Line 6: |
Line 6: |
| | | |
| L2TPD/IPSEC is secure method of connecting to your Koozali SME server. It is a suitable replacement for the existing PPTP VPN system on Koozali SME Server. | | L2TPD/IPSEC is secure method of connecting to your Koozali SME server. It is a suitable replacement for the existing PPTP VPN system on Koozali SME Server. |
| + | |
| + | PPTP is totally insecure and should not be used. |
| + | |
| + | L2TPD/IPSEC is like PPTP and really designed for roaming clients, each with their own IP. It is NOT suitable for Lan-Lan setups. Use pure IPSEC of OpenVPN instead. |
| + | |
| + | If you are using with NAT behind a firewall, you can ONLY use one client per NAT'd LAN (because the Lan will likely only have one Public facing IP address. |
| | | |
| L2TPD/IPSEC does not need any special software configuration on your clients. It is supported on a very large number of modern mobile phones and laptops. Please note that not every phone or device will support L2TPD/IPSEC out of the box. | | L2TPD/IPSEC does not need any special software configuration on your clients. It is supported on a very large number of modern mobile phones and laptops. Please note that not every phone or device will support L2TPD/IPSEC out of the box. |
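Review bot: the NAT sentence is unfinished and its reasoning is hedged: the closing parenthesis after "Public facing IP address" is missing, and "because the Lan will likely only have one Public facing IP address" states a guess rather than the actual constraint. Since the same restriction is what motivates the Windows registry change further down this page, state the limitation plainly (one L2TP/IPsec client per NAT'd source address with this single PSK connection) and drop "likely". "Use pure IPSEC of OpenVPN instead" should read "or OpenVPN". The PPTP line is right that it should not be used, but "totally insecure" would carry more weight with one sentence on why (the MS-CHAPv2 authentication it relies on is broken), so readers still running PPTP understand the urgency.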
Line 62: |
Line 68: |
| ===Keys=== | | ===Keys=== |
| | | |
− | * IPRange Start/Finish<br> | + | * IPRange Start/Finish |
| An IP range from your server. | | An IP range from your server. |
| Note it '''MUST NOT''' conflict with IPs issued by your DHCP server | | Note it '''MUST NOT''' conflict with IPs issued by your DHCP server |
Line 73: |
Line 79: |
| '''Make it long and complicated !''' | | '''Make it long and complicated !''' |
| db ipsec_connections setprop L2TPD-PSK password SomeLongComplicatedSecret | | db ipsec_connections setprop L2TPD-PSK password SomeLongComplicatedSecret |
| + | |
| * DNS | | * DNS |
| Defaults to the SME server. Can add extra servers if required | | Defaults to the SME server. Can add extra servers if required |
| config setprop xl2tpd DNS 8.8.8.8,8.8.4.4 | | config setprop xl2tpd DNS 8.8.8.8,8.8.4.4 |
| + | |
| * access | | * access |
| Defaults to private | | Defaults to private |
| | | |
− | * debug<Br> | + | * debug |
| Defaults to disabled | | Defaults to disabled |
| | | |
| ===Create Server Connection=== | | ===Create Server Connection=== |
| | | |
− | {{Note box|There can only be ONE Ipsec L2TPD-PSK connection}} | + | {{Note box|Remember that there can only be ONE IPSEC/L2TPD-PSK connection per public facing IP}} |
| | | |
| Note that some settings are preconfigured in the ipsec_connections database. | | Note that some settings are preconfigured in the ipsec_connections database. |
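Review bot: the reworded note box now says there can be only one IPSEC/L2TPD-PSK connection "per public facing IP", which reads as if a server with several public addresses could define several, yet everything on this page keys off the single fixed record name L2TPD-PSK in ipsec_connections (db ipsec_connections setprop L2TPD-PSK password ...). Either keep the original "ONE ... connection" wording for the server side, or explain what a second connection would be called and how it would be configured; the per-NAT'd-LAN client restriction already belongs to the note at the top of the page. While this section is open: the PSK is typed on the command line and so lands in the shell history; a short reminder to clear it afterwards would fit next to "Make it long and complicated !". The DNS example pushes 8.8.8.8/8.8.4.4 to every VPN client, so a note that this sends client name lookups to a third party instead of the SME server's own resolver would help readers decide whether they want it.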
Line 126: |
Line 134: |
| | | |
| ==Create a connection from a device== | | ==Create a connection from a device== |
| + | |
| + | Note. This is really designed for remote roaming clients with their own individual public IP. |
| + | Ipsec/l2tpd can only cope with one public IP at a time. So you cannot connect two devices from the same LAN to the server. |
| + | For that you need a Lan-Lan setup and can use pure ipsec or openvpn. |
| + | |
| This is the basic setup for your remote device, e.g. laptop or tablet. | | This is the basic setup for your remote device, e.g. laptop or tablet. |
| + | |
| + | For Linux/Android it is pretty straight forward: |
| | | |
| Connection type: '''L2TP/IPSec PSK''' | | Connection type: '''L2TP/IPSec PSK''' |
Line 133: |
Line 148: |
| Username : Any user on your server with VPN Access set to Enabled | | Username : Any user on your server with VPN Access set to Enabled |
| Password : adminpassword (the password for the above user) | | Password : adminpassword (the password for the above user) |
| + | |
| + | For Windows it is a little more complicated if you are going to use this behind a NAT. |
| + | |
| + | This has links: |
| + | https://github.com/StreisandEffect/streisand/issues/291 |
| + | |
| + | You will need a new registry key: |
| + | |
| + | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent |
| + | RegValue: AssumeUDPEncapsulationContextOnSendRule |
| + | Type: DWORD |
| + | Data Value: 2 |
| + | |
| + | Note that after creating this key you will need to reboot the machine. Then create a VPN connection, type L2TP/Ipsec with pre-shared key. |
| | | |
| ==Stop the service== | | ==Stop the service== |
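Review bot: the three-line note under "Create a connection from a device" repeats the NAT/one-client restriction already added at the top of the page in almost the same words; keep one copy (the top) and make this a one-line cross reference, otherwise the two will keep drifting apart as they already have ("cannot connect two devices from the same LAN" here versus "one client per NAT'd LAN" above). In the Windows instructions, AssumeUDPEncapsulationContextOnSendRule is a DWORD value under the PolicyAgent key, not a new key, so "You will need a new registry key" and "after creating this key" should say "registry value". It is also worth stating that Data Value 2 is the setting for the case where both the client and the server sit behind NAT, so readers whose server holds its public address directly know that 1 is the documented alternative. A ready-to-paste command would save a trip into regedit, for example: reg add HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 2 /f. Finally, the Windows connection uses the same pre-shared key, username and password listed for Linux/Android above; say so rather than stopping at "type L2TP/Ipsec with pre-shared key", and correct the casing to "L2TP/IPsec" to match the rest of the page.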