Changes

From SME Server
1,220 bytes added, 13:33, 30 January 2020
no edit summary
Line 6: Line 6:     
L2TPD/IPSEC is secure method of connecting to your Koozali SME server. It is a suitable replacement for the existing PPTP VPN system on Koozali SME Server.
 
L2TPD/IPSEC is secure method of connecting to your Koozali SME server. It is a suitable replacement for the existing PPTP VPN system on Koozali SME Server.
 +
 +
PPTP is totally insecure and should not be used.
 +
 +
L2TPD/IPSEC is like PPTP and really designed for roaming clients, each with their own IP. It is NOT suitable for Lan-Lan setups. Use pure IPSEC of OpenVPN instead.
 +
 +
If you are using with NAT behind a firewall, you can ONLY use one client per NAT'd LAN (because the Lan will likely only have one Public facing IP address.
    
L2TPD/IPSEC does not need any special software configuration on your clients. It is supported on a very large number of modern mobile phones and laptops. Please note that not every phone or device will support L2TPD/IPSEC out of the box.
 
L2TPD/IPSEC does not need any special software configuration on your clients. It is supported on a very large number of modern mobile phones and laptops. Please note that not every phone or device will support L2TPD/IPSEC out of the box.
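Review bot: the NAT paragraph added at the end of this hunk has an unclosed parenthesis and gives a reason that does not support the limit it states. "because the Lan will likely only have one Public facing IP address" explains why several clients behind one NAT share a source address, not why the server will serve only one of them; either state the server-side reason or link to the Note box in the Create Server Connection section, and close the bracket. Two lines up, "Use pure IPSEC of OpenVPN instead" should read "or OpenVPN". The unchanged context line "L2TPD/IPSEC is secure method" is also missing "a"; worth fixing in the same edit since the line is being touched.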
Line 62: Line 68:  
===Keys===
 
===Keys===
   −
* IPRange Start/Finish<br>
+
* IPRange Start/Finish
 
An IP range from your server.
 
An IP range from your server.
 
Note it '''MUST NOT''' conflict with IPs issued by your DHCP server
 
Note it '''MUST NOT''' conflict with IPs issued by your DHCP server
Line 73: Line 79:  
'''Make it long and complicated !'''
 
'''Make it long and complicated !'''
 
  db ipsec_connections setprop L2TPD-PSK password SomeLongComplicatedSecret
 
  db ipsec_connections setprop L2TPD-PSK password SomeLongComplicatedSecret
 +
 
* DNS
 
* DNS
 
Defaults to the SME server. Can add extra servers if required
 
Defaults to the SME server. Can add extra servers if required
 
  config setprop xl2tpd DNS 8.8.8.8,8.8.4.4
 
  config setprop xl2tpd DNS 8.8.8.8,8.8.4.4
 +
 
* access
 
* access
 
Defaults to private
 
Defaults to private
   −
* debug<Br>
+
* debug
 
Defaults to disabled
 
Defaults to disabled
    
===Create Server Connection===
 
===Create Server Connection===
   −
{{Note box|There can only be ONE Ipsec L2TPD-PSK connection}}
+
{{Note box|Remember that there can only be ONE IPSEC/L2TPD-PSK connection per public facing IP}}
    
Note that some settings are preconfigured in the ipsec_connections database.
 
Note that some settings are preconfigured in the ipsec_connections database.
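Review bot: the reworded Note box changes what the note is about. The old text ("There can only be ONE Ipsec L2TPD-PSK connection") describes the single server-side L2TPD-PSK entry in the ipsec_connections database, which is what the surrounding Create Server Connection section configures; the new text ("ONE IPSEC/L2TPD-PSK connection per public facing IP") reads as the client-side one-client-per-NAT limit from the introduction, and a reader cannot tell which is meant. Keep both as two sentences: one L2TPD-PSK entry per server, and at most one connecting client per remote public IP. Minor: "Make it long and complicated !" still gives no guidance on the PSK that goes into `db ipsec_connections setprop L2TPD-PSK password ...`; suggest a concrete way to generate one, e.g. `openssl rand -base64 32`, so "long" has a meaning.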
Line 126: Line 134:     
==Create a connection from a device==
 
==Create a connection from a device==
 +
 +
Note. This is really designed for remote roaming clients with their own individual public IP.
 +
Ipsec/l2tpd can only cope with one public IP at a time. So you cannot connect two devices from the same LAN to the server.
 +
For that you need a Lan-Lan setup and can use pure ipsec or openvpn.
 +
 
This is the basic setup for your remote device, e.g. laptop or tablet.
 
This is the basic setup for your remote device, e.g. laptop or tablet.
 +
 +
For Linux/Android it is pretty straight forward:
    
  Connection type: '''L2TP/IPSec PSK'''
 
  Connection type: '''L2TP/IPSec PSK'''
Line 133: Line 148:  
  Username : Any user on your server with VPN Access set to Enabled
 
  Username : Any user on your server with VPN Access set to Enabled
 
  Password : adminpassword (the password for the above  user)
 
  Password : adminpassword (the password for the above  user)
 +
 +
For Windows it is a little more complicated if you are going to use this behind a NAT.
 +
 +
This has links:
 +
https://github.com/StreisandEffect/streisand/issues/291
 +
 +
You will need a new registry key:
 +
 +
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
 +
RegValue: AssumeUDPEncapsulationContextOnSendRule
 +
Type: DWORD
 +
Data Value: 2
 +
 +
Note that after creating this key you will need to reboot the machine. Then create a VPN connection, type L2TP/Ipsec with pre-shared key.
    
==Stop the service==
 
==Stop the service==
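Review bot: the Windows instructions added at the end of this hunk call AssumeUDPEncapsulationContextOnSendRule a "new registry key"; it is a DWORD value created under the existing key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent, and the text should say so, since a reader who creates a subkey of that name will get no effect. It should also say what "Data Value: 2" means rather than only giving the number: 2 is the setting for a client that may itself be behind NAT talking to a server behind NAT, 1 covers only the server side; Microsoft's article KB926179 on L2TP/IPsec behind NAT-T documents the values and would be a better citation than the GitHub issue, which is introduced with the bare "This has links:" (if the issue link stays, say what it is). "For Linux/Android it is pretty straight forward:" then heads a settings block (Connection type, Username, Password) that applies to every client, Windows included; make that block generic and put the Windows registry paragraph after it. Lastly, "Ipsec/l2tpd can only cope with one public IP at a time" repeats the claim already added in the Line 6 hunk; state it once and link from the other place.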
