ipsecXl2tpd.Notes
There can only be one L2TPD connection.
IP Ranges
Substitute x with your local LAN address.
Make sure the IPs are NOT in your server's DHCP range.
Note that the dhcpd.conf template checks the IPs and uses (pptpd sessions - 1) when it calculates the range. We could potentially use that.
e.g.
[root@test plugins]# config show dhcpd
dhcpd=service
Bootp=deny
end=192.168.97.100
start=192.168.97.65
status=disabled
Make sure you have a local user for PAM auth.
For now we need to set the right subnet to the same as the server's local subnet. This is used in /etc/ipsec.conf for the virtual hosts, but ignored in /etc/ipsec.d/ipsec.conf for now.
db ipsec_connections setprop L2TPD-PSK status disabled IPRangeStart 192.168.97.180 IPRangeFinish 192.168.97.200 passwd somesecret leftsourceip 192.168.97.1 leftsubnet 192.168.97.0/24
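Before running the db setprop line above it is worth checking that IPRangeStart/IPRangeFinish really sit inside leftsubnet and outside the dhcpd pool. The following Python script is an added example for these notes, not part of them or of SME Server: it parses text in the format that "config show dhcpd" prints (the sample embedded in it is constructed from the output shown above) and reports any conflict. The function names are assumptions made here.

```python
#!/usr/bin/env python3
# Added example (not from the notes or SME Server): validate a proposed
# L2TP IP range against the dhcpd settings before running
# 'db ipsec_connections setprop L2TPD-PSK ... IPRangeStart ... IPRangeFinish ...'.
# Function names are assumptions; the sample text below is constructed in the
# same format as 'config show dhcpd' prints on the server.
import ipaddress

SAMPLE_DHCPD = """dhcpd=service
Bootp=deny
end=192.168.97.100
start=192.168.97.65
status=disabled
"""


def parse_config_show(text):
    """Turn 'config show <key>' output (key=value per line) into a dict."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def ranges_overlap(a_first, a_last, b_first, b_last):
    """True if the inclusive address ranges [a_first, a_last] and
    [b_first, b_last] share at least one address."""
    return a_first <= b_last and b_first <= a_last


def check_l2tp_range(dhcpd_text, range_start, range_finish, left_subnet):
    """Return a list of problems; an empty list means the range is usable.

    Checks that the range is ordered, lies inside leftsubnet (and avoids the
    network and broadcast addresses), and does not overlap the DHCP pool."""
    problems = []
    subnet = ipaddress.ip_network(left_subnet, strict=False)
    first = ipaddress.ip_address(range_start)
    last = ipaddress.ip_address(range_finish)

    if first > last:
        problems.append("IPRangeStart %s is after IPRangeFinish %s" % (first, last))

    for name, addr in (("IPRangeStart", first), ("IPRangeFinish", last)):
        if addr not in subnet:
            problems.append("%s %s is outside leftsubnet %s" % (name, addr, subnet))
        elif addr in (subnet.network_address, subnet.broadcast_address):
            problems.append("%s %s is the network or broadcast address" % (name, addr))

    props = parse_config_show(dhcpd_text)
    if "start" in props and "end" in props:
        dhcp_first = ipaddress.ip_address(props["start"])
        dhcp_last = ipaddress.ip_address(props["end"])
        if ranges_overlap(first, last, dhcp_first, dhcp_last):
            problems.append(
                "range %s-%s overlaps the dhcpd pool %s-%s (dhcpd status=%s)"
                % (first, last, dhcp_first, dhcp_last, props.get("status", "unknown"))
            )
    return problems


if __name__ == "__main__":
    # The values from the db setprop line in the notes.
    for problem in check_l2tp_range(
        SAMPLE_DHCPD, "192.168.97.180", "192.168.97.200", "192.168.97.0/24"
    ) or ["range is usable"]:
        print(problem)
```

On the server you would feed it the live output, e.g. by piping "config show dhcpd" into the script instead of using SAMPLE_DHCPD. The overlap check runs even when dhcpd status is disabled, since the pool may be enabled later; the message records the status so you can decide.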
Enable the xl2tpd service
config setprop xl2tpd status enabled
And ipsec
config setprop ipsec status enabled
Run ipsec-update
Try to log in.
(You can regenerate the templates with remote-access update, as this will generate the templates but not stop/start/restart ipsec.)
DNS server defaults to the server internal IP. You can add more servers like this:
config setprop xl2tpd DNS 208.67.222.222,208.67.220.220
Debug - defaults to disabled.
You can enable debug like this:
config setprop xl2tpd debug enabled
# Need to stop xl2tpd if disabled. Key for xl2tpd?
SME authentication is in the latest 0.5.x
--- Use SME authent ---
xl2tpd.conf
Remove this line:
$OUT .= "unix authentication = yes\n";
options.xl2tpd
Add these at the bottom:
$OUT .= "plugin radius.so\n";
$OUT .= "radius-config-file /etc/radiusclient-ng/radiusclient.conf\n";
$OUT .= "refuse-pap\n";
$OUT .= "refuse-chap\n";
$OUT .= "refuse-mschap\n";
$OUT .= "require-mschap-v2 # Need MSCHAP-v2 to initialise encryption key\n";
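Once the templates above are expanded, the generated /etc/ppp/options.xl2tpd should refuse PAP, CHAP and MS-CHAPv1 and require MS-CHAPv2, and /etc/xl2tpd/xl2tpd.conf should no longer carry "unix authentication = yes". The Python lint below is an added example, not part of these notes or of SME Server; it works on constructed file contents that mirror the template lines above (a second, weakened options file and a conf fragment with the old line are constructed to show the failure case). Function names and the sample texts are assumptions made here. Note that pppd treats "#" as a comment start, so the inline comment on the require-mschap-v2 line has to be stripped before matching.

```python
#!/usr/bin/env python3
# Added example (not from the notes or SME Server): lint the two files the
# "Use SME authent" section edits. Confirms the pppd options generated from
# options.xl2tpd refuse PAP/CHAP/MS-CHAPv1 and require MS-CHAPv2, load the
# radius plugin, and that xl2tpd.conf no longer turns on unix authentication.
# Function names and the sample file contents are constructed assumptions.

# Constructed: what the options.xl2tpd template lines in the notes produce.
GOOD_OPTIONS = """plugin radius.so
radius-config-file /etc/radiusclient-ng/radiusclient.conf
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2 # Need MSCHAP-v2 to initialise encryption key
"""

# Constructed: an options file that still allows weaker methods.
WEAK_OPTIONS = """plugin radius.so
radius-config-file /etc/radiusclient-ng/radiusclient.conf
refuse-pap
require-mschap-v2
"""

# Constructed minimal xl2tpd.conf fragments, with and without the line the
# notes say to remove from the template.
CONF_WITH_UNIX_AUTH = """[lns default]
unix authentication = yes
pppoptfile = /etc/ppp/options.xl2tpd
"""
CONF_WITHOUT_UNIX_AUTH = """[lns default]
pppoptfile = /etc/ppp/options.xl2tpd
"""

REQUIRED_OPTIONS = ("refuse-pap", "refuse-chap", "refuse-mschap", "require-mschap-v2")


def pppd_tokens(text):
    """Split a pppd options file into option words, dropping '#' comments,
    including an inline comment after an option (as on the require-mschap-v2
    line in the notes)."""
    tokens = []
    for line in text.splitlines():
        code = line.split("#", 1)[0]
        tokens.extend(code.split())
    return tokens


def unix_auth_enabled(xl2tpd_conf):
    """True if xl2tpd.conf contains 'unix authentication = yes'.
    Whitespace and case are ignored; ';' and '#' comments are stripped."""
    for line in xl2tpd_conf.splitlines():
        line = line.split(";", 1)[0].split("#", 1)[0]
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "unix authentication" and value.strip().lower() == "yes":
            return True
    return False


def audit_auth(options_text, xl2tpd_conf):
    """Return the list of problems found; empty means the files match the notes."""
    problems = []
    tokens = pppd_tokens(options_text)
    for opt in REQUIRED_OPTIONS:
        if opt not in tokens:
            problems.append("options.xl2tpd is missing %s" % opt)
    # 'plugin radius.so' is two tokens: the pair must appear in that order.
    if ("plugin", "radius.so") not in zip(tokens, tokens[1:]):
        problems.append("options.xl2tpd does not load plugin radius.so")
    if unix_auth_enabled(xl2tpd_conf):
        problems.append("xl2tpd.conf still sets 'unix authentication = yes'")
    return problems


if __name__ == "__main__":
    for label, opts, conf in (
        ("good", GOOD_OPTIONS, CONF_WITHOUT_UNIX_AUTH),
        ("weak", WEAK_OPTIONS, CONF_WITH_UNIX_AUTH),
    ):
        print(label, audit_auth(opts, conf) or ["ok"])
```

To check the real files, read /etc/ppp/options.xl2tpd and /etc/xl2tpd/xl2tpd.conf after running the template expansion and pass their contents to audit_auth in place of the constructed samples.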
/etc/pam.d/ppp
Set to SME default (this is not normally templated)
[root@home pam.d]# cat /etc/pam.d/ppp
#%PAM-1.0
auth include password-auth
account required pam_nologin.so
account include password-auth
session include password-auth