brianr |
1.1 |
diff -ruN smeserver-libreswan-xl2tpd-0.5.old/createlinks smeserver-libreswan-xl2tpd-0.5/createlinks |
2 |
|
|
--- smeserver-libreswan-xl2tpd-0.5.old/createlinks 2020-02-14 19:15:57.738999647 +0100 |
3 |
|
|
+++ smeserver-libreswan-xl2tpd-0.5/createlinks 2020-02-14 19:18:05.512203866 +0100 |
4 |
|
|
@@ -2,38 +2,37 @@ |
5 |
|
|
|
6 |
|
|
# Need some thought on when the templates should be expanded and when the action should be called. |
7 |
|
|
|
8 |
|
|
-# Need to |
9 |
|
|
+# Need to |
10 |
|
|
|
11 |
|
|
# On ipsec-update expand xl2tpd.conf & secrets |
12 |
|
|
|
13 |
|
|
# Need to stop xl2tpd if disabled. Key ? |
14 |
|
|
|
15 |
|
|
-# On ip-up.xl2tpd expand and restart masq |
16 |
|
|
- |
17 |
|
|
use esmith::Build::CreateLinks qw(:all); |
18 |
|
|
|
19 |
|
|
- |
20 |
|
|
#-------------------------------------------------- |
21 |
|
|
# templates for events |
22 |
|
|
#-------------------------------------------------- |
23 |
|
|
|
24 |
|
|
- |
25 |
|
|
- |
26 |
|
|
-foreach (qw( |
27 |
|
|
- /etc/pam.d/ppp |
28 |
|
|
- /etc/ppp/ip-up.local |
29 |
|
|
- /etc/ppp/options.xl2tpd |
30 |
|
|
- /etc/ppp/pap-secrets |
31 |
|
|
- /etc/xl2tpd/xl2tpd.conf |
32 |
|
|
- )) |
33 |
|
|
-{ |
34 |
|
|
- templates2events("$_", qw( |
35 |
|
|
- post-upgrade |
36 |
|
|
- console-save |
37 |
|
|
- bootstrap-console-save |
38 |
|
|
- remoteaccess-update |
39 |
|
|
- ipsec-update |
40 |
|
|
- )); |
41 |
|
|
+foreach ( |
42 |
|
|
+ qw( |
43 |
|
|
+ /etc/pam.d/ppp |
44 |
|
|
+ /etc/ppp/ip-up.local |
45 |
|
|
+ /etc/ppp/options.xl2tpd |
46 |
|
|
+ /etc/ppp/pap-secrets |
47 |
|
|
+ /etc/xl2tpd/xl2tpd.conf |
48 |
|
|
+ /etc/sysconfig/modules/ip_xl2tpd.modules |
49 |
|
|
+ ) |
50 |
|
|
+ ) { |
51 |
|
|
+ templates2events( |
52 |
|
|
+ "$_", qw( |
53 |
|
|
+ post-upgrade |
54 |
|
|
+ console-save |
55 |
|
|
+ bootstrap-console-save |
56 |
|
|
+ remoteaccess-update |
57 |
|
|
+ ipsec-update |
58 |
|
|
+ ) |
59 |
|
|
+ ); |
60 |
|
|
} |
61 |
|
|
|
62 |
|
|
#-------------------------------------------------- |
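Review bot: Nothing in this hunk executes the regenerated `/etc/sysconfig/modules/ip_xl2tpd.modules`, so after enabling xl2tpd through `ipsec-update` or `remoteaccess-update` on a running system the `pppol2tp` module is only loaded at the next boot, unless an action elsewhere in the package runs modprobe (not visible here). If no such action exists, xl2tpd will start without kernel L2TP support until a reboot. Either add the script as an action on those events, or record the constraint above the list: `# ip_xl2tpd.modules is only run by rc.sysinit at boot; an event action must load pppol2tp when enabling at runtime`.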
63 |
|
|
@@ -42,21 +41,41 @@ |
64 |
|
|
|
65 |
|
|
my $eventIpsec = "ipsec-update"; |
66 |
|
|
|
67 |
|
|
- |
68 |
|
|
#-------------------------------------------------- |
69 |
|
|
# actions for ip-up.xl2tpd event |
70 |
|
|
#-------------------------------------------------- |
71 |
|
|
|
72 |
|
|
my $eventXl2tpd = "ip-up.xl2tpd"; |
73 |
|
|
+safe_symlink( "adjust", "root/etc/e-smith/events/$eventXl2tpd/services2adjust/masq" ); |
74 |
|
|
+event_link( "xl2tpd-interface-access", $eventXl2tpd, "70" ); |
75 |
|
|
+ |
76 |
|
|
+# Runlevel init links. |
77 |
|
|
+service_link_enhanced( "xl2tpd", "S95", "7" ); |
78 |
|
|
+service_link_enhanced( "xl2tpd", "K21", "6" ); |
79 |
|
|
+service_link_enhanced( "xl2tpd", "K21", "0" ); |
80 |
|
|
+service_link_enhanced( "xl2tpd", "K21", "1" ); |
81 |
|
|
|
82 |
|
|
-# What was I thinking here ? Should be $eventIpsec or my $eventXl2tpd |
83 |
|
|
-safe_symlink("adjust", "root/etc/e-smith/events/$eventXl2tpd/services2adjust/masq"); |
84 |
|
|
+# On ip-up.xl2tpd expand and restart masq |
85 |
|
|
+ |
86 |
|
|
+foreach ( |
87 |
|
|
+ qw( |
88 |
|
|
+ /etc/rc.d/init.d/masq |
89 |
|
|
+ ) |
90 |
|
|
+ ) { |
91 |
|
|
+ templates2events( |
92 |
|
|
+ "$_", qw( |
93 |
|
|
+ ip-up.xl2tpd |
94 |
|
|
+ ) |
95 |
|
|
+ ); |
96 |
|
|
+} |
97 |
|
|
|
98 |
|
|
-event_link("xl2tpd-interface-access", $eventXl2tpd, "70"); |
99 |
|
|
|
100 |
|
|
-# Runlevel init links. |
101 |
|
|
-service_link_enhanced("xl2tpd", "S95", "7"); |
102 |
|
|
-service_link_enhanced("xl2tpd", "K21", "6"); |
103 |
|
|
-service_link_enhanced("xl2tpd", "K21", "0"); |
104 |
|
|
-service_link_enhanced("xl2tpd", "K21", "1"); |
105 |
|
|
+#-------------------------------------------------- |
106 |
|
|
+# actions for ip-up.xl2tpd event |
107 |
|
|
+# On ip-down clear the interface |
108 |
|
|
+# masq gets restarted anyway via existing event |
109 |
|
|
+#-------------------------------------------------- |
110 |
|
|
+ |
111 |
|
|
+my $eventXl2tpd = "ip-down"; |
112 |
|
|
|
113 |
|
|
+event_link( "xl2tpd-interface-access", $eventXl2tpd, "70" ); |
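Review bot: `my $eventXl2tpd = "ip-down";` redeclares a lexical that this file already declares in the same scope (`my $eventXl2tpd = "ip-up.xl2tpd";` earlier in the hunk), which produces a `"my" variable masks earlier declaration` warning and invites confusion between the two sections; use a distinct name, e.g. `my $eventIpDown = "ip-down";` and `event_link( "xl2tpd-interface-access", $eventIpDown, "70" );`. The new section header still reads `actions for ip-up.xl2tpd event` although it wires `ip-down`. Also, `ip-down` is the generic pppd event rather than an xl2tpd-specific one, so `xl2tpd-interface-access` will now run for every PPP interface going down; the action (not visible here) should check the ipparam — this package sets `ipparam xl2tpd` — before it touches firewall rules.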
114 |
|
|
diff -ruN smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/20defaultL2tpd smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/20defaultL2tpd |
115 |
|
|
--- smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/20defaultL2tpd 2020-02-14 19:15:57.729999218 +0100 |
116 |
|
|
+++ smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/20defaultL2tpd 2020-02-14 19:18:05.512203866 +0100 |
117 |
|
|
@@ -29,17 +29,13 @@ |
118 |
|
|
else { |
119 |
|
|
|
120 |
|
|
# Currently most of these are hard coded but could come from the DB key |
121 |
|
|
- |
122 |
|
|
+ |
123 |
|
|
# For nat connections you can use "vhost:%no,%priv" |
124 |
|
|
# See above |
125 |
|
|
# https://github.com/libreswan/libreswan/blob/master/docs/examples/l2tp-psk.conf |
126 |
|
|
# see https://libreswan.org/man/ipsec.conf.5.html -> leftsubnet |
127 |
|
|
- |
128 |
|
|
- $OUT .= "conn $ipsecprop-NAT"; |
129 |
|
|
- $OUT .= " rightsubnet=vhost:%priv"; |
130 |
|
|
- $OUT .= " also=$ipsecprop-noNAT"; |
131 |
|
|
|
132 |
|
|
- $OUT .= "conn $ipsecprop-noNAT\n"; |
133 |
|
|
+ $OUT .= "conn $ipsecprop\n"; |
134 |
|
|
$OUT .= " authby=secret\n"; |
135 |
|
|
$OUT .= " pfs=no\n"; |
136 |
|
|
$OUT .= " auto=add\n"; |
137 |
|
|
@@ -55,7 +51,7 @@ |
138 |
|
|
$OUT .= " left=%defaultroute\n"; |
139 |
|
|
$OUT .= " leftprotoport=17/1701\n"; |
140 |
|
|
$OUT .= " # Permit Ike v1 for older xl2tpd connections/clients\n"; |
141 |
|
|
- $OUT .= " ikev2=permit\n"; |
142 |
|
|
+ $OUT .= " ikev2=never\n"; |
143 |
|
|
|
144 |
|
|
$OUT .= " # Apple iOS doesn't send delete notify so we need dead peer detection\n"; |
145 |
|
|
$OUT .= " # to detect vanishing clients\n"; |
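Review bot: `ikev2=never` rejects IKEv2 initiators outright, but the comment immediately above it still says `Permit Ike v1 for older xl2tpd connections/clients`, which described the previous `ikev2=permit` (accept either version). Replace it with the actual policy and the reason, e.g. `# IKEv1 only: the built-in L2TP/IPsec clients negotiate IKEv1 for L2TP; IKEv2 initiators are rejected` — adding the concrete client problem that motivated the change if there was one. Together with the context lines `authby=secret` and `pfs=no`, this is now a single-shared-PSK, IKEv1, no-PFS road-warrior profile; that is the normal L2TP/IPsec setup, but it is worth stating in the comment so nobody re-enables IKEv2 or PFS later without re-testing the clients.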
146 |
|
|
@@ -71,11 +67,10 @@ |
147 |
|
|
|
148 |
|
|
# Some additional config entries if required |
149 |
|
|
# right subnet would not normally be used as it is used above |
150 |
|
|
- |
151 |
|
|
- my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || ''; |
152 |
|
|
- if ( $rightsubnet ne '' ) { |
153 |
|
|
- $OUT .= " rightsubnet=$rightsubnet\n"; |
154 |
|
|
- } |
155 |
|
|
+ |
156 |
|
|
+ # Removing rightsubnet entirely. If required it is added in the -NAT section |
157 |
|
|
+ # Unlike standard ipsec we use the rightsubnet key to fix |
158 |
|
|
+ # the vhosts in /etc/ipsec.conf only |
159 |
|
|
|
160 |
|
|
my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' ) || ''; |
161 |
|
|
if ( $leftsourceip ne '' ) { |
162 |
|
|
@@ -87,5 +82,13 @@ |
163 |
|
|
$OUT .= " leftsubnet=$leftsubnet\n"; |
164 |
|
|
} |
165 |
|
|
|
166 |
|
|
+ # For L2TPD we really want vhost:%priv unless someone has a really good reason not too |
167 |
|
|
+ # We leave that option in |
168 |
|
|
+ my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || "vhost:%priv"; |
169 |
|
|
+ |
170 |
|
|
+ $OUT .= "conn $ipsecprop-NAT\n"; |
171 |
|
|
+ $OUT .= " rightsubnet=$rightsubnet\n"; |
172 |
|
|
+ $OUT .= " also=$ipsecprop\n"; |
173 |
|
|
+ |
174 |
|
|
} |
175 |
|
|
} |
176 |
|
|
diff -ruN smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/pam.d/ppp/10defaults smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/pam.d/ppp/10defaults |
177 |
|
|
--- smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/pam.d/ppp/10defaults 2020-02-14 19:15:57.738999647 +0100 |
178 |
|
|
+++ smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/pam.d/ppp/10defaults 2020-02-14 19:18:05.512203866 +0100 |
179 |
|
|
@@ -23,7 +23,7 @@ |
180 |
|
|
} |
181 |
|
|
|
182 |
|
|
elsif ( $ipsecDB->get_prop( $ipsecprop, 'status' ) ne 'enabled' ) { |
183 |
|
|
- $OUT .= "# l2tpd connection is disabled\n"; |
184 |
|
|
+ $OUT .= "# ipsec l2tpd connection is disabled\n"; |
185 |
|
|
} |
186 |
|
|
|
187 |
|
|
else { |
188 |
|
|
@@ -39,8 +39,5 @@ |
189 |
|
|
$OUT .= "account required pam_nologin.so\n"; |
190 |
|
|
$OUT .= "account include password-auth\n"; |
191 |
|
|
$OUT .= "session include password-auth\n"; |
192 |
|
|
- |
193 |
|
|
- |
194 |
|
|
} |
195 |
|
|
- |
196 |
|
|
} |
197 |
|
|
diff -ruN smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/ppp/options.xl2tpd/10default smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/ppp/options.xl2tpd/10default |
198 |
|
|
--- smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/ppp/options.xl2tpd/10default 2020-02-14 19:15:57.680996820 +0100 |
199 |
|
|
+++ smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/ppp/options.xl2tpd/10default 2020-02-14 19:18:05.511203793 +0100 |
200 |
|
|
@@ -5,7 +5,7 @@ |
201 |
|
|
|
202 |
|
|
my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB"); |
203 |
|
|
my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') or die("cant connect to ipsec database"); |
204 |
|
|
- |
205 |
|
|
+ |
206 |
|
|
my $ipsecDBkey = "ipsec"; |
207 |
|
|
my $xl2tpdDBkey = "xl2tpd"; |
208 |
|
|
my $ipsecprop = "L2TPD-PSK"; |
209 |
|
|
@@ -26,38 +26,54 @@ |
210 |
|
|
my $DNS = $configDB->get_prop( "xl2tpd", 'DNS' ) || ''; |
211 |
|
|
my $debug = $configDB->get_prop( "xl2tpd", 'debug' ) || 'disabled'; |
212 |
|
|
my $mtu = $configDB->get_prop( "xl2tpd", 'mtu' ) || '1400'; |
213 |
|
|
- |
214 |
|
|
+ my @DNSArray = split( /,/, $DNS ); |
215 |
|
|
+ |
216 |
|
|
$OUT .= "#x2ltpd\n"; |
217 |
|
|
$OUT .= "login\n"; |
218 |
|
|
|
219 |
|
|
- if ( $debug eq 'enabled' ) { |
220 |
|
|
- $OUT .= "debug\n"; |
221 |
|
|
- } |
222 |
|
|
+ # https://github.com/xelerance/xl2tpd/blob/master/examples/ppp-options.xl2tpd |
223 |
|
|
|
224 |
|
|
+ $OUT .= "ipparam xl2tpd\n"; |
225 |
|
|
+ $OUT .= "ipcp-accept-local\n"; |
226 |
|
|
+ $OUT .= "ipcp-accept-remote\n"; |
227 |
|
|
if ( $InternalIP ne '' ) { |
228 |
|
|
$OUT .= "ms-dns $InternalIP\n"; |
229 |
|
|
} |
230 |
|
|
- |
231 |
|
|
- my @DNSArray = split( /,/, $DNS ); |
232 |
|
|
- |
233 |
|
|
- foreach my $IP (@DNSArray) { |
234 |
|
|
- $OUT .= "ms-dns $IP\n"; |
235 |
|
|
+ unless ($DNS eq ''){ |
236 |
|
|
+ foreach my $IP (@DNSArray) { |
237 |
|
|
+ $OUT .= "ms-dns $IP\n"; |
238 |
|
|
+ } |
239 |
|
|
} |
240 |
|
|
- |
241 |
|
|
- $OUT .= "ipparam xl2tpd\n"; |
242 |
|
|
+ $OUT .= "noccp\n"; |
243 |
|
|
$OUT .= "auth\n"; |
244 |
|
|
+ $OUT .= "crtscts\n"; # depends on xl2tpd version |
245 |
|
|
+ $OUT .= "idle 800\n"; |
246 |
|
|
$OUT .= "mtu $mtu\n"; |
247 |
|
|
$OUT .= "mru $mtu\n"; |
248 |
|
|
+ $OUT .= "nodefaultroute\n"; |
249 |
|
|
+ if ( $debug eq 'enabled' ) { |
250 |
|
|
+ $OUT .= "debug\n"; |
251 |
|
|
+ } |
252 |
|
|
+ $OUT .= "proxyarp\n"; |
253 |
|
|
+ $OUT .= "connect-delay 5000\n"; |
254 |
|
|
+ |
255 |
|
|
+ # Beyond here are additional parameters required |
256 |
|
|
+ |
257 |
|
|
$OUT .= "hide-password\n"; |
258 |
|
|
$OUT .= "name l2tpd\n"; |
259 |
|
|
- $OUT .= "proxyarp\n"; |
260 |
|
|
- $OUT .= "lcp-echo-interval 30\n"; |
261 |
|
|
- $OUT .= "lcp-echo-failure 4\n"; |
262 |
|
|
+ |
263 |
|
|
+ # Following the main examples we shoudln't need these |
264 |
|
|
+ # $OUT .= "lcp-echo-interval 30\n"; |
265 |
|
|
+ # $OUT .= "lcp-echo-failure 4\n"; |
266 |
|
|
+ |
267 |
|
|
+ # This section allows us to authenticate against SME users |
268 |
|
|
$OUT .= "plugin radius.so\n"; |
269 |
|
|
$OUT .= "radius-config-file /etc/radiusclient-ng/radiusclient.conf\n"; |
270 |
|
|
$OUT .= "refuse-pap\n"; |
271 |
|
|
$OUT .= "refuse-chap\n"; |
272 |
|
|
$OUT .= "refuse-mschap\n"; |
273 |
|
|
$OUT .= "require-mschap-v2 # Need MSCHAP-v2 to initialise encryption key\n"; |
274 |
|
|
+ |
275 |
|
|
+ |
276 |
|
|
} |
277 |
|
|
} |
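Review bot: `ipcp-accept-remote` tells pppd (per pppd(8)) to accept whatever IP address the client proposes for itself in place of the pool address xl2tpd hands over from `ip range`, and with `proxyarp` also set that address is then answered for on the internal LAN, so an authenticated client could claim a LAN host's address. Unless a client actually needs it, drop `ipcp-accept-remote` (keeping `ipcp-accept-local`), or record why it is acceptable: `# ipcp-accept-remote: client may override its pool address — needed for <client>, see <ticket>`. Separately, `noccp` now disables CCP, so no MPPE is negotiated and the existing comment on `require-mschap-v2` ("Need MSCHAP-v2 to initialise encryption key") no longer gives the real reason; MS-CHAPv2 is still the right choice as the strongest method the radius plugin supports, but confidentiality comes from IPsec — `# MS-CHAPv2: strongest PPP auth available here; encryption is IPsec, not MPPE (noccp)`.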
278 |
|
|
diff -ruN smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/sysconfig/modules/ip_xl2tpd.modules smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/sysconfig/modules/ip_xl2tpd.modules |
279 |
|
|
--- smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/sysconfig/modules/ip_xl2tpd.modules 1970-01-01 01:00:00.000000000 +0100 |
280 |
|
|
+++ smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/sysconfig/modules/ip_xl2tpd.modules 2020-02-14 19:18:05.512203866 +0100 |
281 |
|
|
@@ -0,0 +1,19 @@ |
282 |
|
|
+{ |
283 |
|
|
+ use strict; |
284 |
|
|
+ use warnings; |
285 |
|
|
+ use esmith::ConfigDB; |
286 |
|
|
+ |
287 |
|
|
+ my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB"); |
288 |
|
|
+ my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') or die("cant connect to ipsec database"); |
289 |
|
|
+ my $ipsecDBkey = "ipsec"; |
290 |
|
|
+ my $xl2tpdDBkey = "xl2tpd"; |
291 |
|
|
+ my $ipsecprop = "L2TPD-PSK"; |
292 |
|
|
+ |
293 |
|
|
+ if ( $configDB->get_prop( $xl2tpdDBkey, 'status' ) eq 'enabled' ) { |
294 |
|
|
+ $OUT .= "#!/bin/sh\n"; |
295 |
|
|
+ $OUT .= "exec /sbin/modprobe pppol2tp 2>&1\n"; |
296 |
|
|
+ } |
297 |
|
|
+ else { |
298 |
|
|
+ $OUT .= "# xl2tpd is disabled\n"; |
299 |
|
|
+ } |
300 |
|
|
+} |
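Review bot: `$configDB->get_prop( $xl2tpdDBkey, 'status' ) eq 'enabled'` emits an "uninitialized value" warning under the block's `use warnings` when the `xl2tpd` record has no `status` property, and the other templates in this patch default that lookup; write `my $status = $configDB->get_prop( $xl2tpdDBkey, 'status' ) || 'disabled';` and test `$status eq 'enabled'`. `$ipsecDB`, `$ipsecDBkey` and `$ipsecprop` are unused in this template, and `open_ro('ipsec_connections') or die` makes expansion abort when that DB is absent even though the output does not depend on it. Since the file is installed 0755 and executed by rc.sysinit, emit the `#!/bin/sh` line unconditionally and place the "xl2tpd is disabled" comment below it, rather than producing a shebang-less executable in the disabled case.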
301 |
|
|
diff -ruN smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/xl2tpd/xl2tpd.conf/20default smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/xl2tpd/xl2tpd.conf/20default |
302 |
|
|
--- smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/xl2tpd/xl2tpd.conf/20default 2020-02-14 19:15:57.729999219 +0100 |
303 |
|
|
+++ smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/xl2tpd/xl2tpd.conf/20default 2020-02-14 19:18:05.512203866 +0100 |
304 |
|
|
@@ -22,19 +22,34 @@ |
305 |
|
|
} |
306 |
|
|
|
307 |
|
|
else { |
308 |
|
|
- my $InternalIP = $configDB->get_prop( "InternalInterface", 'IPAddress' ); |
309 |
|
|
+ my $listenAddr = $configDB->get_prop( 'ExternalInterface', 'IPAddress'); |
310 |
|
|
+ my $InternalIP = $configDB->get_prop( 'InternalInterface', 'IPAddress' ); |
311 |
|
|
my $ipRangeStart = $ipsecDB->get_prop( $ipsecprop, 'IPRangeStart' ); |
312 |
|
|
my $ipRangeFinish = $ipsecDB->get_prop( $ipsecprop, 'IPRangeFinish' ); |
313 |
|
|
my $debug = $configDB->get_prop( $xl2tpdDBkey, 'debug' ) || 'disabled'; |
314 |
|
|
+ my $maxRetries = $configDB->get_prop( $xl2tpdDBkey, 'maxRetries' ) || '5'; |
315 |
|
|
|
316 |
|
|
+ # https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_with_L2TP |
317 |
|
|
+ # Now have kernel support with modprobe pppol2tpd |
318 |
|
|
+ # So userspace and saref disabled/left at default |
319 |
|
|
$OUT .= "[global]\n"; |
320 |
|
|
- $OUT .= "ipsec saref = yes\n"; |
321 |
|
|
- $OUT .= "force userspace = yes\n"; |
322 |
|
|
+ $OUT .= ";ipsec saref = yes\n"; |
323 |
|
|
+ $OUT .= ";force userspace = yes\n"; |
324 |
|
|
+ $OUT .= "listen-addr = $listenAddr\n"; |
325 |
|
|
+ $OUT .= "max retries = $maxRetries\n"; |
326 |
|
|
+ |
327 |
|
|
+ if ( $debug eq 'enabled' ) { |
328 |
|
|
+ $OUT .= "debug avp = yes\n"; |
329 |
|
|
+ $OUT .= "debug network = yes\n"; |
330 |
|
|
+ $OUT .= "debug state = yes\n"; |
331 |
|
|
+ $OUT .= "debug tunnel = yes\n"; |
332 |
|
|
+ } |
333 |
|
|
$OUT .= "\n"; |
334 |
|
|
$OUT .= "[lns default]\n"; |
335 |
|
|
$OUT .= "name=L2TP-VPN\n"; |
336 |
|
|
$OUT .= "ip range = $ipRangeStart-$ipRangeFinish\n"; |
337 |
|
|
$OUT .= "local ip = $InternalIP\n"; |
338 |
|
|
+ |
339 |
|
|
# Following removed for local radious authentication |
340 |
|
|
# $OUT .= "unix authentication = yes\n"; |
341 |
|
|
$OUT .= "require authentication = yes\n"; |
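Review bot: `listen-addr = $listenAddr` is emitted unconditionally, but `get_prop( 'ExternalInterface', 'IPAddress' )` is unchecked; on a host where that property is absent (a dynamic external address, for example) the output is `listen-addr = ` with an empty value, which xl2tpd may reject or may treat as listen-on-all, silently undoing the intended restriction to the WAN address. Guard it with `my $listenAddr = $configDB->get_prop( 'ExternalInterface', 'IPAddress' ) || '';` and emit the line only `if ( $listenAddr ne '' )`, with a comment such as `# bind L2TP/1701 to the external address only; the IPsec policy (leftprotoport=17/1701) is expected to protect it`. Binding only the external address is a sensible hardening step, but note that the ipsec.conf template's `left=%defaultroute` must resolve to the same address, otherwise the bound socket could accept L2TP that is not IPsec-protected. The new comment says `modprobe pppol2tpd` while the modules file in this patch loads `pppol2tp`.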
342 |
|
|
diff -ruN smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates.metadata/etc/sysconfig/modules/ip_xl2tpd.modules smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates.metadata/etc/sysconfig/modules/ip_xl2tpd.modules |
343 |
|
|
--- smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates.metadata/etc/sysconfig/modules/ip_xl2tpd.modules 1970-01-01 01:00:00.000000000 +0100 |
344 |
|
|
+++ smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates.metadata/etc/sysconfig/modules/ip_xl2tpd.modules 2020-02-14 19:18:05.511203793 +0100 |
345 |
|
|
@@ -0,0 +1 @@ |
346 |
|
|
+PERMS=0755 |
347 |
|
|
\ No newline at end of file |