Koozali.org formerly Contribs.org

VPN L2TP/IPSEC over PPTP status and assistance.

Offline DanB35

  • ****
  • 764
    • http://www.familybrown.org
Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #30 on: June 30, 2017, 04:19:03 AM »
I have one question: why this requires SERVER-GATEWAY mode ?
If your SME server is in server-only mode, it isn't routing traffic in and out of your network.  Although it's no doubt possible to implement a VPN server in that case, it seems like your edge device (i.e., your pfSense box) is a better place for that to go (which is what I'm doing, also on a pfSense box).
......

Offline ReetP

  • *
  • 2,053
Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #31 on: June 30, 2017, 10:17:43 AM »
If your SME server is in server-only mode, it isn't routing traffic in and out of your network.  Although it's no doubt possible to implement a VPN server in that case, it seems like your edge device (i.e., your pfSense box) is a better place for that to go (which is what I'm doing, also on a pfSense box).

Yup, that sums it up.

Yes I am sure it could be configured for server only. Not sure about the ipsec setup but no doubt 'doable'.

Security wise I have some servers the same as Jader but in that instance I'd use the firewall/router as it undoubtedly has VPN built in and would be easier to do.

This is really for those who need to VPN in but have no other system to handle it.

Thanks to Jader for the tidy up. Any issues to report?

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #32 on: August 09, 2017, 11:48:09 PM »
Hello All,

I'm back!
I have just updated SME to latest version and now getting no connection to the L2TP server with ReetP's contrib.
Looks like servers are running and no errors in logs but there is no open port on lsof -i for 1701.

Anyone else run into this issue?
Thanks guys.

Offline ReetP

  • *
  • 2,053
Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #33 on: August 10, 2017, 12:09:13 AM »
I can't do anything right now as it is late my time.

I also have the one and only G. Zartman himself winging his way to mine for the weekend....

 'It isn't working' doesn't help debugging....

Can you go through exactly what you did to install please.

config ipsec show
config xl2tpd show

cat /etc/ipsec.conf
cat /etc/ipsec.d/ipsec.conf & secrets

Check in /var/log/pluto/pluto.log

Check ipsec is running with:

ipsec whack --status

It will help you a great deal to also read the libreswan docs.

You will get a better understanding of the config directives.

That should keep you busy for a bit.....

Rgds
John

P.S. tell Michael the beer bill is rising.... :-)
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline ReetP

  • *
  • 2,053
Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #34 on: August 10, 2017, 05:55:03 PM »
Hello All,

I'm back!
I have just updated SME to latest version and now getting no connection to the L2TP server with ReetP's contrib.
Looks like servers are running and no errors in logs but there is no open port on lsof -i for 1701.

Anyone else run into this issue?
Thanks guys.

BTW you probably don't want lsof - that lists open files. My testbox shows nothing even though l2tpd is running.

check

Code: [Select]
netstat -an |grep 1701
[root@test ~]# netstat -an |grep 1701
udp        0      0 0.0.0.0:1701                0.0.0.0:* 

You can also check 4500 & 500

Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #35 on: August 10, 2017, 11:06:39 PM »
cat /etc/ipsec.conf
config setup
    protostack=netkey
    plutodebug=none
    #klipsdebug=none
    plutostderrlog=/var/log/pluto/pluto.log
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:172.16.1.0/22
include /etc/ipsec.d/ipsec.conf

cat /etc/ipsec.d/ipsec.conf
conn L2TPD-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    type=transport
    forceencaps=yes
    right=%any
    rightsubnet=vhost:%no,%priv
    rightprotoport=17/%any
    # Using the magic port of "0" means "any one single port". This is
    # a work around required for Apple OSX clients that use a randomly
    # high port, but propose "0" instead of their port.
    left=%defaultroute
    leftprotoport=17/1701
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear

Check in /var/log/pluto/pluto.log
Aug 11 09:01:03: "L2TPD-PSK"[7] 43.243.56.130 #16: received Delete SA(0xb1bad446) payload: deleting IPSEC State #20
Aug 11 09:01:03: "L2TPD-PSK"[7] 43.243.56.130 #16: deleting other state #20 (STATE_QUICK_R2) "L2TPD-PSK"[7] 43.243.56.130
Aug 11 09:01:03: "L2TPD-PSK"[7] 43.243.56.130 #16: ESP traffic information: in=0B out=0B
Aug 11 09:01:03: "L2TPD-PSK"[7] 43.243.56.130 #16: received and ignored empty informational notification payload
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #16: the peer proposed: 43.243.56.132/32:17/1701 -> 192.168.222.22/32:17/1701
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #16: NAT-Traversal: received 2 NAT-OA. Using first, ignoring others
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: responding to Quick Mode proposal {msgid:06000000}
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22:     us: 43.243.56.132:17/1701
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22:   them: 43.243.56.130[192.168.222.22]:17/1701===192.168.222.22/32
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22:   them: 43.243.56.130[192.168.222.22]:17/1701===192.168.222.22/32
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: keeping refhim=0 during rekey
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x3a7b3832 <0xf29e9a67 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.222.22 NATD=43.243.56.130:4500 DPD=active}
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #22: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x3a7b3832 <0xf29e9a67 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.222.22 NATD=43.243.56.130:4500 DPD=active}
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #16: received Delete SA(0xa9382650) payload: deleting IPSEC State #21
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #16: deleting other state #21 (STATE_QUICK_R2) "L2TPD-PSK"[7] 43.243.56.130
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #16: ESP traffic information: in=0B out=0B
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #16: ESP traffic information: in=0B out=0B
Aug 11 09:01:13: "L2TPD-PSK"[7] 43.243.56.130 #16: received and ignored empty informational notification payload
Aug 11 09:01:23: "L2TPD-PSK"[7] 43.243.56.130 #16: received Delete SA(0x3a7b3832) payload: deleting IPSEC State #22
Aug 11 09:01:23: "L2TPD-PSK"[7] 43.243.56.130 #16: deleting other state #22 (STATE_QUICK_R2) "L2TPD-PSK"[7] 43.243.56.130
Aug 11 09:01:23: "L2TPD-PSK"[7] 43.243.56.130 #16: ESP traffic information: in=0B out=0B
Aug 11 09:01:23: "L2TPD-PSK" #16: deleting state (STATE_MAIN_R3)
Aug 11 09:01:23: "L2TPD-PSK"[7] 43.243.56.130: deleting connection "L2TPD-PSK"[7] 43.243.56.130 instance with peer 43.243.56.130 {isakmp=#0/ipsec=#0}
Aug 11 09:01:23: packet from 43.243.56.130:4500: received and ignored empty informational notification payload

ipsec whack --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1@4500
000 interface lo/lo 127.0.0.1@500
000 interface eth0/eth0 172.16.0.2@4500
000 interface eth0/eth0 172.16.0.2@500
000 interface eth1/eth1 43.243.56.132@4500
000 interface eth1/eth1 43.243.56.132@500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/, statsbin=unset
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=3.18, pluto_vendorid=OE-Libreswan-3.18
000 nhelpers=-1, uniqueids=yes, perpeerlog=no, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 secctx-attr-type=32001
000 myid = (none)
000 debug none
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnet: 172.16.0.0/22
000
000 ESP algorithms supported:
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=16, v2name=AES_CCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=15, v2name=AES_CCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=14, v2name=AES_CCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=24, v1name=OAKLEY_CAMELLIA_CTR, v2id=24, v2name=CAMELLIA_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=20, v1name=OAKLEY_AES_GCM_C, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=19, v1name=OAKLEY_AES_GCM_B, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=18, v1name=OAKLEY_AES_GCM_A, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashlen=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashlen=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashlen=64
000 algorithm IKE hash: id=9, name=DISABLED-OAKLEY_AES_XCBC, hashlen=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "L2TPD-PSK": 43.243.56.132:17/1701---43.243.56.134...%virtual:17/%any===vhost:?; unrouted; eroute owner: #0
000 "L2TPD-PSK":     oriented; my_ip=unset; their_ip=unset
000 "L2TPD-PSK":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "L2TPD-PSK":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "L2TPD-PSK":   labeled_ipsec:no;
000 "L2TPD-PSK":   policy_label:unset;
000 "L2TPD-PSK":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3;
000 "L2TPD-PSK":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "L2TPD-PSK":   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "L2TPD-PSK":   policy: PSK+ENCRYPT+DONT_REKEY+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "L2TPD-PSK":   conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "L2TPD-PSK":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "L2TPD-PSK":   dpd: action:clear; delay:10; timeout:90; nat-t: force_encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "L2TPD-PSK":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 Total IPsec connections: loaded 1, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
000 Bare Shunt list:
000

Sorry for the log spam but pluto.log shows the connection attempt but no connection. Sorry used netstat and found ports open.. funny now lsof is showing the port.

Offline ReetP

  • *
  • 2,053
Re: VPN L2TP/IPSEC over PPTP status and assistance.
« Reply #36 on: August 12, 2017, 02:22:33 AM »
Hmmm Ok.

Couple of things. Here's my test ipsec setup :


[root@test ~]# db networks show
192.168.97.0=network
    Mask=255.255.255.0
    SystemLocalNetwork=yes

[root@test ~]# db ipsec_connections show
L2TPD-PSK=xl2tpd
    IPRangeFinish=192.168.97.200
    IPRangeStart=192.168.97.180
    PreviousState=enabled
    connectiontype=transport
    dpdaction=clear
    dpddelay=10
    dpdtimeout=90
    passwd=#somelongpassword#
    rightsubnet=192.168.97.0/24
    status=enabled

[root@test ~]# config show ipsec
ipsec=service
    UDPPort=500
    UDPPorts=500,4500
    access=public
    auto=start
    connectiontype=tunnel
    debug=none
    dpdaction=restart
    dpddelay=30
    dpdtimeout=10
    ike=aes256-sha2_256-modp2048
    ikelifetime=3600s
    ipsecversion=yes
    left=%defaultroute
    pfs=yes
    phase2=aes-256
    salifetime=28800s
    security=secret
    status=enabled
xl2tpd=service
    DNS=208.67.222.222,208.67.220.220
    UDPPort=1701
    debug=enabled
    status=enabled

/etc/ipsec/ipsec.conf
conn L2TPD-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    type=transport
    forceencaps=yes
    right=%any
    rightsubnet=vhost:%any,%priv
    rightprotoport=17/%any
    # Using the magic port of "0" means "any one single port". This is
    # a work around required for Apple OSX clients that use a randomly
    # high port, but propose "0" instead of their port.
    left=%defaultroute
    leftprotoport=17/1701
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear

/etc/ipsec.conf
config setup
    protostack=netkey
    plutodebug=none
    #klipsdebug=none
    plutostderrlog=/var/log/pluto/pluto.log
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:192.168.97.0/24

include /etc/ipsec.d/ipsec.conf

/etc/ipsec.d/ipsec.secrets

212.83.164.73 %any : PSK "#somelongpassword#"

Make sure your DHCP range is outside that of normal SME connections.

[root@test xl2tpd]# cat /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
force userspace = yes


[lns default]
name=L2TP-VPN
ip range = 192.168.97.180-192.168.97.200
local ip = 192.168.97.1
unix authentication = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

There are some other xl2tpd files that need checking. Most show 'disabled' if something is not right. Check the templates against the actual files to see they look OK.

/etc/pam.d/ppp
/etc/ppp/ip-up.local
/etc/ppp/options.xl2tpd
/etc/ppp/papa-secrets
/etc/rc.d/init/masq
/etc/xl2tpd/xl2tpd.conf

Also check /var/log/messages for some activity on connection - pppd, ip-up etc

Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation