diff -ruN smeserver-libreswan-xl2tpd-0.5.old/createlinks smeserver-libreswan-xl2tpd-0.5/createlinks --- smeserver-libreswan-xl2tpd-0.5.old/createlinks 2020-02-14 19:15:57.738999647 +0100 +++ smeserver-libreswan-xl2tpd-0.5/createlinks 2020-02-14 19:18:05.512203866 +0100 @@ -2,38 +2,37 @@ # Need some thought on when the templates should be expanded and when the action should be called. -# Need to +# Need to # On ipsec-update expand xl2tpd.conf & secrets # Need to stop xl2tpd if disabled. Key ? -# On ip-up.xl2tpd expand and restart masq - use esmith::Build::CreateLinks qw(:all); - #-------------------------------------------------- # templates for events #-------------------------------------------------- - - -foreach (qw( - /etc/pam.d/ppp - /etc/ppp/ip-up.local - /etc/ppp/options.xl2tpd - /etc/ppp/pap-secrets - /etc/xl2tpd/xl2tpd.conf - )) -{ - templates2events("$_", qw( - post-upgrade - console-save - bootstrap-console-save - remoteaccess-update - ipsec-update - )); +foreach ( + qw( + /etc/pam.d/ppp + /etc/ppp/ip-up.local + /etc/ppp/options.xl2tpd + /etc/ppp/pap-secrets + /etc/xl2tpd/xl2tpd.conf + /etc/sysconfig/modules/ip_xl2tpd.modules + ) + ) { + templates2events( + "$_", qw( + post-upgrade + console-save + bootstrap-console-save + remoteaccess-update + ipsec-update + ) + ); } #-------------------------------------------------- 
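Review bot: Adding `/etc/sysconfig/modules/ip_xl2tpd.modules` to the `templates2events` list regenerates that script on `ipsec-update` and `remoteaccess-update`, but scripts under `/etc/sysconfig/modules/` are, as far as the path convention goes, only executed during boot, so enabling xl2tpd through one of these events rewrites the script without loading `pppol2tp` until the next reboot. Unless the xl2tpd init script loads the module itself (not visible here), the enable path needs an action in the same event that runs the generated script or `modprobe pppol2tp`, so the first start after enabling does not run without kernel L2TP support. The header comment `# Need to stop xl2tpd if disabled. Key ?` is still open after this change; if the `service_link_enhanced` calls in the next hunk resolve it, say so there or drop the note. `"$_"` in the `templates2events` call quotes a value that is already a string; plain `$_` reads cleaner.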
@@ -42,21 +41,41 @@ my $eventIpsec = "ipsec-update"; - #-------------------------------------------------- # actions for ip-up.xl2tpd event #-------------------------------------------------- my $eventXl2tpd = "ip-up.xl2tpd"; +safe_symlink( "adjust", "root/etc/e-smith/events/$eventXl2tpd/services2adjust/masq" ); +event_link( "xl2tpd-interface-access", $eventXl2tpd, "70" ); + +# Runlevel init links. +service_link_enhanced( "xl2tpd", "S95", "7" ); +service_link_enhanced( "xl2tpd", "K21", "6" ); +service_link_enhanced( "xl2tpd", "K21", "0" ); +service_link_enhanced( "xl2tpd", "K21", "1" ); -# What was I thinking here ? Should be $eventIpsec or my $eventXl2tpd -safe_symlink("adjust", "root/etc/e-smith/events/$eventXl2tpd/services2adjust/masq"); +# On ip-up.xl2tpd expand and restart masq + +foreach ( + qw( + /etc/rc.d/init.d/masq + ) + ) { + templates2events( + "$_", qw( + ip-up.xl2tpd + ) + ); +} -event_link("xl2tpd-interface-access", $eventXl2tpd, "70"); -# Runlevel init links. -service_link_enhanced("xl2tpd", "S95", "7"); -service_link_enhanced("xl2tpd", "K21", "6"); -service_link_enhanced("xl2tpd", "K21", "0"); -service_link_enhanced("xl2tpd", "K21", "1"); +#-------------------------------------------------- +# actions for ip-up.xl2tpd event +# On ip-down clear the interface +# masq gets restarted anyway via existing event +#-------------------------------------------------- + +my $eventXl2tpd = "ip-down"; +event_link( "xl2tpd-interface-access", $eventXl2tpd, "70" ); diff -ruN smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/20defaultL2tpd smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/20defaultL2tpd --- smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/20defaultL2tpd 2020-02-14 19:15:57.729999218 +0100 +++ smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/20defaultL2tpd 2020-02-14 19:18:05.512203866 +0100 
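Review bot: `my $eventXl2tpd = "ip-down";` at the end of the hunk redeclares a lexical that the same file scope already declares a few lines above as `my $eventXl2tpd = "ip-up.xl2tpd";`, which under `use warnings` (not visible in this chunk) reports `"my" variable $eventXl2tpd masks earlier declaration in same scope` and makes the two event blocks easy to confuse. Use a distinct name: `my $eventIpDown = "ip-down"; event_link( "xl2tpd-interface-access", $eventIpDown, "70" );`. The banner copied above that block, `# actions for ip-up.xl2tpd event`, is now wrong for it and should read `# actions for ip-down event`. `my $eventIpsec = "ipsec-update";` on the hunk's first context line is not referenced anywhere in the hunk; if nothing outside it uses the variable either, it can go.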
@@ -29,17 +29,13 @@ else { # Currently most of these are hard coded but could come from the DB key - + # For nat connections you can use "vhost:%no,%priv" # See above # https://github.com/libreswan/libreswan/blob/master/docs/examples/l2tp-psk.conf # see https://libreswan.org/man/ipsec.conf.5.html -> leftsubnet - - $OUT .= "conn $ipsecprop-NAT"; - $OUT .= " rightsubnet=vhost:%priv"; - $OUT .= " also=$ipsecprop-noNAT"; - $OUT .= "conn $ipsecprop-noNAT\n"; + $OUT .= "conn $ipsecprop\n"; $OUT .= " authby=secret\n"; $OUT .= " pfs=no\n"; $OUT .= " auto=add\n"; @@ -55,7 +51,7 @@ $OUT .= " left=%defaultroute\n"; $OUT .= " leftprotoport=17/1701\n"; $OUT .= " # Permit Ike v1 for older xl2tpd connections/clients\n"; - $OUT .= " ikev2=permit\n"; + $OUT .= " ikev2=never\n"; $OUT .= " # Apple iOS doesn't send delete notify so we need dead peer detection\n"; $OUT .= " # to detect vanishing clients\n"; @@ -71,11 +67,10 @@ # Some additional config entries if required # right subnet would not normally be used as it is used above - - my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || ''; - if ( $rightsubnet ne '' ) { - $OUT .= " rightsubnet=$rightsubnet\n"; - } + + # Removing rightsubnet entirely. If required it is added in the -NAT section + # Unlike standard ipsec we use the rightsubnet key to fix + # the vhosts in /etc/ipsec.conf only my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' ) || ''; if ( $leftsourceip ne '' ) { 
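Review bot: In the second hunk of this file the comment emitted on the line above the change, `# Permit Ike v1 for older xl2tpd connections/clients`, no longer describes the new value: `ikev2=never` does not permit IKEv1 alongside IKEv2, it disables IKEv2 for this conn entirely. Change the emitted comment to something like `# IKEv1 only: the L2TP/IPsec clients this conn serves do not negotiate IKEv2 (ikev2=never)` so a later cleanup does not restore `permit` on the strength of the old wording. These `$OUT .=` lines sit inside the `else` branch opened in the first hunk, which continues past the end of each hunk shown here.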
@@ -87,5 +82,13 @@ $OUT .= " leftsubnet=$leftsubnet\n"; } + # For L2TPD we really want vhost:%priv unless someone has a really good reason not too + # We leave that option in + my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || "vhost:%priv"; + + $OUT .= "conn $ipsecprop-NAT\n"; + $OUT .= " rightsubnet=$rightsubnet\n"; + $OUT .= " also=$ipsecprop\n"; + } } diff -ruN smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/pam.d/ppp/10defaults smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/pam.d/ppp/10defaults --- smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/pam.d/ppp/10defaults 2020-02-14 19:15:57.738999647 +0100 +++ smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/pam.d/ppp/10defaults 2020-02-14 19:18:05.512203866 +0100 @@ -23,7 +23,7 @@ } elsif ( $ipsecDB->get_prop( $ipsecprop, 'status' ) ne 'enabled' ) { - $OUT .= "# l2tpd connection is disabled\n"; + $OUT .= "# ipsec l2tpd connection is disabled\n"; } else { @@ -39,8 +39,5 @@ $OUT .= "account required pam_nologin.so\n"; $OUT .= "account include password-auth\n"; $OUT .= "session include password-auth\n"; - - } - } diff -ruN smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/ppp/options.xl2tpd/10default smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/ppp/options.xl2tpd/10default --- smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/ppp/options.xl2tpd/10default 2020-02-14 19:15:57.680996820 +0100 +++ smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/ppp/options.xl2tpd/10default 2020-02-14 19:18:05.511203793 +0100 @@ -5,7 +5,7 @@ my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB"); my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') or die("cant connect to ipsec database"); - + my $ipsecDBkey = "ipsec"; my $xl2tpdDBkey = "xl2tpd"; my $ipsecprop = "L2TPD-PSK"; 
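Review bot: The new `-NAT` conn writes `$rightsubnet` into ipsec.conf exactly as stored in the `ipsec_connections` DB, with only the empty-string fallback to `vhost:%priv`, so a mistyped value (for example `vhost:priv` or a trailing space) produces a conn that libreswan fails to load, and since the base conn is referenced through `also=$ipsecprop` the NAT path silently disappears. Given the comment says the default is wanted in nearly every case, consider honouring the DB value only when it has one of the forms libreswan accepts for this key and otherwise falling back to `vhost:%priv`. The emitted comment could also say what the default does, e.g. `# vhost:%priv accepts clients behind NAT that present any private (RFC1918) address; the permitted ranges are those listed in virtual-private in ipsec.conf`, and `not too` should read `not to`. The `if`/`else` that this hunk closes with its two `}` lines is opened outside the hunk.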
@@ -26,38 +26,54 @@ my $DNS = $configDB->get_prop( "xl2tpd", 'DNS' ) || ''; my $debug = $configDB->get_prop( "xl2tpd", 'debug' ) || 'disabled'; my $mtu = $configDB->get_prop( "xl2tpd", 'mtu' ) || '1400'; - + my @DNSArray = split( /,/, $DNS ); + $OUT .= "#x2ltpd\n"; $OUT .= "login\n"; - if ( $debug eq 'enabled' ) { - $OUT .= "debug\n"; - } + # https://github.com/xelerance/xl2tpd/blob/master/examples/ppp-options.xl2tpd + $OUT .= "ipparam xl2tpd\n"; + $OUT .= "ipcp-accept-local\n"; + $OUT .= "ipcp-accept-remote\n"; if ( $InternalIP ne '' ) { $OUT .= "ms-dns $InternalIP\n"; } - - my @DNSArray = split( /,/, $DNS ); - - foreach my $IP (@DNSArray) { - $OUT .= "ms-dns $IP\n"; + unless ($DNS eq ''){ + foreach my $IP (@DNSArray) { + $OUT .= "ms-dns $IP\n"; + } } - - $OUT .= "ipparam xl2tpd\n"; + $OUT .= "noccp\n"; $OUT .= "auth\n"; + $OUT .= "crtscts\n"; # depends on xl2tpd version + $OUT .= "idle 800\n"; $OUT .= "mtu $mtu\n"; $OUT .= "mru $mtu\n"; + $OUT .= "nodefaultroute\n"; + if ( $debug eq 'enabled' ) { + $OUT .= "debug\n"; + } + $OUT .= "proxyarp\n"; + $OUT .= "connect-delay 5000\n"; + + # Beyond here are additional parameters required + $OUT .= "hide-password\n"; $OUT .= "name l2tpd\n"; - $OUT .= "proxyarp\n"; - $OUT .= "lcp-echo-interval 30\n"; - $OUT .= "lcp-echo-failure 4\n"; + + # Following the main examples we shoudln't need these + # $OUT .= "lcp-echo-interval 30\n"; + # $OUT .= "lcp-echo-failure 4\n"; + + # This section allows us to authenticate against SME users $OUT .= "plugin radius.so\n"; $OUT .= "radius-config-file /etc/radiusclient-ng/radiusclient.conf\n"; $OUT .= "refuse-pap\n"; $OUT .= "refuse-chap\n"; $OUT .= "refuse-mschap\n"; $OUT .= "require-mschap-v2 # Need MSCHAP-v2 to initialise encryption key\n"; + + } } diff -ruN smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/sysconfig/modules/ip_xl2tpd.modules smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/sysconfig/modules/ip_xl2tpd.modules --- 
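Review bot: `idle 800` and `connect-delay 5000` are emitted as fixed values while `mtu` and `debug` on the context lines above are read from the `xl2tpd` DB record, so the idle timeout that disconnects every L2TP user after 800 seconds cannot be tuned without editing the template; read it the same way, `my $idle = $configDB->get_prop( "xl2tpd", 'idle' ) || '800';` and `$OUT .= "idle $idle\n";`. The first added output line writes `#x2ltpd` into the options file where `#xl2tpd` is evidently meant. The new `unless ($DNS eq '')` guard is redundant, because `split` on an empty string already yields an empty list and the loop body never runs. `crtscts` is a serial-line flow-control option that appears to have no effect on an L2TP pseudo-tty, and `# depends on xl2tpd version` does not say which version wants it; either name the version in that comment or drop the line.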
smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/sysconfig/modules/ip_xl2tpd.modules 1970-01-01 01:00:00.000000000 +0100
+++ smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/sysconfig/modules/ip_xl2tpd.modules 2020-02-14 19:18:05.512203866 +0100
@@ -0,0 +1,19 @@
+{
+ use strict;
+ use warnings;
+ use esmith::ConfigDB;
+
+ my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
+ my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') or die("cant connect to ipsec database");
+ my $ipsecDBkey = "ipsec";
+ my $xl2tpdDBkey = "xl2tpd";
+ my $ipsecprop = "L2TPD-PSK";
+
+ if ( $configDB->get_prop( $xl2tpdDBkey, 'status' ) eq 'enabled' ) {
+ $OUT .= "#!/bin/sh\n";
+ $OUT .= "exec /sbin/modprobe pppol2tp 2>&1\n";
+ }
+ else {
+ $OUT .= "# xl2tpd is disabled\n";
+ }
+}
diff -ruN smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/xl2tpd/xl2tpd.conf/20default smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/xl2tpd/xl2tpd.conf/20default
--- smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/xl2tpd/xl2tpd.conf/20default 2020-02-14 19:15:57.729999219 +0100
+++ smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/xl2tpd/xl2tpd.conf/20default 2020-02-14 19:18:05.512203866 +0100
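Review bot: The generated script only gets its `#!/bin/sh` line when xl2tpd is enabled; when it is disabled the file is a bare comment installed with mode 0755 (per the `templates.metadata` entry at the end of this diff), so whatever runs `/etc/sysconfig/modules/*.modules` at boot executes a script with no interpreter line. The template also opens `ipsec_connections` and dies if that fails, yet `$ipsecDB`, `$ipsecDBkey` and `$ipsecprop` are never read here, so a missing ipsec DB would break expansion of a module-loading script for no reason. `get_prop( $xl2tpdDBkey, 'status' ) eq 'enabled'` warns when the status is undefined, whereas the sibling templates in this diff default such reads with `|| 'disabled'`. The body below keeps the same output when enabled, always emits a valid sh script, and drops the unused DB handle.
```perl
{
    use strict;
    use warnings;
    use esmith::ConfigDB;

    my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
    my $xl2tpdDBkey = "xl2tpd";

    # Always a complete sh script: the file is installed 0755 and is
    # presumably executed at boot whether or not xl2tpd is enabled.
    $OUT .= "#!/bin/sh\n";
    if ( ( $configDB->get_prop( $xl2tpdDBkey, 'status' ) || 'disabled' ) eq 'enabled' ) {
        $OUT .= "exec /sbin/modprobe pppol2tp 2>&1\n";
    }
    else {
        $OUT .= "# xl2tpd is disabled\n";
    }
}
```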
@@ -22,19 +22,34 @@ } else { - my $InternalIP = $configDB->get_prop( "InternalInterface", 'IPAddress' ); + my $listenAddr = $configDB->get_prop( 'ExternalInterface', 'IPAddress'); + my $InternalIP = $configDB->get_prop( 'InternalInterface', 'IPAddress' ); my $ipRangeStart = $ipsecDB->get_prop( $ipsecprop, 'IPRangeStart' ); my $ipRangeFinish = $ipsecDB->get_prop( $ipsecprop, 'IPRangeFinish' ); my $debug = $configDB->get_prop( $xl2tpdDBkey, 'debug' ) || 'disabled'; + my $maxRetries = $configDB->get_prop( $xl2tpdDBkey, 'maxRetries' ) || '5'; + # https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_with_L2TP + # Now have kernel support with modprobe pppol2tpd + # So userspace and saref disabled/left at default $OUT .= "[global]\n"; - $OUT .= "ipsec saref = yes\n"; - $OUT .= "force userspace = yes\n"; + $OUT .= ";ipsec saref = yes\n"; + $OUT .= ";force userspace = yes\n"; + $OUT .= "listen-addr = $listenAddr\n"; + $OUT .= "max retries = $maxRetries\n"; + + if ( $debug eq 'enabled' ) { + $OUT .= "debug avp = yes\n"; + $OUT .= "debug network = yes\n"; + $OUT .= "debug state = yes\n"; + $OUT .= "debug tunnel = yes\n"; + } $OUT .= "\n"; $OUT .= "[lns default]\n"; $OUT .= "name=L2TP-VPN\n"; $OUT .= "ip range = $ipRangeStart-$ipRangeFinish\n"; $OUT .= "local ip = $InternalIP\n"; + # Following removed for local radious authentication # $OUT .= "unix authentication = yes\n"; $OUT .= "require authentication = yes\n"; diff -ruN smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates.metadata/etc/sysconfig/modules/ip_xl2tpd.modules smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates.metadata/etc/sysconfig/modules/ip_xl2tpd.modules --- smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates.metadata/etc/sysconfig/modules/ip_xl2tpd.modules 1970-01-01 01:00:00.000000000 +0100 +++ smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates.metadata/etc/sysconfig/modules/ip_xl2tpd.modules 2020-02-14 19:18:05.511203793 +0100 
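Review bot: `listen-addr = $listenAddr` is emitted unconditionally, but `$listenAddr` comes from `ExternalInterface`/`IPAddress` with no fallback, so on a host without that record or with an empty value xl2tpd.conf gets `listen-addr = ` and the daemon has nothing valid to bind; guard it the way the options.xl2tpd template in this diff guards `$InternalIP`: `if ( defined $listenAddr && $listenAddr ne '' ) { $OUT .= "listen-addr = $listenAddr\n"; }`. If the external address is assigned dynamically, the value is also only as fresh as the last expansion of this template, which the `createlinks` hunks tie to `ipsec-update`-style events rather than to interface changes, so confirm that an address change re-expands it. The new comment says `modprobe pppol2tpd` while the module script added in this diff loads `pppol2tp`; use the real module name. `radious` in the added comment above `unix authentication` should be `radius`.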
@@ -0,0 +1 @@
+PERMS=0755
\ No newline at end of file