On 8/23/2011 8:23 AM, Andrew McGlashan wrote:
> Olaf Westrik wrote:
>> Still missing for 2.0.0 is an update facility for IPsec configuration to
>> smoothen the migration from 1.4 to 2.0.0.
> I wouldn't think that an update facility should be required. Start with
> 2.0.0 and then create fresh IPSEC VPNs .... if you have a VPN, you
> should be able to re-create it.
> Isn't 1.4 different enough to 2.0.0 to warrant a clean and fresh install
> anyway? Certainly would be helpful to keep all the firewall rules, and
> fixed lease settings, but not sure anything else should be a worry.
It depends on how many OpenVPN and IPSec clients you have out there. If
you have many, then re-creating and distributing the new certificates
would be a pain.
>> Other than that only bugfixes (should there be any in 1.9.20), critical
>> updates and language modifications. Anything else will have to wait
>> until after 2.0.0 is released.
> So we are finally that close now...... just after I had installed
> ClearOS on a new box. Oh well, that box _may_ get re-installed with the
> new version of IPCop, but it'll probably stay ClearOS for at least a
> little while now.
If you have installed Zerina to get OpenVPN support in IPCop, then you
have two Certificate Authorities(CA). One for IPSec and a second for
OpenVPN. The 2.0.0 IPcop only has one CA for both IPSec and OpenVPN.
I don't have any working IPSec VPNs that use certificates, so I copied
the Zerina OpenVPN CA, serverkey and client certificates manually to the
correct directory on the new IPCop machine and they worked. I only had
to rename the "serverkey.pem" to "hostkey.pem" and "servercert.pem" to
"hostcert.pem" for it to work.
I still haven't been able to get the one IPSec tunnel that used a
Pre-Shared Key(PSK) working, but that will require some debugging. It
works on the 1.4.21, but not the 1.9.21 IPCop. I think that I had to
hand edit some of the files to get it to work, but I don't remember
exactly what changes I had to make to get it to work. If you use a PSK,
you can't use aggressive mode, but must use "main" mode.