Koozali.org: home of the SME Server

SME SoftEther L2TP VPN

beckynet
SME SoftEther L2TP VPN
« on: December 14, 2015, 05:48:03 PM »
Hello World,

PPTP has been compromised and is not very reliable through NAT.

I want to use SoftEther https://www.softether.org/.

SoftEther offers many VPN protocols and its installation is relatively easy; the final administration is done from a remote Windows machine.
On SME 8 I could make it work.
But under SME 9.1 I cannot.
In fact, at start-up SoftEther creates a TAP device (tap_soft); I assign an address to this tap and I created a new range in dhcpd.conf.
But the SME DHCP server only listens on em1, and it is impossible to force it to also listen on tap_soft.
I tried to add em1 and tap_soft in DHCPARGS but nothing changed; SME listens only on em1.

How can I force the DHCP server to listen on both tap_soft and em1?

Thanks in advance

Olivier
----------------------------------------------------
Beeckmans Olivier
Belgian Army ICT Technician
I discovered E-Smith with version 4.12
----------------------------------------------------

Stefano
Re: SME SoftEther L2TP VPN
« Reply #1 on: December 14, 2015, 05:51:51 PM »
Hi, can you share how you tried to make it work, so we can take a look and help you?


Moreover: can you please tell us how you made it work on SME 8, so we can help you replicate it on SME 9? (And we can document it in the wiki too.)

thank you
« Last Edit: December 14, 2015, 08:08:41 PM by Stefano »

ReetP
Re: SME SoftEther L2TP VPN
« Reply #2 on: December 14, 2015, 07:25:37 PM »
Or use something already built and working

http://wiki.contribs.org/OpenVPN_Routed
http://wiki.contribs.org/OpenVPN_SiteToSite
http://wiki.contribs.org/OpenVPN_Bridge

Routed works well but depends on what access your clients require.

I have been working on a ipsec/xl2tpd contrib but still have a way to go yet.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Stefano
Re: SME SoftEther L2TP VPN
« Reply #3 on: December 14, 2015, 08:16:19 PM »
Searching a bit with Google leads me to understand that there are no RPMs for SoftEther and that you must compile it.

So, are you trying to install a more secure VPN (why not OpenVPN, for example?) by installing development tools on your server?  :-)

beckynet
Re: SME SoftEther L2TP VPN
« Reply #4 on: December 15, 2015, 07:09:41 PM »
I have an SME server in a VM that I use to compile SoftEther.

On SME

cd /opt
wget http://www.softether-download.com/files/softether/v4.18-9570-rtm-2015.07.26-tree/Linux/SoftEther_VPN_Server/32bit_-_Intel_x86/softether-vpnserver-v4.18-9570-rtm-2015.07.26-linux-x86-32bit.tar.gz
tar zxvf softether-vpnserver-v4.18-9570-rtm-2015.07.26-linux-x86-32bit.tar.gz
cd /opt/vpnserver

yum install autoconf automake gcc

make (read and accept the licence)

Open TCP port 5555 (for the management console)
Open UDP ports 500, 1701, 4500 (for L2TP/IPsec)

in /opt/vpnserver
./vpnserver start

On the Windows computer

Download and install the Windows management tools:
http://www.softether-download.com/files/softether/v4.18-9570-rtm-2015.07.26-tree/Windows/SoftEther_VPN_Server_and_VPN_Bridge/softether-vpnserver_vpnbridge-v4.18-9570-rtm-2015.07.26-windows-x86_x64-intel.exe

Create a new connection with port number 5555.
The first time, enter a blank password and create a new password.

In the local bridge settings, create a bridge with a new tap device named soft.
In the IPsec / L2TP settings, set an IPsec pre-shared key.

On SME
I made custom template fragments for dhcpd.conf:
cd /etc/e-smith/templates-custom/etc/dhcpd.conf/

nano 30BeginLocalSubnet
{
    my $ipaddrBits  = esmith::util::IPquadToAddr ($LocalIP);
    my $netmaskBits = esmith::util::IPquadToAddr ($LocalNetmask);

    local $network   = esmith::util::IPaddrToQuad ($ipaddrBits & $netmaskBits);

    $OUT .= "subnet 192.168.2.0 netmask 255.255.255.0\n\{";
}

nano 35Broadcast
{
    my $ipaddrBits  = esmith::util::IPquadToAddr ($LocalIP);
    my $netmaskBits = esmith::util::IPquadToAddr ($LocalNetmask);

    local $broadcast = esmith::util::IPaddrToQuad ($ipaddrBits | (~ $netmaskBits));

    $OUT .= "    option broadcast-address    192.168.2.255;";
}

nano 35DomainName
{
    $OUT .= "    option domain-name          \"$DomainName\";";
}

nano 35DomainNameServers
    option domain-name-servers  { $LocalIP };

nano 35LeaseTimeDefault
    default-lease-time          { 86400 };

nano 35LeaseTimeMax
    max-lease-time              { 7*86400 };

nano 35NetbiosDDServer
{
    return "" unless $DHCP_WINSServer;

    return "    option netbios-dd-server    $DHCP_WINSServer;";
}

nano 35NetbiosNameServers
{
    return "" unless $DHCP_WINSServer;

    return "    option netbios-name-servers $DHCP_WINSServer;";
}

nano 35NetbiosNodeType
{
    my $server_role = $smb{ServerRole} || 'WS';

    return "" unless $server_role =~ m{^(PDC|ADS)$};

    return "    option netbios-node-type    8;";
}

nano 35Netmask
    option subnet-mask          { $LocalNetmask };

nano 36Forwarding
    option ip-forwarding        true;
    option router-discovery     true;

nano 37Range
{
    $OUT .= "    range    192.168.2.100 192.168.2.200;";
}

nano 38Routers
{
    my $router = (defined $SystemMode && $SystemMode =~ /servergateway/)
        ? $LocalIP :
            defined $GatewayIP ? $GatewayIP : undef;

    $OUT = "";
    if ($router)
    {
        $OUT .= "    option routers 192.168.2.1;";
    }
}

nano 39EndLocalSubnet
\}

expand-template /etc/dhcpd.conf

/etc/init.d/dhcpd restart

Add an address to tap_soft:
ifcfg tap_soft add 192.168.2.1

Add rules to iptables:
iptables -A FORWARD -i em1 -o tap_soft -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tap_soft -o em1 -j ACCEPT

Authentication succeeds, but I can't receive an IP address from the DHCP server.

cat /opt/vpnserver/server_log/vpn_20151215.log
2015-12-15 19:01:25.860 L2TP PPP Session [XX.XX.XX.XX:1701]: Trying to request an IP address from the DHCP server.
2015-12-15 19:01:30.869 L2TP PPP Session [XX.XX.XX.XX:1701]: Acquiring an IP address from the DHCP server failed. To accept a PPP session, you need to have a DHCP server. Make sure that a DHCP server is working normally in the Ethernet segment which the Virtual Hub belongs to.
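A different way to declare the VPN subnet, as an added example that is not Olivier's code and not part of SoftEther or SME: overriding 30BeginLocalSubnet through 39EndLocalSubnet with hard-coded 192.168.2.x values replaces the LAN subnet declaration instead of adding to it, which leaves dhcpd with no subnet for em1. A single custom fragment numbered after 39EndLocalSubnet appends a second subnet block and leaves the stock fragments untouched. It is meant to be saved as /etc/e-smith/templates-custom/etc/dhcpd.conf/40SoftEtherSubnet (a file name chosen here). The `softether` configuration db record and its VPN* properties are assumed names that nothing in SME or SoftEther defines; $LocalIP and $DomainName are the standard SME template variables the stock fragments already use.

```perl
{
    # Emit nothing unless the (assumed) softether db record exists and is enabled,
    # so the fragment is inert on a server that never configured SoftEther.
    return "" unless ($softether{status} || 'disabled') eq 'enabled';

    # All values come from the softether record; the defaults match the
    # 192.168.2.0/24 layout used in the post above.
    my $net   = $softether{VPNNetwork}    || '192.168.2.0';
    my $mask  = $softether{VPNNetmask}    || '255.255.255.0';
    my $start = $softether{VPNRangeStart} || '192.168.2.100';
    my $end   = $softether{VPNRangeEnd}   || '192.168.2.200';
    my $gw    = $softether{VPNGateway}    || '192.168.2.1';

    # A malformed db value would produce a dhcpd.conf that dhcpd refuses to
    # load, taking DHCP for the LAN down with it: validate before emitting.
    for ($net, $mask, $start, $end, $gw) {
        return "# 40SoftEtherSubnet: bad address in softether record, skipped\n"
            unless /^\d{1,3}(\.\d{1,3}){3}$/;
    }

    # The subnet braces are backslash-escaped so Text::Template does not take
    # them for the end of this program fragment (the idiom 30BeginLocalSubnet uses).
    $OUT .= "\n# SoftEther L2TP/IPsec clients bridged to the VPN tap\n";
    $OUT .= "subnet $net netmask $mask\n\{\n";
    $OUT .= "    option subnet-mask          $mask;\n";
    $OUT .= "    option routers              $gw;\n";
    # Hand out the server's LAN address as resolver; dnscache listens there.
    $OUT .= "    option domain-name-servers  $LocalIP;\n";
    $OUT .= "    option domain-name          \"$DomainName\";\n";
    # Short leases for roaming VPN clients; the LAN keeps its own lease times.
    $OUT .= "    default-lease-time          3600;\n";
    $OUT .= "    max-lease-time              86400;\n";
    $OUT .= "    range    $start $end;\n";
    $OUT .= "\}\n";
}
```

Create the record with `config set softether service status enabled VPNNetwork 192.168.2.0 VPNNetmask 255.255.255.0 VPNRangeStart 192.168.2.100 VPNRangeEnd 192.168.2.200 VPNGateway 192.168.2.1`, then `expand-template /etc/dhcpd.conf` and restart dhcpd, and confirm with `grep -A9 'SoftEther' /etc/dhcpd.conf` that the LAN subnet block is still present above the new one. Two things the fragment does not solve: dhcpd still answers only on the interfaces it was started with (on SME 9 the service is supervised by runit and the interface argument comes from a template, so look for the templated dhcpd run script under /etc/e-smith/templates/ rather than editing /etc/sysconfig/dhcpd by hand), and the VPN subnet should be added as a local network in server-manager so that dnscache and the other LAN-only services answer clients on 192.168.2.0/24.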

ReetP
Re: SME SoftEther L2TP VPN
« Reply #5 on: December 15, 2015, 07:57:51 PM »
A couple of things.

You have obviously done a lot of work on this. Can you please add it to a wiki page for others to benefit? Just ask for an account and someone can help you format it if required. You could also ask for access to CVS so that your code could be imported/compiled on the build system and a contrib RPM built. Again, please ask.

I get the feeling that this may be your primary issue: you have a connection but no packets are flowing:

Quote:
    L2TP PPP Session [XX.XX.XX.XX:1701]: Acquiring an IP address from the DHCP server failed.

I think that your 1701 packets are not traversing the firewall.

I had a struggle getting iptables to work until I found out you do not need to create many rules yourself.

Create a service and tell it what ports you want it to use, and your server will create the rules for you. Check with iptables.

e.g. for my pure IPsec:

config ipsec show

ipsec=service
    UDPPort=500
    access=public
    status=enabled

These should help:
http://wiki.contribs.org/DB_Variables_Configuration#Additional_information_on_customizing_iptables
http://wiki.contribs.org/Useful_Commands#Create_a_service_with_db_command_and_set_network_access

So you could set a service entry like 'softether' and add the relevant ports. I think you need 500 & 4500 (setprop UDPPorts 500 4500).

See here at the bottom:

https://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server/1.Setup_L2TP%2F%2F%2F%2FIPsec_VPN_Server_on_SoftEther_VPN_Server


I have a couple of masq template fragments as follows; these enable or disable the rules depending on whether the service is enabled/disabled. This was because the IPsec packets were showing up as ESP. You may or may not need something similar, depending on what you find in your logs. Have a look in /var/log/secure to see if any packets are being dropped.

(Still not sure I need this one)
[root@test masq]# cat 40AllowIPsec

{
    my $ipsec_access = $ipsec{access};

    if ( $ipsec_access eq 'public' ) {
        $OUT .= "  # Do not NAT VPN traffic\n";
        $OUT .= "  /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n";
    }
}


[root@test masq]# cat 56AllowESP

# based on /etc/e-smith/templates/etc/rc.d/init.d/masq/55AllowGRE

{
    my $ipsec_access = $ipsec{access};

    if ( $ipsec_access eq 'public' ) {
        $OUT .= "    /sbin/iptables --new-chain esp-in\n";
        $OUT .= "    /sbin/iptables --append INPUT -p ESP -j esp-in\n";
        $OUT .= "    /sbin/iptables --append INPUT -p ESP -j denylog\n";
        $OUT .= "    /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n";
        $OUT .= "    /sbin/iptables --append esp-in -j denylog\n";
    }
}

[root@test masq]# cat 90adjustESP

# based on /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustGRE
{
    my $ipsec_access = $ipsec{access};
    my $ipsec_status = $ipsec{status};

    if ( $ipsec_access eq 'public' ) {
        my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";

        $OUT .= "    /sbin/iptables --replace esp-in 1 ! -d \$OUTERNET -j denylog\n";
        $OUT .= "    /sbin/iptables --replace esp-in 2 -j $target\n";
    }
}

You may find something here (nothing to do with me) about ifcfg:

http://wiki.contribs.org/Ipsec

You could also have a look at Daniel's OpenVPN routed contrib for ways to sort out the firewalling.

B. Rgds
John
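To show the "create a service and let SME write the rules" approach applied to the tap side of the problem, here is an added example of a masq fragment; it is not ReetP's code and comes from neither SoftEther nor the SME project. A service record with access=public opens the IKE/NAT-T ports on the external interface, but what still drops the DHCP exchange in Olivier's log is that SME's firewall trusts only the interface named in InternalInterface, so requests arriving from tap_soft are denied in INPUT. The fragment below, saved as /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/45AllowSoftEtherTap (a name chosen here), trusts the tap interface only while a `softether` service record is enabled; that record and its TapDevice property are assumed names. $InternalInterface{Name} is the standard SME template variable holding the LAN interface name.

```perl
{
    # Emit nothing unless the (assumed) softether service record is enabled,
    # mirroring how ReetP's fragments key off the ipsec record.
    return "" unless ($softether{status} || 'disabled') eq 'enabled';

    my $tap = $softether{TapDevice} || 'tap_soft';   # SoftEther names the device tap_<bridge name>
    my $lan = $InternalInterface{Name};               # e.g. em1 on the poster's box

    # The tap name is interpolated into a shell script that runs as root:
    # accept only a plain interface name (IFNAMSIZ is 16, so at most 15 chars)
    # rather than trusting whatever is in the db.
    return "# 45AllowSoftEtherTap: refusing unsafe TapDevice value, rules skipped\n"
        unless $tap =~ /^[A-Za-z0-9_]{1,15}$/;

    # --insert rather than --append, so these rules precede SME's own
    # deny/log rules whatever the fragment ordering.  Frames only reach the
    # tap from sessions that SoftEther has already authenticated (IKE PSK plus
    # L2TP/PPP user credentials), which is why it can be trusted like the LAN.
    $OUT .= "    # SoftEther: trust the VPN tap like the internal interface\n";
    $OUT .= "    /sbin/iptables --insert INPUT -i $tap -j ACCEPT\n";
    $OUT .= "    /sbin/iptables --insert FORWARD -i $tap -o $lan -j ACCEPT\n";
    $OUT .= "    /sbin/iptables --insert FORWARD -i $lan -o $tap"
          . " -m state --state RELATED,ESTABLISHED -j ACCEPT\n";
}
```

Create the record and open only the IPsec ports to the outside: `config set softether service status enabled access public UDPPorts 500,4500 TapDevice tap_soft`, then `signal-event remoteaccess-update`, and check the result with `iptables -L INPUT -n -v` (SME reads the TCPPort(s)/UDPPort(s) properties as comma-separated lists, the same mechanism as ReetP's ipsec record). Raw L2TP (UDP 1701) and the management port (TCP 5555) are deliberately left out: with L2TP/IPsec the L2TP traffic travels inside ESP or NAT-T, so 1701 only has to be reachable from the internet if unencrypted L2TP is enabled, and the SoftEther management console is better reached from the LAN or over the VPN itself than from the public side. Plain ESP from clients that are not behind NAT is what the 56AllowESP and 90adjustESP fragments above take care of.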

beckynet
Re: SME SoftEther L2TP VPN
« Reply #6 on: December 15, 2015, 10:19:24 PM »
I'm interested in sharing this project.

But currently it doesn't run on SME 9.1.

If I stop iptables, everything works fine.

I must investigate, and afterwards I'll share it in the wiki.

Thanks Olivier

Stefano
Re: SME SoftEther L2TP VPN
« Reply #7 on: December 16, 2015, 07:46:49 AM »
Well, if I were in your shoes I'd try to adapt smeserver-openvpn templates/fragments

guest22

Re: SME SoftEther L2TP VPN
« Reply #8 on: December 16, 2015, 09:28:46 AM »
Quote:
    I must investigate, and afterwards I'll share it in the wiki.

My advice would be to simply start writing your notes and findings on a new wiki page. That way others can pitch in, learn and add to the page while you are offline. That's what the wiki is for: collaborative editing of documentation.

Waiting until one can deliver a complete, working and tested how-to from your notes will take a long time, and often the information never gets shifted over to the wiki.

ReetP
Re: SME SoftEther L2TP VPN
« Reply #9 on: December 16, 2015, 09:40:20 AM »
Quote:
    I'm interested in sharing this project.

    But currently it doesn't run on SME 9.1.

It does run, but...

Quote:
    If I stop iptables, everything works fine.

This is where your problem is, as per my comments above.

Quote:
    I must investigate, and afterwards I'll share it in the wiki.

Make sure you check /var/log/iptables/current as well; this will tell you which packets are being blocked.

B. Rgds
John

guest22

Re: SME SoftEther L2TP VPN
« Reply #10 on: December 16, 2015, 09:42:06 AM »
Quote:
    My advice would be to simply start writing your notes and findings on a new wiki page.

Here you go, to get you started: http://wiki.contribs.org/SoftEther_VPN

ReetP
Re: SME SoftEther L2TP VPN
« Reply #11 on: December 16, 2015, 10:04:09 AM »

beckynet
Re: SME SoftEther L2TP VPN
« Reply #12 on: December 18, 2015, 10:06:59 PM »
Hello World

http://wiki.contribs.org/SoftEther_VPN is online and working.
Some TODOs remain before making it a contrib.

Thanks, Olivier

larieu
Re: SME SoftEther L2TP VPN
« Reply #13 on: May 02, 2016, 11:57:26 AM »
From the wiki and from this post I am not able to understand whether the authentication is done against the standard SME Server users, or whether you need to keep a separate set of users/passwords/certificates.

Can anyone point me in the right direction on this issue?
if everybody's life around you is better, probably yours will be better
just try to improve their life

beckynet
Re: SME SoftEther L2TP VPN
« Reply #14 on: May 02, 2016, 05:59:53 PM »
Quote:
    From the wiki and from this post I am not able to understand whether the authentication is done against the standard SME Server users, or whether you need to keep a separate set of users/passwords/certificates.

    Can anyone point me in the right direction on this issue?

Currently you must maintain a separate list of users. After testing, I could not get it to use the internal SME LDAP.

Olivier