3,250
edits
Changes
Jump to navigation
Jump to search
Line 1:
Line 1: − + Line 9:
Line 9: − + − + − + − + Line 50:
Line 50: + Line 64:
Line 65: − + + + + + + + − The subnet of the remote / dialin network+ + + + + + + + + + + + + + + + − Defaults to the SME server. Can add extra servers if required+ − + + + + + + + − ===Create Server Connection===+ Line 102:
Line 130: − + − + − +
→IPsec settings
{{Languages}}
{{Languages}}
==Version==
==Version==
{{#smeversion: {{lc:{{FULLPAGENAME}}}} }}
{{#smeversion: smeserver-{{lc:{{FULLPAGENAME}}}} }}
==About==
==About==
PPTP is totally insecure and should not be used.
PPTP is totally insecure and should not be used.
L2TPD/IPSEC is like PPTP and really designed for roaming clients, each with their own IP. It is NOT suitable for Lan-Lan setups. Use pure IPSEC of OpenVPN instead.
L2TPD/IPSEC is like PPTP and really designed for roaming clients, each with their own IP. It is NOT suitable for Lan-Lan setups. Use pure IPSEC or OpenVPN instead.
If you are using with NAT behind a firewall, you can ONLY use one client per NAT'd LAN (because the Lan will likely only have one Public facing IP address.
If you are using with NAT behind a firewall, you can ONLY use one client per NAT'd Lan (because the Lan will likely only have one Public facing IP address.
L2TPD/IPSEC does not need any special software configuration on your clients. It is supported on a very large number of modern mobile phones and laptops. Please note that not every phone or device will support L2TPD/IPSEC out of the box.
L2TPD/IPSEC does not need any special software configuration on your clients. It is supported on a very large number of modern mobile phones and laptops although not every phone or device will support L2TPD/IPSEC out of the box. Please check your device for specifics.
The device first calls the server via ipsec and makes and encrypted connection. But it has no networking information. xl2tpd then makes a ppp connection through that encrypted ipsec connection and get its network information at this point.
The device first calls the server via IPSEC and makes a transport encrypted connection. But it has no networking information. xl2tpd then makes a PPP connection through that encrypted IPSEC connection and get its network information at this point.
Once implemented you can disable PPTP, which will be good for you and your users.
Once implemented you can disable PPTP, which will be good for you and your users.
yum install smeserver-extrarepositories-libreswan smeserver-extrarepositories-epel
yum install smeserver-extrarepositories-libreswan smeserver-extrarepositories-epel
db yum_repositories setprop libreswan status enabled Priority 10
signal-event yum-modify
signal-event yum-modify
config set UnsavedChanges no
config set UnsavedChanges no
==Configuration settings==
==Configuration settings==
You need at least one user on the system - for testing it can be admin. The user account needs VPN Client Access enabled in the Server Manager
You need at least one ordinary user on the system - for testing it can be admin. The user account needs VPN Client Access enabled in the Server Manager
===Keys===
===Keys===
These are the basic database keys required to setup the server
======IPsec settings======
* IPRange Start/Finish
* IPRange Start/Finish
An IP range from your server.
An IP range from your server.
Note it '''MUST NOT''' conflict with IPs issued by your DHCP server
Note it '''MUST NOT''' conflict with IPs issued by your DHCP server
db ipsec_connections setprop L2TPD-PSK IPRangeStart 192.168.1.176 IPRangeFinish 192.168.1.190
* rightsubnet
* rightsubnet
This must be the subnet in CIDR format and match the IP range allocated above eg:
db ipsec_connections setprop L2TPD-PSK rightsubnet 192.178.1.176/28
* passwd
* passwd
IPsec pre shared key as per ipsec db connection below. Every user will need this common password.<br>
IPsec pre shared key as per ipsec db connection below. Every user will need this common password.<br>
'''Make it long and complicated !'''
'''Make it long and complicated !'''
db ipsec_connections setprop L2TPD-PSK password SomeLongComplicatedSecret
db ipsec_connections setprop L2TPD-PSK password SomeLongComplicatedSecret
db ipsec_connections setprop L2TPD-PSK password `openssl rand -base64 64|sed '/.*$/N;s/\n//'`
Ensure the connection is enabled:
db ipsec_connections setprop L2TPD-PSK status enabled
Ensure that the ipsec service is enabled:
config setprop ipsec status enabled
======Xl2tps settings======
* DNS
* DNS
Optional - defaults to the SME server. Can add extra servers if required
config setprop xl2tpd DNS 8.8.8.8,8.8.4.4
config setprop xl2tpd DNS 8.8.8.8,8.8.4.4
* access
* access
Defaults to private
Defaults to private. Not necessary to set public.
* status
config setprop xl2tpd status enabled
*UDPPort
Defaults to 1701
* debug
* debug
Defaults to disabled
Defaults to disabled
==Create Server Connection==
{{Note box|Remember that there can only be ONE IPSEC/L2TPD-PSK connection per public facing IP}}
{{Note box|Remember that there can only be ONE IPSEC/L2TPD-PSK connection per public facing IP}}
db ipsec_connections setprop L2TPD-PSK \
db ipsec_connections setprop L2TPD-PSK \
status enabled \
status enabled \
IPRangeStart 192.168.101.180 \
IPRangeStart 192.168.101.176 \
IPRangeFinish 192.168.101.200 \
IPRangeFinish 192.168.101.90 \
rightsubnet 192.168.101.0/24 \
rightsubnet 192.168.101.176/28 \
passwd somesecret
passwd somesecret