Testing IPsec tunnels (net2net) web interface

(Alessio Fattorini) #1

@giacomo has developed this amazing module that creates a new page inside the Server Manager to configure IPsec net2net tunnels.

The implementation should:

  • simplify creation of IPsec tunnels between two NethServers
  • allow advanced configuration customization to maximize interoperability
  • display tunnel status in a dedicated page

Enjoy! Please report any issue or suggestions :wink:

(Jose "Martin" Abeleira. AKA Marto) #2

Wooow, that's great, it will fit my needs :D. When can we have it ready?

(Alessio Fattorini) #3

Good to hear this man! Please test it and let me know your feedback :wink:

(Mark Edworthy) #4

Good idea, but over the last couple of months I have read a lot about IPsec having some major security flaws (when being compared to OpenVPN)

(sergio_screpanti) #5

Is it possible to set the source NAT?
I have a setup that requires this.

(Filippo Carletti) #6

@mabeleira: it’s ready.
@sergio_screpanti: SNAT is possible with a one-line template-custom. I have it working in production.

(Alessio Fattorini) #7

I moved 2 posts to a new topic: Setup a dsl connection

Disclaimer: I’m not really good at this, just wanted to test it, take everything I write with several grains of salt

I’ve tried to test this in my vSphere lab, this is the virtual scenario I’m using:

Both Nethesis are vanilla installations, the PCs are Windows XP (yes, I know, bear with me), the middle one has Netmon installed on it, IP forwarding enabled (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters IPEnableRouter DWORD 1), and static routes to route the traffic.

Installed nethserver-ipsec-1.0.3-1.7.g584aafa.ns6.noarch.rpm from nethserver-testing, and configured both sides of the tunnel, here’s site 1:

and the dashboard showing good signs

Then I wondered if the tunnel was really doing its job, so I opened all traffic from the outside in on the NethServers' firewalls, with a new any-to-any firewall rule, and tested the connection from WINXP1 to WINXP2 with the tunnel disabled.

Here's the Netmon output with the tunnel disabled:

and with the tunnel enabled:

So far so good.

Now, if only I could get my hands on a real public IP (got all sorts of natted ips from fastweb) I’d really like to see a working vpn tunnel from Nethserver to the Google vpn object in the cloud:
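
The check above (sniffing on the middle host with the tunnel disabled and then enabled) can be automated. The following is an added example, not code from the thread or from the nethserver-ipsec module: it parses raw IPv4 packets as a capture tool on the middle host would hand them over and reports whether LAN-to-LAN traffic is crossing in cleartext or is wrapped in ESP (including ESP-in-UDP on port 4500, which is what you see when one side sits behind NAT as in the fastweb case). The LAN ranges, the public IPs and the packets themselves are constructed for the example; they are not the addresses from the lab screenshots.

```python
import ipaddress
import struct

# Constructed lab addressing (assumption, not the thread's real addresses).
LAN_A = ipaddress.ip_network("192.168.1.0/24")   # behind site 1
LAN_B = ipaddress.ip_network("192.168.2.0/24")   # behind site 2
ESP, UDP, ICMP = 50, 17, 1
NAT_T_PORT = 4500  # ESP encapsulated in UDP when NAT traversal is in use


def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet (no options, header checksum left at zero)."""
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto, header_len) or None if the bytes are not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    _, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)), proto, ihl


def is_lan_to_lan(src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in LAN_A and d in LAN_B) or (s in LAN_B and d in LAN_A)


def is_esp(pkt, proto, ihl):
    """Plain ESP, or UDP to/from 4500 (NAT-T) which carries ESP inside."""
    if proto == ESP:
        return True
    if proto == UDP and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        return NAT_T_PORT in (sport, dport)
    return False


def audit_capture(packets):
    """Count ESP packets and cleartext LAN-to-LAN packets seen on the middle host."""
    esp = leaked = 0
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed is None:
            continue
        src, dst, proto, ihl = parsed
        if is_esp(pkt, proto, ihl):
            esp += 1
        elif is_lan_to_lan(src, dst):
            leaked += 1   # inner addresses visible on the wire: not protected
    return {"esp": esp, "cleartext_lan_to_lan": leaked}


def tunnel_is_protecting(packets):
    """True only if ESP is flowing and no LAN-to-LAN packet crossed in cleartext."""
    r = audit_capture(packets)
    return r["esp"] > 0 and r["cleartext_lan_to_lan"] == 0


# Constructed captures standing in for the two Netmon runs.
icmp_echo = b"\x08\x00" + b"\x00" * 6
icmp_reply = b"\x00\x00" + b"\x00" * 6
tunnel_disabled = [
    build_ipv4("192.168.1.10", "192.168.2.10", ICMP, icmp_echo),
    build_ipv4("192.168.2.10", "192.168.1.10", ICMP, icmp_reply),
]
tunnel_enabled = [
    build_ipv4("10.0.0.1", "10.0.0.2", ESP, b"\x00" * 32),
    build_ipv4("10.0.0.2", "10.0.0.1", ESP, b"\x00" * 32),
    # NAT-T variant: UDP 4500 between the public addresses
    build_ipv4("10.0.0.1", "10.0.0.2", UDP, struct.pack("!HH", 4500, 4500) + b"\x00" * 32),
]

if __name__ == "__main__":
    print("disabled:", audit_capture(tunnel_disabled), tunnel_is_protecting(tunnel_disabled))
    print("enabled: ", audit_capture(tunnel_enabled), tunnel_is_protecting(tunnel_enabled))
```

With the tester's any-to-any rule in place, a cleartext LAN-to-LAN packet on the middle host is exactly what a silently failed tunnel would look like, so the script treats even one such packet as a failure rather than just counting ESP.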

(Filippo Carletti) #9

VPNs from private IPs (fastweb) are tricky but possible. I have one running from my home (fastweb) to the office.
One side should be declared as %any and id must be an FQDN like @casa.filippo.
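
What that looks like in ipsec.conf terms, as an added example (not the configuration the module generates, nor Filippo's own files): the side with a fixed public address accepts the peer from any address (`%any`) and identifies it by an FQDN-style ID, which is what lets the NATted home side connect even though its public address is neither fixed nor known in advance. The office ID, both LAN ranges and the office public IP are placeholders; only `@casa.filippo` comes from the post.

```ini
# --- office side (fixed public IP, acts as responder) ---
conn casa
    left=OFFICE_PUBLIC_IP          # placeholder: office public address
    leftid=@office.example         # placeholder FQDN-style ID for the office
    leftsubnet=192.168.10.0/24     # constructed office LAN
    right=%any                     # home side's public address is unknown (NAT)
    rightid=@casa.filippo          # ID from the post; must match the home side
    rightsubnet=192.168.20.0/24    # constructed home LAN
    authby=secret
    auto=add                       # wait for the home side to initiate

# --- home side (behind fastweb NAT, acts as initiator) ---
conn ufficio
    left=%defaultroute             # whatever private address the box has
    leftid=@casa.filippo
    leftsubnet=192.168.20.0/24
    right=OFFICE_PUBLIC_IP         # placeholder
    rightid=@office.example        # placeholder
    rightsubnet=192.168.10.0/24
    authby=secret
    auto=start                     # only this side can bring the tunnel up

# ipsec.secrets, same line on both sides (key is a placeholder):
# @office.example @casa.filippo : PSK "REPLACE_WITH_LONG_RANDOM_SECRET"
```

The ID must be written with the leading `@`, otherwise the daemon tries to resolve it as a hostname instead of using it as an opaque identifier; and because the home side is the only one that can initiate, the tunnel only comes up from that end, so `auto=add` on the office is the correct choice rather than `auto=start`.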

(Alessio Fattorini) #10

@mabeleira @medworthy @andreac @sergio_screpanti have you already tested this module?
It’s on QA

(sergio_screpanti) #11

I'm doing a new clean install and will try today.

(Alessio Fattorini) #12

4 posts were split to a new topic: Problem testing IPSec VPN

(Alessio Fattorini) #13