Koozali.org formerly Contribs.org

VPN L2TP/IPSEC over PPTP status and assistance.

ReetP
Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #15 on: June 09, 2017, 05:45:39 PM »
OK,

I have had a big thrash today - added a load of checks on the templates so they are empty unless stuff is enabled etc.

I have missed a patch to the smeserver-libreswan contrib in the password section so I have fixed that.

Lastly I am having to rework a load of bits in the ipsec-update script to allow for L2TPD. I also think I found some of my own bugs in there, but I am going to need a hand fixing some of the code. I'll explain later.

Once I have done what I can with ipsec-update I'll build some new RPMs but it may not be until next week now.

I'll keep you posted.

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

mdo
Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #16 on: June 09, 2017, 09:54:45 PM »
Sounds great. No rush please. We will wait for you.

Thanks
Michael
...

ReetP
Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #17 on: June 10, 2017, 12:53:47 AM »
LOL..... I've been trying to get my pool finished & full!!

I'd be pleased if you try it as above and let me know if a) it works for you and b) any errors.

You may see one on install for masq templates that I know about.

The work I am doing is to make the templates aware of enabled/disabled status, add some more configurable options, and make the smeserver-libreswan package more L2TP aware, especially the ipsec-update event.

If you try it just use a single L2TP ipsec connectoid. Any more may confuse ipsec-update currently, but a single one should work.... it does on my test box.

Let me know.

B. Rgds
John

ReetP
Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #18 on: June 12, 2017, 05:23:04 PM »
Please see bug https://bugs.contribs.org/show_bug.cgi?id=8890

I have updated xl2tpd and libreswan rpms and I hope that they vaguely work.

https://github.com/reetp/smeserver-libreswan-xl2tpd/blob/smeserver-libreswan-xl2tpd-0.1/ipsecXl2tpd.Notes

Install.

Add your options to:

db ipsec_connections setprop L2TPD-PSK status disabled IPRangeStart 192.168.x.180 IPRangeFinish 192.168.x.200  rightsubnet 192.168.x.0/24 passwd somesecret dpdaction clear dpddelay 10 dpdtimeout 90 DNS 208.67.222.222,208.67.220.220

config setprop xl2tpd status enabled
config setprop ipsec status enabled

signal-event ipsec-update

Pray.
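The db setprop line above writes the L2TP connection record, and signal-event ipsec-update then expands the templates from it; nothing checks the values first. The following is an added pre-flight check, not code from the post or from the smeserver-libreswan-xl2tpd contrib. It assumes the e-smith pipe-delimited record format (key=type|prop|value|prop|value...) and a record type of "ipsec"; the property names are the ones used in the command above, and the sample record is constructed, with "x" already replaced by a real octet. It flags a pool that falls outside rightsubnet, a start address after the finish address, the placeholder PSK, bad DNS addresses, a dpdtimeout that does not exceed dpddelay, and a connection whose status is still disabled (which, per the post, leaves the templates empty).

```python
"""Pre-flight validation of an SME Server ipsec_connections L2TP record.

Added example, not part of the contrib. Assumes the e-smith db record
format  key=type|prop|value|prop|value...  and a record type of "ipsec".
"""
import ipaddress

# Constructed sample record mirroring the forum post's db setprop command,
# with the placeholder "192.168.x" already replaced by "192.168.1".
SAMPLE_RECORD = (
    "L2TPD-PSK=ipsec|status|disabled|IPRangeStart|192.168.1.180"
    "|IPRangeFinish|192.168.1.200|rightsubnet|192.168.1.0/24"
    "|passwd|somesecret|dpdaction|clear|dpddelay|10|dpdtimeout|90"
    "|DNS|208.67.222.222,208.67.220.220"
)

# Placeholder / obviously weak pre-shared keys that must never reach production.
WEAK_PSKS = {"somesecret", "secret", "password", "changeme"}
MIN_PSK_LEN = 20
# dpdaction values accepted by libreswan's ipsec.conf.
DPD_ACTIONS = ("clear", "hold", "restart")


def parse_record(line):
    """Split 'key=type|p1|v1|p2|v2...' into (key, type, {p1: v1, ...})."""
    key, _, rest = line.strip().partition("=")
    fields = rest.split("|")
    rtype, props = fields[0], fields[1:]
    if len(props) % 2:
        raise ValueError("odd number of prop/value fields in record %s" % key)
    return key, rtype, dict(zip(props[0::2], props[1::2]))


def check_record(line):
    """Return a list of problems found; an empty list means the record is sane."""
    _key, _rtype, p = parse_record(line)
    problems = []

    # Address pool must be a real range inside the subnet handed to libreswan.
    try:
        subnet = ipaddress.ip_network(p["rightsubnet"], strict=True)
        start = ipaddress.ip_address(p["IPRangeStart"])
        finish = ipaddress.ip_address(p["IPRangeFinish"])
    except (KeyError, ValueError) as exc:
        # A leftover "192.168.x.180" placeholder ends up here.
        return ["unparseable subnet or pool address: %s" % exc]
    if start not in subnet or finish not in subnet:
        problems.append("pool not inside rightsubnet")
    if start > finish:
        problems.append("IPRangeStart after IPRangeFinish")
    if start == subnet.network_address or finish == subnet.broadcast_address:
        problems.append("pool includes network or broadcast address")

    # The PSK is the only thing authenticating the IPsec leg of L2TP/IPsec.
    psk = p.get("passwd", "")
    if len(psk) < MIN_PSK_LEN or psk.lower() in WEAK_PSKS:
        problems.append("weak or placeholder PSK")

    # DNS list is comma separated; every entry must be an IP address.
    for dns in p.get("DNS", "").split(","):
        try:
            ipaddress.ip_address(dns)
        except ValueError:
            problems.append("bad DNS address %r" % dns)

    # Dead peer detection: timeout must be longer than the probe interval.
    delay = int(p.get("dpddelay", 0))
    timeout = int(p.get("dpdtimeout", 0))
    if timeout <= delay:
        problems.append("dpdtimeout must exceed dpddelay")
    if p.get("dpdaction") not in DPD_ACTIONS:
        problems.append("unknown dpdaction %r" % p.get("dpdaction"))

    # Templates are empty unless the connection is enabled.
    if p.get("status") != "enabled":
        problems.append("connection status is not enabled")
    return problems


if __name__ == "__main__":
    for problem in check_record(SAMPLE_RECORD) or ["record looks sane"]:
        print(problem)
```

Run it against the real record with something like `db ipsec_connections show` piped into parse_record's input format, or paste the raw line from /home/e-smith/db/ipsec_connections; fix every reported problem before running signal-event ipsec-update, since a broken record is far harder to debug once libreswan and xl2tpd have been restarted.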

Daniel B. (Firewall Services)
Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #19 on: June 12, 2017, 05:25:37 PM »
Two small questions:

  • Why do you have to set the netmask at the contrib level? I think you said it must be the same as the local network; if so, the templates of the contrib can directly read the InternalInterface settings.
  • Why don't you push the IP of SME as the DNS server to the clients, instead of external DNS?
It's the end of the world!!! :lol:

ReetP
Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #20 on: June 12, 2017, 07:31:29 PM »
Quote
Two small questions:

Why do you have to set the netmask at the contrib level. I think you told it must be the same as the local network, if so, the templates of the contrib can directly read InternalInterface settings

It probably could but a) I am no expert hence asking for help and b) I tried to keep everything separate for the time being.... it may need extra stuff for ipsec in general but can't remember. Still very much a work in progress....

Quote
Why don't you push the IP of SME as DNS servers to the clients, instead of external DNS ?

It does default to the local IP if you look. I added the ability to use other DNS if required.


ReetP
Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #21 on: June 14, 2017, 01:22:12 AM »
Slightly updated smeserver-libreswan rpm available - see https://bugs.contribs.org/show_bug.cgi?id=8890

Note the version number has not been raised so you need to clean metadata/reinstall

I have probably reached the limits of my ability with all of this.

It fundamentally works, but needs lots of refinements.

The L2TPD part on its own is pretty straightforward. The complex part is allowing for pure ipsec connections at the same time (though ironically you have to get a working ipsec setup before you can run L2TPD)

I think the ipsec-update script probably needs a review/rewrite along with createlinks/services/logging etc etc. The complexity in ipsec-update is due to the script trying to reset individual connections without upsetting /disconnecting others.

I have tried to make sure that any templates used are empty if connection or services are disabled.

I am happy to explain the logic and various settings to anyone interested - it is a pretty huge subject and I managed to refine it down to a set of defaults that work pretty well out of the box.

This should all work fairly seamlessly on the CLI before attempts are made to build panels because the core code may change quite comprehensively and destroy any panel work.

If the xl2tpd contrib is felt to be working sufficiently well then it should get a version bump and then go into CVS.

Please feedback here or in the bug tracker.

JC

TerryF
Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #22 on: June 14, 2017, 04:06:05 AM »
Thumbs up  :cool:
--
qui scribit bis legit

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #23 on: June 14, 2017, 06:04:01 AM »
Quote
Note the version number has not been raised so you need to clean metadata/reinstall

Numbers come cheap. *Always* bump the revision number if you make changes! :-)

ReetP
Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #24 on: June 14, 2017, 02:34:27 PM »
Quote
Numbers come cheap. *Always* bump the revision number if you make changes! :-)

Strangely Charlie, there is a method in my madness ;-)

I have been test building in my own repo as I have made truckloads of changes, reverting some, modding others, as this amateur hack fumbles his way about.

If it was just in git then fine, but I have a script etc to copy from git to CVS , make a patch etc, and it gets in a right mucking fuddle with CVS if I keep bumping the version numbers - there would be a whole huge pile of patches in there by now :-)

I didn't want to end up with a big mess in CVS - I just want to push one changeset and bump.

So I have worked in git, mock built on my test box, and tested from there. Now it is about right I'll push it all to CVS (at least the Libreswan parts - xl2tpd is not in CVS yet)

I've built an xl2tpd v0.2 now. That can go into CVS but someone will have to do it for me.



Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #25 on: June 14, 2017, 05:48:14 PM »
John,
first, thanks for your huge work on this.

Quote
If it was just in git then fine, but I have a script etc to copy from git to CVS , make a patch etc, and it gets in a right mucking fuddle with CVS if I keep bumping the version numbers - there would be a whole huge pile of patches in there by now :-)
I didn't want to end up with a big mess in CVS - I just want to push one changeset and bump.

That is not a problem; we love a huge number of patches rather than one big one, as it is easier to see what has been done and revert one or two changes. Furthermore, they are easily deleted when bumping a complete version, simply by importing a new source rpm. The buildsystem will be able to clean everything at once and put the new source in place.

Quote
So I have worked in git, mock built on my test box, and tested from there. Now it is about right I'll push it all to CVS (at least the Libreswan parts - xl2tpd is not in CVS yet)

I've built a xl2tpd v0.2 now. That can go in to CVS but someone will have to do it for me.

Well, when you have time I can guide you through this. I know you already have the rights to do it on the buildsys, and it is just a matter of doing it once; you will see it is easier than translating git to cvs ;)

ReetP
Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #26 on: June 14, 2017, 06:31:41 PM »
Yes I get that..... but I currently use git as a scratchpad.

I often revert stuff or otherwise bugger about. When I have something as a workable patch I push it.

I have currently expended as much time as I can (the wife is now nagging me), and I am off to the UK next week, so I have no time to do much more now.

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #27 on: June 14, 2017, 06:55:08 PM »
We all have a life (and some a wife too). Anytime, just give a sign when you are available, and I will try to make room!

ReetP
Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #28 on: June 28, 2017, 01:16:23 PM »
Wiki page:

https://wiki.contribs.org/Smeserver-libreswan-xl2tpd

Needs a good tidy-up though.

Jáder (LinuxFacil)
Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #29 on: June 30, 2017, 03:06:58 AM »
I have done some formatting on wiki page.

I have one question: why does this require SERVER-GATEWAY mode?
I usually connect my servers as SERVER-ONLY and use a pfSense as the firewall most of the time.
BTW: it's not because pfSense is better than SME, it's because it supports some nice tricks like load balancing and two internet links! ;)

Regards,

Jáder
...