
Contents of /rpms/smeserver-libreswan-xl2tpd/contribs9/smeserver-libreswan-xl2tpd-update-createlinks.patch



Revision 1.1 - (show annotations) (download)
Fri Feb 14 18:20:56 2020 UTC (4 years, 8 months ago) by jcrisp
Branch: MAIN
CVS Tags: smeserver-libreswan-xl2tpd-0_5-9, smeserver-libreswan-xl2tpd-0_5-8, HEAD
* Tue Feb 14 2020 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-8.sme
- Update for xl2tpd 1.3.15
- Update createlinks to regenerate masq on connection
- Modify Nat/non Nat sections
- remove rightsubnet as normal configuration item
- set IKE v1 only and other updates to ipsec.conf
- update file layouts to match samples
- load pppol2tp on startup if xl2tpd is enabled
- Bump requires to newer xl2tpd

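diff -ruN smeserver-libreswan-xl2tpd-0.5.old/createlinks smeserver-libreswan-xl2tpd-0.5/createlinks
--- smeserver-libreswan-xl2tpd-0.5.old/createlinks 2020-02-14 19:15:57.738999647 +0100
+++ smeserver-libreswan-xl2tpd-0.5/createlinks 2020-02-14 19:18:05.512203866 +0100
@@ -2,38 +2,37 @@
 
 # Need some thought on when the templates should be expanded and when the action should be called.
 
-# Need to
+# Need to
 
 # On ipsec-update expand xl2tpd.conf & secrets
 
 # Need to stop xl2tpd if disabled. Key ?
 
-# On ip-up.xl2tpd expand and restart masq
-
 use esmith::Build::CreateLinks qw(:all);
 
-
 #--------------------------------------------------
 # templates for events
 #--------------------------------------------------
 
-
-
-foreach (qw(
- /etc/pam.d/ppp
- /etc/ppp/ip-up.local
- /etc/ppp/options.xl2tpd
- /etc/ppp/pap-secrets
- /etc/xl2tpd/xl2tpd.conf
- ))
-{
- templates2events("$_", qw(
- post-upgrade
- console-save
- bootstrap-console-save
- remoteaccess-update
- ipsec-update
- ));
+foreach (
+ qw(
+ /etc/pam.d/ppp
+ /etc/ppp/ip-up.local
+ /etc/ppp/options.xl2tpd
+ /etc/ppp/pap-secrets
+ /etc/xl2tpd/xl2tpd.conf
+ /etc/sysconfig/modules/ip_xl2tpd.modules
+ )
+ ) {
+ templates2events(
+ "$_", qw(
+ post-upgrade
+ console-save
+ bootstrap-console-save
+ remoteaccess-update
+ ipsec-update
+ )
+ );
 }
 
 #--------------------------------------------------
@@ -42,21 +41,41 @@
 
 my $eventIpsec = "ipsec-update";
 
-
 #--------------------------------------------------
 # actions for ip-up.xl2tpd event
 #--------------------------------------------------
 
 my $eventXl2tpd = "ip-up.xl2tpd";
+safe_symlink( "adjust", "root/etc/e-smith/events/$eventXl2tpd/services2adjust/masq" );
+event_link( "xl2tpd-interface-access", $eventXl2tpd, "70" );
+
+# Runlevel init links.
+service_link_enhanced( "xl2tpd", "S95", "7" );
+service_link_enhanced( "xl2tpd", "K21", "6" );
+service_link_enhanced( "xl2tpd", "K21", "0" );
+service_link_enhanced( "xl2tpd", "K21", "1" );
 
-# What was I thinking here ? Should be $eventIpsec or my $eventXl2tpd
-safe_symlink("adjust", "root/etc/e-smith/events/$eventXl2tpd/services2adjust/masq");
+# On ip-up.xl2tpd expand and restart masq
+
+foreach (
+ qw(
+ /etc/rc.d/init.d/masq
+ )
+ ) {
+ templates2events(
+ "$_", qw(
+ ip-up.xl2tpd
+ )
+ );
+}
 
-event_link("xl2tpd-interface-access", $eventXl2tpd, "70");
 
-# Runlevel init links.
-service_link_enhanced("xl2tpd", "S95", "7");
-service_link_enhanced("xl2tpd", "K21", "6");
-service_link_enhanced("xl2tpd", "K21", "0");
-service_link_enhanced("xl2tpd", "K21", "1");
+#--------------------------------------------------
+# actions for ip-up.xl2tpd event
+# On ip-down clear the interface
+# masq gets restarted anyway via existing event
+#--------------------------------------------------
+
+my $eventXl2tpd = "ip-down";
 
+event_link( "xl2tpd-interface-access", $eventXl2tpd, "70" );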
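Review bot: `my $eventXl2tpd = "ip-down";` at the end of the second hunk redeclares a lexical that is already declared in the same scope a few lines above (`my $eventXl2tpd = "ip-up.xl2tpd";`), which under `use warnings` produces `"my" variable $eventXl2tpd masks earlier declaration in same scope`; give the second event its own name, e.g. `my $eventIpDown = "ip-down";` and `event_link( "xl2tpd-interface-access", $eventIpDown, "70" );`. The banner above that declaration still reads `# actions for ip-up.xl2tpd event`, copied from the section before it, while the block wires the `ip-down` event; change it to `# actions for ip-down event`. Whether the file starts with `use strict; use warnings;` cannot be seen here, since the first hunk begins at line 2.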
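diff -ruN smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/20defaultL2tpd smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/20defaultL2tpd
--- smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/20defaultL2tpd 2020-02-14 19:15:57.729999218 +0100
+++ smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/20defaultL2tpd 2020-02-14 19:18:05.512203866 +0100
@@ -29,17 +29,13 @@
 else {
 
 # Currently most of these are hard coded but could come from the DB key
-
+
 # For nat connections you can use "vhost:%no,%priv"
 # See above
 # https://github.com/libreswan/libreswan/blob/master/docs/examples/l2tp-psk.conf
 # see https://libreswan.org/man/ipsec.conf.5.html -> leftsubnet
-
- $OUT .= "conn $ipsecprop-NAT";
- $OUT .= " rightsubnet=vhost:%priv";
- $OUT .= " also=$ipsecprop-noNAT";
 
- $OUT .= "conn $ipsecprop-noNAT\n";
+ $OUT .= "conn $ipsecprop\n";
 $OUT .= " authby=secret\n";
 $OUT .= " pfs=no\n";
 $OUT .= " auto=add\n";
@@ -55,7 +51,7 @@
 $OUT .= " left=%defaultroute\n";
 $OUT .= " leftprotoport=17/1701\n";
 $OUT .= " # Permit Ike v1 for older xl2tpd connections/clients\n";
- $OUT .= " ikev2=permit\n";
+ $OUT .= " ikev2=never\n";
 
 $OUT .= " # Apple iOS doesn't send delete notify so we need dead peer detection\n";
 $OUT .= " # to detect vanishing clients\n";
@@ -71,11 +67,10 @@
 
 # Some additional config entries if required
 # right subnet would not normally be used as it is used above
-
- my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || '';
- if ( $rightsubnet ne '' ) {
- $OUT .= " rightsubnet=$rightsubnet\n";
- }
+
+ # Removing rightsubnet entirely. If required it is added in the -NAT section
+ # Unlike standard ipsec we use the rightsubnet key to fix
+ # the vhosts in /etc/ipsec.conf only
 
 my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' ) || '';
 if ( $leftsourceip ne '' ) {
@@ -87,5 +82,13 @@
 $OUT .= " leftsubnet=$leftsubnet\n";
 }
 
+ # For L2TPD we really want vhost:%priv unless someone has a really good reason not too
+ # We leave that option in
+ my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || "vhost:%priv";
+
+ $OUT .= "conn $ipsecprop-NAT\n";
+ $OUT .= " rightsubnet=$rightsubnet\n";
+ $OUT .= " also=$ipsecprop\n";
+
 }
 }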
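Review bot: The comment written into the generated file just before `ikev2=never` in the second hunk still says `# Permit Ike v1 for older xl2tpd connections/clients`, which described the old `ikev2=permit`; `never` disables IKEv2 for this conn rather than merely permitting IKEv1 beside it, so the emitted comment should say so, e.g. `$OUT .= " # IKEv1 only: IKEv2 disabled for this conn (ikev2=never), as needed by older xl2tpd/L2TP clients\n";`. In the last hunk `$rightsubnet` is read from the ipsec_connections DB and interpolated into the new `-NAT` conn without any check; a why-comment such as `# rightsubnet is expected to be a libreswan subnet/vhost spec (e.g. vhost:%priv); not validated here` would tell the next maintainer what the key may contain and that the template trusts it.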
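diff -ruN smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/pam.d/ppp/10defaults smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/pam.d/ppp/10defaults
--- smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/pam.d/ppp/10defaults 2020-02-14 19:15:57.738999647 +0100
+++ smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/pam.d/ppp/10defaults 2020-02-14 19:18:05.512203866 +0100
@@ -23,7 +23,7 @@
 }
 
 elsif ( $ipsecDB->get_prop( $ipsecprop, 'status' ) ne 'enabled' ) {
- $OUT .= "# l2tpd connection is disabled\n";
+ $OUT .= "# ipsec l2tpd connection is disabled\n";
 }
 
 else {
@@ -39,8 +39,5 @@
 $OUT .= "account required pam_nologin.so\n";
 $OUT .= "account include password-auth\n";
 $OUT .= "session include password-auth\n";
-
-
 }
-
 }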
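diff -ruN smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/ppp/options.xl2tpd/10default smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/ppp/options.xl2tpd/10default
--- smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/ppp/options.xl2tpd/10default 2020-02-14 19:15:57.680996820 +0100
+++ smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/ppp/options.xl2tpd/10default 2020-02-14 19:18:05.511203793 +0100
@@ -5,7 +5,7 @@
 
 my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
 my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') or die("cant connect to ipsec database");
-
+
 my $ipsecDBkey = "ipsec";
 my $xl2tpdDBkey = "xl2tpd";
 my $ipsecprop = "L2TPD-PSK";
@@ -26,38 +26,54 @@
 my $DNS = $configDB->get_prop( "xl2tpd", 'DNS' ) || '';
 my $debug = $configDB->get_prop( "xl2tpd", 'debug' ) || 'disabled';
 my $mtu = $configDB->get_prop( "xl2tpd", 'mtu' ) || '1400';
-
+ my @DNSArray = split( /,/, $DNS );
+
 $OUT .= "#x2ltpd\n";
 $OUT .= "login\n";
 
- if ( $debug eq 'enabled' ) {
- $OUT .= "debug\n";
- }
+ # https://github.com/xelerance/xl2tpd/blob/master/examples/ppp-options.xl2tpd
 
+ $OUT .= "ipparam xl2tpd\n";
+ $OUT .= "ipcp-accept-local\n";
+ $OUT .= "ipcp-accept-remote\n";
 if ( $InternalIP ne '' ) {
 $OUT .= "ms-dns $InternalIP\n";
 }
-
- my @DNSArray = split( /,/, $DNS );
-
- foreach my $IP (@DNSArray) {
- $OUT .= "ms-dns $IP\n";
+ unless ($DNS eq ''){
+ foreach my $IP (@DNSArray) {
+ $OUT .= "ms-dns $IP\n";
+ }
 }
-
- $OUT .= "ipparam xl2tpd\n";
+ $OUT .= "noccp\n";
 $OUT .= "auth\n";
+ $OUT .= "crtscts\n"; # depends on xl2tpd version
+ $OUT .= "idle 800\n";
 $OUT .= "mtu $mtu\n";
 $OUT .= "mru $mtu\n";
+ $OUT .= "nodefaultroute\n";
+ if ( $debug eq 'enabled' ) {
+ $OUT .= "debug\n";
+ }
+ $OUT .= "proxyarp\n";
+ $OUT .= "connect-delay 5000\n";
+
+ # Beyond here are additional parameters required
+
 $OUT .= "hide-password\n";
 $OUT .= "name l2tpd\n";
- $OUT .= "proxyarp\n";
- $OUT .= "lcp-echo-interval 30\n";
- $OUT .= "lcp-echo-failure 4\n";
+
+ # Following the main examples we shoudln't need these
+ # $OUT .= "lcp-echo-interval 30\n";
+ # $OUT .= "lcp-echo-failure 4\n";
+
+ # This section allows us to authenticate against SME users
 $OUT .= "plugin radius.so\n";
 $OUT .= "radius-config-file /etc/radiusclient-ng/radiusclient.conf\n";
 $OUT .= "refuse-pap\n";
 $OUT .= "refuse-chap\n";
 $OUT .= "refuse-mschap\n";
 $OUT .= "require-mschap-v2 # Need MSCHAP-v2 to initialise encryption key\n";
+
+
 }
 }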
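Review bot: The `unless ($DNS eq ''){` guard added around `foreach my $IP (@DNSArray)` in the second hunk is redundant: `split( /,/, '' )` returns an empty list, so the loop body already does not run when `$DNS` is empty, and the bare loop as it was before is enough. The new `idle 800` and `connect-delay 5000` lines are hard-coded while `mtu` right next to them is read from the config DB; consider `my $idle = $configDB->get_prop( "xl2tpd", 'idle' ) || '800';` and `$OUT .= "idle $idle\n";` so the idle-disconnect timeout is tunable like the other values. The trailing comment `# depends on xl2tpd version` on the `crtscts` line should state which versions need it and why, and `shoudln't` in the comment below is a typo.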
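diff -ruN smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/sysconfig/modules/ip_xl2tpd.modules smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/sysconfig/modules/ip_xl2tpd.modules
--- smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/sysconfig/modules/ip_xl2tpd.modules 1970-01-01 01:00:00.000000000 +0100
+++ smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/sysconfig/modules/ip_xl2tpd.modules 2020-02-14 19:18:05.512203866 +0100
@@ -0,0 +1,19 @@
+{
+ use strict;
+ use warnings;
+ use esmith::ConfigDB;
+
+ my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
+ my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') or die("cant connect to ipsec database");
+ my $ipsecDBkey = "ipsec";
+ my $xl2tpdDBkey = "xl2tpd";
+ my $ipsecprop = "L2TPD-PSK";
+
+ if ( $configDB->get_prop( $xl2tpdDBkey, 'status' ) eq 'enabled' ) {
+ $OUT .= "#!/bin/sh\n";
+ $OUT .= "exec /sbin/modprobe pppol2tp 2>&1\n";
+ }
+ else {
+ $OUT .= "# xl2tpd is disabled\n";
+ }
+}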
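Review bot: `$configDB->get_prop( $xl2tpdDBkey, 'status' ) eq 'enabled'` compares an undefined value when the `xl2tpd` record has no `status` property, which emits an uninitialized-value warning under the `use warnings` this template enables; the other templates in this patch default such lookups (`|| 'disabled'`), so write `( $configDB->get_prop( $xl2tpdDBkey, 'status' ) || 'disabled' ) eq 'enabled'`. `$ipsecDB`, `$ipsecDBkey` and `$ipsecprop` are never used in this template, and opening `$ipsecDB` makes the expansion `die` when the ipsec_connections DB cannot be opened even though this file does not need it — drop those three lines. Since the templates.metadata file in this patch sets `PERMS=0755` for the generated script, the disabled branch should also begin with `$OUT .= "#!/bin/sh\n";` so the file is a well-formed script in both states.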
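diff -ruN smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/xl2tpd/xl2tpd.conf/20default smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/xl2tpd/xl2tpd.conf/20default
--- smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates/etc/xl2tpd/xl2tpd.conf/20default 2020-02-14 19:15:57.729999219 +0100
+++ smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates/etc/xl2tpd/xl2tpd.conf/20default 2020-02-14 19:18:05.512203866 +0100
@@ -22,19 +22,34 @@
 }
 
 else {
- my $InternalIP = $configDB->get_prop( "InternalInterface", 'IPAddress' );
+ my $listenAddr = $configDB->get_prop( 'ExternalInterface', 'IPAddress');
+ my $InternalIP = $configDB->get_prop( 'InternalInterface', 'IPAddress' );
 my $ipRangeStart = $ipsecDB->get_prop( $ipsecprop, 'IPRangeStart' );
 my $ipRangeFinish = $ipsecDB->get_prop( $ipsecprop, 'IPRangeFinish' );
 my $debug = $configDB->get_prop( $xl2tpdDBkey, 'debug' ) || 'disabled';
+ my $maxRetries = $configDB->get_prop( $xl2tpdDBkey, 'maxRetries' ) || '5';
 
+ # https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_with_L2TP
+ # Now have kernel support with modprobe pppol2tpd
+ # So userspace and saref disabled/left at default
 $OUT .= "[global]\n";
- $OUT .= "ipsec saref = yes\n";
- $OUT .= "force userspace = yes\n";
+ $OUT .= ";ipsec saref = yes\n";
+ $OUT .= ";force userspace = yes\n";
+ $OUT .= "listen-addr = $listenAddr\n";
+ $OUT .= "max retries = $maxRetries\n";
+
+ if ( $debug eq 'enabled' ) {
+ $OUT .= "debug avp = yes\n";
+ $OUT .= "debug network = yes\n";
+ $OUT .= "debug state = yes\n";
+ $OUT .= "debug tunnel = yes\n";
+ }
 $OUT .= "\n";
 $OUT .= "[lns default]\n";
 $OUT .= "name=L2TP-VPN\n";
 $OUT .= "ip range = $ipRangeStart-$ipRangeFinish\n";
 $OUT .= "local ip = $InternalIP\n";
+
 # Following removed for local radious authentication
 # $OUT .= "unix authentication = yes\n";
 $OUT .= "require authentication = yes\n";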
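Review bot: `listen-addr = $listenAddr` is emitted unconditionally, but `$listenAddr` comes from `get_prop( 'ExternalInterface', 'IPAddress')` with no fallback, unlike `$maxRetries` a few lines below; if that property is absent or empty the expansion warns on an undefined interpolation and writes `listen-addr = ` with no value into xl2tpd.conf. Default the lookup with `|| ''` and emit the line only when set: `$OUT .= "listen-addr = $listenAddr\n" if $listenAddr ne '';`. Binding the L2TP listener to the external address rather than all interfaces looks deliberate; a one-line comment such as `# bind xl2tpd to the external address only, so the listener is not exposed on internal interfaces` would record that intent, if that is what is meant, for whoever next touches the block.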
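diff -ruN smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates.metadata/etc/sysconfig/modules/ip_xl2tpd.modules smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates.metadata/etc/sysconfig/modules/ip_xl2tpd.modules
--- smeserver-libreswan-xl2tpd-0.5.old/root/etc/e-smith/templates.metadata/etc/sysconfig/modules/ip_xl2tpd.modules 1970-01-01 01:00:00.000000000 +0100
+++ smeserver-libreswan-xl2tpd-0.5/root/etc/e-smith/templates.metadata/etc/sysconfig/modules/ip_xl2tpd.modules 2020-02-14 19:18:05.511203793 +0100
@@ -0,0 +1 @@
+PERMS=0755
\ No newline at end of file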
