Changes

From SME Server
Jump to navigationJump to search

Libreswan-xl2tpd (view source)

Revision as of 05:05, 15 July 2022

2,057 bytes added ,  05:05, 15 July 2022
→‎IPsec settings
Line 1: Line 1:  
{{Languages}}
 
{{Languages}}
 
==Version==
 
==Version==
{{#smeversion: {{lc:{{FULLPAGENAME}}}} }}
+
{{#smeversion: smeserver-{{lc:{{FULLPAGENAME}}}} }}
    
==About==
 
==About==
Line 7: Line 7:  
L2TPD/IPSEC is secure method of connecting to your Koozali SME server. It is a suitable replacement for the existing PPTP VPN system on Koozali SME Server.
 
L2TPD/IPSEC is secure method of connecting to your Koozali SME server. It is a suitable replacement for the existing PPTP VPN system on Koozali SME Server.
   −
L2TPD/IPSEC does not need any special software configuration on your clients. It is supported on a very large number of modern mobile phones and laptops. Please note that not every phone or device will support L2TPD/IPSEC out of the box.
+
PPTP is totally insecure and should not be used.
   −
The device first calls the server via ipsec and makes and encrypted connection. But it has no networking information. xl2tpd then makes a ppp connection through that encrypted ipsec connection and get its network information at this point.
+
L2TPD/IPSEC is like PPTP and really designed for roaming clients, each with their own IP. It is NOT suitable for Lan-Lan setups. Use pure IPSEC or OpenVPN instead.
 +
 
 +
If you are using with NAT behind a firewall, you can ONLY use one client per NAT'd Lan (because the Lan will likely only have one Public facing IP address.
 +
 
 +
L2TPD/IPSEC does not need any special software configuration on your clients. It is supported on a very large number of modern mobile phones and laptops although not every phone or device will support L2TPD/IPSEC out of the box. Please check your device for specifics.
 +
 
 +
The device first calls the server via IPSEC and makes a transport encrypted connection. But it has no networking information. xl2tpd then makes a PPP connection through that encrypted IPSEC connection and get its network information at this point.
    
Once implemented you can disable PPTP, which will be good for you and your users.
 
Once implemented you can disable PPTP, which will be good for you and your users.
Line 44: Line 50:     
  yum  install smeserver-extrarepositories-libreswan smeserver-extrarepositories-epel
 
  yum  install smeserver-extrarepositories-libreswan smeserver-extrarepositories-epel
 +
db yum_repositories setprop libreswan status enabled Priority 10
 
  signal-event yum-modify
 
  signal-event yum-modify
 
  config set UnsavedChanges no
 
  config set UnsavedChanges no
Line 58: Line 65:  
==Configuration settings==
 
==Configuration settings==
   −
You need at least one user on the system - for testing it can be admin. The user account needs VPN Client Access enabled in the Server Manager
+
You need at least one ordinary user on the system - for testing it can be admin. The user account needs VPN Client Access enabled in the Server Manager
    
===Keys===
 
===Keys===
   −
* IPRange Start/Finish<br>
+
These are the basic database keys required to setup the server
 +
 
 +
======IPsec settings======
 +
 
 +
* IPRange Start/Finish
 
An IP range from your server.
 
An IP range from your server.
 
Note it '''MUST NOT''' conflict with IPs issued by your DHCP server
 
Note it '''MUST NOT''' conflict with IPs issued by your DHCP server
 +
 +
db ipsec_connections setprop L2TPD-PSK IPRangeStart 192.168.1.176 IPRangeFinish 192.168.1.190
    
* rightsubnet
 
* rightsubnet
The subnet of the remote / dialin network
+
This must be the subnet in CIDR format and match the IP range allocated above eg:
 +
 
 +
db ipsec_connections setprop L2TPD-PSK rightsubnet 192.178.1.176/28
    
* passwd
 
* passwd
 +
 
IPsec pre shared key as per ipsec db connection below. Every user will need this common password.<br>
 
IPsec pre shared key as per ipsec db connection below. Every user will need this common password.<br>
 
'''Make it long and complicated !'''
 
'''Make it long and complicated !'''
 +
 
  db ipsec_connections setprop L2TPD-PSK password SomeLongComplicatedSecret
 
  db ipsec_connections setprop L2TPD-PSK password SomeLongComplicatedSecret
 +
db ipsec_connections setprop L2TPD-PSK password `openssl rand -base64 64|sed  '/.*$/N;s/\n//'`
 +
 +
Ensure the connection is enabled:
 +
 +
db ipsec_connections setprop L2TPD-PSK status enabled
 +
 +
Ensure that the ipsec service is enabled:
 +
 +
config setprop ipsec status enabled
 +
 +
======Xl2tps settings======
 +
 
* DNS
 
* DNS
Defaults to the SME server. Can add extra servers if required
+
Optional - defaults to the SME server. Can add extra servers if required
 
  config setprop xl2tpd DNS 8.8.8.8,8.8.4.4
 
  config setprop xl2tpd DNS 8.8.8.8,8.8.4.4
 +
 
* access
 
* access
Defaults to private
+
Defaults to private. Not necessary to set public.
   −
* debug<Br>
+
* status
 +
config setprop xl2tpd status enabled
 +
 
 +
*UDPPort
 +
Defaults to 1701
 +
 
 +
* debug
 
Defaults to disabled
 
Defaults to disabled
   −
===Create Server Connection===
+
==Create Server Connection==
   −
{{Note box|There can only be ONE Ipsec L2TPD-PSK connection}}
+
{{Note box|Remember that there can only be ONE IPSEC/L2TPD-PSK connection per public facing IP}}
    
Note that some settings are preconfigured in the ipsec_connections database.
 
Note that some settings are preconfigured in the ipsec_connections database.
Line 94: Line 130:  
  db ipsec_connections setprop L2TPD-PSK \  
 
  db ipsec_connections setprop L2TPD-PSK \  
 
       status enabled \
 
       status enabled \
       IPRangeStart 192.168.101.180 \
+
       IPRangeStart 192.168.101.176 \
       IPRangeFinish 192.168.101.200 \
+
       IPRangeFinish 192.168.101.90 \
       rightsubnet 192.168.101.0/24 \
+
       rightsubnet 192.168.101.176/28 \
 
       passwd somesecret
 
       passwd somesecret
   Line 126: Line 162:     
==Create a connection from a device==
 
==Create a connection from a device==
 +
 +
Note. This is really designed for remote roaming clients with their own individual public IP.
 +
Ipsec/l2tpd can only cope with one public IP at a time. So you cannot connect two devices from the same LAN to the server.
 +
For that you need a Lan-Lan setup and can use pure ipsec or openvpn.
 +
 
This is the basic setup for your remote device, e.g. laptop or tablet.
 
This is the basic setup for your remote device, e.g. laptop or tablet.
 +
 +
For Linux/Android it is pretty straight forward:
    
  Connection type: '''L2TP/IPSec PSK'''
 
  Connection type: '''L2TP/IPSec PSK'''
Line 133: Line 176:  
  Username : Any user on your server with VPN Access set to Enabled
 
  Username : Any user on your server with VPN Access set to Enabled
 
  Password : adminpassword (the password for the above  user)
 
  Password : adminpassword (the password for the above  user)
 +
 +
For Windows it is a little more complicated if you are going to use this behind a NAT.
 +
 +
This has links:
 +
https://github.com/StreisandEffect/streisand/issues/291
 +
 +
You will need a new registry key:
 +
 +
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
 +
RegValue: AssumeUDPEncapsulationContextOnSendRule
 +
Type: DWORD
 +
Data Value: 2
 +
 +
Note that after creating this key you will need to reboot the machine. Then create a VPN connection, type L2TP/Ipsec with pre-shared key.
    
==Stop the service==
 
==Stop the service==
Unnilennium
Super Admin, Wiki & Docs Team, Bureaucrats, Interface administrators, Administrators
3,250

edits

Retrieved from "https://wiki.koozali.org/Special:MobileDiff/37954...41422"

Navigation menu