Changes

From SME Server
3,517 bytes added, 11:58, 21 March 2019
Line 5: Line 5:  
==About==
 
==About==
   −
L2TPD/IPSEC is method of connecting to your Koozali SME server. It is a suitable replacement for the existing PPTP VPN system on Koozali SME Server.
+
L2TPD/IPSEC is secure method of connecting to your Koozali SME server. It is a suitable replacement for the existing PPTP VPN system on Koozali SME Server.
    
L2TPD/IPSEC does not need any special software configuration on your clients. It is supported on a very large number of modern mobile phones and laptops. Please note that not every phone or device will support L2TPD/IPSEC out of the box.
 
L2TPD/IPSEC does not need any special software configuration on your clients. It is supported on a very large number of modern mobile phones and laptops. Please note that not every phone or device will support L2TPD/IPSEC out of the box.
 +
 +
The device first calls the server via ipsec and makes and encrypted connection. But it has no networking information. xl2tpd then makes a ppp connection through that encrypted ipsec connection and get its network information at this point.
    
Once implemented you can disable PPTP, which will be good for you and your users.
 
Once implemented you can disable PPTP, which will be good for you and your users.
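Review bot: the first changed line drops an article: "L2TPD/IPSEC is secure method" should read "L2TPD/IPSEC is a secure method". The new paragraph on the connection sequence has two more slips, "makes and encrypted connection" should be "makes an encrypted connection" and "get its network information" should be "gets its network information". Since the page goes on to say that the IPsec side accepts connections from any address and is gated by the ipsec secret plus per-user VPN access in Server Manager, it would be better to say here that "secure" depends on a strong secret and on enabling VPN access only for the accounts that need it, rather than leaving the word unqualified.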
Line 13: Line 15:  
===Notes===
 
===Notes===
   −
The contrib basically works but there can be complications when you want to combine it with standard host-host ipsec connections. The issue that 'may' arise is if an IPSEC connection is matched prior to the L2TPD one. I do have them both running on my test box but need more feedback on this.  
+
The contrib basically works but there, can be complications when you want to combine it with standard host-host ipsec connections. The issue that 'may' arise is if an IPSEC connection is matched prior to the L2TPD one. I do have both types running on my test box but need more feedback on this.
 +
 
 +
This is because pure ipsec usually relies on having connections from specific IP address / and or IDs / Certificates. To accept mobile clients, which could come from pretty well any IP address, we need to tell our L2TPD Ipsec configuration to accept connections from anywhere.
 +
 
 +
The potential issue is if you try a pure Ipsec connection that does not have a correct configuration in the database/configuration, it may try to connect via the L2TPD connection. That will not break anything, but you may experience odd results from the client.
   −
You can enable or disable VPN access for users via the Server Manager.
+
Please note that you can enable or disable L2TPD VPN access for users via the Server Manager.  
   −
These links discuss the implementation and the creation of this page.
+
These links discuss the implementation and the creation of this page:
 
https://forums.contribs.org/index.php/topic,53021.0/all.html
 
https://forums.contribs.org/index.php/topic,53021.0/all.html
    
Some further reading can be found on this page:
 
Some further reading can be found on this page:
   
https://github.com/reetp/smeserver-libreswan-xl2tpd/blob/master/ipsecXl2tpd.Notes
 
https://github.com/reetp/smeserver-libreswan-xl2tpd/blob/master/ipsecXl2tpd.Notes
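Review bot: the edit introduces a stray comma in "there, can be complications"; the original wording "there can be complications" was correct. The added explanation is otherwise useful, because it states plainly that the L2TPD IPsec configuration must accept connections from any source address, which is precisely why a host-to-host peer with an incomplete configuration can end up matched against the L2TPD connection. Since the Issues section later points to `db ipsec_connections show L2TPD-PSK`, a pointer to that command in this Notes section would let a reader check which connection their peer matched. Also, "These links discuss" is followed by a single forum link, so "links" could be "link".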
   Line 32: Line 37:  
{{Note box|Server MUST be in Server/Gateway mode for this to be enabled}}
 
{{Note box|Server MUST be in Server/Gateway mode for this to be enabled}}
   −
The smeserver-libreswan-xl2tpd contrib is currently in the development repo at Contribs
+
{{Note box|If you had installed an earlier version e.g 0.2x or lower then please uninstall first. The early dev versions used /etc/e-smith/templates-custom for their templates. Make sure there are no fragments lying about or you may get unexpected results.}}
   −
You will need the EPEL repo as well:
+
The smeserver-libreswan-xl2tpd contrib is currently in the contribs repo.
 +
 
 +
Add the EPEL and Libreswan repos:
 +
 
 +
yum  install smeserver-extrarepositories-libreswan smeserver-extrarepositories-epel
 +
signal-event yum-modify
 +
config set UnsavedChanges no
   −
https://wiki.contribs.org/Epel
      
With the yum repo database updated, you can then run the installation of the package.
 
With the yum repo database updated, you can then run the installation of the package.
   −
  yum --enablerepo=smedev,epel install smeserver-libreswan-xl2tpd
+
  yum --enablerepo=smecontribs,epel,libreswan install smeserver-libreswan-xl2tpd
    
That should bring everything in, including ipsec which is required
 
That should bring everything in, including ipsec which is required
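Review bot: the three new repository commands (`yum  install smeserver-extrarepositories-libreswan smeserver-extrarepositories-epel`, `signal-event yum-modify`, `config set UnsavedChanges no`) have no leading space, whereas the install command later in the hunk ("  yum --enablerepo=smecontribs,epel,libreswan install ...") does, so in MediaWiki they will render as ordinary prose instead of preformatted commands; indent them to match. The first of them also has a doubled space after `yum`. The hunk removes the link to https://wiki.contribs.org/Epel while the procedure still depends on EPEL; keeping that link next to "Add the EPEL and Libreswan repos:" preserves the reference for readers who want to know what the repository is. The new note about uninstalling 0.2x or lower because those versions left templates under /etc/e-smith/templates-custom is a good addition, as stale fragments there would silently override the packaged templates.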
Line 98: Line 108:  
{{Note box|Ipsec has access private as default; if you want to connect from wan, you need to change it to public }}
 
{{Note box|Ipsec has access private as default; if you want to connect from wan, you need to change it to public }}
   −
config setprop ipsec status enabled
+
config setprop ipsec access public
 +
 
 +
xl2tpd does not have to be set public as the xl2tpd connection is made inside the ipsec tunnel.
    
Now we can enable the required services which will automatically add the correct firewall ports.
 
Now we can enable the required services which will automatically add the correct firewall ports.
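Review bot: the hunk replaces `config setprop ipsec status enabled` with `config setprop ipsec access public` instead of adding the second command, so the step that enables the ipsec service no longer appears here. If the sentence that follows ("Now we can enable the required services...") is backed by a `status enabled` step elsewhere on the page that is fine, but the diff does not show it, so please confirm it was not lost. The new sentence explaining that xl2tpd need not be public because it runs inside the IPsec tunnel is a worthwhile clarification: it keeps the L2TP service off the WAN and limits exposure to ipsec alone. Since `access public` is what exposes ipsec to the WAN, the Note box would be stronger if it also said that from this point the ipsec secret and the user password are the only controls on who can connect.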
Line 128: Line 140:     
==Disable PPTP==
 
==Disable PPTP==
Once the implementation is complete and functional, you will not need PPTP enabled. You can go to your server manager and disable it forever and sing a thousand hallelujahs for secure communications ;-)
+
Once the implementation is complete and functional, you will not need PPTP enabled. If your L2TPD setup is working then make sure that this is disabled or you may still leave ordinary pptp connections open.
 +
 
 +
You can go to your server manager and disable it forever and sing a thousand hallelujahs for secure communications ;-)
    
  config setprop pptpd status disabled sessions 0
 
  config setprop pptpd status disabled sessions 0
 +
 +
signal-event remoteaccess-update
    
Take this action only *after* you have confirmed proper L2TP connection is working.
 
Take this action only *after* you have confirmed proper L2TP connection is working.
 +
 +
== Issues ==
 +
Ipsec and l2tpd is a vast and complicated subject. I have tried to simplify it to the best of my abilities. Mainly because I can't do complicated.
 +
 +
Please go and have a good read of the online documentation for [https://libreswan.org/ Libreswan]
 +
 +
I basically used an example like this [https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_with_L2TP Ipsec/L2tpd] although this never page existed when I first started building this contrib.
 +
 +
The first thing to do if you get stuck is check all your settings and your logs.
 +
 +
Go back and check your network settings. Check you passwords. Get someone else to make sure they are OK.
 +
 +
Is the ipsec secret correct?
 +
 +
Have you enabled remote VPN access for a user and checked the password?
 +
 +
Ipsec - check here first:
 +
 +
/var/log/pluto/pluto.log
 +
 +
Look for L2TPD-PSK entries and in particular this "STATE_QUICK_R2: IPsec SA established transport mode"
 +
 +
That means that you have a basic ipsec connection
 +
 +
L2tpd - check here:
 +
 +
/var/log/messages
 +
 +
Look for xl2tpd and pppd entries
 +
 +
Do you get as far as this "ip-up: xl2tpd ppp0 /dev/pts/2 150 192.168.97.1 192.168.97.180 xl2tpd"
 +
 +
If so you have a basic l2tpd connection
 +
 +
To debug have a look at the following:
 +
 +
db ipsec_connections show L2TPD-PSK
 +
 +
config show ipsec
 +
 +
config show xl2tpd
 +
 +
cat /etc/ipsec.d/ipsec.conf
 +
 +
cat /etc/ipsec.d/ipsec.secrets
 +
 +
Try restarting both ipsec and xl2tpd and watch your logs for errors:
 +
 +
service xl2tpd restart
 +
 +
service ipsec restart
 +
 +
If you are still stuck then ask on the forums, or if you have some template errors or other issues please raise a bug.
    
==To Do List==
 
==To Do List==
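Review bot: `signal-event remoteaccess-update` is not indented like the `config setprop pptpd status disabled sessions 0` line above it, so it will not render as a command; indent it to match. In the same region, "make sure that this is disabled" now comes before the command while "Take this action only *after* you have confirmed proper L2TP connection is working" comes after it; putting the ordering warning first avoids a reader disabling PPTP before they have tested L2TP. In the new Issues section: "Ipsec and l2tpd is a vast and complicated subject" should be "are", "this never page existed" should be "this page never existed", and "Check you passwords" should be "Check your passwords". The debugging checklist ends with `cat /etc/ipsec.d/ipsec.secrets` and then tells readers to ask on the forums or raise a bug; since that file holds the pre-shared key, the section should say to redact the secret (and any user credentials from the pppd lines in /var/log/messages) before pasting command output or logs into a forum post or bug report. The log paths and the `db`, `config`, `cat` and `service` commands would also read more clearly as preformatted lines, consistent with the config commands elsewhere on the page.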
Line 145: Line 214:       −
=== Bugs ===
+
== Bugs ==
 
Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla]
 
Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla]
 
and select the {{lc:{{FULLPAGENAME}}}} component or use {{BugzillaFileBug|product=SME%20Contribs|component={{lc:{{FULLPAGENAME}}}}|title=this link}}
 
and select the {{lc:{{FULLPAGENAME}}}} component or use {{BugzillaFileBug|product=SME%20Contribs|component={{lc:{{FULLPAGENAME}}}}|title=this link}}
 +
 +
== Bugs (test entry) ==
 +
Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla]
 +
and select the smeserver-letsencrypt-xl2tpd component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-libreswan-xl2tpd|title=this link}}
 +
 +
{{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |component=smeserver-libreswan-xl2tpd |disablecache=1|noresultsmessage="No open bugs found."}}
 +
 +
 +
    
Below is an overview of the current issues for this contrib:{{#bugzilla:columns=id,product,version,status,summary|sort=id|order=desc|component={{lc:{{FULLPAGENAME}}}} |noresultsmessage=No open bugs found.}}  
 
Below is an overview of the current issues for this contrib:{{#bugzilla:columns=id,product,version,status,summary|sort=id|order=desc|component={{lc:{{FULLPAGENAME}}}} |noresultsmessage=No open bugs found.}}  
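Review bot: the new "Bugs (test entry)" section looks like leftover test content: it repeats the Bugs section immediately above it and the bugzilla listing immediately below it, and its prose names the component as "smeserver-letsencrypt-xl2tpd" while the template on the same line uses component=smeserver-libreswan-xl2tpd, so a reader following the text would file against the wrong component. Either drop the test section or fold a single, correctly named reference into the existing Bugs section. The change from "=== Bugs ===" to "== Bugs ==" matches the level of the Issues and To Do List headings, so that part is fine.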
Line 156: Line 234:  
{{#smechangelog: {{lc:{{FULLPAGENAME}}}} }}
 
{{#smechangelog: {{lc:{{FULLPAGENAME}}}} }}
   −
[[Category: Contrib]]
+
[[Category: Contrib]] [[Category:VPN]]