Changes

3,192 bytes added ,  13:14, 28 June 2017
smeserver-libreswan-xl2tpd
{{Warning box| This does work, but I offer no guarantees on anything. I suggest the use in testing and on a VM only}}

==Version==

Currently v0.2

==About==

L2TP/IPsec can be used to replace the existing PPTP VPN system on Koozali SME Server.
It does not need any special software to configure or run.
Virtually any mobile phone has L2TP/IPsec support.

==Some notes:==

https://forums.contribs.org/index.php/topic,53021.0/all.html

https://bugs.contribs.org/show_bug.cgi?id=8890

https://github.com/reetp/smeserver-libreswan-xl2tpd/blob/master/ipsecXl2tpd.Notes


==Installation for testing==

{{Warning box|Do not use on a production server.}}

{{Note box|Server MUST be in Server/Gateway mode for this to be enabled}}

{{Note box|You do NOT need PPTP enabled for this. You can go to your server manager and disable it forever and sing a thousand hallelujahs for secure communications ;-)}}

config setprop pptpd status disabled sessions 0

To install for testing you need my repo and the EPEL repo enabled.

https://wiki.contribs.org/User:ReetP
https://wiki.contribs.org/Epel

yum --enablerepo=reetp,epel install smeserver-libreswan-xl2tpd

That should bring everything in, including ipsec, which is required.

signal-event post-upgrade;signal-event reboot

==Configuration settings==

You need at least one user on the system - for testing it can be admin.

===Keys===

;IPRangeStart / IPRangeFinish
:An IP range from your server LAN that is handed to dial-in clients. Note it MUST NOT overlap the range issued by your DHCP server.
;rightsubnet
:The subnet of the remote / dial-in network.
;passwd
:IPsec pre-shared key, set via the db command below. Make it long and complicated!
;DNS
:Defaults to the SME server. Extra servers can be added if required.
;debug
:Defaults to disabled.

===Create connection===

{{Note box|There can only be ONE L2TPD connection}}

On the server:

db ipsec_connections setprop L2TPD-PSK status disabled IPRangeStart 192.168.x.180 IPRangeFinish 192.168.x.200 rightsubnet 192.168.x.0/24 passwd somesecret dpdaction clear dpddelay 10 dpdtimeout 90

config setprop xl2tpd status enabled
config setprop ipsec status enabled
signal-event ipsec-update
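Two of the keys above are easy to get wrong and painful to debug afterwards: an L2TP pool that overlaps the DHCP pool (clients get duplicate addresses) and a weak pre-shared key. The following POSIX shell script is an added example, not part of the contrib, that checks both before you run the db command. The sample addresses and the key are constructed values; on SME Server the DHCP pool can be read with config getprop dhcpd start / end, which is an assumed property name here rather than something the page states.

```shell
#!/bin/sh
# Preflight checks for the L2TPD-PSK connection settings (added example,
# not part of smeserver-libreswan-xl2tpd). All values below are constructed.

# Convert a dotted-quad IPv4 address to an integer so ranges can be compared.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# True (exit 0) when the L2TP pool [$1,$2] overlaps the DHCP pool [$3,$4].
range_overlaps() {
    s1=$(ip_to_int "$1"); e1=$(ip_to_int "$2")
    s2=$(ip_to_int "$3"); e2=$(ip_to_int "$4")
    [ "$s1" -le "$e2" ] && [ "$s2" -le "$e1" ]
}

# True when the PSK is at least 24 characters and mixes letters and digits.
# This is a minimum bar for "long and complicated", not a full strength test.
psk_ok() {
    [ "${#1}" -ge 24 ] || return 1
    printf '%s' "$1" | grep -q '[0-9]' || return 1
    printf '%s' "$1" | grep -q '[A-Za-z]' || return 1
    return 0
}

# Generate a 40-character hex PSK from kernel randomness (20 random bytes).
gen_psk() {
    od -An -tx1 -N 20 /dev/urandom | tr -d ' \n'
}

# Validate the values you intend to pass to 'db ipsec_connections setprop'.
# $1/$2 = IPRangeStart/IPRangeFinish, $3/$4 = DHCP pool start/end, $5 = passwd.
check_l2tp_settings() {
    rc=0
    if range_overlaps "$1" "$2" "$3" "$4"; then
        echo "ERROR: L2TP pool $1-$2 overlaps DHCP pool $3-$4" >&2
        rc=1
    fi
    if ! psk_ok "$5"; then
        echo "ERROR: pre-shared key is too short or too simple" >&2
        rc=1
    fi
    return $rc
}

# Example run with constructed values. On a real SME box the DHCP pool would be
# read with: config getprop dhcpd start  /  config getprop dhcpd end  (assumed names)
DHCP_START=192.168.1.65
DHCP_END=192.168.1.150
L2TP_START=192.168.1.180
L2TP_FINISH=192.168.1.200
PSK=$(gen_psk)

if check_l2tp_settings "$L2TP_START" "$L2TP_FINISH" "$DHCP_START" "$DHCP_END" "$PSK"; then
    echo "Settings look sane. Command to run on the server:"
    echo "db ipsec_connections setprop L2TPD-PSK status disabled IPRangeStart $L2TP_START IPRangeFinish $L2TP_FINISH rightsubnet 192.168.1.0/24 passwd $PSK dpdaction clear dpddelay 10 dpdtimeout 90"
else
    echo "Fix the settings above before running db ipsec_connections setprop."
fi
```

The script only prints the db command; it never runs it, so you can review the generated key and ranges before committing them to the configuration database.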

You should now be able to create a connection from a device.

Connection type: L2TP/IPSec PSK
Server IP : Your server IP
IPsec preshared key : as per passwd set above
Username : admin (server user)
Password : adminpassword (server user password)

You can regenerate the server templates with:

signal-event remoteaccess-update

Note that this will not stop or restart ipsec. Use ipsec-update to do this:

signal-event ipsec-update


===Stop the service===
config setprop xl2tpd status disabled
config setprop ipsec status disabled
signal-event ipsec-update

==Bugs==

Currently the code is not in CVS.

You can add to the bug noted above or ask in the forums.

The contrib basically works. The complications arise when you want to combine it with standard host-host ipsec connections.

The code probably needs reviewing and cleaning up by a greater mind than mine :-)

==ToDo==
Create a 'VPN access' group or somesuch and add users to it - I think this could be accommodated in the contrib at a later date.
Add server manager panel (with an IPsec panel too)
