3,250
edits
Changes
Jump to navigation
Jump to search
Line 1:
Line 1: − + Line 7:
Line 7: − L2TPD/IPSEC does not need any special software configuration on your clients. It is supported on a very large number of modern mobile phones and laptops. Please note that not every phone or device will support L2TPD/IPSEC out of the box.+ − + + + + + + + Line 17:
Line 23: − + Line 39:
Line 45: − + − You will need the EPEL repo as well:+ + + + + + − https://wiki.contribs.org/Epel − + Line 55:
Line 65: − + − + + + + + + + − The subnet of the remote / dialin network+ + + + + + + + + + + + + + + + + − Defaults to the SME server. Can add extra servers if required+ + − + − + + + + + + + − ===Create Server Connection===+ − + Line 91:
Line 130: − + − + − + Line 123:
Line 162: + + + + + + + Line 130:
Line 176: + + + + + + + + + + + + + + Line 142:
Line 202: + + Line 209:
Line 271: − === Bugs ===+ + + + + + + + + + Line 220:
Line 291: − +
→IPsec settings
{{Languages}}
{{Languages}}
==Version==
==Version==
{{#smeversion: {{lc:{{FULLPAGENAME}}}} }}
{{#smeversion: smeserver-{{lc:{{FULLPAGENAME}}}} }}
==About==
==About==
L2TPD/IPSEC is secure method of connecting to your Koozali SME server. It is a suitable replacement for the existing PPTP VPN system on Koozali SME Server.
L2TPD/IPSEC is secure method of connecting to your Koozali SME server. It is a suitable replacement for the existing PPTP VPN system on Koozali SME Server.
PPTP is totally insecure and should not be used.
The device first calls the server via ipsec and makes and encrypted connection. But it has no networking information. xl2tpd then makes a ppp connection through that encrypted ipsec connection and get its network information at this point.
L2TPD/IPSEC is like PPTP and really designed for roaming clients, each with their own IP. It is NOT suitable for Lan-Lan setups. Use pure IPSEC or OpenVPN instead.
If you are using with NAT behind a firewall, you can ONLY use one client per NAT'd Lan (because the Lan will likely only have one Public facing IP address.
L2TPD/IPSEC does not need any special software configuration on your clients. It is supported on a very large number of modern mobile phones and laptops although not every phone or device will support L2TPD/IPSEC out of the box. Please check your device for specifics.
The device first calls the server via IPSEC and makes a transport encrypted connection. But it has no networking information. xl2tpd then makes a PPP connection through that encrypted IPSEC connection and get its network information at this point.
Once implemented you can disable PPTP, which will be good for you and your users.
Once implemented you can disable PPTP, which will be good for you and your users.
The contrib basically works but there, can be complications when you want to combine it with standard host-host ipsec connections. The issue that 'may' arise is if an IPSEC connection is matched prior to the L2TPD one. I do have both types running on my test box but need more feedback on this.
The contrib basically works but there, can be complications when you want to combine it with standard host-host ipsec connections. The issue that 'may' arise is if an IPSEC connection is matched prior to the L2TPD one. I do have both types running on my test box but need more feedback on this.
This is because pure ipsec usually relies on having connections from specific IP address / and or IDs / Certificates. To accept mobile clients, which could come from pretty well any IP address, we need to tell out L2TPD Ipsec configuration to accept connections from anywhere.
This is because pure ipsec usually relies on having connections from specific IP address / and or IDs / Certificates. To accept mobile clients, which could come from pretty well any IP address, we need to tell our L2TPD Ipsec configuration to accept connections from anywhere.
The potential issue is if you try a pure Ipsec connection that does not have a correct configuration in the database/configuration, it may try to connect via the L2TPD connection. That will not break anything, but you may experience odd results from the client.
The potential issue is if you try a pure Ipsec connection that does not have a correct configuration in the database/configuration, it may try to connect via the L2TPD connection. That will not break anything, but you may experience odd results from the client.
{{Note box|If you had installed an earlier version e.g 0.2x or lower then please uninstall first. The early dev versions used /etc/e-smith/templates-custom for their templates. Make sure there are no fragments lying about or you may get unexpected results.}}
{{Note box|If you had installed an earlier version e.g 0.2x or lower then please uninstall first. The early dev versions used /etc/e-smith/templates-custom for their templates. Make sure there are no fragments lying about or you may get unexpected results.}}
The smeserver-libreswan-xl2tpd contrib is currently in the development repo at Contribs
The smeserver-libreswan-xl2tpd contrib is currently in the contribs repo.
Add the EPEL and Libreswan repos:
yum install smeserver-extrarepositories-libreswan smeserver-extrarepositories-epel
db yum_repositories setprop libreswan status enabled Priority 10
signal-event yum-modify
config set UnsavedChanges no
With the yum repo database updated, you can then run the installation of the package.
With the yum repo database updated, you can then run the installation of the package.
yum --enablerepo=smedev,epel install smeserver-libreswan-xl2tpd
yum --enablerepo=smecontribs,epel,libreswan install smeserver-libreswan-xl2tpd
That should bring everything in, including ipsec which is required
That should bring everything in, including ipsec which is required
==Configuration settings==
==Configuration settings==
You need at least one user on the system - for testing it can be admin. The user account needs VPN Client Access enabled in the Server Manager
You need at least one ordinary user on the system - for testing it can be admin. The user account needs VPN Client Access enabled in the Server Manager
===Keys===
===Keys===
* IPRange Start/Finish<br>
These are the basic database keys required to setup the server
======IPsec settings======
* IPRange Start/Finish
An IP range from your server.
An IP range from your server.
Note it '''MUST NOT''' conflict with IPs issued by your DHCP server
Note it '''MUST NOT''' conflict with IPs issued by your DHCP server
db ipsec_connections setprop L2TPD-PSK IPRangeStart 192.168.1.176 IPRangeFinish 192.168.1.190
* rightsubnet
* rightsubnet
This must be the subnet in CIDR format and match the IP range allocated above eg:
db ipsec_connections setprop L2TPD-PSK rightsubnet 192.178.1.176/28
* passwd
* passwd
IPsec pre shared key as per ipsec db connection below. Every user will need this common password.<br>
IPsec pre shared key as per ipsec db connection below. Every user will need this common password.<br>
'''Make it long and complicated !'''
'''Make it long and complicated !'''
db ipsec_connections setprop L2TPD-PSK password SomeLongComplicatedSecret
db ipsec_connections setprop L2TPD-PSK password SomeLongComplicatedSecret
db ipsec_connections setprop L2TPD-PSK password `openssl rand -base64 64|sed '/.*$/N;s/\n//'`
Ensure the connection is enabled:
db ipsec_connections setprop L2TPD-PSK status enabled
Ensure that the ipsec service is enabled:
config setprop ipsec status enabled
======Xl2tps settings======
* DNS
* DNS
Optional - defaults to the SME server. Can add extra servers if required
config setprop xl2tpd DNS 8.8.8.8,8.8.4.4
config setprop xl2tpd DNS 8.8.8.8,8.8.4.4
* access
* access
Defaults to private
Defaults to private. Not necessary to set public.
* debug<Br>
* status
config setprop xl2tpd status enabled
*UDPPort
Defaults to 1701
* debug
Defaults to disabled
Defaults to disabled
==Create Server Connection==
{{Note box|There can only be ONE Ipsec L2TPD-PSK connection}}
{{Note box|Remember that there can only be ONE IPSEC/L2TPD-PSK connection per public facing IP}}
Note that some settings are preconfigured in the ipsec_connections database.
Note that some settings are preconfigured in the ipsec_connections database.
db ipsec_connections setprop L2TPD-PSK \
db ipsec_connections setprop L2TPD-PSK \
status enabled \
status enabled \
IPRangeStart 192.168.101.180 \
IPRangeStart 192.168.101.176 \
IPRangeFinish 192.168.101.200 \
IPRangeFinish 192.168.101.90 \
rightsubnet 192.168.101.0/24 \
rightsubnet 192.168.101.176/28 \
passwd somesecret
passwd somesecret
==Create a connection from a device==
==Create a connection from a device==
Note. This is really designed for remote roaming clients with their own individual public IP.
Ipsec/l2tpd can only cope with one public IP at a time. So you cannot connect two devices from the same LAN to the server.
For that you need a Lan-Lan setup and can use pure ipsec or openvpn.
This is the basic setup for your remote device, e.g. laptop or tablet.
This is the basic setup for your remote device, e.g. laptop or tablet.
For Linux/Android it is pretty straight forward:
Connection type: '''L2TP/IPSec PSK'''
Connection type: '''L2TP/IPSec PSK'''
Username : Any user on your server with VPN Access set to Enabled
Username : Any user on your server with VPN Access set to Enabled
Password : adminpassword (the password for the above user)
Password : adminpassword (the password for the above user)
For Windows it is a little more complicated if you are going to use this behind a NAT.
This has links:
https://github.com/StreisandEffect/streisand/issues/291
You will need a new registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
RegValue: AssumeUDPEncapsulationContextOnSendRule
Type: DWORD
Data Value: 2
Note that after creating this key you will need to reboot the machine. Then create a VPN connection, type L2TP/Ipsec with pre-shared key.
==Stop the service==
==Stop the service==
config setprop pptpd status disabled sessions 0
config setprop pptpd status disabled sessions 0
signal-event remoteaccess-update
Take this action only *after* you have confirmed proper L2TP connection is working.
Take this action only *after* you have confirmed proper L2TP connection is working.
== Bugs ==
Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla]
Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla]
and select the {{lc:{{FULLPAGENAME}}}} component or use {{BugzillaFileBug|product=SME%20Contribs|component={{lc:{{FULLPAGENAME}}}}|title=this link}}
and select the {{lc:{{FULLPAGENAME}}}} component or use {{BugzillaFileBug|product=SME%20Contribs|component={{lc:{{FULLPAGENAME}}}}|title=this link}}
== Bugs (test entry) ==
Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla]
and select the smeserver-letsencrypt-xl2tpd component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-libreswan-xl2tpd|title=this link}}
{{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |component=smeserver-libreswan-xl2tpd |disablecache=1|noresultsmessage="No open bugs found."}}
Below is an overview of the current issues for this contrib:{{#bugzilla:columns=id,product,version,status,summary|sort=id|order=desc|component={{lc:{{FULLPAGENAME}}}} |noresultsmessage=No open bugs found.}}
Below is an overview of the current issues for this contrib:{{#bugzilla:columns=id,product,version,status,summary|sort=id|order=desc|component={{lc:{{FULLPAGENAME}}}} |noresultsmessage=No open bugs found.}}
{{#smechangelog: {{lc:{{FULLPAGENAME}}}} }}
{{#smechangelog: {{lc:{{FULLPAGENAME}}}} }}
[[Category: Contrib]]
[[Category: Contrib]] [[Category:VPN]]