Libreswan-xl2tpd
Version
Currently v0.2
About
L2TPD/IPSEC is method of connecting to your Koozali SME server. It is a suitable replacement for the existing PPTP VPN system on Koozali SME Server.
L2TPD/IPSEC does not need any special software configuration on your clients. It is supported on a very large number of modern mobile phones and laptops. Please note that not every phone or device will support L2TPD/IPSEC out of the box.
Once implemented you can disable PPTP, which will be good for you and your users.
Notes
The contrib basically works but there can be complications when you want to combine it with standard host-host ipsec connections. The issue that 'may' arise is if an IPSEC connection is matched prior to the L2TPD one. I do have them both running on my test box but need more feedback on this.
These links discuss the implementation and the creation of this page. https://forums.contribs.org/index.php/topic,53021.0/all.html
https://github.com/reetp/smeserver-libreswan-xl2tpd/blob/master/ipsecXl2tpd.Notes
Please report any problems by adding a note to this issue in Bugzilla:
Installation for testing
You need my repo and the EPEL repo to test install.
https://wiki.contribs.org/User:ReetP https://wiki.contribs.org/Epel
yum --enablerepo=reetp,epel install smeserver-libreswan-xl2tpd
That should bring everything in, including ipsec which is required
signal-event post-upgrade;signal-event reboot
Configuration settings
You need at least one user on the system - for testing it can be admin. The user account needs VPN Client Access enabled in the Server Manager
Keys
- IPRange Start/Finish
An IP range from your server.
Note it MUST NOT conflict with IPs issued by your DHCP server
- rightsubnet
The subnet of the remote / dialin network
- passwd
IPsec pre shared key as per db connection below.
Make it long and complicated !
- DNS
defaults to the SME server. Can add extra servers if required
- debug
defaults to disabled
Create connection
Create a connection on the server:
Here we assume your local network is 192.168.101.x
db ipsec_connections set L2TPD-PSK xl2tpd \ status disabled \ IPRangeStart 192.168.101.180 \ IPRangeFinish 192.168.101.200 \ rightsubnet 192.168.101.0/24 \ passwd somesecret \ dpdaction clear \ dpddelay 10 \ dpdtimeout 90
Make sure the Start and Finish addresses do NOT conflict with your server dhcp range. You can see your server dhcpd range with:
config show dhcpd
Now we can enable the required services which will automatically add the correct firewall ports.
config setprop xl2tpd status enabled config setprop ipsec status enabled signal-event ipsec-update
Create a connection from a device:
Connection type: L2TP/IPSec PSK Server IP : Your server IP address IPsec preshared key : as per passwd set above Username : Any user on your server with VPN Access set to Enabled Password : adminpassword (the password for the above user)
You can regenerate the server templates with:
signal-event remoteaccess-update
Note that this this will not stop or restart ipsec. Use ipsec-update to do this:
signal-event ipsec-update
Stop the service
config setprop xl2tpd status disabled config setprop ipsec status disabled signal-event ipsec-update
Disable PPTP
Once the implementation is complete and functional, you do NOT need PPTP enabled. You can go to your server manager and disable it forever and sing a thousand hallelujahs for secure communications ;-)
config setprop pptpd status disabled sessions 0
Bugs
Currently the code is not in CVS.
You can add to the bug noted above or ask in the forums.
The contrib basically works but there can be complications when you want to combine it with standard host-host ipsec connections. The issue that 'may' arise is if an IPSEC connection is matched prior to the L2TPD one.
I do have them both running on my test box but need more feedback on this.
The code probably needs reviewing and cleaning up by a greater mind than mine :-)
ToDo
As of 0.2-4 you can enable or disable VPN access for users via the Server Manager. A VPN Access Group may be worth looking at in the future
Add server manager panel (with an IPsec panel too)