Difference between revisions of "Libreswan-xl2tpd"

From SME Server
 
(38 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 +
{{Languages}}
 
==Version==
 
==Version==
 +
{{#smeversion: smeserver-{{lc:{{FULLPAGENAME}}}} }}
  
Currently v0.2
+
==About==
 +
 
 +
L2TPD/IPSEC is secure method of connecting to your Koozali SME server. It is a suitable replacement for the existing PPTP VPN system on Koozali SME Server.
 +
 
 +
PPTP is totally insecure and should not be used.
  
==About==
+
L2TPD/IPSEC is like PPTP and really designed for roaming clients, each with their own IP. It is NOT suitable for Lan-Lan setups. Use pure IPSEC or OpenVPN instead.
 +
 
 +
If you are using with NAT behind a firewall, you can ONLY use one client per NAT'd Lan (because the Lan will likely only have one Public facing IP address.
  
L2TPD/IPSEC is method of connecting to your Koozali SME server. It is a suitable replacement for the existing PPTP VPN system on Koozali SME Server.
+
L2TPD/IPSEC does not need any special software configuration on your clients. It is supported on a very large number of modern mobile phones and laptops although not every phone or device will support L2TPD/IPSEC out of the box. Please check your device for specifics.
  
L2TPD/IPSEC does not need any special software configuration on your clients. It is supported on a very large number of modern mobile phones and laptops. Please note that not every phone or device will support L2TPD/IPSEC out of the box.
+
The device first calls the server via IPSEC and makes a transport encrypted connection. But it has no networking information. xl2tpd then makes a PPP connection through that encrypted IPSEC connection and get its network information at this point.
  
 
Once implemented you can disable PPTP, which will be good for you and your users.
 
Once implemented you can disable PPTP, which will be good for you and your users.
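Review bot: the added NAT sentence ("If you are using with NAT behind a firewall, you can ONLY use one client per NAT'd Lan (because the Lan will likely only have one Public facing IP address.") opens a parenthesis that is never closed and is missing "it" after "using"; suggest "If you are using it with NAT behind a firewall, you can ONLY use one client per NAT'd LAN (because the LAN will likely only have one public-facing IP address)." Two smaller slips in the same hunk: "is secure method" wants "is a secure method", and "get its network information" should read "gets".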
Line 13: Line 21:
 
===Notes===
 
===Notes===
  
The contrib basically works but there can be complications when you want to combine it with standard host-host ipsec connections. The issue that 'may' arise is if an IPSEC connection is matched prior to the L2TPD one. I do have them both running on my test box but need more feedback on this.  
+
The contrib basically works but there, can be complications when you want to combine it with standard host-host ipsec connections. The issue that 'may' arise is if an IPSEC connection is matched prior to the L2TPD one. I do have both types running on my test box but need more feedback on this.  
  
These links discuss the implementation and the creation of this page.
+
This is because pure ipsec usually relies on having connections from specific IP address / and or IDs / Certificates. To accept mobile clients, which could come from pretty well any IP address, we need to tell our L2TPD Ipsec configuration to accept connections from anywhere.
 +
 
 +
The potential issue is if you try a pure Ipsec connection that does not have a correct configuration in the database/configuration, it may try to connect via the L2TPD connection. That will not break anything, but you may experience odd results from the client.
 +
 
 +
Please note that you can enable or disable L2TPD VPN access for users via the Server Manager.
 +
 
 +
These links discuss the implementation and the creation of this page:
 
https://forums.contribs.org/index.php/topic,53021.0/all.html
 
https://forums.contribs.org/index.php/topic,53021.0/all.html
  
 +
Some further reading can be found on this page:
 
https://github.com/reetp/smeserver-libreswan-xl2tpd/blob/master/ipsecXl2tpd.Notes
 
https://github.com/reetp/smeserver-libreswan-xl2tpd/blob/master/ipsecXl2tpd.Notes
  
Please report any problems by adding a note to this issue in Bugzilla:
+
Please report any problems by adding a bug to Bugzilla. See [https://wiki.contribs.org/Smeserver-libreswan-xl2tpd#Bugs Bugs] below.
 +
 
 +
==Installation==
 +
 
 +
{{Warning box|Please test thoroughly on a test server before deploying in production.}}
 +
 
 +
{{Note box|Server MUST be in Server/Gateway mode for this to be enabled}}
  
https://bugs.contribs.org/show_bug.cgi?id=8890
+
{{Note box|If you had installed an earlier version e.g 0.2x or lower then please uninstall first. The early dev versions used /etc/e-smith/templates-custom for their templates. Make sure there are no fragments lying about or you may get unexpected results.}}
  
==Installation for testing==
+
The smeserver-libreswan-xl2tpd contrib is currently in the contribs repo.
  
{{Warning box|Please test thoroughly on a test server before deploying in production .}}
+
Add the EPEL and Libreswan repos:
  
{{Note box|Server MUST be in Server/Gateway mode for this to be enabled}}
+
yum  install smeserver-extrarepositories-libreswan smeserver-extrarepositories-epel
 +
db yum_repositories setprop libreswan status enabled Priority 10
 +
signal-event yum-modify
 +
config set UnsavedChanges no
  
You need my repo and the EPEL repo to test install.
 
  
https://wiki.contribs.org/User:ReetP
+
With the yum repo database updated, you can then run the installation of the package.
https://wiki.contribs.org/Epel
 
  
  yum --enablerepo=reetp,epel install smeserver-libreswan-xl2tpd
+
  yum --enablerepo=smecontribs,epel,libreswan install smeserver-libreswan-xl2tpd
  
 
That should bring everything in, including ipsec which is required
 
That should bring everything in, including ipsec which is required
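Review bot: the new Note box tells readers who "had installed an earlier version e.g 0.2x or lower" to uninstall first, but the same hunk removes "Currently v0.2", the only statement of what the current version is, so a reader cannot tell whether their installed package predates the move away from /etc/e-smith/templates-custom; suggest naming the first release that ships the packaged templates in that note (and writing "e.g." with its full stop).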
Line 43: Line 65:
 
==Configuration settings==
 
==Configuration settings==
  
You need at least one user on the system - for testing it can be admin. The user account needs VPN Client Access enabled in the Server Manager
+
You need at least one ordinary user on the system - for testing it can be admin. The user account needs VPN Client Access enabled in the Server Manager
  
 
===Keys===
 
===Keys===
  
* IPRange Start/Finish<br>
+
These are the basic database keys required to setup the server
An IP range from your server. <br>
+
 
 +
======IPsec settings======
 +
 
 +
* IPRange Start/Finish
 +
An IP range from your server.
 
Note it '''MUST NOT''' conflict with IPs issued by your DHCP server
 
Note it '''MUST NOT''' conflict with IPs issued by your DHCP server
<br><br>
+
 
* rightsubnet<Br>
+
db ipsec_connections setprop L2TPD-PSK IPRangeStart 192.168.1.176 IPRangeFinish 192.168.1.190
The subnet of the remote / dialin network
+
 
<br><br>
+
* rightsubnet
* passwd <br>
+
This must be the subnet in CIDR format and match the IP range allocated above eg:
IPsec pre shared key as per db connection below. <br>
+
 
 +
db ipsec_connections setprop L2TPD-PSK rightsubnet 192.178.1.176/28
 +
 
 +
* passwd
 +
 
 +
IPsec pre shared key as per ipsec db connection below. Every user will need this common password.<br>
 
'''Make it long and complicated !'''
 
'''Make it long and complicated !'''
<br><br>
 
* DNS<br>
 
defaults to the SME server. Can add extra servers if required
 
<br><br>
 
* debug<Br>
 
defaults to disabled
 
  
===Create connection===
+
db ipsec_connections setprop L2TPD-PSK password SomeLongComplicatedSecret
 +
db ipsec_connections setprop L2TPD-PSK password `openssl rand -base64 64|sed  '/.*$/N;s/\n//'`
 +
 
 +
Ensure the connection is enabled:
 +
 
 +
db ipsec_connections setprop L2TPD-PSK status enabled
 +
 
 +
Ensure that the ipsec service is enabled:
  
{{Note box|There can only be ONE Ipsec L2TPD connection}}
+
config setprop ipsec status enabled
  
====Create a connection on the server:====
+
======Xl2tps settings======
  
Here we assume your local network is 192.168.101.x
+
* DNS
 +
Optional - defaults to the SME server. Can add extra servers if required
 +
config setprop xl2tpd DNS 8.8.8.8,8.8.4.4
  
  db ipsec_connections set L2TPD-PSK xl2tpd \  
+
* access
       status disabled \
+
Defaults to private. Not necessary to set public.
       IPRangeStart 192.168.101.180 \
+
 
       IPRangeFinish 192.168.101.200 \
+
* status
       rightsubnet 192.168.101.0/24 \
+
config setprop xl2tpd status enabled
       passwd somesecret \
+
 
      dpdaction clear \
+
*UDPPort
      dpddelay 10 \
+
Defaults to 1701
      dpdtimeout 90
+
 
 +
* debug
 +
Defaults to disabled
 +
 
 +
==Create Server Connection==
 +
 
 +
{{Note box|Remember that there can only be ONE IPSEC/L2TPD-PSK connection per public facing IP}}
 +
 
 +
Note that some settings are preconfigured in the ipsec_connections database.
 +
 
 +
  db ipsec_connections show L2TPD-PSK
 +
 
 +
We need to add some basic settings to the connection. Here we assume your local network is 192.168.101.x
 +
 
 +
db ipsec_connections setprop L2TPD-PSK \  
 +
       status enabled \
 +
       IPRangeStart 192.168.101.176 \
 +
       IPRangeFinish 192.168.101.90 \
 +
       rightsubnet 192.168.101.176/28 \
 +
       passwd somesecret
  
 
{{Note box| You CAN change some values as '''IPRangeStart''' and '''IPRangeFinish''' but you need to keep same subnet.<br>
 
{{Note box| You CAN change some values as '''IPRangeStart''' and '''IPRangeFinish''' but you need to keep same subnet.<br>
So if you change 101 on '''IPRangeStart''', you must change it on '''IPRangeFinist''' and '''rightsubnet''' too! }}
+
So if you change 101 on '''IPRangeStart''', you must change it on '''IPRangeFinish''' and '''rightsubnet''' too! }}
  
 
Make sure the Start and Finish addresses do NOT conflict with your server dhcp range. You can see your server dhcpd range with:
 
Make sure the Start and Finish addresses do NOT conflict with your server dhcp range. You can see your server dhcpd range with:
  
 
  config show dhcpd
 
  config show dhcpd
 +
 +
{{Note box|Ipsec has access private as default; if you want to connect from wan, you need to change it to public }}
 +
 +
config setprop ipsec access public
 +
 +
xl2tpd does not have to be set public as the xl2tpd connection is made inside the ipsec tunnel.
  
 
Now we can enable the required services which will automatically add the correct firewall ports.
 
Now we can enable the required services which will automatically add the correct firewall ports.
 
 
  config setprop xl2tpd status enabled
 
  config setprop xl2tpd status enabled
 
  config setprop ipsec status enabled
 
  config setprop ipsec status enabled
 
  signal-event ipsec-update
 
  signal-event ipsec-update
  
{{Note box|Ipsec has access private as default; if you want to connect from wan, you need to change it to public }}
+
You can regenerate the server templates with:
 +
 
 +
signal-event remoteaccess-update
 +
 
 +
Note that this this will not stop or restart ipsec. Use '''ipsec-update''' to do this:
 +
 
 +
signal-event ipsec-update
 +
 
 +
==Create a connection from a device==
 +
 
 +
Note. This is really designed for remote roaming clients with their own individual public IP.
 +
Ipsec/l2tpd can only cope with one public IP at a time. So you cannot connect two devices from the same LAN to the server.
 +
For that you need a Lan-Lan setup and can use pure ipsec or openvpn.
 +
 
 +
This is the basic setup for your remote device, e.g. laptop or tablet.
  
===Create a connection from a device:===
+
For Linux/Android it is pretty straight forward:
  
 
  Connection type: '''L2TP/IPSec PSK'''
 
  Connection type: '''L2TP/IPSec PSK'''
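Review bot: three of the new database commands disagree with the text around them. "db ipsec_connections setprop L2TPD-PSK rightsubnet 192.178.1.176/28" follows an IPRangeStart/IPRangeFinish of 192.168.1.176/192.168.1.190, so the second octet 178 is a typo for 168. The key is documented as "passwd" and set as "passwd somesecret" in the Create Server Connection block, yet the two example lines under the passwd bullet use "db ipsec_connections setprop L2TPD-PSK password ...", which would create a separate, unused property; pick one spelling throughout. And "IPRangeFinish 192.168.101.90" lies outside "rightsubnet 192.168.101.176/28" (which covers .176 to .191), contradicting the Note box that says the range and subnet must agree; .190 would match the IPsec settings example above it.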
Line 105: Line 177:
 
  Password : adminpassword (the password for the above  user)
 
  Password : adminpassword (the password for the above  user)
  
You can regenerate the server templates with:
+
For Windows it is a little more complicated if you are going to use this behind a NAT.
 +
 
 +
This has links:
 +
https://github.com/StreisandEffect/streisand/issues/291
  
signal-event remoteaccess-update
+
You will need a new registry key:
  
Note that this this will not stop or restart ipsec. Use '''ipsec-update''' to do this:
+
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
 +
RegValue: AssumeUDPEncapsulationContextOnSendRule
 +
Type: DWORD
 +
Data Value: 2
  
signal-event ipsec-update
+
Note that after creating this key you will need to reboot the machine. Then create a VPN connection, type L2TP/Ipsec with pre-shared key.
  
===Stop the service===
+
==Stop the service==
 
  config setprop xl2tpd status disabled
 
  config setprop xl2tpd status disabled
 
  config setprop ipsec status disabled
 
  config setprop ipsec status disabled
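Review bot: the Windows paragraph says the extra step is needed "if you are going to use this behind a NAT" but not whose NAT is meant (the client's, the server's, or both), and the AssumeUDPEncapsulationContextOnSendRule entry is given only as "Data Value: 2" with no word on what that value selects, so a reader cannot judge whether the step applies to them; suggest one sentence on each next to the registry key.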
Line 119: Line 197:
  
 
==Disable PPTP==
 
==Disable PPTP==
Once the implementation is complete and functional, you do NOT need PPTP enabled. You can go to your server manager and disable it forever and sing a thousand hallelujahs for secure communications ;-)
+
Once the implementation is complete and functional, you will not need PPTP enabled. If your L2TPD setup is working then make sure that this is disabled or you may still leave ordinary pptp connections open.
 +
 
 +
You can go to your server manager and disable it forever and sing a thousand hallelujahs for secure communications ;-)
  
 
  config setprop pptpd status disabled sessions 0
 
  config setprop pptpd status disabled sessions 0
  
==ToDo==
+
signal-event remoteaccess-update
 +
 
 +
Take this action only *after* you have confirmed proper L2TP connection is working.
 +
 
 +
== Issues ==
 +
Ipsec and l2tpd is a vast and complicated subject. I have tried to simplify it to the best of my abilities. Mainly because I can't do complicated.
 +
 
 +
Please go and have a good read of the online documentation for [https://libreswan.org/ Libreswan]
 +
 
 +
I basically used an example like this [https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_with_L2TP Ipsec/L2tpd] although this never page existed when I first started building this contrib.
 +
 
 +
The first thing to do if you get stuck is check all your settings and your logs.
 +
 
 +
Go back and check your network settings. Check you passwords. Get someone else to make sure they are OK.
 +
 
 +
Is the ipsec secret correct?
 +
 
 +
Have you enabled remote VPN access for a user and checked the password?
 +
 
 +
Ipsec - check here first:
 +
 
 +
/var/log/pluto/pluto.log
 +
 
 +
Look for L2TPD-PSK entries and in particular this "STATE_QUICK_R2: IPsec SA established transport mode"
 +
 
 +
That means that you have a basic ipsec connection
 +
 
 +
L2tpd - check here:
 +
 
 +
/var/log/messages
 +
 
 +
Look for xl2tpd and pppd entries
 +
 
 +
Do you get as far as this "ip-up: xl2tpd ppp0 /dev/pts/2 150 192.168.97.1 192.168.97.180 xl2tpd"
 +
 
 +
If so you have a basic l2tpd connection
 +
 
 +
To debug have a look at the following:
 +
 
 +
db ipsec_connections show L2TPD-PSK
 +
 
 +
config show ipsec
 +
 
 +
config show xl2tpd
 +
 
 +
cat /etc/ipsec.d/ipsec.conf
 +
 
 +
cat /etc/ipsec.d/ipsec.secrets
 +
 
 +
Try restarting both ipsec and xl2tpd and watch your logs for errors:
 +
 
 +
service xl2tpd restart
 +
 
 +
service ipsec restart
 +
 
 +
If you are still stuck then ask on the forums, or if you have some template errors or other issues please raise a bug.
 +
 
 +
==To Do List==
  
As of 0.2-4 you can enable or disable VPN access for users via the Server Manager.
 
 
A VPN Access Group may be worth looking at in the future
 
A VPN Access Group may be worth looking at in the future
  
 
Add server manager panel (with an IPsec panel too)
 
Add server manager panel (with an IPsec panel too)
 +
 +
<s>Commit the code to the CVS.</s>
 +
 +
The code probably needs reviewing and cleaning up by a greater mind than mine :-)
 +
 +
 +
== Bugs ==
 +
Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla]
 +
and select the {{lc:{{FULLPAGENAME}}}} component or use {{BugzillaFileBug|product=SME%20Contribs|component={{lc:{{FULLPAGENAME}}}}|title=this link}}
 +
 +
== Bugs (test entry) ==
 +
Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla]
 +
and select the smeserver-letsencrypt-xl2tpd component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-libreswan-xl2tpd|title=this link}}
 +
 +
{{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |component=smeserver-libreswan-xl2tpd |disablecache=1|noresultsmessage="No open bugs found."}}
 +
 +
 +
 +
 +
Below is an overview of the current issues for this contrib:{{#bugzilla:columns=id,product,version,status,summary|sort=id|order=desc|component={{lc:{{FULLPAGENAME}}}} |noresultsmessage=No open bugs found.}}
 +
 +
===Changelog===
 +
Only released version in smecontrib are listed here.
 +
 +
{{#smechangelog: {{lc:{{FULLPAGENAME}}}} }}
 +
 +
[[Category: Contrib]] [[Category:VPN]]
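Review bot: the "== Bugs (test entry) ==" section duplicates "== Bugs ==" and names the wrong component: its prose says "smeserver-letsencrypt-xl2tpd" while its own {{BugzillaFileBug}} link and the {{#bugzilla:...}} query under it use smeserver-libreswan-xl2tpd. The two {{#bugzilla:...}} listings also render the same table twice. Suggest dropping the test-entry section and one of the listings. In the Issues text, "although this never page existed" should read "although this page never existed".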

Latest revision as of 04:05, 15 July 2022


Version

Devel 10:
Devel 9:
Contrib 9:
smeserver-libreswan-xl2tpd
The latest version of smeserver-libreswan-xl2tpd is available in the SME repository, click on the version number(s) for more information.


About

L2TPD/IPSEC is a secure method of connecting to your Koozali SME server. It is a suitable replacement for the existing PPTP VPN system on Koozali SME Server.

PPTP is totally insecure and should not be used.

L2TPD/IPSEC is like PPTP and really designed for roaming clients, each with their own IP. It is NOT suitable for Lan-Lan setups. Use pure IPSEC or OpenVPN instead.

If you are using it with NAT behind a firewall, you can ONLY use one client per NAT'd Lan (because the Lan will likely only have one public-facing IP address).

L2TPD/IPSEC does not need any special software configuration on your clients. It is supported on a very large number of modern mobile phones and laptops, although not every phone or device will support L2TPD/IPSEC out of the box. Please check your device for specifics.

The device first calls the server via IPSEC and makes an encrypted transport-mode connection, but at that point it has no networking information. xl2tpd then makes a PPP connection through that encrypted IPSEC connection and gets its network information at this stage.

Once implemented you can disable PPTP, which will be good for you and your users.

Notes

The contrib basically works but there can be complications when you want to combine it with standard host-host ipsec connections. The issue that 'may' arise is if an IPSEC connection is matched prior to the L2TPD one. I do have both types running on my test box but need more feedback on this.

This is because pure ipsec usually relies on connections coming from specific IP addresses and/or IDs/certificates. To accept mobile clients, which could come from pretty well any IP address, we need to tell our L2TPD Ipsec configuration to accept connections from anywhere.

The potential issue is if you try a pure Ipsec connection that does not have a correct configuration in the database/configuration, it may try to connect via the L2TPD connection. That will not break anything, but you may experience odd results from the client.

Please note that you can enable or disable L2TPD VPN access for users via the Server Manager.

These links discuss the implementation and the creation of this page: https://forums.contribs.org/index.php/topic,53021.0/all.html

Some further reading can be found on this page: https://github.com/reetp/smeserver-libreswan-xl2tpd/blob/master/ipsecXl2tpd.Notes

Please report any problems by adding a bug to Bugzilla. See Bugs below.

Installation

Warning: Please test thoroughly on a test server before deploying in production.

Note: Server MUST be in Server/Gateway mode for this to be enabled.

Note: If you had installed an earlier version, e.g. 0.2x or lower, then please uninstall first. The early dev versions used /etc/e-smith/templates-custom for their templates. Make sure there are no fragments lying about or you may get unexpected results.


The smeserver-libreswan-xl2tpd contrib is currently in the contribs repo.

Add the EPEL and Libreswan repos:

yum install smeserver-extrarepositories-libreswan smeserver-extrarepositories-epel
db yum_repositories setprop libreswan status enabled Priority 10
signal-event yum-modify
config set UnsavedChanges no


With the yum repo database updated, you can then run the installation of the package.

yum --enablerepo=smecontribs,epel,libreswan install smeserver-libreswan-xl2tpd

That should bring everything in, including ipsec, which is required.

signal-event post-upgrade;signal-event reboot

Configuration settings

You need at least one ordinary user on the system - for testing it can be admin. The user account needs VPN Client Access enabled in the Server Manager.

Keys

These are the basic database keys required to set up the server.

IPsec settings

  • IPRange Start/Finish

An IP range from your server. Note it MUST NOT conflict with IPs issued by your DHCP server.

db ipsec_connections setprop L2TPD-PSK IPRangeStart 192.168.1.176 IPRangeFinish 192.168.1.190

  • rightsubnet

This must be the subnet in CIDR format and match the IP range allocated above, e.g.:

db ipsec_connections setprop L2TPD-PSK rightsubnet 192.168.1.176/28

  • passwd

IPsec pre-shared key as per the ipsec db connection below. Every user will need this common password. Make it long and complicated!

db ipsec_connections setprop L2TPD-PSK passwd SomeLongComplicatedSecret
db ipsec_connections setprop L2TPD-PSK passwd `openssl rand -base64 64 | sed '/.*$/N;s/\n//'`

Ensure the connection is enabled:

db ipsec_connections setprop L2TPD-PSK status enabled

Ensure that the ipsec service is enabled:

config setprop ipsec status enabled

Xl2tpd settings

  • DNS

Optional - defaults to the SME server. Can add extra servers if required:

config setprop xl2tpd DNS 8.8.8.8,8.8.4.4

  • access

Defaults to private. Not necessary to set public.

  • status

config setprop xl2tpd status enabled

  • UDPPort

Defaults to 1701.

  • debug

Defaults to disabled.

Create Server Connection

Note: Remember that there can only be ONE IPSEC/L2TPD-PSK connection per public facing IP.


Note that some settings are preconfigured in the ipsec_connections database.

db ipsec_connections show L2TPD-PSK

We need to add some basic settings to the connection. Here we assume your local network is 192.168.101.x

db ipsec_connections setprop L2TPD-PSK \
     status enabled \
     IPRangeStart 192.168.101.176 \
     IPRangeFinish 192.168.101.190 \
     rightsubnet 192.168.101.176/28 \
     passwd somesecret


Note: You CAN change some values such as IPRangeStart and IPRangeFinish, but you need to keep the same subnet. So if you change 101 in IPRangeStart, you must change it in IPRangeFinish and rightsubnet too!


Make sure the Start and Finish addresses do NOT conflict with your server dhcp range. You can see your server dhcpd range with:

config show dhcpd
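The two requirements stated above (the Start/Finish range must lie inside rightsubnet, and must not overlap what dhcpd hands out) are easy to get wrong by a single octet. The following shell script is an added example, not part of the smeserver-libreswan-xl2tpd contrib: it checks a proposed range against a CIDR subnet and a DHCP range using only POSIX sh arithmetic. All addresses in it are constructed stand-ins for what `db ipsec_connections show L2TPD-PSK` and `config show dhcpd` would print on a real server.

```shell
#!/bin/sh
# Added example, not part of the smeserver-libreswan-xl2tpd contrib: sanity-check
# L2TPD-PSK address settings before writing them to the ipsec_connections database.
# Every address below is constructed; on a real server they would come from
# "db ipsec_connections show L2TPD-PSK" and "config show dhcpd".

# Convert a dotted-quad IPv4 address to an integer (192.168.101.176 -> 3232261552).
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_l2tpd_range IPRangeStart IPRangeFinish rightsubnet DHCP_start DHCP_end
# Prints "ok" and returns 0 when the range is usable; otherwise prints the
# first problem found and returns 1.
check_l2tpd_range() {
    start=$(ip_to_int "$1")
    finish=$(ip_to_int "$2")
    netaddr=$(ip_to_int "${3%/*}")
    bits=${3#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    dhcp_lo=$(ip_to_int "$4")
    dhcp_hi=$(ip_to_int "$5")

    if [ "$start" -gt "$finish" ]; then
        echo "IPRangeStart $1 is after IPRangeFinish $2"; return 1
    fi
    # Both ends must sit inside rightsubnet, as the Note box above requires.
    if [ $(( start & mask )) -ne $(( netaddr & mask )) ]; then
        echo "IPRangeStart $1 is outside rightsubnet $3"; return 1
    fi
    if [ $(( finish & mask )) -ne $(( netaddr & mask )) ]; then
        echo "IPRangeFinish $2 is outside rightsubnet $3"; return 1
    fi
    # The VPN pool must not overlap the addresses dhcpd hands out on the LAN.
    if [ "$start" -le "$dhcp_hi" ] && [ "$finish" -ge "$dhcp_lo" ]; then
        echo "range $1-$2 overlaps the dhcpd range $4-$5"; return 1
    fi
    echo ok
}

# Worked checks. The first uses the page's example network; the others reproduce
# three easy mistakes: a mistyped subnet octet, a Finish address past the end of
# the /28, and a pool that collides with the DHCP scope.
echo "good:         $(check_l2tpd_range 192.168.101.176 192.168.101.190 192.168.101.176/28 192.168.101.65 192.168.101.150)"
echo "wrong octet:  $(check_l2tpd_range 192.168.1.176 192.168.1.190 192.178.1.176/28 192.168.1.65 192.168.1.150)"
echo "past the /28: $(check_l2tpd_range 192.168.101.176 192.168.101.195 192.168.101.176/28 192.168.101.65 192.168.101.150)"
echo "dhcp overlap: $(check_l2tpd_range 192.168.101.176 192.168.101.190 192.168.101.176/28 192.168.101.65 192.168.101.250)"
```

Run it before the `db ipsec_connections setprop` step; if it prints anything other than `ok`, fix the values rather than letting the templates expand an inconsistent set.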


Note: Ipsec has access private as default; if you want to connect from the WAN, you need to change it to public.


config setprop ipsec access public

xl2tpd does not have to be set public as the xl2tpd connection is made inside the ipsec tunnel.

Now we can enable the required services which will automatically add the correct firewall ports.

config setprop xl2tpd status enabled
config setprop ipsec status enabled
signal-event ipsec-update

You can regenerate the server templates with:

signal-event remoteaccess-update

Note that this will not stop or restart ipsec. Use ipsec-update to do this:

signal-event ipsec-update

Create a connection from a device

Note: This is really designed for remote roaming clients with their own individual public IP. Ipsec/l2tpd can only cope with one public IP at a time, so you cannot connect two devices from the same LAN to the server. For that you need a Lan-Lan setup and can use pure ipsec or openvpn.

This is the basic setup for your remote device, e.g. laptop or tablet.

For Linux/Android it is pretty straightforward:

Connection type: L2TP/IPSec PSK
Server IP : Your server IP address
IPsec preshared key : as per passwd set above
Username : Any user on your server with VPN Access set to Enabled
Password : adminpassword (the password for the above user)

For Windows it is a little more complicated if you are going to use this behind a NAT.

This issue has links: https://github.com/StreisandEffect/streisand/issues/291

You will need a new registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
RegValue: AssumeUDPEncapsulationContextOnSendRule
Type: DWORD
Data Value: 2

Note that after creating this key you will need to reboot the machine. Then create a VPN connection, type L2TP/Ipsec with pre-shared key.

Stop the service

config setprop xl2tpd status disabled
config setprop ipsec status disabled
signal-event ipsec-update

Disable PPTP

Once the implementation is complete and functional, you will not need PPTP enabled. If your L2TPD setup is working then make sure that this is disabled or you may still leave ordinary pptp connections open.

You can go to your server manager and disable it forever and sing a thousand hallelujahs for secure communications ;-)

config setprop pptpd status disabled sessions 0
signal-event remoteaccess-update

Take this action only *after* you have confirmed that a proper L2TP connection is working.

Issues

Ipsec and l2tpd are a vast and complicated subject. I have tried to simplify it to the best of my abilities. Mainly because I can't do complicated.

Please go and have a good read of the online documentation for Libreswan.

I basically used an example like this Ipsec/L2tpd although this page never existed when I first started building this contrib.

The first thing to do if you get stuck is check all your settings and your logs.

Go back and check your network settings. Check your passwords. Get someone else to make sure they are OK.

Is the ipsec secret correct?

Have you enabled remote VPN access for a user and checked the password?

Ipsec - check here first:

/var/log/pluto/pluto.log

Look for L2TPD-PSK entries and in particular this one: "STATE_QUICK_R2: IPsec SA established transport mode"

That means that you have a basic ipsec connection.

L2tpd - check here:

/var/log/messages

Look for xl2tpd and pppd entries.

Do you get as far as this? "ip-up: xl2tpd ppp0 /dev/pts/2 150 192.168.97.1 192.168.97.180 xl2tpd"

If so you have a basic l2tpd connection.
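The two log checks just described (the STATE_QUICK_R2 line in pluto.log, then the ip-up line in /var/log/messages) separate "IPsec never came up" from "IPsec is up but PPP never finished", which points at the pre-shared key on one side and the user's VPN access or password on the other. The script below is an added example, not part of the contrib: it runs those checks over constructed log files and also pulls out the address pppd handed to the client, so it can be compared with IPRangeStart/IPRangeFinish. The log lines are invented to resemble pluto and xl2tpd output (the client address 203.0.113.7 is a documentation address); only the ip-up line is the one quoted on this page.

```shell
#!/bin/sh
# Added example, not part of the smeserver-libreswan-xl2tpd contrib: triage the
# two logs named above to see how far a client got. The files written here are
# constructed to resemble /var/log/pluto/pluto.log and /var/log/messages; on a
# real server pass the real paths to the functions instead.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed pluto.log: a client (documentation address 203.0.113.7) that
# completed phase 1 and phase 2 against the L2TPD-PSK connection.
cat > "$SAMPLE_DIR/pluto.log" <<'EOF'
Jan 10 12:00:01: "L2TPD-PSK"[1] 203.0.113.7 #1: responding to Main Mode from unknown peer 203.0.113.7:4500
Jan 10 12:00:01: "L2TPD-PSK"[1] 203.0.113.7 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
Jan 10 12:00:02: "L2TPD-PSK"[1] 203.0.113.7 #2: STATE_QUICK_R2: IPsec SA established transport mode
EOF

# Constructed messages: a run where the PPP link came up. The ip-up line is the
# one quoted on this page.
cat > "$SAMPLE_DIR/messages" <<'EOF'
Jan 10 12:00:03 sme xl2tpd[2210]: Connection established to 203.0.113.7, 1701.
Jan 10 12:00:03 sme xl2tpd[2210]: Call established with 203.0.113.7, PID: 2231
Jan 10 12:00:05 sme ip-up: xl2tpd ppp0 /dev/pts/2 150 192.168.97.1 192.168.97.180 xl2tpd
EOF

# Constructed messages: IPsec is up but the user's PPP authentication failed,
# so no ip-up line ever appears.
cat > "$SAMPLE_DIR/messages.stuck" <<'EOF'
Jan 10 12:10:03 sme xl2tpd[2210]: Connection established to 203.0.113.7, 1701.
Jan 10 12:10:06 sme pppd[2300]: CHAP peer authentication failed for remote host bob
Jan 10 12:10:06 sme pppd[2300]: Connection terminated.
EOF

# vpn_stage PLUTO_LOG MESSAGES
# Prints no-ipsec, ipsec-only or l2tp-up; returns 0 only for l2tp-up.
vpn_stage() {
    if ! grep -q 'L2TPD-PSK.*STATE_QUICK_R2: IPsec SA established transport mode' "$1"; then
        echo no-ipsec; return 1          # check the pre-shared key and ipsec access
    fi
    if ! grep -q 'ip-up: xl2tpd ppp' "$2"; then
        echo ipsec-only; return 1        # check the user's VPN access and password
    fi
    echo l2tp-up
}

# ppp_client_ip MESSAGES
# Prints the remote address from the last ip-up line (sixth field after "ip-up:"),
# i.e. the address the client received from the IPRangeStart/Finish pool.
ppp_client_ip() {
    awk '/ip-up: xl2tpd/ { for (i = 1; i <= NF; i++) if ($i == "ip-up:") ip = $(i + 6) } END { print ip }' "$1"
}

echo "full run:   $(vpn_stage "$SAMPLE_DIR/pluto.log" "$SAMPLE_DIR/messages")"
echo "stuck run:  $(vpn_stage "$SAMPLE_DIR/pluto.log" "$SAMPLE_DIR/messages.stuck")"
echo "client got: $(ppp_client_ip "$SAMPLE_DIR/messages")"
```

On a real server the calls would be `vpn_stage /var/log/pluto/pluto.log /var/log/messages`; an `ipsec-only` result with a CHAP failure next to it means the tunnel is fine and the problem is the user account, not the IPsec configuration.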

To debug have a look at the following:

db ipsec_connections show L2TPD-PSK
config show ipsec
config show xl2tpd
cat /etc/ipsec.d/ipsec.conf
cat /etc/ipsec.d/ipsec.secrets

Try restarting both ipsec and xl2tpd and watch your logs for errors:

service xl2tpd restart
service ipsec restart

If you are still stuck then ask on the forums, or if you have some template errors or other issues please raise a bug.

To Do List

A VPN Access Group may be worth looking at in the future

Add server manager panel (with an IPsec panel too)

Commit the code to the CVS. (done)

The code probably needs reviewing and cleaning up by a greater mind than mine :-)


Bugs

Please raise bugs under the SME-Contribs section in bugzilla and select the libreswan-xl2tpd component or use this link


Bugs (test entry)

Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-libreswan-xl2tpd component or use this link


ID     Product       Version  Status    Summary
11409  SME Contribs  10beta   RESOLVED  Initial Import in SME 10 [smeserver-libreswan-xl2tpd]



Below is an overview of the current issues for this contrib:

No open bugs found.

Changelog

Only released versions in smecontribs are listed here.