Koozali.org: home of the SME Server

VPN L2TP/IPSEC over PPTP status and assistance.

Offline tw-lewis

VPN L2TP/IPSEC over PPTP status and assistance.
« on: April 24, 2017, 04:31:55 AM »
Development status with moving VPN to a more secure L2TP/IPSEC setup and away from PPTP. I see two years ago Reetp had been working on integrating L2TP into SME. Would anyone be able to give me an update on this?

I have tried Softether VPN with SME9 without success when following the documentation in contribs. Also, due to most ISPs actively blocking the more insecure PPTP/GRE protocols, this no longer suits the growing needs for VPN access.

So my questions are:

What is the status of L2TP/IPSEC as a default feature in SME and how do I get it?
and
Has anyone else had this issue and what were their solutions?

Thanks ALL.

Offline Daniel B.

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #1 on: April 24, 2017, 08:49:09 AM »
Have you tried the various OpenVPN contribs? They are secure, reliable and NAT friendly. You can use OpenVPN Bridge for roadwarriors, and OpenVPN Site to Site to connect two SME (or one SME with something else, like a PfSense). There's also a routed contrib for roadwarriors where bridge is not possible (iOS, Android, ChromeOS for example).
It's the end of the world!!! :lol:

Offline TerryF

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #2 on: May 18, 2017, 05:34:13 AM »
So my questions are:

What is the status of L2TP/IPSEC as a default feature in SME and how do I get it?
and
Has anyone else had this issue and what were their solutions?

Thanks ALL.

Installed Softether and set it up following the wiki, sussed the gotcha that it had inadvertently introduced and borked access to Apache etc.; port 443 is a no-no. :-)

Using it on three servers, two server/gateway and one server-only, using IPsec/L2TP; also played with the OpenVPN/MS-SSTP feature. All work fine. Make sure to do the setups for port forwarding on server and router when in server-only mode.

Used the Management app from Windows, just make sure to stop it listening on 443. Set up another port if that is your want.

This is a good resource that describes using vpncmd from the cli - https://www.digitalocean.com/community/tutorials/how-to-setup-a-multi-protocol-vpn-server-using-softether

All in all a very useful tool for amateurs/users like me. If and when it gets set up as a contrib it will be a go-to option for a VPN.
--
He who writes reads twice.

Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #3 on: May 18, 2017, 10:41:30 AM »
Lewis,

As per our discussions on IRC a little while back, I hadn't got any further as I had other priorities.

I am happy to try and do a bit more work but could do with a hand :-)

Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Online Jean-Philippe Pialasse

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #4 on: May 18, 2017, 12:57:08 PM »
I am happy to try and do a bit more work but could do with a hand :-)

You should try with both hands, might be easier ;)

Joke apart, yes we should have a look, and also at softether. There is a bug about allowing the default port for https to be changed.

Offline tw-lewis

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #5 on: June 01, 2017, 12:47:06 AM »
Hello All,

I don't really have a dev budget for this so I am wondering who else is using L2TP/IPsec on SME and is using the native clients on Android, Mac and Windows?
PPTP works well on a standard Internet connection but fails completely on 3G/4G with tethering on mobile devices.

The ideal result would be to not have to install 3rd party apps and not have to copy certs over onto all devices. This should work the same way as SME's current PPTP setup so we can easily manage client access. Would it be too hard to replace or choose between PPTP and L2TP/IPsec?

As above, SoftetherVPN will not do as it requires a Windows application to control it along with a very confusing per-user setup. I also want to avoid OpenVPN with PDPadmin on SME as this also takes too long to set up individual clients.

Any help would be appreciated
Regards
Lewis

Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #6 on: June 01, 2017, 01:41:11 AM »
I doubt very much anyone is currently using it. I had no real assistance when I was trying to get it working which generally means there is not much interest.

PPTP should not be used. It is a long busted flush. If we ever got L2TP/IPsec running PPTP would be rightly ditched by SME for sure.

I think I got pretty close to getting it running but fell foul of a bug in SME that was subsequently fixed. By then I had run out of play time.

I may get some time to look at where I was at over the next week.

The source is in github. It will generate most if not all of the required templates, but needs some refinement to the configs, and testing.

I don't want any money for doing anything. Just some time/help.

Note the libreswan ipsec contrib works for pure ipsec (I have used it daily for a few years). I may have some updates for it that haven't yet been pushed to CVS, but it would need revisiting to ensure it works with L2TP configs.

If you want to try and help then let me know and I can guide you through what I have so far. But you are going to have to do some legwork.....

I suggest you go and speak to Michael and tell him I'll be there for a beer at Christmas :-)

B. Rgds
John

Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #7 on: June 01, 2017, 04:20:57 PM »
FYI I have updated some stuff in the contrib but I suspect there will be a lot of breakages in there.

Available currently from my repo (I won't update CVS until this is a bit better):

https://www.reetspetit.com/smeserver/6/repoview/index.html

Safest thing is probably:

Have basic ipsec installed:

Code:
    yum --enablerepo=smecontribs install smeserver-libreswan

Download and install the smeserver-libreswan-xl2tpd rpm:

https://www.reetspetit.com/smeserver/6/repoview/smeserver-libreswan-xl2tpd.html

Code:
    yum localinstall smeserver-libreswan-xl2tpd

Add some settings as per the readme. Debug mode is enabled. Try a connection and see what goes bang (as something certainly will - probably post-connection ip-up.xl2tpd issues).

Report a bug either here, or in the bug tracker (preferably)

When I get a minute I'll lob it on my test box and try it but I am too busy and spent enough time on this already.

Although sorting out the ip-up/down will take a bit of doing, the challenge is when you have a server as your DHCP server and it is using a full range of IPs. Might need some catch coding in the contrib at some point.

B. Rgds
John

Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #8 on: June 07, 2017, 09:24:37 PM »
Finally installed on a test box and realised the rpm was a mess. I have rebuilt it and it is far better now I think.

Current ver is 0.1-11

I have found a few gotchas interacting with pppd and pptpd which I am working on slowly, plus better interaction with the existing smeserver-libreswan contrib.

I'll continue to chisel away but would be grateful for any assistance.

Note I fully expect this is broken so do NOT install on a production machine as there may be broken template fragments etc hanging about. A VM with roll back so you can do a clean install each time is a prerequisite. At this point I just want to get the basic templates looking right.

B. Rgds
John

Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #9 on: June 08, 2017, 03:40:37 PM »
YESSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS

Get in there !!!!!!!!!!!!!!!!!!!!!!!!!!!!!

I got it to work !!!!!

Needs refining, but I connected!

Will post back more in due course.

B. Rgds
John

Offline Daniel B.

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #10 on: June 08, 2017, 03:57:33 PM »
Thanks John for your work on this. I think we should try to push your work into the core, to replace PPTP. While I personally prefer OpenVPN, the advantage of your solution is that there's a native client at least on Android and iOS, built right into the stock OS.

Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #11 on: June 08, 2017, 05:07:30 PM »
Thanks John for your work on this. I think we should try to push your work into the core, to replace PPTP. While I personally prefer OpenVPN, the advantage of your solution is that there's a native client at least on Android and iOS, built right into the stock OS.

Yes I understand but I see lots of people using PPTP still and this is a simple replacement that needs no other apps etc. and works on most devices. It has to be better than PPTP and may get some takeup!

I need to refine some stuff a bit, and it needs some better eyes than mine on it to make it to core, but I think it is worth looking at.


Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #12 on: June 08, 2017, 05:37:08 PM »
Ok, if you want to play.

This bug refers for now:
https://bugs.contribs.org/show_bug.cgi?id=8890

You do NOT need PPTP enabled for this. You can go to your server manager and disable it forever and sing a thousand hallelujahs for secure communications ;-)

ONLY use a VM in server gateway mode

You need my repo to test install.

https://wiki.contribs.org/User:ReetP

Code:
    yum --enablerepo=reetp,epel install smeserver-libreswan-xl2tpd

That should bring everything in.

post-upgrade and reboot

Make sure the IPs you are going to issue are NOT in your server DHCP range

You need at least one user on the system - for testing it can be admin

For now we need to set the right subnet to the same as the server local subnet

Check you have a basic connection:

Code:
    db ipsec_configuration show
    config show dhcpd

Check the IP range. Make sure the following IPs do not conflict with the server range found.

Let's add some magic sauce, substituting x for your local IP range:

Code:
    db ipsec_connections set L2TPD-PSK status enabled IPRangeStart 192.168.x.180 IPRangeFinish 192.168.x.200 rightsubnet 192.168.x.0/24 passwd someLongSecret dpdaction clear dpddelay 10 dpdtimeout 90

Check the services are enabled:

Code:
    config setprop xl2tpd status enabled; service xl2tpd start
    config setprop ipsec status enabled
    signal-event ipsec-update

Check you have some config files:

/etc/ipsec.conf
/etc/ipsec.d/ipsec.conf
/etc/ipsec.d/ipsec.secrets


Set up your phone.

Server Type: L2TP/IPsec PSK
Server IP
IPsec preshared key (use the one set above)
Username: admin or other local user
Password: admin password or other local user

Try connecting and watch:

Code:
    /var/log/messages

The DNS is hard wired to Googly stuff server for now. You can modify this in:

/etc/xl2tpd/xl2tpd.conf

(the template is in templates-custom for now)

There is a lot still to test - I have to make sure it doesn't break my existing ipsec configs for starters. If you ONLY want L2TPD/IPsec that is about all you need to do.

Sure there will be lots of bugs, and a lot of them I won't know the answers to ;-)

If you see this one, check the above bug and have a look online as it is known but doesn't stop it working as far as I can tell:

Code:
    xl2tpd[19441]: handle_avps: Bad exit status handling attribute 1 (Result Code) on mandatory packet.

Enjoy :-)
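The step in the post above that is easiest to get wrong is handing out L2TP client addresses that collide with the server's own dhcpd range (the same overlap concern raised earlier about ip-up/down). The script below is an added example, not part of the thread or of the smeserver-libreswan-xl2tpd contrib: it compares the intended IPRangeStart/IPRangeFinish against the start=/end= props that `config show dhcpd` is assumed to print, using a constructed copy of that output so it runs offline.

```shell
#!/bin/sh
# Added example: verify the L2TP pool does not overlap the SME dhcpd range
# before running `db ipsec_connections set L2TPD-PSK ... IPRangeStart ... IPRangeFinish ...`.
# Assumption: `config show dhcpd` prints indented "start=a.b.c.d" and "end=a.b.c.d" props.

# Convert a dotted-quad IPv4 address to an integer so ranges can be compared.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# True (exit 0) when the inclusive ranges [$1,$2] and [$3,$4] share an address.
ranges_overlap() {
    s1=$(ip2int "$1"); e1=$(ip2int "$2")
    s2=$(ip2int "$3"); e2=$(ip2int "$4")
    [ "$s1" -le "$e2" ] && [ "$s2" -le "$e1" ]
}

# Extract one prop (e.g. start or end) from `config show dhcpd` style text in $2.
dhcp_prop() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1=//p"
}

# Usage: check_l2tp_pool <IPRangeStart> <IPRangeFinish> "<config show dhcpd output>"
# Returns 1 (and says why) when the pool collides with the DHCP range.
check_l2tp_pool() {
    dstart=$(dhcp_prop start "$3"); dend=$(dhcp_prop end "$3")
    if [ -z "$dstart" ] || [ -z "$dend" ]; then
        echo "dhcpd has no start/end props; nothing to collide with"
        return 0
    fi
    if ranges_overlap "$1" "$2" "$dstart" "$dend"; then
        echo "CONFLICT: L2TP pool $1-$2 overlaps DHCP range $dstart-$dend"
        return 1
    fi
    echo "OK: L2TP pool $1-$2 is outside DHCP range $dstart-$dend"
}

# Constructed sample of `config show dhcpd` output (not captured from a real server).
SAMPLE_DHCPD='dhcpd=service
    end=192.168.1.250
    start=192.168.1.65
    status=enabled'

# On a real box replace "$SAMPLE_DHCPD" with "$(config show dhcpd)".
check_l2tp_pool 192.168.1.180 192.168.1.200 "$SAMPLE_DHCPD" || echo "move IPRangeStart/IPRangeFinish first"
check_l2tp_pool 192.168.1.251 192.168.1.254 "$SAMPLE_DHCPD"
```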

Offline mdo

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #13 on: June 08, 2017, 09:19:38 PM »
Thanks John for your work on this - I am excited to get beer in the fridge for your Xmas arrival soon! :-)

I am working with Lewis from our team in trying to find a PPTP replacement that can be used easily and ideally comes with native clients for the typical OS, hence our preference for this. As much as I otherwise like OpenVPN, this would be easier to set up on individual, travelling user devices.

Thanks again for your most recent updates John, we will test asap and come back.

Michael
...

Offline ReetP

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #14 on: June 09, 2017, 01:18:15 AM »
Hi Michael,

No probs. Any help appreciated. I'll try and fix whatever is broken.

Look forward to the beer!

B. Rgds
John