initial commit of file from CVS for smeserver-libreswan-xl2tpd on Sat Sep 7 20:33:35 AEST 2024

2024-09-07 20:33:35 +10:00
parent a0366c8ad7
commit 3cfea3f615
31 changed files with 1116 additions and 2 deletions
--- a/root/etc/e-smith/db/configuration/defaults/xl2tpd/UDPPort
+++ b/root/etc/e-smith/db/configuration/defaults/xl2tpd/UDPPort
@@ -0,0 +1 @@
+1701
--- a/root/etc/e-smith/db/configuration/defaults/xl2tpd/access
+++ b/root/etc/e-smith/db/configuration/defaults/xl2tpd/access
@@ -0,0 +1 @@
+private
--- a/root/etc/e-smith/db/configuration/defaults/xl2tpd/status
+++ b/root/etc/e-smith/db/configuration/defaults/xl2tpd/status
@@ -0,0 +1 @@
+disabled
--- a/root/etc/e-smith/db/configuration/defaults/xl2tpd/type
+++ b/root/etc/e-smith/db/configuration/defaults/xl2tpd/type
@@ -0,0 +1 @@
+service
--- a/root/etc/e-smith/db/ipsec_connections/defaults/L2TPD-PSK/connectiontype
+++ b/root/etc/e-smith/db/ipsec_connections/defaults/L2TPD-PSK/connectiontype
@@ -0,0 +1 @@
+transport
--- a/root/etc/e-smith/db/ipsec_connections/defaults/L2TPD-PSK/dpdaction
+++ b/root/etc/e-smith/db/ipsec_connections/defaults/L2TPD-PSK/dpdaction
@@ -0,0 +1 @@
+clear
--- a/root/etc/e-smith/db/ipsec_connections/defaults/L2TPD-PSK/dpddelay
+++ b/root/etc/e-smith/db/ipsec_connections/defaults/L2TPD-PSK/dpddelay
@@ -0,0 +1 @@
+10
--- a/root/etc/e-smith/db/ipsec_connections/defaults/L2TPD-PSK/dpdtimeout
+++ b/root/etc/e-smith/db/ipsec_connections/defaults/L2TPD-PSK/dpdtimeout
@@ -0,0 +1 @@
+90
--- a/root/etc/e-smith/db/ipsec_connections/defaults/L2TPD-PSK/status
+++ b/root/etc/e-smith/db/ipsec_connections/defaults/L2TPD-PSK/status
@@ -0,0 +1 @@
+disabled
--- a/root/etc/e-smith/db/ipsec_connections/defaults/L2TPD-PSK/type
+++ b/root/etc/e-smith/db/ipsec_connections/defaults/L2TPD-PSK/type
@@ -0,0 +1 @@
+xl2tpd
--- a/root/etc/e-smith/events/actions/xl2tpd-interface-access
+++ b/root/etc/e-smith/events/actions/xl2tpd-interface-access
@@ -0,0 +1,63 @@
+#!/usr/bin/perl -w
+
+#----------------------------------------------------------------------
+# copyright (C) 2002 Mitel Networks Corporaton.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+#
+# Technical support for this program is available from e-smith, inc.
+# For details, please visit our web site at www.e-smith.com or
+# call us on 1 888 ESMITH 1 (US/Canada toll free) or +1 613 564 8000
+#----------------------------------------------------------------------
+
+package esmith;
+
+use strict;
+use Errno;
+use esmith::util;
+use esmith::ConfigDB;
+
+use constant SIGEVENT => '/sbin/e-smith/signal-event';
+
+my $db = esmith::ConfigDB->open;
+my $xl2tpd = $db->get('xl2tpd');
+my %ifaces = map { $_ => 1 } split /,/, $xl2tpd->prop('Interfaces') || '';
+
+my $event = $ARGV[0] || die "Event name must be given\n";
+my $ipparam = $ARGV[6] || "(none)";
+exit 0 unless ($ipparam eq "xl2tpd");
+my $interface = $ARGV[1] || die "Couldn't determine interface name\n";
+
+if ($event eq "ip-down")
+{
+    # Remove this interface.
+    if (exists $ifaces{$interface})
+    {
+	delete $ifaces{$interface};
+    }
+}
+elsif ($event eq "ip-up.xl2tpd")
+{
+    # Add this interface.
+    $ifaces{$interface} = 1;
+}
+else
+{
+    die "Don't know what to do for event $event\n";
+}
+
+$xl2tpd->set_prop('Interfaces', join ',', keys %ifaces);
+
+exit(0);
--- a/root/etc/e-smith/templates.metadata/etc/sysconfig/modules/ip_xl2tpd.modules
+++ b/root/etc/e-smith/templates.metadata/etc/sysconfig/modules/ip_xl2tpd.modules
@@ -0,0 +1 @@
+PERMS=0755
--- a/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/20defaultL2tpd
+++ b/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/20defaultL2tpd
@@ -0,0 +1,94 @@
+{
+    use strict;
+    use warnings;
+    use esmith::ConfigDB;
+
+    my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
+    my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') or die("cant connect to ipsec database");
+    my $ipsecDBkey  = "ipsec";
+    my $xl2tpdDBkey = "xl2tpd";
+    my $ipsecprop   = "L2TPD-PSK";
+    my $systemMode  = $configDB->get("SystemMode")->value;
+
+    if ( $systemMode ne 'servergateway' ) {
+        $OUT .= "# L2TPD - System not in Server Gateway mode\n";
+    }
+
+    elsif ( $configDB->get_prop( $ipsecDBkey, 'status' ) ne 'enabled' ) {
+        $OUT .= "# ipsec is disabled\n";
+    }
+
+    elsif ( $configDB->get_prop( $xl2tpdDBkey, 'status' ) ne 'enabled' ) {
+        $OUT .= "# xl2tpd is disabled\n";
+    }
+
+    elsif ( $ipsecDB->get_prop( $ipsecprop, 'status' ) ne 'enabled' ) {
+        $OUT .= "# l2tpd connection is disabled\n";
+    }
+
+    else {
+
+        # Currently most of these are hard coded but could come from the DB key
+
+        # For nat connections you can use "vhost:%no,%priv"
+        # See above
+        # https://github.com/libreswan/libreswan/blob/master/docs/examples/l2tp-psk.conf
+        # see https://libreswan.org/man/ipsec.conf.5.html -> leftsubnet
+
+        $OUT .= "conn $ipsecprop\n";
+        $OUT .= "    authby=secret\n";
+        $OUT .= "    pfs=no\n";
+        $OUT .= "    auto=add\n";
+        $OUT .= "    keyingtries=3\n";
+        $OUT .= "    rekey=no\n";
+        $OUT .= "    type=transport\n";
+        $OUT .= "    encapsulation=yes\n";
+        $OUT .= "    right=%any\n";
+        $OUT .= "    rightprotoport=17/%any\n";
+        $OUT .= "    # Using the magic port of \"0\" means \"any one single port\". This is\n";
+        $OUT .= "    # a work around required for Apple OSX clients that use a randomly\n";
+        $OUT .= "    # high port, but propose \"0\" instead of their port.\n";
+        $OUT .= "    left=%defaultroute\n";
+        $OUT .= "    leftprotoport=17/1701\n";
+        $OUT .= "    # Permit Ike v1 for older xl2tpd connections/clients\n";
+        $OUT .= "    ikev2=never\n";
+
+        $OUT .= "    # Apple iOS doesn't send delete notify so we need dead peer detection\n";
+        $OUT .= "    # to detect vanishing clients\n";
+
+        my $dpddelay = $ipsecDB->get_prop( $ipsecprop, 'dpddelay' ) || "10\n";
+        $OUT .= "    dpddelay=$dpddelay\n";
+
+        my $dpdtimeout = $ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' ) || "90\n";
+        $OUT .= "    dpdtimeout=$dpdtimeout\n";
+
+        my $dpdaction = $ipsecDB->get_prop( $ipsecprop, 'dpdaction' ) || "clear\n";
+        $OUT .= "    dpdaction=$dpdaction\n";
+
+        # Some additional config entries if required
+        # right subnet would not normally be used as it is used above
+
+        # Removing rightsubnet entirely. If required it is added in the -NAT section
+        # Unlike standard ipsec we use the rightsubnet key to fix
+        # the vhosts in /etc/ipsec.conf only
+
+        my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' ) || '';
+        if ( $leftsourceip ne '' ) {
+            $OUT .= "    leftsourceip=$leftsourceip\n";
+        }
+
+        my $leftsubnet = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' ) || '';
+        if ( $leftsubnet ne '' ) {
+            $OUT .= "    leftsubnet=$leftsubnet\n";
+        }
+
+        # For L2TPD we really want vhost:%priv unless someone has a really good reason not too
+        # We leave that option in
+        my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || "vhost:%priv";
+
+        $OUT .= "conn $ipsecprop-NAT\n";
+        $OUT .= "    rightsubnet=$rightsubnet\n";
+        $OUT .= "    also=$ipsecprop\n";
+
+    }
+}
--- a/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/20PasswordsL2tpd
+++ b/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/20PasswordsL2tpd
@@ -0,0 +1,37 @@
+{
+    use strict;
+    use warnings;
+    use esmith::ConfigDB;
+
+    my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
+    my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') or die("cant connect to ipsec database");
+    my $ipsecDBkey  = "ipsec";
+    my $xl2tpdDBkey = "xl2tpd";
+    my $ipsecprop   = "L2TPD-PSK";
+
+    my $systemMode = $configDB->get("SystemMode")->value;
+    my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" );
+
+    if ( $systemMode ne 'servergateway' ) {
+        $OUT .= "# L2TPD - System not in Server Gateway mode\n";
+    }
+
+    elsif ( $configDB->get_prop( $ipsecDBkey, 'status' ) ne 'enabled' ) {
+        $OUT .= "# ipsec is disabled\n";
+    }
+
+    elsif ( $configDB->get_prop( $xl2tpdDBkey, 'status' ) ne 'enabled' ) {
+        $OUT .= "# xl2tpd is disabled\n";
+    }
+
+    elsif ( $ipsecDB->get_prop( $ipsecprop, 'status' ) ne 'enabled' ) {
+        $OUT .= "# l2tpd connection is disabled\n";
+    }
+
+    else {
+        my $right  = $ipsecDB->get_prop( $ipsecprop, 'right' )  || '%any';
+        my $passwd = $ipsecDB->get_prop( $ipsecprop, 'passwd' ) || '';
+        $OUT .= "$ExternalIP $right \: PSK \"$passwd\"";
+        $OUT .= "\n";
+    }
+}
--- a/root/etc/e-smith/templates/etc/pam.d/ppp/10defaults
+++ b/root/etc/e-smith/templates/etc/pam.d/ppp/10defaults
@@ -0,0 +1,43 @@
+{
+    use strict;
+    use warnings;
+    use esmith::ConfigDB;
+
+    my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
+    my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') or die("cant connect to ipsec database");
+    my $ipsecDBkey  = "ipsec";
+    my $xl2tpdDBkey = "xl2tpd";
+    my $ipsecprop   = "L2TPD-PSK";
+    my $systemMode  = $configDB->get("SystemMode")->value;
+
+    if ( $systemMode ne 'servergateway' ) {
+        $OUT .= "# L2TPD - System not in Server Gateway mode\n";
+    }
+
+    elsif ( $configDB->get_prop( $ipsecDBkey, 'status' ) ne 'enabled' ) {
+        $OUT .= "# ipsec is disabled\n";
+    }
+
+    elsif ( $configDB->get_prop( $xl2tpdDBkey, 'status' ) ne 'enabled' ) {
+        $OUT .= "# xl2tpd is disabled\n";
+    }
+
+    elsif ( $ipsecDB->get_prop( $ipsecprop, 'status' ) ne 'enabled' ) {
+        $OUT .= "# ipsec l2tpd connection is disabled\n";
+    }
+
+    else {
+        $OUT .= "#x2ltpd\n";
+# This was the original L2TPD code
+#        $OUT .= "auth    required        pam_nologin.so\n";
+#        $OUT .= "auth    required        pam_unix.so\n";
+#        $OUT .= "account required        pam_unix.so\n";
+#        $OUT .= "session required        pam_unix.so\n";
+
+# This is the original untemplated ppp code which works with L2TPD
+        $OUT .= "auth       include	password-auth\n";
+        $OUT .= "account    required	pam_nologin.so\n";
+        $OUT .= "account    include	password-auth\n";
+        $OUT .= "session    include	password-auth\n";
+    }
+}
--- a/root/etc/e-smith/templates/etc/ppp/ip-up.local/30ipparam30xl2tpd
+++ b/root/etc/e-smith/templates/etc/ppp/ip-up.local/30ipparam30xl2tpd
@@ -0,0 +1,11 @@
+{
+    my $status = ${'xl2tpd'}{'debug'} || 'disabled';
+
+        $OUT .= "    xl2tpd)\n";
+
+        if ( $status eq 'enabled' ) {
+            $OUT .= "        echo xl2tpd \"$@\" |logger -t \"xl2tpd-ip-up\" \n";
+        }
+        $OUT .= "       /sbin/e-smith/signal-event ip-up.xl2tpd \"\$@\" \n";
+        $OUT .= "                        ;;";
+}
--- a/root/etc/e-smith/templates/etc/ppp/options.xl2tpd/10default
+++ b/root/etc/e-smith/templates/etc/ppp/options.xl2tpd/10default
@@ -0,0 +1,78 @@
+{
+    use strict;
+    use warnings;
+    use esmith::ConfigDB;
+
+    my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
+    my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') or die("cant connect to ipsec database");
+
+    my $ipsecDBkey  = "ipsec";
+    my $xl2tpdDBkey = "xl2tpd";
+    my $ipsecprop   = "L2TPD-PSK";
+
+    if ( $configDB->get_prop( $ipsecDBkey, 'status' ) ne 'enabled' ) {
+        $OUT .= "# ipsec is disabled\n";
+    }
+
+    elsif ( $configDB->get_prop( $xl2tpdDBkey, 'status' ) ne 'enabled' ) {
+        $OUT .= "# xl2tpd is disabled\n";
+    }
+
+    elsif ( $ipsecDB->get_prop( $ipsecprop, 'status' ) ne 'enabled' ) {
+        $OUT .= "# l2tpd connection is disabled\n";
+    }
+    else {
+        my $InternalIP = $configDB->get_prop( "InternalInterface", 'IPAddress' );
+        my $DNS        = $configDB->get_prop( "xl2tpd",            'DNS' ) || '';
+        my $debug      = $configDB->get_prop( "xl2tpd",            'debug' ) || 'disabled';
+        my $mtu        = $configDB->get_prop( "xl2tpd",            'mtu' ) || '1400';
+        my @DNSArray = split( /,/, $DNS );
+        
+        $OUT .= "#x2ltpd\n";
+        $OUT .= "login\n";
+
+        # https://github.com/xelerance/xl2tpd/blob/master/examples/ppp-options.xl2tpd
+
+        $OUT .= "ipparam xl2tpd\n";
+        $OUT .= "ipcp-accept-local\n";
+        $OUT .= "ipcp-accept-remote\n";
+        if ( $InternalIP ne '' ) {
+            $OUT .= "ms-dns $InternalIP\n";
+        }
+        unless ($DNS eq ''){
+            foreach my $IP (@DNSArray) {
+                $OUT .= "ms-dns $IP\n";
+            }
+        }
+        $OUT .= "noccp\n";        
+        $OUT .= "auth\n";
+        $OUT .= "idle 800\n";
+        $OUT .= "mtu $mtu\n";
+        $OUT .= "mru $mtu\n";
+        $OUT .= "nodefaultroute\n";
+        if ( $debug eq 'enabled' ) {
+            $OUT .= "debug\n";
+        }
+        $OUT .= "proxyarp\n";
+        $OUT .= "connect-delay 5000\n";
+        
+        # Beyond here are additional parameters required
+        
+        $OUT .= "hide-password\n";
+        $OUT .= "name l2tpd\n";
+
+        # Following the main examples we shoudln't need these
+        # $OUT .= "lcp-echo-interval 30\n";
+        # $OUT .= "lcp-echo-failure 4\n";
+        
+        # This section allows us to authenticate against SME users
+        $OUT .= "plugin radius.so\n";
+        $OUT .= "radius-config-file /etc/radiusclient-ng/radiusclient.conf\n";
+        $OUT .= "refuse-pap\n";
+        $OUT .= "refuse-chap\n";
+        $OUT .= "refuse-mschap\n";
+        $OUT .= "require-mschap-v2 # Need MSCHAP-v2 to initialise encryption key\n";
+
+
+    }
+}
--- a/root/etc/e-smith/templates/etc/ppp/pap-secrets/10defaults
+++ b/root/etc/e-smith/templates/etc/ppp/pap-secrets/10defaults
@@ -0,0 +1,20 @@
+{
+    use strict;
+    use warnings;
+    use esmith::ConfigDB;
+
+    my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
+    my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') or die("cant connect to ipsec database");
+
+    my $ipsecprop = "L2TPD-PSK";
+
+    if ( $ipsecDB->get_prop( $ipsecprop, 'status' ) ne 'enabled' ) {
+        $OUT .= "# l2tpd connection is disabled\n";
+    }
+    else {
+        $OUT .= "# x2ltpd - for use with PAM authentication\n";
+        # Not required for radius authent
+        # $OUT .= "\*       l2tpd           \"\"              \*\n";        
+        $OUT .= "\n";
+    }
+}
--- a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsecL2TPD
+++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsecL2TPD
@@ -0,0 +1,14 @@
+{
+    my $xl2tpd_status = $xl2tpd{status} || '';
+    my $xl2tpd_dport = $xl2tpd{UDPPort} || '1701';
+    if ( $xl2tpd_status eq 'enabled' ) {
+        $OUT .= "  # Ports for Libreswan / xl2tpd\n";
+        $OUT .= "  # Allow 1701 or other port via ipsec\n";
+        $OUT .= "  /sbin/iptables -A INPUT -m policy --dir in --pol ipsec -p udp --dport $xl2tpd_dport -j ACCEPT\n";
+        $OUT .= "  # Disallow generic 1701 or other port\n";
+        $OUT .= "  /sbin/iptables -A INPUT -p udp --dport $xl2tpd_dport -j DROP\n";
+    }
+    else {
+        $OUT .= "  # 40AllowIPsecL2TPD access disabled\n";
+    }
+}
--- a/root/etc/e-smith/templates/etc/sysconfig/modules/ip_xl2tpd.modules
+++ b/root/etc/e-smith/templates/etc/sysconfig/modules/ip_xl2tpd.modules
@@ -0,0 +1,19 @@
+{
+    use strict;
+    use warnings;
+    use esmith::ConfigDB;
+
+    my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
+    my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') or die("cant connect to ipsec database");
+    my $ipsecDBkey  = "ipsec";
+    my $xl2tpdDBkey = "xl2tpd";
+    my $ipsecprop   = "L2TPD-PSK";
+
+    if ( $configDB->get_prop( $xl2tpdDBkey, 'status' ) eq 'enabled' ) {
+        $OUT .= "#!/bin/sh\n";
+        $OUT .= "exec /sbin/modprobe pppol2tp 2>&1\n";
+    }
+    else {
+        $OUT .= "# xl2tpd is disabled\n";
+    }
+}
--- a/root/etc/e-smith/templates/etc/xl2tpd/xl2tpd.conf/20default
+++ b/root/etc/e-smith/templates/etc/xl2tpd/xl2tpd.conf/20default
@@ -0,0 +1,63 @@
+{
+    use strict;
+    use warnings;
+    use esmith::ConfigDB;
+
+    my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
+    my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') or die("cant connect to ipsec database");
+    my $ipsecDBkey  = "ipsec";
+    my $xl2tpdDBkey = "xl2tpd";
+    my $ipsecprop   = "L2TPD-PSK";
+
+    if ( $configDB->get_prop( $ipsecDBkey, 'status' ) ne 'enabled' ) {
+        $OUT .= "# ipsec is disabled\n";
+    }
+
+    elsif ( $configDB->get_prop( $xl2tpdDBkey, 'status' ) ne 'enabled' ) {
+        $OUT .= "# xl2tpd is disabled\n";
+    }
+
+    elsif ( $ipsecDB->get_prop( $ipsecprop, 'status' ) ne 'enabled' ) {
+        $OUT .= "# No LTPD Ipsec connection found\n";
+    }
+
+    else {
+        my $listenAddr = $configDB->get_prop( 'ExternalInterface', 'IPAddress');
+        my $InternalIP = $configDB->get_prop( 'InternalInterface', 'IPAddress' );
+        my $ipRangeStart  = $ipsecDB->get_prop( $ipsecprop, 'IPRangeStart' );
+        my $ipRangeFinish = $ipsecDB->get_prop( $ipsecprop, 'IPRangeFinish' );
+        my $debug = $configDB->get_prop( $xl2tpdDBkey, 'debug' ) || 'disabled';
+        my $maxRetries = $configDB->get_prop( $xl2tpdDBkey, 'maxRetries' ) || '5';
+
+        # https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_with_L2TP
+        # Now have kernel support with modprobe pppol2tpd
+        # So userspace and saref disabled/left at default
+        $OUT .= "[global]\n";
+        $OUT .= ";ipsec saref = yes\n";
+        $OUT .= ";force userspace = yes\n";
+        $OUT .= "listen-addr = $listenAddr\n";
+        $OUT .= "max retries = $maxRetries\n";
+
+        if ( $debug eq 'enabled' ) {
+            $OUT .= "debug avp = yes\n";
+            $OUT .= "debug network = yes\n";
+            $OUT .= "debug state = yes\n";
+            $OUT .= "debug tunnel = yes\n";
+        }
+        $OUT .= "\n";
+        $OUT .= "[lns default]\n";
+        $OUT .= "name=L2TP-VPN\n";
+        $OUT .= "ip range = $ipRangeStart-$ipRangeFinish\n";
+        $OUT .= "local ip = $InternalIP\n";
+
+        # Following removed for local radious authentication
+        # $OUT .= "unix authentication = yes\n";
+        $OUT .= "require authentication = yes\n";
+        if ( $debug eq 'enabled' ) {
+            $OUT .= "ppp debug = yes\n";
+        }
+        $OUT .= "pppoptfile = /etc/ppp/options.xl2tpd\n";
+        $OUT .= "length bit = yes\n";
+
+    }
+}
--- a/root/etc/e-smith/templates/etc/xl2tpd/xl2tpd.conf/template-begin
+++ b/root/etc/e-smith/templates/etc/xl2tpd/xl2tpd.conf/template-begin
--- a/root/usr/lib/systemd/system/ipsec.service.d/50koozali.conf
+++ b/root/usr/lib/systemd/system/ipsec.service.d/50koozali.conf
@@ -0,0 +1,5 @@
+[Unit]
+After=network.target network.service wan.service
+[Install]
+WantedBy=sme-server.target
+
--- a/root/usr/lib/systemd/system/xl2tpd.service.d/50koozali.conf
+++ b/root/usr/lib/systemd/system/xl2tpd.service.d/50koozali.conf
@@ -0,0 +1,5 @@
+[Unit]
+After=network.target network.service wan.service
+[Install]
+WantedBy=sme-server.target
+