Line 9: |
Line 9: |
| L2TPD/IPSEC does not need any special software configuration on your clients. It is supported on a very large number of modern mobile phones and laptops. Please note that not every phone or device will support L2TPD/IPSEC out of the box. | | L2TPD/IPSEC does not need any special software configuration on your clients. It is supported on a very large number of modern mobile phones and laptops. Please note that not every phone or device will support L2TPD/IPSEC out of the box. |
| | | |
− | The device first calls the server via ipsec and makes and encrypted connection. But it has no networking information. xl2tpd then makes a ppp connection through that encrypted ipsec connection.and get its network information at this point. | + | The device first calls the server via ipsec and makes and encrypted connection. But it has no networking information. xl2tpd then makes a ppp connection through that encrypted ipsec connection and get its network information at this point. |
| | | |
| Once implemented you can disable PPTP, which will be good for you and your users. | | Once implemented you can disable PPTP, which will be good for you and your users. |
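Review bot: the corrected sentence on the + side still reads "makes and encrypted connection" and "and get its network information". While the stray period is being removed, change these to "makes an encrypted connection" and "and gets its network information", so the description of the ipsec-then-ppp sequence reads cleanly.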
Line 17: |
Line 17: |
| The contrib basically works but there, can be complications when you want to combine it with standard host-host ipsec connections. The issue that 'may' arise is if an IPSEC connection is matched prior to the L2TPD one. I do have both types running on my test box but need more feedback on this. | | The contrib basically works but there, can be complications when you want to combine it with standard host-host ipsec connections. The issue that 'may' arise is if an IPSEC connection is matched prior to the L2TPD one. I do have both types running on my test box but need more feedback on this. |
| | | |
− | This is because pure ipsec usually relies on having connections from specific IP address / and or IDs / Certificates. To accept mobile clients, which could come from pretty well any IP address, we need to tell out L2TPD Ipsec configuration to accept connections from anywhere. | + | This is because pure ipsec usually relies on having connections from specific IP address / and or IDs / Certificates. To accept mobile clients, which could come from pretty well any IP address, we need to tell our L2TPD Ipsec configuration to accept connections from anywhere. |
| | | |
− | The potential issue is if you try a pure Ipsec connection that does not have a correct configuration in the database/configuration, it may try to connect via the L2TPD connection. That will not break anything, but you may experience odd results from the client | + | The potential issue is if you try a pure Ipsec connection that does not have a correct configuration in the database/configuration, it may try to connect via the L2TPD connection. That will not break anything, but you may experience odd results from the client. |
| | | |
| Please note that you can enable or disable L2TPD VPN access for users via the Server Manager. | | Please note that you can enable or disable L2TPD VPN access for users via the Server Manager. |
| | | |
− | These links discuss the implementation and the creation of this page. | + | These links discuss the implementation and the creation of this page: |
| https://forums.contribs.org/index.php/topic,53021.0/all.html | | https://forums.contribs.org/index.php/topic,53021.0/all.html |
| | | |
| Some further reading can be found on this page: | | Some further reading can be found on this page: |
− |
| |
| https://github.com/reetp/smeserver-libreswan-xl2tpd/blob/master/ipsecXl2tpd.Notes | | https://github.com/reetp/smeserver-libreswan-xl2tpd/blob/master/ipsecXl2tpd.Notes |
| | | |
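Review bot: the paragraph that now says the L2TPD Ipsec configuration must "accept connections from anywhere" does not say what still authenticates those clients, and the next paragraph only says a misconfigured pure Ipsec peer "may try to connect via the L2TPD connection" with "odd results". Suggest adding one sentence on how clients are authenticated on the catch-all connection and one on how an administrator can tell from the logs that a host-host peer has been matched by the L2TPD connection instead of its own. The unchanged line "basically works but there, can be complications" also has a misplaced comma that could be fixed in the same edit.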
Line 38: |
Line 37: |
| {{Note box|Server MUST be in Server/Gateway mode for this to be enabled}} | | {{Note box|Server MUST be in Server/Gateway mode for this to be enabled}} |
| | | |
− | The smeserver-libreswan-xl2tpd contrib is currently in the development repo at Contribs | + | {{Note box|If you had installed an earlier version e.g 0.2x or lower then please uninstall first. The early dev versions used /etc/e-smith/templates-custom for their templates. Make sure there are no fragments lying about or you may get unexpected results.}} |
| + | |
| + | The smeserver-libreswan-xl2tpd contrib is currently in the contribs repo. |
| + | |
| + | Add the EPEL and Libreswan repos: |
| | | |
− | You will need the EPEL repo as well:
| + | yum install smeserver-extrarepositories-libreswan smeserver-extrarepositories-epel |
| + | signal-event yum-modify |
| + | config set UnsavedChanges no |
| | | |
− | https://wiki.contribs.org/Epel
| |
| | | |
| With the yum repo database updated, you can then run the installation of the package. | | With the yum repo database updated, you can then run the installation of the package. |
| | | |
− | yum --enablerepo=smedev,epel install smeserver-libreswan-xl2tpd | + | yum --enablerepo=smecontribs,epel,libreswan install smeserver-libreswan-xl2tpd |
| | | |
| That should bring everything in, including ipsec which is required | | That should bring everything in, including ipsec which is required |
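Review bot: the new Note box tells anyone on 0.2x or lower to "please uninstall first" and to make sure no fragments are left under /etc/e-smith/templates-custom, but it gives neither the uninstall command nor which paths under that directory to check, so the step cannot be followed as written. Add both. Also, "config set UnsavedChanges no" appears after "signal-event yum-modify" with no explanation of why it is needed, and "e.g" is missing its period.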
Line 141: |
Line 145: |
| | | |
| config setprop pptpd status disabled sessions 0 | | config setprop pptpd status disabled sessions 0 |
| + | |
| + | signal-event remoteaccess-update |
| | | |
| Take this action only *after* you have confirmed proper L2TP connection is working. | | Take this action only *after* you have confirmed proper L2TP connection is working. |
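Review bot: the warning "Take this action only *after* you have confirmed proper L2TP connection is working" sits below the commands it guards. With signal-event remoteaccess-update now added directly under the config setprop pptpd line, a reader working top-down will have run both before reaching it. Move the warning above the config setprop line.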
Line 161: |
Line 167: |
| Ipsec - check here first: | | Ipsec - check here first: |
| | | |
− | /var/log/pluto/pluto./log | + | /var/log/pluto/pluto.log |
| | | |
| Look for L2TPD-PSK entries and in particular this "STATE_QUICK_R2: IPsec SA established transport mode" | | Look for L2TPD-PSK entries and in particular this "STATE_QUICK_R2: IPsec SA established transport mode" |
Line 169: |
Line 175: |
| L2tpd - check here: | | L2tpd - check here: |
| | | |
− | /var/log/messages | + | /var/log/messages |
| | | |
| Look for xl2tpd and pppd entries | | Look for xl2tpd and pppd entries |
Line 179: |
Line 185: |
| To debug have a look at the following: | | To debug have a look at the following: |
| | | |
− | db ipsec_connections show L2TPD-PSK | + | db ipsec_connections show L2TPD-PSK |
| | | |
− | config show ipsec | + | config show ipsec |
| | | |
− | config show xl2tpd | + | config show xl2tpd |
| | | |
− | cat /etc/ipsec.d/ipsec.conf | + | cat /etc/ipsec.d/ipsec.conf |
| | | |
− | cat /etc/ipsec.d/ipsec.secrets | + | cat /etc/ipsec.d/ipsec.secrets |
| | | |
| Try restarting both ipsec and xl2tpd and watch your logs for errors: | | Try restarting both ipsec and xl2tpd and watch your logs for errors: |
| | | |
− | service xl2tpd restart | + | service xl2tpd restart |
| | | |
− | service ipsec restart | + | service ipsec restart |
| | | |
| If you are still stuck then ask on the forums, or if you have some template errors or other issues please raise a bug. | | If you are still stuck then ask on the forums, or if you have some template errors or other issues please raise a bug. |
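Review bot: the debug list includes "cat /etc/ipsec.d/ipsec.secrets", and the closing line sends readers to the forums or to raise a bug, which invites pasting that output into a public post. Add a sentence after the cat lines telling readers to remove the secrets from any output before sharing it. The same applies to the output of "db ipsec_connections show L2TPD-PSK" if it shows the key.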
Line 208: |
Line 214: |
| | | |
| | | |
− | === Bugs ===
| + | == Bugs == |
| Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla] | | Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla] |
| and select the {{lc:{{FULLPAGENAME}}}} component or use {{BugzillaFileBug|product=SME%20Contribs|component={{lc:{{FULLPAGENAME}}}}|title=this link}} | | and select the {{lc:{{FULLPAGENAME}}}} component or use {{BugzillaFileBug|product=SME%20Contribs|component={{lc:{{FULLPAGENAME}}}}|title=this link}} |
| + | |
| + | == Bugs (test entry) == |
| + | Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla] |
| + | and select the smeserver-letsencrypt-xl2tpd component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-libreswan-xl2tpd|title=this link}} |
| + | |
| + | {{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |component=smeserver-libreswan-xl2tpd |disablecache=1|noresultsmessage="No open bugs found."}} |
| + | |
| + | |
| + | |
| | | |
| Below is an overview of the current issues for this contrib:{{#bugzilla:columns=id,product,version,status,summary|sort=id|order=desc|component={{lc:{{FULLPAGENAME}}}} |noresultsmessage=No open bugs found.}} | | Below is an overview of the current issues for this contrib:{{#bugzilla:columns=id,product,version,status,summary|sort=id|order=desc|component={{lc:{{FULLPAGENAME}}}} |noresultsmessage=No open bugs found.}} |
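Review bot: the added "Bugs (test entry)" section tells readers to select the "smeserver-letsencrypt-xl2tpd" component, while the BugzillaFileBug link and the #bugzilla query in the same section both use component=smeserver-libreswan-xl2tpd. The text should name smeserver-libreswan-xl2tpd. The section also duplicates the existing "Bugs" section and the existing overview query below it, so once the test is done one of the two should be removed rather than leaving a heading marked "(test entry)" on the published page.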
Line 219: |
Line 234: |
| {{#smechangelog: {{lc:{{FULLPAGENAME}}}} }} | | {{#smechangelog: {{lc:{{FULLPAGENAME}}}} }} |
| | | |
− | [[Category: Contrib]] | + | [[Category: Contrib]] [[Category:VPN]] |