On 8/23/2011 8:23 AM, Andrew McGlashan wrote:
> Hi,
>
> Olaf Westrik wrote:
>> Still missing for 2.0.0 is an update facility for IPsec configuration to
>> smoothen the migration from 1.4 to 2.0.0.
>
> I wouldn't think that an update facility should be required. Start with
> 2.0.0 and then create fresh IPSEC VPNs .... if you have a VPN, you
> should be able to re-create it.
>
> Isn't 1.4 different enough to 2.0.0 to warrant a clean and fresh install
> anyway? Certainly would be helpful to keep all the firewall rules, and
> fixed lease settings, but not sure anything else should be a worry.
It depends on how many OpenVPN and IPSec clients you have out there. If
you have many, then re-creating and distributing the new certificates
would be a pain.
>> Other than that only bugfixes (should there be any in 1.9.20), critical
>> updates and language modifications. Anything else will have to wait
>> until after 2.0.0 is released.
>
> So we are finally that close now...... just after I had installed
> ClearOS on a new box. Oh well, that box _may_ get re-installed with the
> new version of IPCop, but it'll probably stay ClearOS for at least a
> little while now.
>
If you have installed Zerina to get OpenVPN support in IPCop, then you
have two Certificate Authorities (CA). One for IPSec and a second for
OpenVPN. The 2.0.0 IPCop only has one CA for both IPSec and OpenVPN.
I don't have any working IPSec VPNs that use certificates, so I copied
the Zerina OpenVPN CA, serverkey and client certificates manually to the
correct directory on the new IPCop machine and they worked. I only had
to rename the "serverkey.pem" to "hostkey.pem" and "servercert.pem" to
"hostcert.pem" for it to work.
I still haven't been able to get the one IPSec tunnel that used a
Pre-Shared Key (PSK) working, but that will require some debugging. It
works on the 1.4.21, but not the 1.9.21 IPCop. I think that I had to
hand edit some of the files to get it to work, but I don't remember
exactly what changes I had to make to get it to work. If you use a PSK,
you can't use aggressive mode, but must use "main" mode.
Mike
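As an added example (not IPCop or Zerina code; the source and destination directories are parameters because the message does not name them, and the PEM bodies are constructed placeholders), a small Python script that performs the copy-and-rename described above, refuses to overwrite a CA that already exists on the 2.0.0 box, and makes sure the copied private key is not left group- or world-readable:

```python
import os
import shutil
import tempfile

# Renames the message describes; the CA cert and client certs keep their names.
RENAME_MAP = {"serverkey.pem": "hostkey.pem", "servercert.pem": "hostcert.pem"}

def migrate_certs(src_dir, dst_dir, overwrite=False):
    """Copy every *.pem from src_dir to dst_dir applying RENAME_MAP; return
    {source_name: destination_name}. Never clobbers unless overwrite=True."""
    copied = {}
    for name in sorted(os.listdir(src_dir)):
        if not name.endswith(".pem"):
            continue
        src = os.path.join(src_dir, name)
        dst = os.path.join(dst_dir, RENAME_MAP.get(name, name))
        if os.path.exists(dst) and not overwrite:
            raise FileExistsError("refusing to overwrite " + dst)
        with open(src, "rb") as f:  # RSA, PKCS#8 and encrypted keys all match
            private = b"PRIVATE KEY-----" in f.read()
        shutil.copyfile(src, dst)
        os.chmod(dst, 0o600 if private else 0o644)  # keys owner-only, certs 0644
        copied[name] = os.path.basename(dst)
    return copied

CERT = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"

def run_demo():
    """Migrate a constructed Zerina tree; return (copied, modes, rerun_refused)."""
    root = tempfile.mkdtemp()
    src, dst = os.path.join(root, "zerina"), os.path.join(root, "ipcop2")
    os.makedirs(src)
    os.makedirs(dst)
    samples = {"cacert.pem": CERT, "servercert.pem": CERT, "serverkey.pem": KEY,
               "client1cert.pem": CERT, "README.txt": "not a pem file\n"}
    for name, body in samples.items():
        with open(os.path.join(src, name), "w") as f:
            f.write(body)
    copied = migrate_certs(src, dst)
    modes = {n: os.stat(os.path.join(dst, n)).st_mode & 0o777
             for n in copied.values()}
    try:
        migrate_certs(src, dst)  # second run must refuse to clobber the new CA
        refused = False
    except FileExistsError:
        refused = True
    shutil.rmtree(root)
    return copied, modes, refused
```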