
Annotation of /rpms/smeserver-libreswan-xl2tpd/contribs9/smeserver-libreswan-xl2tpd-update-createlinks.patch



Revision 1.1 - (hide annotations) (download)
Fri Feb 14 18:20:56 2020 UTC (4 years, 8 months ago) by jcrisp
Branch: MAIN
CVS Tags: smeserver-libreswan-xl2tpd-0_5-9, smeserver-libreswan-xl2tpd-0_5-8, HEAD
* Tue Feb 14 2020 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-8.sme
- Update for xl2tpd 1.3.15
- Update createlinks to regenerate masq on connection
- Modify Nat/non Nat sections
- remove rightsubnet as normal configuration item
- set IKE v1 only and other updates to ipsec.conf
- update file layouts to match samples
- load pppol2tp on startup if xl2tpd is enabled
- Bump requires to newer xl2tpd

1 jcrisp 1.1 diff -ruN smeserver-libreswan-xl2tpd-0.5.old/createlinks smeserver-libreswan-xl2tpd-0.5/createlinks
2     --- smeserver-libreswan-xl2tpd-0.5.old/createlinks 2020-02-14 19:15:57.738999647 +0100
3     +++ smeserver-libreswan-xl2tpd-0.5/createlinks 2020-02-14 19:18:05.512203866 +0100
4     @@ -2,38 +2,37 @@
5    
6     # Need some thought on when the templates should be expanded and when the action should be called.
7    
8     -# Need to
9     +# Need to
10    
11     # On ipsec-update expand xl2tpd.conf & secrets
12    
13     # Need to stop xl2tpd if disabled. Key ?
14    
15     -# On ip-up.xl2tpd expand and restart masq
16     -
17     use esmith::Build::CreateLinks qw(:all);
18    
19     -
20     #--------------------------------------------------
21     # templates for events
22     #--------------------------------------------------
23    
24     -
25     -
26     -foreach (qw(
27     - /etc/pam.d/ppp
28     - /etc/ppp/ip-up.local
29     - /etc/ppp/options.xl2tpd
30     - /etc/ppp/pap-secrets
31     - /etc/xl2tpd/xl2tpd.conf
32     - ))
33     -{
34     - templates2events("$_", qw(
35     - post-upgrade
36     - console-save
37     - bootstrap-console-save
38     - remoteaccess-update
39     - ipsec-update
40     - ));
41     +foreach (
42     + qw(
43     + /etc/pam.d/ppp
44     + /etc/ppp/ip-up.local
45     + /etc/ppp/options.xl2tpd
46     + /etc/ppp/pap-secrets
47     + /etc/xl2tpd/xl2tpd.conf
48     + /etc/sysconfig/modules/ip_xl2tpd.modules
49     + )
50     + ) {
51     + templates2events(
52     + "$_", qw(
53     + post-upgrade
54     + console-save
55     + bootstrap-console-save
56     + remoteaccess-update
57     + ipsec-update
58     + )
59     + );
60     }
61    
62     #--------------------------------------------------
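Review bot: The rewritten loop passes `"$_"` to `templates2events`, which stringifies a scalar that is already a plain string; `templates2events( $_, qw( ... ) );` is the idiomatic form, and naming the loop variable (`foreach my $template ( qw( ... ) ) { templates2events( $template, qw( ... ) ); }`) avoids relying on `$_` across the call. The same `"$_"` quoting reappears in the masq loop added in the next hunk. Behaviour is identical either way, so this is a style point only.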
63     @@ -42,21 +41,41 @@
64    
65     my $eventIpsec = "ipsec-update";
66    
67     -
68     #--------------------------------------------------
69     # actions for ip-up.xl2tpd event
70     #--------------------------------------------------
71    
72     my $eventXl2tpd = "ip-up.xl2tpd";
73     +safe_symlink( "adjust", "root/etc/e-smith/events/$eventXl2tpd/services2adjust/masq" );
74     +event_link( "xl2tpd-interface-access", $eventXl2tpd, "70" );
75     +
76     +# Runlevel init links.
77     +service_link_enhanced( "xl2tpd", "S95", "7" );
78     +service_link_enhanced( "xl2tpd", "K21", "6" );
79     +service_link_enhanced( "xl2tpd", "K21", "0" );
80     +service_link_enhanced( "xl2tpd", "K21", "1" );
81    
82     -# What was I thinking here ? Should be $eventIpsec or my $eventXl2tpd
83     -safe_symlink("adjust", "root/etc/e-smith/events/$eventXl2tpd/services2adjust/masq");
84     +# On ip-up.xl2tpd expand and restart masq
85     +
86     +foreach (
87     + qw(
88     + /etc/rc.d/init.d/masq
89     + )
90     + ) {
91     + templates2events(
92     + "$_", qw(
93     + ip-up.xl2tpd
94     + )
95     + );
96     +}
97    
98     -event_link("xl2tpd-interface-access", $eventXl2tpd, "70");
99    
100     -# Runlevel init links.
101     -service_link_enhanced("xl2tpd", "S95", "7");
102     -service_link_enhanced("xl2tpd", "K21", "6");
103     -service_link_enhanced("xl2tpd", "K21", "0");
104     -service_link_enhanced("xl2tpd", "K21", "1");
105     +#--------------------------------------------------
106     +# actions for ip-up.xl2tpd event
107     +# On ip-down clear the interface
108     +# masq gets restarted anyway via existing event
109     +#--------------------------------------------------
110     +
111     +my $eventXl2tpd = "ip-down";
112    
113     +event_link( "xl2tpd-interface-access", $eventXl2tpd, "70" );
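Review bot: `my $eventXl2tpd = "ip-down";` at the end of the hunk redeclares a lexical that this same file scope already declares a few lines up (`my $eventXl2tpd = "ip-up.xl2tpd";`); if createlinks runs under `use warnings` this emits `"my" variable $eventXl2tpd masks earlier declaration in same scope`, and in any case it makes the final `event_link` call read as if it wired the ip-up event. A distinct name, `my $eventIpDown = "ip-down";` followed by `event_link( "xl2tpd-interface-access", $eventIpDown, "70" );`, removes the ambiguity. The header comment above it still says `# actions for ip-up.xl2tpd event` although the block wires ip-down; `# actions for ip-down event` would match the code. The ip-down event is also unsuffixed while its counterpart is `ip-up.xl2tpd`, so it is worth confirming this is the pppd hook name actually intended rather than a leftover.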
114     diff -ruN smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/20defaultL2tpd smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/20defaultL2tpd
115     --- smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/20defaultL2tpd 2020-02-14 19:15:57.729999218 +0100
116     +++ smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/20defaultL2tpd 2020-02-14 19:18:05.512203866 +0100
117     @@ -29,17 +29,13 @@
118     else {
119    
120     # Currently most of these are hard coded but could come from the DB key
121     -
122     +
123     # For nat connections you can use "vhost:%no,%priv"
124     # See above
125     # https://github.com/libreswan/libreswan/blob/master/docs/examples/l2tp-psk.conf
126     # see https://libreswan.org/man/ipsec.conf.5.html -> leftsubnet
127     -
128     - $OUT .= "conn $ipsecprop-NAT";
129     - $OUT .= " rightsubnet=vhost:%priv";
130     - $OUT .= " also=$ipsecprop-noNAT";
131    
132     - $OUT .= "conn $ipsecprop-noNAT\n";
133     + $OUT .= "conn $ipsecprop\n";
134     $OUT .= " authby=secret\n";
135     $OUT .= " pfs=no\n";
136     $OUT .= " auto=add\n";
137     @@ -55,7 +51,7 @@
138     $OUT .= " left=%defaultroute\n";
139     $OUT .= " leftprotoport=17/1701\n";
140     $OUT .= " # Permit Ike v1 for older xl2tpd connections/clients\n";
141     - $OUT .= " ikev2=permit\n";
142     + $OUT .= " ikev2=never\n";
143    
144     $OUT .= " # Apple iOS doesn't send delete notify so we need dead peer detection\n";
145     $OUT .= " # to detect vanishing clients\n";
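Review bot: The comment emitted just above the changed line still says `# Permit Ike v1 for older xl2tpd connections/clients`, but `ikev2=never` does not permit IKEv1 alongside IKEv2, it disables IKEv2 for this conn entirely; the generated ipsec.conf now documents the opposite of what it configures. `$OUT .= " # IKEv1 only: older xl2tpd clients do not negotiate IKEv2\n";` would match the new value. Since this deliberately pins the connection to the older protocol, it may be worth a follow-up to read the choice from a DB property rather than hard-coding it, so sites that only serve newer clients can keep IKEv2. The enclosing block starts and ends outside this hunk.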
146     @@ -71,11 +67,10 @@
147    
148     # Some additional config entries if required
149     # right subnet would not normally be used as it is used above
150     -
151     - my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || '';
152     - if ( $rightsubnet ne '' ) {
153     - $OUT .= " rightsubnet=$rightsubnet\n";
154     - }
155     +
156     + # Removing rightsubnet entirely. If required it is added in the -NAT section
157     + # Unlike standard ipsec we use the rightsubnet key to fix
158     + # the vhosts in /etc/ipsec.conf only
159    
160     my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' ) || '';
161     if ( $leftsourceip ne '' ) {
162     @@ -87,5 +82,13 @@
163     $OUT .= " leftsubnet=$leftsubnet\n";
164     }
165    
166     + # For L2TPD we really want vhost:%priv unless someone has a really good reason not too
167     + # We leave that option in
168     + my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || "vhost:%priv";
169     +
170     + $OUT .= "conn $ipsecprop-NAT\n";
171     + $OUT .= " rightsubnet=$rightsubnet\n";
172     + $OUT .= " also=$ipsecprop\n";
173     +
174     }
175     }
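Review bot: The new `my $rightsubnet = ... || "vhost:%priv";` interpolates a DB property straight into the `conn $ipsecprop-NAT` stanza with no check on its shape, so a property that contains whitespace or a stray newline silently produces a malformed or extra line in ipsec.conf rather than a clear error at template expansion. A one-line guard such as `die "rightsubnet for $ipsecprop must be a single token" unless $rightsubnet =~ m{\A\S+\z};` keeps a bad admin entry from spilling into the generated config, and the earlier hunk's comment that the key now only fixes the vhost in the -NAT section could be echoed here. Note that `||` also turns an explicitly empty property into the default, which matches the old `|| ''` behaviour but differs from `//`. The `else` block closed at the end of this hunk starts outside it.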
176     diff -ruN smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/pam.d/ppp/10defaults smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/pam.d/ppp/10defaults
177     --- smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/pam.d/ppp/10defaults 2020-02-14 19:15:57.738999647 +0100
178     +++ smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/pam.d/ppp/10defaults 2020-02-14 19:18:05.512203866 +0100
179     @@ -23,7 +23,7 @@
180     }
181    
182     elsif ( $ipsecDB->get_prop( $ipsecprop, 'status' ) ne 'enabled' ) {
183     - $OUT .= "# l2tpd connection is disabled\n";
184     + $OUT .= "# ipsec l2tpd connection is disabled\n";
185     }
186    
187     else {
188     @@ -39,8 +39,5 @@
189     $OUT .= "account required pam_nologin.so\n";
190     $OUT .= "account include password-auth\n";
191     $OUT .= "session include password-auth\n";
192     -
193     -
194     }
195     -
196     }
197     diff -ruN smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/ppp/options.xl2tpd/10default smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/ppp/options.xl2tpd/10default
198     --- smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/ppp/options.xl2tpd/10default 2020-02-14 19:15:57.680996820 +0100
199     +++ smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/ppp/options.xl2tpd/10default 2020-02-14 19:18:05.511203793 +0100
200     @@ -5,7 +5,7 @@
201    
202     my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
203     my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') or die("cant connect to ipsec database");
204     -
205     +
206     my $ipsecDBkey = "ipsec";
207     my $xl2tpdDBkey = "xl2tpd";
208     my $ipsecprop = "L2TPD-PSK";
209     @@ -26,38 +26,54 @@
210     my $DNS = $configDB->get_prop( "xl2tpd", 'DNS' ) || '';
211     my $debug = $configDB->get_prop( "xl2tpd", 'debug' ) || 'disabled';
212     my $mtu = $configDB->get_prop( "xl2tpd", 'mtu' ) || '1400';
213     -
214     + my @DNSArray = split( /,/, $DNS );
215     +
216     $OUT .= "#x2ltpd\n";
217     $OUT .= "login\n";
218    
219     - if ( $debug eq 'enabled' ) {
220     - $OUT .= "debug\n";
221     - }
222     + # https://github.com/xelerance/xl2tpd/blob/master/examples/ppp-options.xl2tpd
223    
224     + $OUT .= "ipparam xl2tpd\n";
225     + $OUT .= "ipcp-accept-local\n";
226     + $OUT .= "ipcp-accept-remote\n";
227     if ( $InternalIP ne '' ) {
228     $OUT .= "ms-dns $InternalIP\n";
229     }
230     -
231     - my @DNSArray = split( /,/, $DNS );
232     -
233     - foreach my $IP (@DNSArray) {
234     - $OUT .= "ms-dns $IP\n";
235     + unless ($DNS eq ''){
236     + foreach my $IP (@DNSArray) {
237     + $OUT .= "ms-dns $IP\n";
238     + }
239     }
240     -
241     - $OUT .= "ipparam xl2tpd\n";
242     + $OUT .= "noccp\n";
243     $OUT .= "auth\n";
244     + $OUT .= "crtscts\n"; # depends on xl2tpd version
245     + $OUT .= "idle 800\n";
246     $OUT .= "mtu $mtu\n";
247     $OUT .= "mru $mtu\n";
248     + $OUT .= "nodefaultroute\n";
249     + if ( $debug eq 'enabled' ) {
250     + $OUT .= "debug\n";
251     + }
252     + $OUT .= "proxyarp\n";
253     + $OUT .= "connect-delay 5000\n";
254     +
255     + # Beyond here are additional parameters required
256     +
257     $OUT .= "hide-password\n";
258     $OUT .= "name l2tpd\n";
259     - $OUT .= "proxyarp\n";
260     - $OUT .= "lcp-echo-interval 30\n";
261     - $OUT .= "lcp-echo-failure 4\n";
262     +
263     + # Following the main examples we shoudln't need these
264     + # $OUT .= "lcp-echo-interval 30\n";
265     + # $OUT .= "lcp-echo-failure 4\n";
266     +
267     + # This section allows us to authenticate against SME users
268     $OUT .= "plugin radius.so\n";
269     $OUT .= "radius-config-file /etc/radiusclient-ng/radiusclient.conf\n";
270     $OUT .= "refuse-pap\n";
271     $OUT .= "refuse-chap\n";
272     $OUT .= "refuse-mschap\n";
273     $OUT .= "require-mschap-v2 # Need MSCHAP-v2 to initialise encryption key\n";
274     +
275     +
276     }
277     }
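Review bot: The `unless ($DNS eq ''){` guard around the `ms-dns` loop is redundant, because `split( /,/, '' )` already returns an empty list and the `foreach` then does nothing; if a guard is kept, `if ( $DNS ne '' ) {` reads more directly than a negated `unless`. Splitting on a bare comma also keeps surrounding whitespace, so a `DNS` value entered as `a, b` would emit `ms-dns  b`; `my @DNSArray = split( /\s*,\s*/, $DNS );` is more forgiving, though pppd may well tolerate the extra space, so this is hedged. Nothing checks that each entry looks like an address before it is written to the options file, which is worth a comment or a simple anchored pattern given the value comes from the config DB. The emitted comment `# Following the main examples we shoudln't need these` has a typo (`shouldn't`). The enclosing `else` block starts outside this hunk.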
278     diff -ruN smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/sysconfig/modules/ip_xl2tpd.modules smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/sysconfig/modules/ip_xl2tpd.modules
279     --- smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/sysconfig/modules/ip_xl2tpd.modules 1970-01-01 01:00:00.000000000 +0100
280     +++ smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/sysconfig/modules/ip_xl2tpd.modules 2020-02-14 19:18:05.512203866 +0100
281     @@ -0,0 +1,19 @@
282     +{
283     + use strict;
284     + use warnings;
285     + use esmith::ConfigDB;
286     +
287     + my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
288     + my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') or die("cant connect to ipsec database");
289     + my $ipsecDBkey = "ipsec";
290     + my $xl2tpdDBkey = "xl2tpd";
291     + my $ipsecprop = "L2TPD-PSK";
292     +
293     + if ( $configDB->get_prop( $xl2tpdDBkey, 'status' ) eq 'enabled' ) {
294     + $OUT .= "#!/bin/sh\n";
295     + $OUT .= "exec /sbin/modprobe pppol2tp 2>&1\n";
296     + }
297     + else {
298     + $OUT .= "# xl2tpd is disabled\n";
299     + }
300     +}
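Review bot: `if ( $configDB->get_prop( $xl2tpdDBkey, 'status' ) eq 'enabled' )` compares an undef when the `xl2tpd` key or its `status` property is absent, which under the template's own `use warnings` produces an uninitialized-value warning at every expansion; the sibling templates in this patch default the lookup, so `if ( ( $configDB->get_prop( $xl2tpdDBkey, 'status' ) || 'disabled' ) eq 'enabled' ) {` keeps them consistent. `$ipsecDB`, `$ipsecDBkey` and `$ipsecprop` are declared but never used in this template, and the `open_ro('ipsec_connections')` call only adds a fatal `die` for a database the output does not depend on; dropping those four lines removes the dead code. The file is installed 0755 by the metadata added later in the patch, so a one-line comment at the top noting that it is executed by the sysconfig modules loader and must stay a valid shell script in both branches would help the next maintainer.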
301     diff -ruN smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/xl2tpd/xl2tpd.conf/20default smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/xl2tpd/xl2tpd.conf/20default
302     --- smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/xl2tpd/xl2tpd.conf/20default 2020-02-14 19:15:57.729999219 +0100
303     +++ smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/xl2tpd/xl2tpd.conf/20default 2020-02-14 19:18:05.512203866 +0100
304     @@ -22,19 +22,34 @@
305     }
306    
307     else {
308     - my $InternalIP = $configDB->get_prop( "InternalInterface", 'IPAddress' );
309     + my $listenAddr = $configDB->get_prop( 'ExternalInterface', 'IPAddress');
310     + my $InternalIP = $configDB->get_prop( 'InternalInterface', 'IPAddress' );
311     my $ipRangeStart = $ipsecDB->get_prop( $ipsecprop, 'IPRangeStart' );
312     my $ipRangeFinish = $ipsecDB->get_prop( $ipsecprop, 'IPRangeFinish' );
313     my $debug = $configDB->get_prop( $xl2tpdDBkey, 'debug' ) || 'disabled';
314     + my $maxRetries = $configDB->get_prop( $xl2tpdDBkey, 'maxRetries' ) || '5';
315    
316     + # https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_with_L2TP
317     + # Now have kernel support with modprobe pppol2tpd
318     + # So userspace and saref disabled/left at default
319     $OUT .= "[global]\n";
320     - $OUT .= "ipsec saref = yes\n";
321     - $OUT .= "force userspace = yes\n";
322     + $OUT .= ";ipsec saref = yes\n";
323     + $OUT .= ";force userspace = yes\n";
324     + $OUT .= "listen-addr = $listenAddr\n";
325     + $OUT .= "max retries = $maxRetries\n";
326     +
327     + if ( $debug eq 'enabled' ) {
328     + $OUT .= "debug avp = yes\n";
329     + $OUT .= "debug network = yes\n";
330     + $OUT .= "debug state = yes\n";
331     + $OUT .= "debug tunnel = yes\n";
332     + }
333     $OUT .= "\n";
334     $OUT .= "[lns default]\n";
335     $OUT .= "name=L2TP-VPN\n";
336     $OUT .= "ip range = $ipRangeStart-$ipRangeFinish\n";
337     $OUT .= "local ip = $InternalIP\n";
338     +
339     # Following removed for local radious authentication
340     # $OUT .= "unix authentication = yes\n";
341     $OUT .= "require authentication = yes\n";
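Review bot: `$OUT .= "listen-addr = $listenAddr\n";` is emitted unconditionally, but `$listenAddr` is read from `ExternalInterface`/`IPAddress` with no default, so on a host where that property is absent the template writes `listen-addr = ` (with an uninitialized-value warning) and xl2tpd is left with an empty bind address instead of falling back to all interfaces. Emitting the line only when a value exists, `$OUT .= "listen-addr = $listenAddr\n" if defined $listenAddr && $listenAddr ne '';`, keeps the exposure-limiting bind where it is configured and a parseable config elsewhere. `$maxRetries` is likewise interpolated without a numeric check; a short `# must be an integer` comment or an anchored `\d+` test would make a bad DB value fail early. The emitted comment says `modprobe pppol2tpd` while the modules file added in this patch loads `pppol2tp`; one of the two is a typo. The `else` block opened in this hunk ends outside it.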
342     diff -ruN smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates.metadata/etc/sysconfig/modules/ip_xl2tpd.modules smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates.metadata/etc/sysconfig/modules/ip_xl2tpd.modules
343     --- smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates.metadata/etc/sysconfig/modules/ip_xl2tpd.modules 1970-01-01 01:00:00.000000000 +0100
344     +++ smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates.metadata/etc/sysconfig/modules/ip_xl2tpd.modules 2020-02-14 19:18:05.511203793 +0100
345     @@ -0,0 +1 @@
346     +PERMS=0755
347     \ No newline at end of file
