Koozali.org: home of the SME Server

VPN L2TP/IPSEC over PPTP status and assistance.

Offline tw-lewis

VPN L2TP/IPSEC over PPTP status and assistance.
« on: April 24, 2017, 04:31:55 AM »
Development status with moving VPN to a more secure L2TP/IPSEC setup and away from PPTP. I see two years ago Reetp had been working on integrating L2TP into SME. Would anyone be able to give me an update on this?

I have tried Softether VPN with SME9 without success when following the documentation in contribs. Also, due to most ISPs actively blocking the more insecure PPTP/GRE protocols, this no longer suits the growing needs for VPN access.

So my questions are:

What is the status of L2TP/IPSEC as a default feature in SME and how do I get it?
and
Has anyone else had this issue and what were their solutions?

Thanks ALL.

Offline Daniel B.

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #1 on: April 24, 2017, 08:49:09 AM »
Have you tried the various OpenVPN contribs? They are secure, reliable and NAT friendly. You can use OpenVPN Bridge for roadwarriors, and OpenVPN Site to Site to connect two SMEs (or one SME with something else, like a PfSense). There's also a routed contrib for roadwarriors where bridge is not possible (iOS, Android, ChromeOS for example).
It's the end of the world!!! :lol:

Offline TerryF

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #2 on: May 18, 2017, 05:34:13 AM »
Quote
So my questions are:

What is the status of L2TP/IPSEC as a default feature in SME and how do I get it?
and
Has anyone else had this issue and what were their solutions?

Thanks ALL.

Installed Softether and set it up following the wiki, sussed the gotcha that it had inadvertently introduced: it borked access to Apache etc. Port 443 is a no-no. :-)

Using it on three servers, two server/gateway and one server only, using IPsec/L2TP; also played with the OpenVPN/MS-SSTP feature. All work fine. Make sure to do the setups for port forwarding on server and router when in server-only mode.

Used the Management app from Windows; just make sure to stop it listening on 443. Set up another port if that is your want.

This is a good resource that describes using vpncmd from the CLI: https://www.digitalocean.com/community/tutorials/how-to-setup-a-multi-protocol-vpn-server-using-softether

All in all a very useful tool for amateurs/users like me. If and when it gets set up as a contrib it will be a go-to option for a VPN.
--
qui scribit bis legit (he who writes reads twice)

Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #3 on: May 18, 2017, 10:41:30 AM »
Lewis,

as per our discussions on IRC a little while back I hadn't got any further as I had other priorities.

I am happy to try and do a bit more work but could do with a hand :-)

Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Jean-Philippe Pialasse

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #4 on: May 18, 2017, 12:57:08 PM »
Quote
I am happy to try and do a bit more work but could do with a hand :-)

You should try with both hands, might be easier ;)

Joke aside, yes we should have a look, and also at softether. There is a bug related to allowing the default port for https to be changed.

Offline tw-lewis

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #5 on: June 01, 2017, 12:47:06 AM »
Hello All,

I don't really have a dev budget for this, so I am wondering who else is using L2TP/IPsec on SME and is using the native clients on Android, Mac and Windows?
PPTP works well on a standard Internet connection but fails completely on 3G/4G with tethering on mobile devices.

The ideal result would be to not have to install 3rd party apps and not have to copy certs over onto all devices. This should work the same way as SME's current PPTP setup so we can easily manage client access. Would it be too hard to replace or choose between PPTP and L2TP/IPsec?

As above, SoftetherVPN will not do as it requires a Windows application to control it along with a very confusing per-user setup. I also want to avoid OpenVPN with PDPadmin on SME as this also takes too long to set up individual clients.

Any help would be appreciated
Regards
Lewis

Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #6 on: June 01, 2017, 01:41:11 AM »
I doubt very much anyone is currently using it. I had no real assistance when I was trying to get it working which generally means there is not much interest.

PPTP should not be used. It is a long busted flush. If we ever got L2TP/IPsec running PPTP would be rightly ditched by SME for sure.

I think I got pretty close to getting it running but fell foul of a bug in SME that was subsequently fixed. By then I had run out of play time.

I may get some time to look at where I was at over the next week.

The source is in github. It will generate most if not all of the required templates, but needs some refinement to the configs, and testing.

I don't want any money for doing anything. Just some time/help.

Note the libreswan ipsec contrib works for pure ipsec (I have used it daily for a few years). I may have some updates for it that haven't yet been pushed to CVS, but it would need revisiting to ensure it works with L2TP configs.

If you want to try and help then let me know and I can guide you through what I have so far. But you are going to have to do some legwork.....

I suggest you go and speak to Michael and tell him I'll be there for a beer at Christmas :-)

B. Rgds
John

Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #7 on: June 01, 2017, 04:20:57 PM »
FYI I have updated some stuff in the contrib but I suspect there will be a lot of breakages in there.

Available currently from my repo (I won't update CVS until this is a bit better)

https://www.reetspetit.com/smeserver/6/repoview/index.html

Safest thing is probably:

Have basic ipsec installed

    yum --enablerepo=smecontribs install smeserver-libreswan

Download and install the smeserver-libreswan-xl2tpd rpm

https://www.reetspetit.com/smeserver/6/repoview/smeserver-libreswan-xl2tpd.html

    yum localinstall smeserver-libreswan-xl2tpd

Add some settings as per the readme. Debug mode is enabled. Try a connection and see what goes bang (as something certainly will - probably post-connection ip-up.xl2tpd issues)

Report a bug either here, or in the bug tracker (preferably)

When I get a minute I'll lob it on my test box and try it but I am too busy and spent enough time on this already.

Although sorting out the ip-up/down will take a bit of doing, the challenge is when you have the server as your DHCP server and it is using a full range of IPs. Might need some catch coding in the contrib at some point.

B. Rgds
John

Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #8 on: June 07, 2017, 09:24:37 PM »
Finally installed on a test box and realised the rpm was a mess. I have rebuilt it and it is far better now I think.

Current ver is 0.1-11

I have found a few gotchas interacting with pppd and pptpd which I am working on slowly, plus better interaction with the existing smeserver-libreswan contrib.

I'll continue to chisel away but would be grateful for any assistance.

Note I fully expect this is broken so do NOT install on a production machine as there may be broken template fragments etc hanging about. A VM with roll back so you can do a clean install each time is a prerequisite. At this point I just want to get the basic templates looking right.

B. Rgds
John

Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #9 on: June 08, 2017, 03:40:37 PM »
YESSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS

Get in there !!!!!!!!!!!!!!!!!!!!!!!!!!!!!

I got it to work !!!!!

Needs refining, but i connected !

Will post back more in due course.

B. Rgds
John

Offline Daniel B.

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #10 on: June 08, 2017, 03:57:33 PM »
Thanks John for your work on this. I think we should try to push your work into the core, to replace PPTP. While I personally prefer OpenVPN, the advantage of your solution is that there's a native client at least on Android and iOS, built right into the stock OS.

Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #11 on: June 08, 2017, 05:07:30 PM »
Quote
Thanks John for your work on this. I think we should try to push your work into the core, to replace PPTP. While I personally prefer OpenVPN, the advantage of your solution is that there's a native client at least on Android and iOS, built right into the stock OS.

Yes I understand, but I see lots of people using PPTP still and this is a simple replacement that needs no other apps etc. and works on most devices. It has to be better than PPTP and may get some take-up!

I need to refine some stuff a bit, and it needs some better eyes than mine on it to make it to core, but I think it is worth looking at.


Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #12 on: June 08, 2017, 05:37:08 PM »
Ok, if you want to play.

This bug refers for now:
https://bugs.contribs.org/show_bug.cgi?id=8890

You do NOT need PPTP enabled for this. You can go to your server manager and disable it forever and sing a thousand hallelujahs for secure communications ;-)

ONLY use a VM in server gateway mode

You need my repo to test install.

https://wiki.contribs.org/User:ReetP

    yum --enablerepo=reetp,epel install smeserver-libreswan-xl2tpd

That should bring everything in.

post-upgrade and reboot

Make sure the IPs you are going to issue are NOT in your server DHCP range

You need at least one user on the system - for testing it can be admin

For now we need to set the right subnet to the same as the server local subnet

Check you have a basic connection:

    db ipsec_configuration show
    config show dhcpd

Check the IP range. Make sure the following IPs do not conflict with the server range found.

Let's add some magic sauce, substituting x for your local IP range:

    db ipsec_connections set L2TPD-PSK status enabled IPRangeStart 192.168.x.180 IPRangeFinish 192.168.x.200 rightsubnet 192.168.x.0/24 passwd someLongSecret dpdaction clear dpddelay 10 dpdtimeout 90
Check the services are enabled:

    config setprop xl2tpd status enabled; service xl2tpd start
    config setprop ipsec status enabled
    signal-event ipsec-update

Check you have some config files:

/etc/ipsec.conf
/etc/ipsec.d/ipsec.conf
/etc/ipsec.d/ipsec.secrets


Set up your phone.

Server Type: L2TP/IPsec PSK
Server IP
IPsec preshared key (use the one set above)
Username: admin or other local user
Password: admin password or other local user

Try connecting and watch:

    /var/log/messages
The DNS is hard wired to Googly stuff server for now. You can modify this in:

/etc/xl2tpd/xl2tpd.conf

(the template is in templates-custom for now)

There is lot still to test - I have to make sure it doesn't break my existing ipsec configs for starters. If you ONLY want L2TPD/Ipsec that is about all you need to do.

Sure there will be lots of bugs, and a lot of them I won't know the answers to ;-)

If you see this one, check the above bug and have a look online, as it is known but doesn't stop it working as far as I can tell:

    xl2tpd[19441]: handle_avps: Bad exit status handling attribute 1 (Result Code) on mandatory packet.
Enjoy :-)
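As an added example (not from the thread or the contrib), a small Python check for the settings entered above: it parses constructed `db ... show` style output for the L2TPD-PSK record and the dhcpd service, then flags a pool that falls outside rightsubnet, a pool that overlaps the DHCP range, a short PSK or a malformed DNS list. The record type "connection" and the dhcpd start/end property names are assumptions.

```python
import ipaddress

# Constructed sample in the style of SME Server's `db <dbname> show <key>` output
# (a "key=type" line followed by indented "prop=value" lines). The record and
# property names are the ones used in the post; the values and the record type
# "connection" are made up for this example.
IPSEC_CONNECTIONS_SHOW = """\
L2TPD-PSK=connection
    DNS=208.67.222.222,208.67.220.220
    IPRangeFinish=192.168.1.200
    IPRangeStart=192.168.1.180
    dpdaction=clear
    dpddelay=10
    dpdtimeout=90
    passwd=someLongSecret
    rightsubnet=192.168.1.0/24
    status=enabled
"""

# Constructed `config show dhcpd` output; the start/end property names for the
# lease range are assumed here.
DHCPD_SHOW = """\
dhcpd=service
    end=192.168.1.250
    start=192.168.1.65
    status=enabled
"""


def parse_db_record(text):
    """Parse one `db ... show` record into (key, type, {prop: value})."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    key, _, rtype = lines[0].strip().partition("=")
    props = {}
    for ln in lines[1:]:
        name, _, value = ln.strip().partition("=")
        props[name] = value
    return key, rtype, props


def check_l2tp_settings(ipsec_text, dhcpd_text, min_psk_len=20):
    """Return a list of problems; an empty list means the settings look consistent."""
    problems = []
    _, _, conn = parse_db_record(ipsec_text)
    _, _, dhcp = parse_db_record(dhcpd_text)

    start = ipaddress.ip_address(conn["IPRangeStart"])
    finish = ipaddress.ip_address(conn["IPRangeFinish"])
    subnet = ipaddress.ip_network(conn["rightsubnet"], strict=False)

    if start > finish:
        problems.append("IPRangeStart is after IPRangeFinish")
    # The post sets rightsubnet to the local LAN; the pool must sit inside it.
    for label, addr in (("IPRangeStart", start), ("IPRangeFinish", finish)):
        if addr not in subnet:
            problems.append(f"{label} {addr} is outside rightsubnet {subnet}")

    # "Make sure the IPs you are going to issue are NOT in your server DHCP range":
    # two inclusive ranges overlap unless one ends before the other begins.
    if dhcp.get("status") == "enabled" and "start" in dhcp and "end" in dhcp:
        d_start = ipaddress.ip_address(dhcp["start"])
        d_end = ipaddress.ip_address(dhcp["end"])
        if not (finish < d_start or start > d_end):
            problems.append(
                f"L2TP pool {start}-{finish} overlaps DHCP range {d_start}-{d_end}")

    # The PSK is shared by every L2TP/IPsec client, so it should be long and random.
    psk = conn.get("passwd", "")
    if len(psk) < min_psk_len:
        problems.append(f"PSK is only {len(psk)} characters long")

    # Optional DNS list (as in the later post): every entry must be an IP address.
    for entry in filter(None, conn.get("DNS", "").split(",")):
        try:
            ipaddress.ip_address(entry.strip())
        except ValueError:
            problems.append(f"DNS entry {entry!r} is not an IP address")

    if conn.get("status") != "enabled":
        problems.append("connection status is not 'enabled'")
    return problems


if __name__ == "__main__":
    for p in check_l2tp_settings(IPSEC_CONNECTIONS_SHOW, DHCPD_SHOW):
        print("PROBLEM:", p)
```

Run against the constructed sample it reports the pool/DHCP overlap and the short PSK; with a DHCP range ending below the pool and a long PSK it reports nothing.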

Offline mdo

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #13 on: June 08, 2017, 09:19:38 PM »
Thanks John for your work on this - I am excited to get beer in the fridge for your Xmas arrival soon! :-)

I am working with Lewis from our team in trying to find a PPTP replacement that can be used easily and ideally comes with native clients for the typical OS, hence our preference for this. As much as I otherwise like OpenVPN, this would be easier to set up on individual, travelling user devices.

Thanks again for your most recent updates John, we will test asap and come back.

Michael

Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #14 on: June 09, 2017, 01:18:15 AM »
Hi Michael,

No probs. Any help appreciated. I'll try and fix whatever is broken.

Look forward to the beer !

B. Rgds
John

Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #15 on: June 09, 2017, 05:45:39 PM »
OK,

I have had a big thrash today - added a load of checks on the templates so they are empty unless stuff is enabled etc.

I have missed a patch to the smeserver-libreswan contrib in the password section so I have fixed that.

Lastly I am having to rework a load of bits in the ipsec-update script to allow for L2TPD. I also think I found some of my own bugs in there, but I am going to need a hand fixing some of the code. I'll explain later.

Once I have done what I can with ipsec-update I'll build some new RPMs but it may not be until next week now.

I'll keep you posted.

B. Rgds
John

Offline mdo

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #16 on: June 09, 2017, 09:54:45 PM »
Sounds great. No rush please. We will wait for you.

Thanks
Michael

Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #17 on: June 10, 2017, 12:53:47 AM »
LOL.....  been trying to get my pool finished & full !!

I'd be pleased if you try it as above and let me know if a) it works for you and b) any errors.

You may see one on install for masq templates that I know about.

The work I am doing is to make the templates aware of enabled/disabled status, some more configurable options, and to make the smeserver-libreswan package more L2TP aware, especially the ipsec-update event.

If you try it just use a single L2TP ipsec connectoid. Any more may confuse ipsec-update currently, but a single one should work.... it does on my test box.

Let me know.

B. Rgds
John

Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #18 on: June 12, 2017, 05:23:04 PM »
Please see bug https://bugs.contribs.org/show_bug.cgi?id=8890

I have updated xl2tpd and libreswan rpms and I hope that they vaguely work.

https://github.com/reetp/smeserver-libreswan-xl2tpd/blob/smeserver-libreswan-xl2tpd-0.1/ipsecXl2tpd.Notes

Install.

Add your options to:

db ipsec_connections setprop L2TPD-PSK status disabled IPRangeStart 192.168.x.180 IPRangeFinish 192.168.x.200  rightsubnet 192.168.x.0/24 passwd somesecret dpdaction clear dpddelay 10 dpdtimeout 90 DNS 208.67.222.222,208.67.220.220

config setprop xl2tpd status enabled
config setprop ipsec status enabled

signal-event ipsec-update

Pray.

Offline Daniel B.

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #19 on: June 12, 2017, 05:25:37 PM »
Two small questions:

  • Why do you have to set the netmask at the contrib level? I think you said it must be the same as the local network; if so, the templates of the contrib can directly read InternalInterface settings.
  • Why don't you push the IP of SME as DNS server to the clients, instead of external DNS?

Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #20 on: June 12, 2017, 07:31:29 PM »
Quote
Two small questions:

Why do you have to set the netmask at the contrib level? I think you said it must be the same as the local network; if so, the templates of the contrib can directly read InternalInterface settings.

It probably could, but a) I am no expert, hence asking for help, and b) I tried to keep everything separate for the time being.... it may need extra stuff for ipsec in general but I can't remember. Still very much a work in progress....

Quote
Why don't you push the IP of SME as DNS servers to the clients, instead of external DNS ?

It does default to the local IP if you look. I added the ability to use other DNS if required.


Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #21 on: June 14, 2017, 01:22:12 AM »
Slightly updated smeserver-libreswan rpm available - see https://bugs.contribs.org/show_bug.cgi?id=8890

Note the version number has not been raised so you need to clean metadata/reinstall

I have probably reached the limits of my ability with all of this.

It fundamentally works, but needs lots of refinements.

The L2TPD part on its own is pretty straightforward. The complex part is allowing for pure ipsec connections at the same time (though ironically you have to get a working ipsec setup before you can run L2TPD)

I think the ipsec-update script probably needs a review/rewrite along with createlinks/services/logging etc. The complexity in ipsec-update is due to the script trying to reset individual connections without upsetting/disconnecting others.

I have tried to make sure that any templates used are empty if connection or services are disabled.

I am happy to explain the logic and various settings to anyone interested - it is a pretty huge subject and I managed to refine it down to a set of defaults that work pretty well out of the box.

This should all work fairly seamlessly on the CLI before attempts are made to build panels because the core code may change quite comprehensively and destroy any panel work.

If the xl2tpd contrib is felt to be working sufficiently well then it should get a version bump and then go in to CVS

Please feedback here or in the bug tracker.

JC

Offline TerryF

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #22 on: June 14, 2017, 04:06:05 AM »
Thumbs up  :cool:

Offline CharlieBrady

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #23 on: June 14, 2017, 06:04:01 AM »
Quote
Note the version number has not been raised so you need to clean metadata/reinstall

Numbers come cheap. *Always* bump the revision number if you make changes! :-)

Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #24 on: June 14, 2017, 02:34:27 PM »
Quote
Numbers come cheap. *Always* bump the revision number if you make changes! :-)

Strangely Charlie, there is a method in my madness ;-)

I have been test building in my own repo as I have made truck loads of changes, reverting some, modding the other, as this amateur hack fumbles his way about.

If it was just in git then fine, but I have a script etc to copy from git to CVS , make a patch etc, and it gets in a right mucking fuddle with CVS if I keep bumping the version numbers - there would be a whole huge pile of patches in there by now :-)

I didn't want to end up with a big mess in CVS - I just want to push one changeset and bump.

So I have worked in git, mock built on my test box, and tested from there. Now it is about right I'll push it all to CVS (at least the Libreswan parts - xl2tpd is not in CVS yet)

I've built a xl2tpd v0.2 now. That can go in to CVS but someone will have to do it for me.



Offline Jean-Philippe Pialasse

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #25 on: June 14, 2017, 05:48:14 PM »
John,
First, thanks for your huge work on this.

Quote
If it was just in git then fine, but I have a script etc to copy from git to CVS , make a patch etc, and it gets in a right mucking fuddle with CVS if I keep bumping the version numbers - there would be a whole huge pile of patches in there by now :-)
I didn't want to end up with a big mess in CVS - I just want to push one changeset and bump.

That is not a problem; we love a huge number of patches rather than a big one, as it is easier to see what has been done and to revert one or two changes. Furthermore, it is easily deleted when bumping a complete version simply by importing a new source rpm. The build system will be able to clean all at once and put the new source in place.


Quote
So I have worked in git, mock built on my test box, and tested from there. Now it is about right I'll push it all to CVS (at least the Libreswan parts - xl2tpd is not in CVS yet)

I've built a xl2tpd v0.2 now. That can go in to CVS but someone will have to do it for me.

Well, when you have time I can guide you through this. I know you already have the rights to do it on the buildsys, and it is just a matter of doing it once; you will see it is easier than translating git to cvs ;)

Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #26 on: June 14, 2017, 06:31:41 PM »
Yes I get that..... but I currently use git as a scratchpad.

I often revert stuff or otherwise bugger about. When I have something as a workable patch I push it.

Currently expended as much time as I can (wife is now nagging me), and off to the UK next week so have no time to do any much more now.

Offline Jean-Philippe Pialasse

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #27 on: June 14, 2017, 06:55:08 PM »
We all have a life (and some a wife too). Anytime, just make a sign when available, and I will try to make room!

Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #28 on: June 28, 2017, 01:16:23 PM »
Wiki page:

https://wiki.contribs.org/Smeserver-libreswan-xl2tpd

Needs a good tidy up though.

Offline Jáder

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #29 on: June 30, 2017, 03:06:58 AM »
I have done some formatting on wiki page.

I have one question: why does this require SERVER-GATEWAY mode?
I usually connect my servers as SERVER-ONLY and use a pfSense as firewall most of the time.
BTW: it's not because pfSense is better than SME, it's because it supports some nice tricks like load balancing and 2 internet links! ;)

Regards,

Jáder

Offline DanB35

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #30 on: June 30, 2017, 04:19:03 AM »
Quote
I have one question: why does this require SERVER-GATEWAY mode?

If your SME server is in server-only mode, it isn't routing traffic in and out of your network. Although it's no doubt possible to implement a VPN server in that case, it seems like your edge device (i.e., your pfSense box) is a better place for that to go (which is what I'm doing, also on a pfSense box).

Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #31 on: June 30, 2017, 10:17:43 AM »
Quote
If your SME server is in server-only mode, it isn't routing traffic in and out of your network. Although it's no doubt possible to implement a VPN server in that case, it seems like your edge device (i.e., your pfSense box) is a better place for that to go (which is what I'm doing, also on a pfSense box).

Yup, that sums it up.

Yes I am sure it could be configured for server only. Not sure about the ipsec setup but no doubt 'doable'.

Security-wise I have some servers the same as Jader, but in that instance I'd use the firewall/router as it undoubtedly has VPN built in and would be easier to do.

This is really for those who need to VPN in but have no other system to handle it.

Thanks to Jader for the tidy up. Any issues to report?

B. Rgds
John

Offline tw-lewis

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #32 on: August 09, 2017, 11:48:09 PM »
Hello All,

I'm back!
I have just updated SME to the latest version and now get no connection to the L2TP server with ReetP's contrib.
Looks like the servers are running and there are no errors in the logs, but there is no open port on lsof -i for 1701.

Anyone else run into this issue?
Thanks guys.

Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #33 on: August 10, 2017, 12:09:13 AM »
I can't do anything right now as it is late my time.

I also have the one and only G. Zartman himself winging his way to mine for the weekend....

'It isn't working' doesn't help debugging....

Can you go through exactly what you did to install, please.

config ipsec show
config xl2tpd show

cat /etc/ipsec.conf
cat /etc/ipsec.d/ipsec.conf & secrets

Check in /var/log/pluto/pluto.log

Check ipsec is running with:

ipsec whack --status

It will help you a great deal to also read the libreswan docs.

You will get a better understanding of the config directives.

That should keep you busy for a bit.....

Rgds
John

P.S. tell Michael the beer bill is rising.... :-)

Offline ReetP

  • *
  • 3,722
  • +5/-0
Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #34 on: August 10, 2017, 05:55:03 PM »
Hello All,

I'm back!
I have just updated SME to latest version and now getting no connection to the L2TP server with ReetP's contrib.
Looks like servers are running and no errors in logs but there is no open port on lsof -i for 1701.

Anyone else run into this issue?
Thanks guys.

BTW you probably don't want lsof - that lists open files. My testbox shows nothing even though l2tpd is running.

check

netstat -an |grep 1701
[root@test ~]# netstat -an |grep 1701
udp        0      0 0.0.0.0:1701                0.0.0.0:* 

You can also check 4500 & 500

Rgds
John

Offline tw-lewis

  • 12
  • +0/-0
Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #35 on: August 10, 2017, 11:06:39 PM »
cat /etc/ipsec.conf
config setup
    protostack=netkey
    plutodebug=none
    #klipsdebug=none
    plutostderrlog=/var/log/pluto/pluto.log
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:172.16.1.0/22
include /etc/ipsec.d/ipsec.conf

cat /etc/ipsec.d/ipsec.conf
conn L2TPD-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    type=transport
    forceencaps=yes
    right=%any
    rightsubnet=vhost:%no,%priv
    rightprotoport=17/%any
    # Using the magic port of "0" means "any one single port". This is
    # a work around required for Apple OSX clients that use a randomly
    # high port, but propose "0" instead of their port.
    left=%defaultroute
    leftprotoport=17/1701
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear

Check in /var/log/pluto/pluto.log
Aug 11 09:01:03: "L2TPD-PSK"[7] 43.243.56.130 #16: received Delete SA(0xb1bad446) payload: deleting IPSEC State #20
Aug 11 09:01:03: "L2TPD-PSK"[7] 43.243.56.130 #16: deleting other state #20 (STATE_QUICK_R2) "L2TPD-PSK"[7] 43.243.56.130
Aug 11 09:01:03: "L2TPD-PSK"[7] 43.243.56.130 #16: ESP traffic information: in=0B out=0B
Aug 11 09:01:03: "L2TPD-PSK"[7] 43.243.56.130 #16: received and ignored empty informational notification payload
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #16: the peer proposed: 43.243.56.132/32:17/1701 -> 192.168.222.22/32:17/1701
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #16: NAT-Traversal: received 2 NAT-OA. Using first, ignoring others
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: responding to Quick Mode proposal {msgid:06000000}
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22:     us: 43.243.56.132:17/1701
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22:   them: 43.243.56.130[192.168.222.22]:17/1701===192.168.222.22/32
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22:   them: 43.243.56.130[192.168.222.22]:17/1701===192.168.222.22/32
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: keeping refhim=0 during rekey
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x3a7b3832 <0xf29e9a67 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.222.22 NATD=43.243.56.130:4500 DPD=active}
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x3a7b3832 <0xf29e9a67 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.222.22 NATD=43.243.56.130:4500 DPD=active}
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #16: received Delete SA(0xa9382650) payload: deleting IPSEC State #21
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #16: deleting other state #21 (STATE_QUICK_R2) "L2TPD-PSK"[7] 43.243.56.130
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #16: ESP traffic information: in=0B out=0B
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #16: ESP traffic information: in=0B out=0B
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #16: received and ignored empty informational notification payload
Aug 11 09:01:23: "L2TPD-PSK"[7] 43.243.56.130 #16: received Delete SA(0x3a7b3832) payload: deleting IPSEC State #22
Aug 11 09:01:23: "L2TPD-PSK"[7] 43.243.56.130 #16: deleting other state #22 (STATE_QUICK_R2) "L2TPD-PSK"[7] 43.243.56.130
Aug 11 09:01:23: "L2TPD-PSK"[7] 43.243.56.130 #16: ESP traffic information: in=0B out=0B
Aug 11 09:01:23: "L2TPD-PSK" #16: deleting state (STATE_MAIN_R3)
Aug 11 09:01:23: "L2TPD-PSK"[7] 43.243.56.130: deleting connection "L2TPD-PSK"[7] 43.243.56.130 instance with peer 43.243.56.130 {isakmp=#0/ipsec=#0}
Aug 11 09:01:23: packet from 43.243.56.130:4500: received and ignored empty informational notification payload

ipsec whack --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1@4500
000 interface lo/lo 127.0.0.1@500
000 interface eth0/eth0 172.16.0.2@4500
000 interface eth0/eth0 172.16.0.2@500
000 interface eth1/eth1 43.243.56.132@4500
000 interface eth1/eth1 43.243.56.132@500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/, statsbin=unset
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=3.18, pluto_vendorid=OE-Libreswan-3.18
000 nhelpers=-1, uniqueids=yes, perpeerlog=no, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 secctx-attr-type=32001
000 myid = (none)
000 debug none
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnet: 172.16.0.0/22
000
000 ESP algorithms supported:
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=16, v2name=AES_CCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=15, v2name=AES_CCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=14, v2name=AES_CCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=24, v1name=OAKLEY_CAMELLIA_CTR, v2id=24, v2name=CAMELLIA_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=20, v1name=OAKLEY_AES_GCM_C, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=19, v1name=OAKLEY_AES_GCM_B, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=18, v1name=OAKLEY_AES_GCM_A, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashlen=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashlen=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashlen=64
000 algorithm IKE hash: id=9, name=DISABLED-OAKLEY_AES_XCBC, hashlen=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "L2TPD-PSK": 43.243.56.132:17/1701---43.243.56.134...%virtual:17/%any===vhost:?; unrouted; eroute owner: #0
000 "L2TPD-PSK":     oriented; my_ip=unset; their_ip=unset
000 "L2TPD-PSK":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "L2TPD-PSK":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "L2TPD-PSK":   labeled_ipsec:no;
000 "L2TPD-PSK":   policy_label:unset;
000 "L2TPD-PSK":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3;
000 "L2TPD-PSK":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "L2TPD-PSK":   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "L2TPD-PSK":   policy: PSK+ENCRYPT+DONT_REKEY+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "L2TPD-PSK":   conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "L2TPD-PSK":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "L2TPD-PSK":   dpd: action:clear; delay:10; timeout:90; nat-t: force_encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "L2TPD-PSK":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 Total IPsec connections: loaded 1, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
000 Bare Shunt list:
000

Sorry for the log spam, but pluto.log shows the connection attempt but no connection. Sorry, I used netstat and found the ports open... funny, now lsof is showing the port.
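
The two checks from the last two replies (UDP listeners in `netstat -an`, and what pluto.log says about each IPsec SA) can be made repeatable. The Python below is an added example for this thread, not code from the contrib, from SME Server or from libreswan; `summarise_pluto_log`, `diagnose` and `missing_udp_listeners` are names chosen here, and the log and netstat text it runs on are constructed copies of what was posted above. The advice strings are the example's reading of the byte counters, not libreswan output: an SA that reaches STATE_QUICK_R2 and is then torn down with `in=0B out=0B` carried no ESP payload at all, which is why the posted log points away from IKE and towards the L2TP side.

```python
"""Summarise libreswan pluto.log SA events and check the UDP listeners an
L2TP/IPsec server needs (500 for IKE, 4500 for NAT-T, 1701 for L2TP).
Added example for this thread, not code from the contrib, SME Server or
libreswan; the log and netstat text are constructed after what was posted."""
import re
from datetime import datetime

# Constructed sample shaped like the pluto.log excerpt posted in the thread.
SAMPLE_PLUTO_LOG = """\
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: responding to Quick Mode proposal {msgid:06000000}
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x3a7b3832 <0xf29e9a67 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.222.22 NATD=43.243.56.130:4500 DPD=active}
Aug 11 09:01:23: "L2TPD-PSK"[7] 43.243.56.130 #16: received Delete SA(0x3a7b3832) payload: deleting IPSEC State #22
Aug 11 09:01:23: "L2TPD-PSK"[7] 43.243.56.130 #16: deleting other state #22 (STATE_QUICK_R2) "L2TPD-PSK"[7] 43.243.56.130
Aug 11 09:01:23: "L2TPD-PSK"[7] 43.243.56.130 #16: ESP traffic information: in=0B out=0B
"""
# Constructed `netstat -an` sample: 500 and 4500 bound, nothing on UDP 1701.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address               Foreign Address             State
udp        0      0 0.0.0.0:500                 0.0.0.0:*
udp        0      0 0.0.0.0:4500                0.0.0.0:*
"""

LINE_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d): (?P<msg>.*)$')
ESTAB_RE = re.compile(r'#(?P<sa>\d+): STATE_QUICK_R2: IPsec SA established '
                      r'(?P<mode>\w+) mode \{(?P<params>[^}]*)\}')
DELETE_RE = re.compile(r'deleting other state #(?P<sa>\d+)')
TRAFFIC_RE = re.compile(r'ESP traffic information: in=(?P<inb>\d+)B out=(?P<outb>\d+)B')

def _seconds(ts):
    """Seconds since midnight for a syslog-style 'Mon DD HH:MM:SS' stamp."""
    t = datetime.strptime(ts.split()[-1], '%H:%M:%S')
    return t.hour * 3600 + t.minute * 60 + t.second

def summarise_pluto_log(text):
    """{sa_number: info} for each IPsec SA that reached STATE_QUICK_R2.
    pluto logs 'ESP traffic information' under the parent ISAKMP SA (#16 above)
    right after 'deleting other state #N', so counters go to that state N."""
    sas, last_deleted = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m.group('ts'), m.group('msg')
        e = ESTAB_RE.search(msg)
        if e:
            params = e.group('params')
            xfrm = re.search(r'xfrm=(\S+)', params)
            sas[int(e.group('sa'))] = {
                'established': _seconds(ts), 'deleted': None,
                'mode': e.group('mode'),
                'xfrm': xfrm.group(1) if xfrm else None,
                'nat_t': 'NATD=' in params,   # peer behind NAT, ESP in UDP 4500
                'bytes_in': None, 'bytes_out': None,
            }
            continue
        d = DELETE_RE.search(msg)
        if d:
            last_deleted = int(d.group('sa'))
            if last_deleted in sas:
                sas[last_deleted]['deleted'] = _seconds(ts)
            continue
        t = TRAFFIC_RE.search(msg)
        if t and last_deleted in sas:
            sas[last_deleted]['bytes_in'] = int(t.group('inb'))
            sas[last_deleted]['bytes_out'] = int(t.group('outb'))
            last_deleted = None
    return sas

def diagnose(sas):
    """One line per SA, derived only from what the log lines carry."""
    notes = []
    for num, s in sorted(sas.items()):
        head = 'SA #%d: %s mode, %s%s' % (
            num, s['mode'], s['xfrm'], ', NAT-T' if s['nat_t'] else '')
        if s['deleted'] is None:
            notes.append(head + ', still up')
        elif (s['bytes_in'], s['bytes_out']) == (0, 0):
            life = s['deleted'] - s['established']
            notes.append(head + ', torn down after %ds with no ESP payload: IKE '
                         'and IPsec completed, so look at the L2TP layer next '
                         '(UDP 1701 listener, xl2tpd, pppd in /var/log/messages)' % life)
        else:
            notes.append(head + ', carried %dB in / %dB out'
                         % (s['bytes_in'], s['bytes_out']))
    return notes

def missing_udp_listeners(netstat_text, ports=(500, 4500, 1701)):
    """Ports in `ports` with no UDP socket bound in `netstat -an` output."""
    bound = set()
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0].startswith('udp'):
            bound.add(int(cols[3].rsplit(':', 1)[1]))
    return [p for p in ports if p not in bound]

if __name__ == '__main__':
    print('\n'.join(diagnose(summarise_pluto_log(SAMPLE_PLUTO_LOG))))
    print('missing UDP listeners:', missing_udp_listeners(SAMPLE_NETSTAT))
```

On a real box, feed it `cat /var/log/pluto/pluto.log` and `netstat -an` (the `udp6`/`:::1701` form is handled too); the netstat check only says whether a socket is bound, not whether the firewall forwards the port, so the port-forwarding step mentioned earlier in the thread still has to be checked separately.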

Offline ReetP

  • *
  • 3,722
  • +5/-0
Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #36 on: August 12, 2017, 02:22:33 AM »
Hmmm Ok.

Couple of things. Here's my test ipsec setup:

[root@test ~]# db networks show
192.168.97.0=network
    Mask=255.255.255.0
    SystemLocalNetwork=yes

[root@test ~]# db ipsec_connections show
L2TPD-PSK=xl2tpd
    IPRangeFinish=192.168.97.200
    IPRangeStart=192.168.97.180
    PreviousState=enabled
    connectiontype=transport
    dpdaction=clear
    dpddelay=10
    dpdtimeout=90
    passwd=#somelongpassword#
    rightsubnet=192.168.97.0/24
    status=enabled

[root@test ~]# config show ipsec
ipsec=service
    UDPPort=500
    UDPPorts=500,4500
    access=public
    auto=start
    connectiontype=tunnel
    debug=none
    dpdaction=restart
    dpddelay=30
    dpdtimeout=10
    ike=aes256-sha2_256-modp2048
    ikelifetime=3600s
    ipsecversion=yes
    left=%defaultroute
    pfs=yes
    phase2=aes-256
    salifetime=28800s
    security=secret
    status=enabled
xl2tpd=service
    DNS=208.67.222.222,208.67.220.220
    UDPPort=1701
    debug=enabled
    status=enabled

/etc/ipsec.d/ipsec.conf
conn L2TPD-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    type=transport
    forceencaps=yes
    right=%any
    rightsubnet=vhost:%any,%priv
    rightprotoport=17/%any
    # Using the magic port of "0" means "any one single port". This is
    # a work around required for Apple OSX clients that use a randomly
    # high port, but propose "0" instead of their port.
    left=%defaultroute
    leftprotoport=17/1701
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear

/etc/ipsec.conf
config setup
    protostack=netkey
    plutodebug=none
    #klipsdebug=none
    plutostderrlog=/var/log/pluto/pluto.log
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:192.168.97.0/24

include /etc/ipsec.d/ipsec.conf

/etc/ipsec.d/ipsec.secrets

212.83.164.73 %any : PSK "#somelongpassword#"

Make sure your DHCP range is outside that of normal SME connections.

[root@test xl2tpd]# cat /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
force userspace = yes


[lns default]
name=L2TP-VPN
ip range = 192.168.97.180-192.168.97.200
local ip = 192.168.97.1
unix authentication = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

There are some other xl2tpd files that need checking. Most show 'disabled' if something is not right. Check the templates against the actual files to see that they look OK.

/etc/pam.d/ppp
/etc/ppp/ip-up.local
/etc/ppp/options.xl2tpd
/etc/ppp/pap-secrets
/etc/rc.d/init.d/masq
/etc/xl2tpd/xl2tpd.conf

Also check /var/log/messages for some activity on connection - pppd, ip-up etc

Rgds
John
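
The test setup posted above spreads the same addresses over three places (the `db ipsec_connections` entry, `/etc/ipsec.conf`'s `virtual_private`, and the `ip range` / `local ip` in `/etc/xl2tpd/xl2tpd.conf`), and the post also warns that the L2TP pool must stay clear of the normal DHCP range. The Python below is an added example for this thread, not code from the contrib or from SME Server: `parse_kv` and `check_l2tp_setup` are names chosen here, the config text is the posted test setup, and the DHCP range is a constructed assumption because the real SME DHCP settings are not shown in the thread. The host-bits check reflects what the earlier `ipsec whack --status` output showed: a `virtual_private=%v4:172.16.1.0/22` is listed by pluto as the allowed subnet 172.16.0.0/22.

```python
"""Consistency checks for an SME Server L2TP/IPsec setup like the test setup
posted above: the db entries, /etc/ipsec.conf and /etc/xl2tpd/xl2tpd.conf must
agree on the address ranges, and the L2TP pool must not collide with DHCP.
Added example for this thread, not code from the contrib or from SME Server.
Config text is the posted test setup; the DHCP range is a constructed
assumption (the real SME DHCP settings are not shown in the thread)."""
import ipaddress
import re

DB_IPSEC_CONNECTIONS = """\
L2TPD-PSK=xl2tpd
    IPRangeFinish=192.168.97.200
    IPRangeStart=192.168.97.180
    rightsubnet=192.168.97.0/24
"""
IPSEC_CONF = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:192.168.97.0/24
"""
XL2TPD_CONF = """\
[lns default]
name=L2TP-VPN
ip range = 192.168.97.180-192.168.97.200
local ip = 192.168.97.1
"""
# Constructed assumption: a DHCP pool that happens to overlap the L2TP pool.
DHCP_RANGE = ('192.168.97.65', '192.168.97.190')

def parse_kv(text):
    """'key=value' / 'key = value' lines from db output, ipsec.conf or xl2tpd.conf."""
    out = {}
    for line in text.splitlines():
        m = re.match(r'\s*([^#=\[\s][^=]*?)\s*=\s*(.*?)\s*$', line)
        if m:
            out[m.group(1)] = m.group(2)
    return out

def as_range(start, finish):
    """(first, last) as integers, inclusive."""
    a, b = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(finish))
    if b < a:
        raise ValueError('range end before start: %s-%s' % (start, finish))
    return a, b

def overlaps(r1, r2):
    return max(r1[0], r2[0]) <= min(r1[1], r2[1])

def within(rng, net):
    return int(net.network_address) <= rng[0] and rng[1] <= int(net.broadcast_address)

def check_l2tp_setup(db_text, ipsec_text, xl2tpd_text, dhcp_range):
    """Return a list of problems; an empty list means the pieces agree."""
    problems = []
    db, xl, ips = parse_kv(db_text), parse_kv(xl2tpd_text), parse_kv(ipsec_text)

    db_pool = as_range(db['IPRangeStart'], db['IPRangeFinish'])
    pool = as_range(*xl['ip range'].split('-'))
    if db_pool != pool:
        problems.append('xl2tpd ip range %s differs from db IPRangeStart/Finish' % xl['ip range'])

    lan = ipaddress.ip_network(db['rightsubnet'])
    if not within(pool, lan):
        problems.append('L2TP pool %s lies outside rightsubnet %s' % (xl['ip range'], lan))
    local = int(ipaddress.ip_address(xl['local ip']))
    if not within((local, local), lan):
        problems.append('xl2tpd local ip %s lies outside %s' % (xl['local ip'], lan))
    if pool[0] <= local <= pool[1]:
        problems.append('xl2tpd local ip %s sits inside the L2TP pool' % xl['local ip'])

    # virtual_private as pluto reads it: '%v4:' entries, '!' marks exclusions.
    covered = []
    for item in ips.get('virtual_private', '').split(','):
        item = item.strip()
        if not item.startswith('%v4:') or item.startswith('%v4:!'):
            continue
        given = item[4:]
        net = ipaddress.ip_network(given, strict=False)
        if str(net) != given:   # host bits set, e.g. 172.16.1.0/22 -> 172.16.0.0/22
            problems.append('virtual_private %s has host bits set; pluto uses %s' % (given, net))
        covered.append(net)
    if not any(lan.subnet_of(n) for n in covered):
        problems.append('rightsubnet %s is not covered by virtual_private' % lan)

    if overlaps(pool, as_range(*dhcp_range)):
        problems.append('L2TP pool %s overlaps DHCP range %s-%s'
                        % (xl['ip range'], dhcp_range[0], dhcp_range[1]))
    return problems

if __name__ == '__main__':
    for p in check_l2tp_setup(DB_IPSEC_CONNECTIONS, IPSEC_CONF, XL2TPD_CONF, DHCP_RANGE):
        print('PROBLEM:', p)
```

On a real server the inputs would come from `db ipsec_connections show`, `cat /etc/ipsec.conf` and `cat /etc/xl2tpd/xl2tpd.conf`, with the DHCP range taken from the server's own DHCP settings; the checker deliberately stays on the address layer and does not touch the PSK in ipsec.secrets.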