Line 1: |
Line 1: |
| {{Languages}} | | {{Languages}} |
| ==Version== | | ==Version== |
− | {{#smeversion: {{lc:{{FULLPAGENAME}}}} }} | + | {{#smeversion: smeserver-{{lc:{{FULLPAGENAME}}}} }} |
| | | |
| ==About== | | ==About== |
Line 7: |
Line 7: |
| L2TPD/IPSEC is secure method of connecting to your Koozali SME server. It is a suitable replacement for the existing PPTP VPN system on Koozali SME Server. | | L2TPD/IPSEC is secure method of connecting to your Koozali SME server. It is a suitable replacement for the existing PPTP VPN system on Koozali SME Server. |
| | | |
− | L2TPD/IPSEC does not need any special software configuration on your clients. It is supported on a very large number of modern mobile phones and laptops. Please note that not every phone or device will support L2TPD/IPSEC out of the box.
| + | PPTP is totally insecure and should not be used. |
| | | |
− | The device first calls the server via ipsec and makes and encrypted connection. But it has no networking information. xl2tpd then makes a ppp connection through that encrypted ipsec connection and get its network information at this point. | + | L2TPD/IPSEC is like PPTP and really designed for roaming clients, each with their own IP. It is NOT suitable for Lan-Lan setups. Use pure IPSEC or OpenVPN instead. |
| + | |
| + | If you are using with NAT behind a firewall, you can ONLY use one client per NAT'd Lan (because the Lan will likely only have one Public facing IP address. |
| + | |
| + | L2TPD/IPSEC does not need any special software configuration on your clients. It is supported on a very large number of modern mobile phones and laptops although not every phone or device will support L2TPD/IPSEC out of the box. Please check your device for specifics. |
| + | |
| + | The device first calls the server via IPSEC and makes a transport encrypted connection. But it has no networking information. xl2tpd then makes a PPP connection through that encrypted IPSEC connection and get its network information at this point. |
| | | |
| Once implemented you can disable PPTP, which will be good for you and your users. | | Once implemented you can disable PPTP, which will be good for you and your users. |
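Review bot: the new NAT sentence ("If you are using with NAT behind a firewall...") is missing its closing parenthesis and does not say which side is NAT'd; suggest "If your clients sit behind a NAT firewall, only ONE client per NAT'd LAN can connect at a time (the LAN will normally present a single public IP address)." In the transport-mode paragraph "and get its network information" should read "and gets its network information", and the unchanged first line "L2TPD/IPSEC is secure method" needs "a secure method".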
Line 39: |
Line 45: |
| {{Note box|If you had installed an earlier version e.g 0.2x or lower then please uninstall first. The early dev versions used /etc/e-smith/templates-custom for their templates. Make sure there are no fragments lying about or you may get unexpected results.}} | | {{Note box|If you had installed an earlier version e.g 0.2x or lower then please uninstall first. The early dev versions used /etc/e-smith/templates-custom for their templates. Make sure there are no fragments lying about or you may get unexpected results.}} |
| | | |
− | The smeserver-libreswan-xl2tpd contrib is currently in the development repo at Contribs | + | The smeserver-libreswan-xl2tpd contrib is currently in the contribs repo. |
| + | |
| + | Add the EPEL and Libreswan repos: |
| | | |
− | You will need the EPEL repo as well:
| + | yum install smeserver-extrarepositories-libreswan smeserver-extrarepositories-epel |
| + | db yum_repositories setprop libreswan status enabled Priority 10 |
| + | signal-event yum-modify |
| + | config set UnsavedChanges no |
| | | |
− | https://wiki.contribs.org/Epel
| |
| | | |
| With the yum repo database updated, you can then run the installation of the package. | | With the yum repo database updated, you can then run the installation of the package. |
| | | |
− | yum --enablerepo=smedev,epel install smeserver-libreswan-xl2tpd | + | yum --enablerepo=smecontribs,epel,libreswan install smeserver-libreswan-xl2tpd |
| | | |
| That should bring everything in, including ipsec which is required | | That should bring everything in, including ipsec which is required |
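Review bot: the repository steps enable the libreswan repo permanently (db yum_repositories setprop libreswan status enabled Priority 10) and then also pass it on the command line with --enablerepo=smecontribs,epel,libreswan; one of the two is redundant. Because Priority 10 is the same priority as the base repos, a permanently enabled libreswan repo will have its packages considered on every later yum update, so either drop the db setprop and rely on --enablerepo for the one-off install, or state that the permanent enable is intended. The epel repo is installed by smeserver-extrarepositories-epel but never enabled in the db, so it only works through --enablerepo; say so explicitly.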
Line 55: |
Line 65: |
| ==Configuration settings== | | ==Configuration settings== |
| | | |
− | You need at least one user on the system - for testing it can be admin. The user account needs VPN Client Access enabled in the Server Manager | + | You need at least one ordinary user on the system - for testing it can be admin. The user account needs VPN Client Access enabled in the Server Manager |
| | | |
| ===Keys=== | | ===Keys=== |
| | | |
− | * IPRange Start/Finish<br> | + | These are the basic database keys required to setup the server |
| + | |
| + | ======IPsec settings====== |
| + | |
| + | * IPRange Start/Finish |
| An IP range from your server. | | An IP range from your server. |
| Note it '''MUST NOT''' conflict with IPs issued by your DHCP server | | Note it '''MUST NOT''' conflict with IPs issued by your DHCP server |
| + | |
| + | db ipsec_connections setprop L2TPD-PSK IPRangeStart 192.168.1.176 IPRangeFinish 192.168.1.190 |
| | | |
| * rightsubnet | | * rightsubnet |
− | The subnet of the remote / dialin network
| + | This must be the subnet in CIDR format and match the IP range allocated above eg: |
| + | |
| + | db ipsec_connections setprop L2TPD-PSK rightsubnet 192.178.1.176/28 |
| | | |
| * passwd | | * passwd |
| + | |
| IPsec pre shared key as per ipsec db connection below. Every user will need this common password.<br> | | IPsec pre shared key as per ipsec db connection below. Every user will need this common password.<br> |
| '''Make it long and complicated !''' | | '''Make it long and complicated !''' |
| + | |
| db ipsec_connections setprop L2TPD-PSK password SomeLongComplicatedSecret | | db ipsec_connections setprop L2TPD-PSK password SomeLongComplicatedSecret |
| + | db ipsec_connections setprop L2TPD-PSK password `openssl rand -base64 64|sed '/.*$/N;s/\n//'` |
| + | |
| + | Ensure the connection is enabled: |
| + | |
| + | db ipsec_connections setprop L2TPD-PSK status enabled |
| + | |
| + | Ensure that the ipsec service is enabled: |
| + | |
| + | config setprop ipsec status enabled |
| + | |
| + | ======Xl2tps settings====== |
| + | |
| * DNS | | * DNS |
− | Defaults to the SME server. Can add extra servers if required
| + | Optional - defaults to the SME server. Can add extra servers if required |
| config setprop xl2tpd DNS 8.8.8.8,8.8.4.4 | | config setprop xl2tpd DNS 8.8.8.8,8.8.4.4 |
| + | |
| * access | | * access |
− | Defaults to private | + | Defaults to private. Not necessary to set public. |
| + | |
| + | * status |
| + | config setprop xl2tpd status enabled |
| + | |
| + | *UDPPort |
| + | Defaults to 1701 |
| | | |
− | * debug<Br> | + | * debug |
| Defaults to disabled | | Defaults to disabled |
| | | |
− | ===Create Server Connection===
| + | ==Create Server Connection== |
| | | |
− | {{Note box|There can only be ONE Ipsec L2TPD-PSK connection}} | + | {{Note box|Remember that there can only be ONE IPSEC/L2TPD-PSK connection per public facing IP}} |
| | | |
| Note that some settings are preconfigured in the ipsec_connections database. | | Note that some settings are preconfigured in the ipsec_connections database. |
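Review bot: the rightsubnet example "192.178.1.176/28" does not match the IPRange example "192.168.1.176 ... 192.168.1.190"; the 178 is a typo and must be 192.168.1.176/28 or the route pushed to clients will not cover the pool. The key is introduced as "* passwd" but both db commands set "password", and the full example later on this page uses "passwd somesecret"; pick the property name the template actually reads and use it everywhere. The generated-secret line could simply be openssl rand -base64 64 | tr -d '\n', which is clearer than the sed join and does not depend on the output being exactly two lines. The headings "======IPsec settings======" and "======Xl2tps settings======" jump from level 3 (===Keys===) straight to level 6 and misspell xl2tpd; use ====IPsec settings==== and ====xl2tpd settings====. "*UDPPort" needs a space after the asterisk to render as a list item. Finally, the note box rewording changes its meaning: the original said only ONE L2TPD-PSK connection record may exist in ipsec_connections, while "per public facing IP" reads as a client-count limit that the About section already covers; keep the two statements separate.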
Line 91: |
Line 130: |
| db ipsec_connections setprop L2TPD-PSK \ | | db ipsec_connections setprop L2TPD-PSK \ |
| status enabled \ | | status enabled \ |
− | IPRangeStart 192.168.101.180 \ | + | IPRangeStart 192.168.101.176 \ |
− | IPRangeFinish 192.168.101.200 \ | + | IPRangeFinish 192.168.101.90 \ |
− | rightsubnet 192.168.101.0/24 \ | + | rightsubnet 192.168.101.176/28 \ |
| passwd somesecret | | passwd somesecret |
| | | |
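Review bot: IPRangeFinish 192.168.101.90 in this example is below IPRangeStart 192.168.101.176 and outside rightsubnet 192.168.101.176/28 (which covers .176 to .191); it should be 192.168.101.190. The example also sets "passwd somesecret" while the Keys section above sets "password"; use one property name in both places.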
Line 123: |
Line 162: |
| | | |
| ==Create a connection from a device== | | ==Create a connection from a device== |
| + | |
| + | Note. This is really designed for remote roaming clients with their own individual public IP. |
| + | Ipsec/l2tpd can only cope with one public IP at a time. So you cannot connect two devices from the same LAN to the server. |
| + | For that you need a Lan-Lan setup and can use pure ipsec or openvpn. |
| + | |
| This is the basic setup for your remote device, e.g. laptop or tablet. | | This is the basic setup for your remote device, e.g. laptop or tablet. |
| + | |
| + | For Linux/Android it is pretty straight forward: |
| | | |
| Connection type: '''L2TP/IPSec PSK''' | | Connection type: '''L2TP/IPSec PSK''' |
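Review bot: "Ipsec/l2tpd can only cope with one public IP at a time" is misleading as written, since the roaming setup described in the previous sentence is exactly many clients each on their own public IP; the limitation is one client per source public IP. Suggest: "Only one client per public IP can be connected at a time, so two devices on the same NAT'd LAN cannot both connect to the server; for that you need a LAN-to-LAN setup with pure IPsec or OpenVPN." Also "pretty straight forward" should be "pretty straightforward".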
Line 130: |
Line 176: |
| Username : Any user on your server with VPN Access set to Enabled | | Username : Any user on your server with VPN Access set to Enabled |
| Password : adminpassword (the password for the above user) | | Password : adminpassword (the password for the above user) |
| + | |
| + | For Windows it is a little more complicated if you are going to use this behind a NAT. |
| + | |
| + | This has links: |
| + | https://github.com/StreisandEffect/streisand/issues/291 |
| + | |
| + | You will need a new registry key: |
| + | |
| + | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent |
| + | RegValue: AssumeUDPEncapsulationContextOnSendRule |
| + | Type: DWORD |
| + | Data Value: 2 |
| + | |
| + | Note that after creating this key you will need to reboot the machine. Then create a VPN connection, type L2TP/Ipsec with pre-shared key. |
| | | |
| ==Stop the service== | | ==Stop the service== |
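Review bot: "This has links: https://github.com/StreisandEffect/streisand/issues/291" is a dangling fragment; write "Background: https://github.com/StreisandEffect/streisand/issues/291". The registry value AssumeUDPEncapsulationContextOnSendRule is the documented Windows setting for L2TP/IPsec NAT traversal, where 1 allows connections to a server behind NAT and 2 allows both client and server to be behind NAT, so the text should say which endpoint it assumes is NAT'd: a Windows client behind NAT reaching a server on a public IP normally needs no registry change, while the key is required when the SME server itself sits behind a NAT router. "type L2TP/Ipsec with pre-shared key" should be "L2TP/IPsec".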
Line 142: |
Line 202: |
| | | |
| config setprop pptpd status disabled sessions 0 | | config setprop pptpd status disabled sessions 0 |
| + | |
| + | signal-event remoteaccess-update |
| | | |
| Take this action only *after* you have confirmed proper L2TP connection is working. | | Take this action only *after* you have confirmed proper L2TP connection is working. |
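Review bot: the "Take this action only *after* you have confirmed proper L2TP connection is working" warning comes after the commands it guards; move it above "config setprop pptpd status disabled sessions 0" so readers see it before disabling PPTP, and note that the added signal-event remoteaccess-update is what actually applies the pptpd db change.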