End to end with Acheron - acis-acheron/acheron GitHub Wiki
About
This is a brief guide to getting Acheron running using the strongSwan Styx backend on a Debian Squeeze machine.
Building and Installing strongSwan from source
If building Contrail's strongSwan fork from source, you must first install the build dependencies, including installing and pinning the backports repository. How to do this is detailed in our building strongSwan guide.
Configuring strongSwan
Once strongSwan is installed, copy the default strongSwan configuration from the default-strongswan-config directory. This is done easily as root via
cp -r default-strongswan-config/* /
Be sure to remove /etc/ipsec.d/cacerts/strongswanCert.pem and place your actual CA certificate into /etc/ipsec.d/cacerts. The resulting default configuration should be present on all virtual machines.
Once the default configuration is in place, you can proceed to set up the keys and certificates specific to each machine. This machine-specific configuration includes a certificate signed by the CA in /etc/ipsec.d/certs (as a PEM file), a private key in /etc/ipsec.d/private (also as a PEM file), and a listing for the private key in /etc/ipsec.secrets. You can find examples in demo-alice-ipsec-certs and demo-bob-ipsec-certs. Note that the certificate in the machine-specific configuration must be named myCert.pem for the default configuration to work correctly.
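A preflight check for the layout described above, to run before starting the daemons. This is an added example, not part of the Acheron repository: the function name check_ipsec_layout and its optional ROOT prefix are hypothetical, and it assumes GNU stat and ipsec.secrets entries written with whitespace around the colon (": RSA <file>").

```shell
#!/bin/sh
# Added example (not from the Acheron repository): preflight check for the
# per-machine strongSwan files this guide describes. ROOT is an optional,
# hypothetical prefix so the check can run against a staging tree; omit it
# to inspect the live system as root:  check_ipsec_layout
check_ipsec_layout() {
    root="${1:-}"
    d="$root/etc/ipsec.d"
    secrets="$root/etc/ipsec.secrets"
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    # The demo CA from default-strongswan-config must have been removed.
    [ -e "$d/cacerts/strongswanCert.pem" ] &&
        fail "demo CA strongswanCert.pem still present in $d/cacerts"
    # Some other file (the real CA certificate) must be in cacerts.
    ls -A "$d/cacerts" 2>/dev/null | grep -qv '^strongswanCert\.pem$' ||
        fail "no CA certificate installed in $d/cacerts"
    # The default configuration refers to the machine certificate by this name.
    [ -s "$d/certs/myCert.pem" ] || fail "missing $d/certs/myCert.pem"

    # Collect key files from ipsec.secrets lines of the form
    # "[selectors] : RSA|ECDSA <file> [passphrase]", skipping comments.
    keys=$(awk '/^[ \t]*#/ { next }
        { for (i = 1; i + 2 <= NF; i++)
            if ($i == ":" && ($(i+1) == "RSA" || $(i+1) == "ECDSA")) {
                f = $(i+2); gsub(/"/, "", f); print f } }' "$secrets" 2>/dev/null) || keys=""
    [ -n "$keys" ] || fail "no private key listed in $secrets"

    for k in $keys; do
        # Relative names are resolved against /etc/ipsec.d/private.
        case "$k" in /*) path="$root$k" ;; *) path="$d/private/$k" ;; esac
        if [ ! -s "$path" ]; then
            fail "key '$k' listed in ipsec.secrets not found at $path"
        else
            # Private keys must not be accessible to group or others.
            case "$(stat -c %a "$path")" in
                ?00) ;;
                *) fail "$path has permissions beyond its owner" ;;
            esac
        fi
    done
    [ "$problems" -eq 0 ] && echo "OK: layout matches the guide"
    return "$problems"
}
```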
Installing GroupVPN
Since GroupVPN has a nasty habit of mangling /etc/resolv.conf, first back it up and install resolvconf (which will be useful later) by running
cp /etc/resolv.conf /etc/resolv.conf.bak
aptitude install resolvconf
as root.
Acheron requires a slightly modified version of IPOP that broadcasts the IPs of outgoing P2P connections locally. For convenience, we provide a .deb package.
The easiest way to install the modified version of IPOP is to first install mono-complete, and then force the installation of the downloaded package, letting apt-get take care of the other required dependencies automatically. You can do this with
aptitude install mono-complete
dpkg -i --force-depends ipop-squeeze.deb
apt-get install -fy # aptitude will want to remove the IPOP package
You can then continue to configure GroupVPN in the usual manner. Once finished, be sure to fix the mangled /etc/resolv.conf via
resolvconf -a eth0 < /etc/resolv.conf.bak
The groupvpn.sh script in our vagrant repository automates this entire process using a demo configuration.
Installing Acheron
To install Acheron, you only need to clone the repository and run ./install.sh from within the acheron directory.
Starting Acheron
First, ensure strongSwan and GroupVPN are running, and then start Acheron (as root):
/etc/init.d/ipsec start
/etc/init.d/groupvpn.sh start
/etc/init.d/acheron start
You can check that the daemon is running via /etc/init.d/acheron status and you'll find Acheron's log file in /var/log/acheron.log.