Difference between revisions of "Libreswan-xl2tpd"

From SME Server
Jump to navigationJump to search
m (→‎Keys: formatting only)
m (→‎Create connection: formatting)
Line 72: Line 72:
 
On the server:
 
On the server:
  
  db ipsec_connections setprop L2TPD-PSK status disabled IPRangeStart 192.168.x.180 IPRangeFinish 192.168.x.200  rightsubnet 192.168.x.0/24 passwd somesecret dpdaction clear dpddelay 10 dpdtimeout 90
+
  db ipsec_connections setprop L2TPD-PSK \
 +
      status disabled \
 +
      IPRangeStart 192.168.101.180 \
 +
      IPRangeFinish 192.168.101.200  \
 +
      rightsubnet 192.168.101.0/24 \
 +
      passwd somesecret \
 +
      dpdaction clear \
 +
      dpddelay 10 \
 +
    dpdtimeout 90
 +
 
 +
{{Note box| You CAN change some values as '''IPRangeStart''' and '''IPRangeFinish''' but you need to keep same subnet.<br>
 +
So if you change 101 on '''IPRangeStart''', you must change it on '''IPRangeFinist''' and '''rightsubnet''' too! }}
 +
 
  
 
  config setprop xl2tpd status enabled
 
  config setprop xl2tpd status enabled
Line 80: Line 92:
 
You should now be able to create a connection from a device.
 
You should now be able to create a connection from a device.
  
  Connection type: L2TP/IPSec PSK
+
  Connection type: '''L2TP/IPSec PSK'''
  Server IP : Your server IP
+
  Server IP : '''Your server IP address'''
  IPsec preshared key : as per passwd set above
+
  IPsec preshared key : as per '''passwd''' set above
  Username : admin (server user)
+
  Username : admin (or any user from your server )
  Password : adminpassword (server user password)
+
  Password : adminpassword (the password for the above  user)
  
 
You can regenerate the server templates with:
 
You can regenerate the server templates with:
Line 90: Line 102:
 
  signal-event remoteaccess-update
 
  signal-event remoteaccess-update
  
Note that this this will not stop or restart ipsec. Use ipsec-update to do this:
+
Note that this this will not stop or restart ipsec. Use '''ipsec-update''' to do this:
  
 
  signal-event ipsec-update
 
  signal-event ipsec-update
 
  
 
===Stop the service===
 
===Stop the service===

Revision as of 02:03, 30 June 2017

Warning.png Warning:
This does appear to work, but I offer no guarantees on anything. I suggest you only use for testing and on a VM only


Version

Currently v0.2

About

L2TPD/IPSEC can be used to replace the existing PPTP VPN system on Koozali SME Server It does not need any special software configure or run Virtually any mobile phone has L2TPD/Ipsec support

Some notes:

https://forums.contribs.org/index.php/topic,53021.0/all.html

https://bugs.contribs.org/show_bug.cgi?id=8890

https://github.com/reetp/smeserver-libreswan-xl2tpd/blob/master/ipsecXl2tpd.Notes


Installation for testing

Warning.png Warning:
Do not use on a production server.



Important.png Note:
Server MUST be in Server/Gateway mode for this to be enabled



Important.png Note:
You do NOT need PPTP enabled for this. You can go to your server manager and disable it forever and sing a thousand hallelujahs for secure communications ;-) 


config setprop pptpd status disabled sessions 0

You need my repo and the EPEL repo to test install.

https://wiki.contribs.org/User:ReetP https://wiki.contribs.org/Epel 

yum --enablerepo=reetp,epel install smeserver-libreswan-xl2tpd

That should bring everything in, including ipsec which is required 

signal-event post-upgrade;signal-event reboot


Configuration settings

You need at least one user on the system - for testing it can be admin.


Keys

  • IPRange Start/Finish

An IP range from your server.
Note it MUST NOT conflict with IPs issued by your DHCP server

  • rightsubnet

The subnet of the remote / dialin network

  • passwd

IPsec pre shared key as per db connection below.
Make it long and complicated !

  • DNS

defaults to the SME server. Can add extra servers if required

  • debug

defaults to disabled

Create connection

Important.png Note:
There can only be ONE L2TPD connection


On the server: 

db ipsec_connections setprop L2TPD-PSK \ 
     status disabled \
     IPRangeStart 192.168.101.180 \
     IPRangeFinish 192.168.101.200  \
     rightsubnet 192.168.101.0/24 \
     passwd somesecret \
     dpdaction clear \
     dpddelay 10 \
    dpdtimeout 90


Important.png Note:
You CAN change some values as IPRangeStart and IPRangeFinish but you need to keep same subnet.

So if you change 101 on IPRangeStart, you must change it on IPRangeFinist and rightsubnet too! 



config setprop xl2tpd status enabled
config setprop ipsec status enabled
signal-event ipsec-update

You should now be able to create a connection from a device. 

Connection type: L2TP/IPSec PSK
Server IP : Your server IP address
IPsec preshared key : as per passwd set above
Username : admin (or any user from your server )
Password : adminpassword (the password for the above  user)

You can regenerate the server templates with: 

signal-event remoteaccess-update

Note that this this will not stop or restart ipsec. Use ipsec-update to do this: 

signal-event ipsec-update

Stop the service

config setprop xl2tpd status disabled
config setprop ipsec status disabled
signal-event ipsec-update


Bugs

Currently the code is not in CVS.

You can add to the bug noted above or ask in the forums.

The contrib basically works. The complications arise when you want to combine it with standard host-host ipsec connections.

The code probably needs reviewing and cleaning up by a greater mind than mine :-)


ToDo

Create a 'VPN access' group or somesuch and add users to a group - I think this this could be accommodated in the contrib at a later date.

Add server manager panel (with an IPsec panel too)

Retrieved from "https://wiki.koozali.org/index.php?title=Libreswan-xl2tpd&oldid=33651"