Testing IPsec tunnels (net2net) web interface

alefattorini · June 16, 2015, 9:45am

@giacomo has developed this amazing module that create a new page inside the Server Manager to configure IPsec net2net tunnels.

The implementation should:

simplify creation of IPsec tunnels between two NethServer
allow advanced configuration customization to maximize interoperability
displaying tunnel status in a dedicate page

http://dev.nethserver.org/issues/3194
Enjoy! Please report any issue or suggestions

mabeleira · June 16, 2015, 12:35pm

Wooow thats great it will fit my needs :D, when can we have it ready

alefattorini · June 16, 2015, 12:38pm

Good to hear this man! Please test it and let me know your feedback

medworthy · June 17, 2015, 9:06am

Good idea, but over the last couple of months I have read a lot about IPsec having some major security flaws (when being compared to OpenVPN)

sergio_screpanti · June 17, 2015, 9:28am

it’s possible set the source nat?
I have a setup that require this

filippo_carletti · June 17, 2015, 9:43am

@mabeleira: it’s ready.
@sergio_screpanti: snat is possible with a one-line template-custom. I have it working in production.

alefattorini · June 17, 2015, 1:46pm

I moved 2 posts to a new topic: Setup a dsl connection

andreac · June 18, 2015, 10:55am

Disclaimer: I’m not really good at this, just wanted to test it, take everything I write with several grains of salt

I’ve tried to test this in my vSphere lab, this is the virtual scenario I’m using:

Both Nethesis are vanilla installations, pcs are Windows xp (yes, I know, bear with me), the middle one has netmon installed on it, ip forwarding enabled (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters IPEnableRouter DWORD 1), and static routes to route the traffic.

Installed nethserver-ipsec-1.0.3-1.7.g584aafa.ns6.noarch.rpm from nethserver-testing, and configured both sides of the tunnel, here’s site 1:

and the dashboard showing good signs

Then I wondered if the tunnel was really doing its job, so I opened all traffic from the outside in on the Netservers firewalls, with a new firewall rule any-to-any, and tested connection from WINXP1 to WINXP2 with the tunnel disabled

here’s Netmon output with the tunnel disabled:

and with the tunnel enabled

So far so good.

Now, if only I could get my hands on a real public IP (got all sorts of natted ips from fastweb) I’d really like to see a working vpn tunnel from Nethserver to the Google vpn object in the cloud:

filippo_carletti · June 18, 2015, 12:46pm

VPN from private IPs (fastweb) are tricky but possible. I have one running from my home (fastweb) to the office.
One side should be declared as %any and id must be an FQDN like @casa.filippo.

alefattorini · June 25, 2015, 2:29pm

@mabeleira @medworthy @andreac @sergio_screpanti do you have already tested this module?
It’s on QA
http://dev.nethserver.org/issues/3194

sergio_screpanti · June 26, 2015, 7:35am

I’m doing a new clean install and try today

alefattorini · November 23, 2015, 8:36am

4 posts were split to a new topic: Problem testing IPSec VPN

alefattorini · November 23, 2015, 8:36am

Released