Difference between revisions of "Libreswan-xl2tpd"
Line 22: | Line 22: | ||
==Installation for testing== | ==Installation for testing== | ||
− | {{Warning box| | + | {{Warning box|Please test thoroughly on a test server before deploying in production .}} |
{{Note box|Server MUST be in Server/Gateway mode for this to be enabled}} | {{Note box|Server MUST be in Server/Gateway mode for this to be enabled}} | ||
Line 40: | Line 40: | ||
signal-event post-upgrade;signal-event reboot | signal-event post-upgrade;signal-event reboot | ||
− | |||
==Configuration settings== | ==Configuration settings== |
Revision as of 15:49, 20 September 2017
Version
Currently v0.2
About
L2TPD/IPSEC can be used to replace the existing PPTP VPN system on Koozali SME Server It does not need any special software configure or run Virtually any mobile phone has L2TPD/Ipsec support
Some notes:
https://forums.contribs.org/index.php/topic,53021.0/all.html
https://bugs.contribs.org/show_bug.cgi?id=8890
https://github.com/reetp/smeserver-libreswan-xl2tpd/blob/master/ipsecXl2tpd.Notes
Installation for testing
config setprop pptpd status disabled sessions 0
You need my repo and the EPEL repo to test install.
https://wiki.contribs.org/User:ReetP https://wiki.contribs.org/Epel
yum --enablerepo=reetp,epel install smeserver-libreswan-xl2tpd
That should bring everything in, including ipsec which is required
signal-event post-upgrade;signal-event reboot
Configuration settings
You need at least one user on the system - for testing it can be admin.
Keys
- IPRange Start/Finish
An IP range from your server.
Note it MUST NOT conflict with IPs issued by your DHCP server
- rightsubnet
The subnet of the remote / dialin network
- passwd
IPsec pre shared key as per db connection below.
Make it long and complicated !
- DNS
defaults to the SME server. Can add extra servers if required
- debug
defaults to disabled
Create connection
On the server:
db ipsec_connections set L2TPD-PSK xl2tpd \ status disabled \ IPRangeStart 192.168.101.180 \ IPRangeFinish 192.168.101.200 \ rightsubnet 192.168.101.0/24 \ passwd somesecret \ dpdaction clear \ dpddelay 10 \ dpdtimeout 90
config setprop xl2tpd status enabled config setprop ipsec status enabled signal-event ipsec-update
You should now be able to create a connection from a device.
Connection type: L2TP/IPSec PSK Server IP : Your server IP address IPsec preshared key : as per passwd set above Username : admin (or any user from your server ) Password : adminpassword (the password for the above user)
You can regenerate the server templates with:
signal-event remoteaccess-update
Note that this this will not stop or restart ipsec. Use ipsec-update to do this:
signal-event ipsec-update
Stop the service
config setprop xl2tpd status disabled config setprop ipsec status disabled signal-event ipsec-update
Bugs
Currently the code is not in CVS.
You can add to the bug noted above or ask in the forums.
The contrib basically works. The complications arise when you want to combine it with standard host-host ipsec connections.
The code probably needs reviewing and cleaning up by a greater mind than mine :-)
ToDo
Create a 'VPN access' group or somesuch and add users to a group - I think this this could be accommodated in the contrib at a later date.
Add server manager panel (with an IPsec panel too)