Contents
1. Introduction
2. IPsec related commands cheat sheet
3. Open SWAN IPsec management
   Define new tunnel
   Delete the peer
   Delete the tunnel
4. Basic troubleshooting & switch to backup line
   If connection is not established verify:
   If the connection freezes
   Switch to backup line Cluj-IBC
   Switch to backup line Iasi
1. Introduction
The purpose of this work instruction is to provide guidelines for OpenSWAN IPsec configuration/management in. For a detailed description of the Endava IPsec configuration/topology please refer to. All configuration steps are performed on both peers unless specified otherwise.
2. IPsec related commands cheat sheet

Define the new tunnel (conn section in the peer's configuration file; the keywords under conn must be indented, otherwise Openswan rejects the file):

    conn Connection-Name
        authby=secret
        leftrsasigkey=%none
        rightrsasigkey=%none
        left=local-ipsec-source-ip
        leftsubnet=local-subnet-to-be-permitted-over-ipsec
        right=remote-peer-ip
        rightsubnet=remote-subnet-to-be-permitted-over-ipsec
        auto=start

Add the tunnel and start it on both ends:

    ipsec auto --add Connection-Name; ipsec auto --up Connection-Name
3. Open SWAN IPsec management

Define new tunnel

If the endpoint (peer) is not yet defined:

1. Update the documentation: VPN Status Matrix and IPsec Configuration Plan.
   All the steps below are done on both peers.
2. Add the pre-shared key for the peer to /etc/ipsec.secrets. Make sure the file ends with a newline (a free line at the bottom) before appending, so the new entry does not merge with the previous one, and put the key in double quotes:

       local-ipsec-source-ip remote-ipsec-peer-ip : PSK "Preshared-key-here"

3. Create the peer configuration file /etc/ipsec.d/connections/peer.conf and add the tunnel configuration to it:

       conn Connection-Name
           authby=secret
           leftrsasigkey=%none
           rightrsasigkey=%none
           left=local-ipsec-source-ip
           leftsubnet=local-subnet-to-be-permitted-over-ipsec
           right=remote-peer-ip
           rightsubnet=remote-subnet-to-be-permitted-over-ipsec
           auto=start

4. Include the file in /etc/ipsec.conf by adding the line:

       include /etc/ipsec.d/connections/peer.conf

5. Run the following to reread all the configuration (pre-shared keys and ipsec.conf):

       ipsec auto --rereadall

6. Add the tunnel and start it on both ends:

       ipsec auto --add Connection-Name; ipsec auto --up Connection-Name

7. Once the connection is up, make sure the corresponding route to the LAN network is present on the IPsec server via the corresponding gateway.
8. Update the documentation: VPN Status Matrix and IPsec Configuration Plan.
If the client endpoint (peer) is not defined yet: send the IPsec VPN parameters form to the client, agree with them on the connection parameters, then proceed as above. Depending on the agreement with the client and the VPN product used on their side, additional settings may need to be defined in the conn section:

    esp=
    ike=
    ikelifetime=
    keylife=
    pfs=

The algorithm proposals (ike= for phase 1, esp= for phase 2) and the PFS setting must match on both ends or the negotiation fails; agree the lifetimes with the client as well. After the tunnel is configured, place the IPsec VPN parameters form on the intranet.
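The file-editing part of the procedure above, written out as an added example (this is not code from the Endava work instruction): it builds the ipsec.secrets entry and the peer.conf conn section, adds the include line to ipsec.conf only once, checks that ipsec.secrets ends with a newline before appending, and prints the Openswan commands to run next. The function names, the IPSEC_ROOT variable and every address, subnet and key are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the Endava work instruction. It builds the
# /etc/ipsec.secrets entry and the /etc/ipsec.d/connections/<peer>.conf
# conn section from the procedure above, adds the include line to
# /etc/ipsec.conf once, and prints the Openswan commands to run next.
# Run it against a scratch root first (dry run), then with IPSEC_ROOT=/
# on the IPsec server. Every address, subnet and key below is a constructed
# sample value.

# PSK entry for ipsec.secrets: <local-ip> <peer-ip> : PSK "<key>"
psk_line() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# conn section for the peer's .conf file. Keywords under "conn" must be
# indented or Openswan rejects the file.
# $1 conn name, $2 left, $3 leftsubnet, $4 right, $5 rightsubnet,
# $6 optional ike= proposal, $7 optional esp= proposal (as agreed with the peer)
conn_block() {
    printf 'conn %s\n' "$1"
    printf '\tauthby=secret\n'
    printf '\tleftrsasigkey=%%none\n'
    printf '\trightrsasigkey=%%none\n'
    printf '\tleft=%s\n' "$2"
    printf '\tleftsubnet=%s\n' "$3"
    printf '\tright=%s\n' "$4"
    printf '\trightsubnet=%s\n' "$5"
    if [ -n "${6:-}" ]; then printf '\tike=%s\n' "$6"; fi
    if [ -n "${7:-}" ]; then printf '\tesp=%s\n' "$7"; fi
    printf '\tauto=start\n'
}

# Append line $2 to file $1 only if that exact line is not already there.
# First make sure the file ends with a newline (the "free line at the
# bottom of ipsec.secrets" requirement) so the new entry never merges
# with the previous one.
append_once() {
    if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then
        printf '\n' >> "$1"
    fi
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# Install one peer under root $1 ("/" on the server, a temp dir for a dry run).
# $2 peer name, $3 conn name, $4 local IP, $5 local subnet, $6 peer IP,
# $7 peer subnet, $8 PSK. Safe to re-run: nothing is duplicated.
install_peer() {
    mkdir -p "$1/etc/ipsec.d/connections"
    touch "$1/etc/ipsec.secrets" "$1/etc/ipsec.conf"
    chmod 600 "$1/etc/ipsec.secrets"
    append_once "$1/etc/ipsec.secrets" "$(psk_line "$4" "$6" "$8")"
    conn_block "$3" "$4" "$5" "$6" "$7" > "$1/etc/ipsec.d/connections/$2.conf"
    append_once "$1/etc/ipsec.conf" "include /etc/ipsec.d/connections/$2.conf"
    # Run these on both peers once the files are in place.
    printf 'ipsec auto --rereadall\nipsec auto --add %s\nipsec auto --up %s\n' "$3" "$3"
}

# Dry run with constructed sample values.
IPSEC_ROOT=${IPSEC_ROOT:-$(mktemp -d)}
install_peer "$IPSEC_ROOT" client-a Endava-ClientA \
    10.0.0.1 10.0.0.0/24 203.0.113.5 192.168.5.0/24 'constructed-sample-psk'
cat "$IPSEC_ROOT/etc/ipsec.d/connections/client-a.conf"
```

Run it once into a scratch directory and diff the generated files against the documented forms before running it with IPSEC_ROOT=/ on each peer; the printed ipsec auto commands still have to be executed by hand on both ends.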
If the connection freezes

If HTTPS and other protocols that send large packets freeze over the tunnel while HTTP still works but is slow, this is the typical MTU/MSS problem: full-size TCP segments no longer fit once the ESP overhead is added and are dropped. Verify that MSS clamping is performed on the IPsec interface, i.e. that the FORWARD chain contains both of these rules:

    -A FORWARD -i ipsecX -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    -A FORWARD -o ipsecX -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Both directions are needed. The ipsecX interfaces exist only with the KLIPS stack; with NETKEY there is no ipsecX interface and the same clamp is applied with the -m policy --pol ipsec match instead.
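To make the "verify that MSS clamping is performed" check repeatable, here is an added example (not part of the work instruction) that prints the clamp rules for an interface and checks an iptables-save dump for both FORWARD directions. The function names and the sample dump are constructed for the example; on a live server pipe in the real iptables-save output instead.

```shell
#!/bin/sh
# Added example, not part of the work instruction. It prints the MSS
# clamp rules for an IPsec interface and checks an iptables-save dump
# for them in both FORWARD directions. The dump below is constructed
# sample input; on a live server pipe in `iptables-save` instead.

# The two FORWARD rules from the work instruction for KLIPS interface $1.
mss_clamp_rules() {
    printf '%s\n' "-A FORWARD -i $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
    printf '%s\n' "-A FORWARD -o $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
}

# NETKEY variant: there is no ipsecX interface, so match traffic that is
# (or will be) IPsec-protected with the xt_policy match instead.
mss_clamp_rules_netkey() {
    printf '%s\n' "-A FORWARD -m policy --dir in --pol ipsec -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
    printf '%s\n' "-A FORWARD -m policy --dir out --pol ipsec -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
}

# Read an iptables-save dump on stdin; succeed only if both the inbound
# (-i) and outbound (-o) clamp rules for interface $1 are in FORWARD.
mss_clamp_present() {
    dump=$(cat)
    for dir in -i -o; do
        printf '%s\n' "$dump" |
            grep -q -- "^-A FORWARD $dir $1 .*-j TCPMSS --clamp-mss-to-pmtu" || return 1
    done
    return 0
}

# Constructed iptables-save output: ipsec0 is clamped in both directions,
# ipsec1 only inbound (the typical half-configured case).
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i ipsec0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o ipsec0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i ipsec1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT'

# Report each interface and print the rules to add when the clamp is missing.
for ifc in ipsec0 ipsec1; do
    if printf '%s\n' "$SAMPLE_DUMP" | mss_clamp_present "$ifc"; then
        echo "$ifc: MSS clamp present"
    else
        echo "$ifc: MSS clamp missing, add with iptables:"
        mss_clamp_rules "$ifc"
    fi
done
```

The check deliberately requires both the -i and the -o rule: a clamp in one direction only fixes the SYNs of connections initiated from one side, which is exactly the "works for some hosts, freezes for others" pattern seen in practice.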