User Tools

Site Tools


Sidebar

Kerlink Wiki Home Page

Home

Setups

General information

Wirnet™ iBTS information

Wirnet™ iFemtoCell information

Wirnet™ iFemtoCell-evolution information

Wirnet™ iStation information

System management

Network management

LoRa Features

KerOS customization

Support and resources



www.kerlink.com

wiki:network_mana:secure_network:keros_4.x:running_the_application

VPN - Starting the VPN client

Launching OpenVPN

Firewall

Set the appropriate Firewall rules to accept OpenVPN traffic:

/etc/firewall.d/10_openvpn.rules
*filter
# OpenVPN ports
-A INPUT  -p udp -m udp --sport 1194 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT

Or disable the firewall (only during test phase!) with:

/etc/init.d/firewall stop

Start OpenVPN

Put the OpenVPN main configuration file on the gateway and launch it with (replace with the appropriate file name):

openvpn --config /user/client-openvpn.conf 2>&1 | logger &

Check that OpenVPN client is well launched on your gateway:

ps | grep [o]penvpn
31342 root      4700 S    openvpn --config /user/client-openvpn.conf

Check with the ifconfig command that the vpn0 interface is now active.

Once everything is working, you can add initialization scripts to enable the VPN automatically. Don't forget to enable the firewall again if it was disabled.

Launching IPsec / strongSwan

Firewall

Set the appropriate Firewall rules to accept IPsec traffic:

/etc/firewall.d/10_ipsec.rules
*filter
# OpenVPN ports
-A INPUT  -p udp -m udp --sport  500 -j ACCEPT
-A OUTPUT -p udp -m udp --dport  500 -j ACCEPT
-A INPUT  -p udp -m udp --sport 4500 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 4500 -j ACCEPT
COMMIT

Or disable the firewall (only during test phase!) with:

/etc/init.d/firewall stop

Start ipsec

Two TKM daemons can be used:

  • If the /etc/ipsec.secrets file is used, and the P12 file is stored as clear in the filesystem: use charon
  • If the /etc/ipsec.secrets file is empty, and the secrets and P12 files are stored ciphered in the TrustZone: use charon-tkm

To do so, either add the --daemon charon or --daemon charon-tkm to the command line, or set the DAEMON_NAME environment variable to the desired value. For example, if the TrustZone is used:

export DAEMON_NAME=charon-tkm
 
# or, alternatively
ipsec start <other ipsec options...> --daemon charon-tkm

If the TrustZone is not used, here is how the VPN should be started:

export DAEMON_NAME=charon
 
# or, alternatively
ipsec start <other ipsec options...> --daemon charon

To troubleshoot, the --nofork switch can be added to the command line. This will prevent the daemon from forking, and will log all output to the console (instead of syslog).

Once everything is working, you can add initialization scripts to enable the VPN automatically. Don't forget to enable the firewall again.

wiki/network_mana/secure_network/keros_4.x/running_the_application.txt · Last modified: 2023/03/02 15:04 by gja