Difference between revisions of "Libreswan-xl2tpd"

From SME Server
Jump to navigationJump to search
Line 24: Line 24:
 
https://github.com/reetp/smeserver-libreswan-xl2tpd/blob/master/ipsecXl2tpd.Notes
 
https://github.com/reetp/smeserver-libreswan-xl2tpd/blob/master/ipsecXl2tpd.Notes
  
Please report any problems by adding a bug to Bugzilla. See Bugs below.
+
Please report any problems by adding a bug to Bugzilla. See [https://wiki.contribs.org/Smeserver-libreswan-xl2tpd#Bugs Bugs] below.
  
 
==Installation==
 
==Installation==
  
{{Warning box|Please test thoroughly on a test server before deploying in production .}}
+
{{Warning box|Please test thoroughly on a test server before deploying in production.}}
  
 
{{Note box|Server MUST be in Server/Gateway mode for this to be enabled}}
 
{{Note box|Server MUST be in Server/Gateway mode for this to be enabled}}
Line 74: Line 74:
 
===Create Server Connection===
 
===Create Server Connection===
  
{{Note box|There can only be ONE Ipsec L2TPD connection}}
+
{{Note box|There can only be ONE Ipsec L2TPD-PSK connection}}
  
 
Here we assume your local network is 192.168.101.x
 
Here we assume your local network is 192.168.101.x
  
 
  db ipsec_connections set L2TPD-PSK xl2tpd \  
 
  db ipsec_connections set L2TPD-PSK xl2tpd \  
       status disabled \
+
       status enabled \
 
       IPRangeStart 192.168.101.180 \
 
       IPRangeStart 192.168.101.180 \
 
       IPRangeFinish 192.168.101.200  \
 
       IPRangeFinish 192.168.101.200  \

Revision as of 23:58, 29 November 2017


Version

libreswan-xl2tpd
The latest version of libreswan-xl2tpd is available in the SME repository, click on the version number(s) for more information.


About

L2TPD/IPSEC is method of connecting to your Koozali SME server. It is a suitable replacement for the existing PPTP VPN system on Koozali SME Server.

L2TPD/IPSEC does not need any special software configuration on your clients. It is supported on a very large number of modern mobile phones and laptops. Please note that not every phone or device will support L2TPD/IPSEC out of the box.

Once implemented you can disable PPTP, which will be good for you and your users.

Notes

The contrib basically works but there can be complications when you want to combine it with standard host-host ipsec connections. The issue that 'may' arise is if an IPSEC connection is matched prior to the L2TPD one. I do have them both running on my test box but need more feedback on this.

You can enable or disable VPN access for users via the Server Manager.

These links discuss the implementation and the creation of this page. https://forums.contribs.org/index.php/topic,53021.0/all.html

Some further reading can be found on this page:

https://github.com/reetp/smeserver-libreswan-xl2tpd/blob/master/ipsecXl2tpd.Notes

Please report any problems by adding a bug to Bugzilla. See Bugs below.

Installation

Warning.png Warning:
Please test thoroughly on a test server before deploying in production.



Important.png Note:
Server MUST be in Server/Gateway mode for this to be enabled


The smeserver-libreswan-xl2tpd contrib is currently in the development repo at Contribs

You will need the EPEL repo as well:

https://wiki.contribs.org/Epel

With the yum repo database updated, you can then run the installation of the package.

yum --enablerepo=smedev,epel install smeserver-libreswan-xl2tpd

That should bring everything in, including ipsec which is required

signal-event post-upgrade;signal-event reboot

Configuration settings

You need at least one user on the system - for testing it can be admin. The user account needs VPN Client Access enabled in the Server Manager

Keys

  • IPRange Start/Finish

An IP range from your server. Note it MUST NOT conflict with IPs issued by your DHCP server

  • rightsubnet

The subnet of the remote / dialin network

  • passwd

IPsec pre shared key as per ipsec db connection below. Every user will need this common password.
Make it long and complicated !

db ipsec_connections setprop L2TPD-PSK password SomeLongComplicatedSecret
  • DNS

Defaults to the SME server. Can add extra servers if required

config setprop xl2tpd DNS 8.8.8.8,8.8.4.4
  • access

Defaults to private

  • debug

Defaults to disabled

Create Server Connection

Important.png Note:
There can only be ONE Ipsec L2TPD-PSK connection


Here we assume your local network is 192.168.101.x

db ipsec_connections set L2TPD-PSK xl2tpd \ 
     status enabled \
     IPRangeStart 192.168.101.180 \
     IPRangeFinish 192.168.101.200  \
     rightsubnet 192.168.101.0/24 \
     passwd somesecret \
     dpdaction clear \
     dpddelay 10 \
     dpdtimeout 90


Important.png Note:
You CAN change some values as IPRangeStart and IPRangeFinish but you need to keep same subnet.

So if you change 101 on IPRangeStart, you must change it on IPRangeFinish and rightsubnet too!


Make sure the Start and Finish addresses do NOT conflict with your server dhcp range. You can see your server dhcpd range with:

config show dhcpd

Now we can enable the required services which will automatically add the correct firewall ports.

config setprop xl2tpd status enabled
config setprop ipsec status enabled
signal-event ipsec-update


Important.png Note:
Ipsec has access private as default; if you want to connect from wan, you need to change it to public


You can regenerate the server templates with:

signal-event remoteaccess-update

Note that this this will not stop or restart ipsec. Use ipsec-update to do this:

signal-event ipsec-update

Create a connection from a device

This is the basic setup for your remote device, e.g. laptop or tablet.

Connection type: L2TP/IPSec PSK
Server IP : Your server IP address
IPsec preshared key : as per passwd set above
Username : Any user on your server with VPN Access set to Enabled
Password : adminpassword (the password for the above  user)

Stop the service

config setprop xl2tpd status disabled
config setprop ipsec status disabled
signal-event ipsec-update

Disable PPTP

Once the implementation is complete and functional, you will not need PPTP enabled. You can go to your server manager and disable it forever and sing a thousand hallelujahs for secure communications ;-)

config setprop pptpd status disabled sessions 0

Take this action only *after* you have confirmed proper L2TP connection is working.

To Do List

A VPN Access Group may be worth looking at in the future

Add server manager panel (with an IPsec panel too)

Commit the code to the CVS.

The code probably needs reviewing and cleaning up by a greater mind than mine :-)


Bugs

Please raise bugs under the SME-Contribs section in bugzilla and select the libreswan-xl2tpd component or use this link


Below is an overview of the current issues for this contrib:

No open bugs found.

Changelog

Only released version in smecontrib are listed here.