf and delete the include line for the peer.
- Move /etc/ipsec.d/connections/peer.conf to /etc/ipsec.d/connections/archive/.
- Execute: ipsec auto --rereadall

Delete the tunnel


- Update the Endava VPN Status Matrix and IPsec Configuration Plan, or move the IPsec VPN parameters form to the archive.
- Execute ipsec auto --down Connection-Name, then ipsec auto --delete Connection-Name.
- Edit the corresponding config file /etc/ipsec.d/connections/peer.conf and delete the conn Connection-Name entry from it.

4. Basic troubleshooting & switch to backup line


If the connection is not established, verify:
- that the configuration on both sides matches (pre-shared key, networks, IKE and IPsec parameters);
- that the firewall allows UDP port 500 and IP protocols 50 (ESP) and 51 (AH); you can use nc for this: nc -u remote_peer 500
- that NAT exceptions are in place;
- enable debugging: ipsec klipsdebug --set, ipsec plutodebug --set
After the connection is established you can use nc and mtr to verify LAN-to-LAN connectivity directly from the gateway.
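An added example, not from the work instruction: the first check above ("configuration on both sides matches") done mechanically over the conn blocks from both peers' peer.conf files. left/right are relative to the host holding the file, so a correct pair is a mirror image: local left equals remote right, local leftsubnet equals remote rightsubnet, and every other parameter (authby=, ike=, esp=, pfs=, lifetimes) is identical. The two configuration texts are constructed samples; the remote copy carries two deliberate errors.

```python
# Keys read under the opposite-side name on the other peer; all others must match.
MIRROR = {"left": "right", "right": "left",
          "leftsubnet": "rightsubnet", "rightsubnet": "leftsubnet"}


def parse_conns(text):
    """Return {conn name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def mirror_mismatches(name, local_text, remote_text):
    """Differences the operator must fix for conn `name` (empty if consistent).
    left/right are host-relative, so remote keys are mapped through MIRROR."""
    local = parse_conns(local_text).get(name)
    remote = parse_conns(remote_text).get(name)
    if local is None or remote is None:
        return [f"conn {name} is missing on the {'local' if local is None else 'remote'} peer"]
    problems = []
    for key in sorted(set(local) | {MIRROR.get(k, k) for k in remote}):
        other = MIRROR.get(key, key)
        if local.get(key) != remote.get(other):
            problems.append(f"{key}={local.get(key)} here, "
                            f"{other}={remote.get(other)} on the remote peer")
    return problems


# Constructed sample files: the remote copy has a wrong subnet mask and pfs toggled.
LOCAL_CONF = """conn Endava-Acme
    authby=secret
    left=198.51.100.10
    leftsubnet=10.1.0.0/24
    right=203.0.113.7
    rightsubnet=192.168.50.0/24
    pfs=yes
"""
REMOTE_CONF = """conn Endava-Acme
    authby=secret
    left=203.0.113.7
    leftsubnet=192.168.50.0/24
    right=198.51.100.10
    rightsubnet=10.1.0.0/25
    pfs=no
"""
```

Running mirror_mismatches("Endava-Acme", LOCAL_CONF, REMOTE_CONF) reports exactly the subnet-mask and pfs differences, and an empty list once the remote file is corrected.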

If the connection freezes
If the connection freezes for HTTPS and other large-packet protocols, but works (slowly) for HTTP, verify that MSS clamping to the path MTU is performed:

    -A FORWARD -i ipsecX -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    -A FORWARD -o ipsecX -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
