initial commit of file from CVS for smeserver-libreswan-xl2tpd on Sat Sep 7 20:33:35 AEST 2024

This commit is contained in:
Trevor Batley
2024-09-07 20:33:35 +10:00
parent a0366c8ad7
commit 3cfea3f615
31 changed files with 1116 additions and 2 deletions


@@ -0,0 +1 @@
1701


@@ -0,0 +1 @@
private


@@ -0,0 +1 @@
disabled


@@ -0,0 +1 @@
service


@@ -0,0 +1 @@
transport


@@ -0,0 +1 @@
clear


@@ -0,0 +1 @@
10


@@ -0,0 +1 @@
disabled


@@ -0,0 +1 @@
xl2tpd


@@ -0,0 +1,63 @@
#!/usr/bin/perl -w
#----------------------------------------------------------------------
# copyright (C) 2002 Mitel Networks Corporaton.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Technical support for this program is available from e-smith, inc.
# For details, please visit our web site at www.e-smith.com or
# call us on 1 888 ESMITH 1 (US/Canada toll free) or +1 613 564 8000
#----------------------------------------------------------------------
package esmith;
use strict;
use Errno;
use esmith::util;
use esmith::ConfigDB;
use constant SIGEVENT => '/sbin/e-smith/signal-event';
my $db = esmith::ConfigDB->open;
my $xl2tpd = $db->get('xl2tpd');
my %ifaces = map { $_ => 1 } split /,/, $xl2tpd->prop('Interfaces') || '';
my $event = $ARGV[0] || die "Event name must be given\n";
my $ipparam = $ARGV[6] || "(none)";
exit 0 unless ($ipparam eq "xl2tpd");
my $interface = $ARGV[1] || die "Couldn't determine interface name\n";
if ($event eq "ip-down")
{
# Remove this interface.
if (exists $ifaces{$interface})
{
delete $ifaces{$interface};
}
}
elsif ($event eq "ip-up.xl2tpd")
{
# Add this interface.
$ifaces{$interface} = 1;
}
else
{
die "Don't know what to do for event $event\n";
}
$xl2tpd->set_prop('Interfaces', join ',', keys %ifaces);
exit(0);
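Review bot: The `$db->get('xl2tpd')` lookup near the top of the script is never checked, so if the `xl2tpd` record is absent the next line dies inside `$xl2tpd->prop(...)` with a "method on undefined value" message rather than a useful one; write `my $xl2tpd = $db->get('xl2tpd') or die "No xl2tpd record in configuration database\n";`. `use Errno;`, `use esmith::util;` and the `SIGEVENT` constant are not referenced anywhere in the file and can be dropped. The `Interfaces` property is handled as an unlocked read-modify-write (read into `%ifaces` at the top, written back with `set_prop` on the last line), so two ip-up/ip-down events arriving together could overwrite each other's change unless ConfigDB serialises writers itself — worth confirming before relying on this list for anything that matters.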


@@ -0,0 +1 @@
PERMS=0755


@@ -0,0 +1,94 @@
{
use strict;
use warnings;
use esmith::ConfigDB;
my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') or die("cant connect to ipsec database");
my $ipsecDBkey = "ipsec";
my $xl2tpdDBkey = "xl2tpd";
my $ipsecprop = "L2TPD-PSK";
my $systemMode = $configDB->get("SystemMode")->value;
if ( $systemMode ne 'servergateway' ) {
$OUT .= "# L2TPD - System not in Server Gateway mode\n";
}
elsif ( $configDB->get_prop( $ipsecDBkey, 'status' ) ne 'enabled' ) {
$OUT .= "# ipsec is disabled\n";
}
elsif ( $configDB->get_prop( $xl2tpdDBkey, 'status' ) ne 'enabled' ) {
$OUT .= "# xl2tpd is disabled\n";
}
elsif ( $ipsecDB->get_prop( $ipsecprop, 'status' ) ne 'enabled' ) {
$OUT .= "# l2tpd connection is disabled\n";
}
else {
# Currently most of these are hard coded but could come from the DB key
# For nat connections you can use "vhost:%no,%priv"
# See above
# https://github.com/libreswan/libreswan/blob/master/docs/examples/l2tp-psk.conf
# see https://libreswan.org/man/ipsec.conf.5.html -> leftsubnet
$OUT .= "conn $ipsecprop\n";
$OUT .= " authby=secret\n";
$OUT .= " pfs=no\n";
$OUT .= " auto=add\n";
$OUT .= " keyingtries=3\n";
$OUT .= " rekey=no\n";
$OUT .= " type=transport\n";
$OUT .= " encapsulation=yes\n";
$OUT .= " right=%any\n";
$OUT .= " rightprotoport=17/%any\n";
$OUT .= " # Using the magic port of \"0\" means \"any one single port\". This is\n";
$OUT .= " # a work around required for Apple OSX clients that use a randomly\n";
$OUT .= " # high port, but propose \"0\" instead of their port.\n";
$OUT .= " left=%defaultroute\n";
$OUT .= " leftprotoport=17/1701\n";
$OUT .= " # Permit Ike v1 for older xl2tpd connections/clients\n";
$OUT .= " ikev2=never\n";
$OUT .= " # Apple iOS doesn't send delete notify so we need dead peer detection\n";
$OUT .= " # to detect vanishing clients\n";
my $dpddelay = $ipsecDB->get_prop( $ipsecprop, 'dpddelay' ) || "10\n";
$OUT .= " dpddelay=$dpddelay\n";
my $dpdtimeout = $ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' ) || "90\n";
$OUT .= " dpdtimeout=$dpdtimeout\n";
my $dpdaction = $ipsecDB->get_prop( $ipsecprop, 'dpdaction' ) || "clear\n";
$OUT .= " dpdaction=$dpdaction\n";
# Some additional config entries if required
# right subnet would not normally be used as it is used above
# Removing rightsubnet entirely. If required it is added in the -NAT section
# Unlike standard ipsec we use the rightsubnet key to fix
# the vhosts in /etc/ipsec.conf only
my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' ) || '';
if ( $leftsourceip ne '' ) {
$OUT .= " leftsourceip=$leftsourceip\n";
}
my $leftsubnet = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' ) || '';
if ( $leftsubnet ne '' ) {
$OUT .= " leftsubnet=$leftsubnet\n";
}
# For L2TPD we really want vhost:%priv unless someone has a really good reason not too
# We leave that option in
my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || "vhost:%priv";
$OUT .= "conn $ipsecprop-NAT\n";
$OUT .= " rightsubnet=$rightsubnet\n";
$OUT .= " also=$ipsecprop\n";
}
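Review bot: The fallback values on the dpddelay, dpdtimeout and dpdaction lines carry an embedded newline (`|| "10\n"`, `|| "90\n"`, `|| "clear\n"`) and the value is then appended with a second `\n`, so whenever the property is unset the generated conn block gets `dpddelay=10` followed by a blank line, which breaks the indented block layout; change them to `|| '10'`, `|| '90'` and `|| 'clear'`. The three-line comment about the "magic port of 0" sits under `rightprotoport=17/%any`, which does not use port 0, so it looks like a leftover from an earlier version of the template and should either be updated or removed. Values read from the DB are interpolated as-is, so a stray newline or space in `dpdaction` or `leftsubnet` would land in ipsec.conf unchanged; a `chomp`/trim after `get_prop` would make the output predictable.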
}


@@ -0,0 +1,37 @@
{
use strict;
use warnings;
use esmith::ConfigDB;
my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') or die("cant connect to ipsec database");
my $ipsecDBkey = "ipsec";
my $xl2tpdDBkey = "xl2tpd";
my $ipsecprop = "L2TPD-PSK";
my $systemMode = $configDB->get("SystemMode")->value;
my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" );
if ( $systemMode ne 'servergateway' ) {
$OUT .= "# L2TPD - System not in Server Gateway mode\n";
}
elsif ( $configDB->get_prop( $ipsecDBkey, 'status' ) ne 'enabled' ) {
$OUT .= "# ipsec is disabled\n";
}
elsif ( $configDB->get_prop( $xl2tpdDBkey, 'status' ) ne 'enabled' ) {
$OUT .= "# xl2tpd is disabled\n";
}
elsif ( $ipsecDB->get_prop( $ipsecprop, 'status' ) ne 'enabled' ) {
$OUT .= "# l2tpd connection is disabled\n";
}
else {
my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '%any';
my $passwd = $ipsecDB->get_prop( $ipsecprop, 'passwd' ) || '';
$OUT .= "$ExternalIP $right \: PSK \"$passwd\"";
$OUT .= "\n";
}
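Review bot: In the else branch a missing or empty `passwd` property still produces a full `... : PSK ""` line, so the secrets file silently carries an empty pre-shared key instead of making the misconfiguration visible; emit a comment and skip the entry when `$passwd` is empty. The value is also interpolated into the quoted string without any escaping, so a key containing a double quote would break the ipsec.secrets syntax — at minimum reject such values or document the restriction. The `\:` in the format string is an unrecognised escape that `use warnings` reports as "Unrecognized escape \: passed through"; a plain `:` is what the file needs. Since this template writes the PSK to disk, confirm elsewhere in the package that the generated file's permissions are restricted to root.

```perl
    my $right  = $ipsecDB->get_prop( $ipsecprop, 'right' )  || '%any';
    my $passwd = $ipsecDB->get_prop( $ipsecprop, 'passwd' ) || '';
    if ( $passwd eq '' ) {
        $OUT .= "# $ipsecprop: no passwd property set in ipsec_connections, secret not written\n";
    }
    elsif ( $passwd =~ /"/ ) {
        $OUT .= "# $ipsecprop: passwd contains a double quote, secret not written\n";
    }
    else {
        $OUT .= "$ExternalIP $right : PSK \"$passwd\"\n";
    }
```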
}


@@ -0,0 +1,43 @@
{
use strict;
use warnings;
use esmith::ConfigDB;
my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') or die("cant connect to ipsec database");
my $ipsecDBkey = "ipsec";
my $xl2tpdDBkey = "xl2tpd";
my $ipsecprop = "L2TPD-PSK";
my $systemMode = $configDB->get("SystemMode")->value;
if ( $systemMode ne 'servergateway' ) {
$OUT .= "# L2TPD - System not in Server Gateway mode\n";
}
elsif ( $configDB->get_prop( $ipsecDBkey, 'status' ) ne 'enabled' ) {
$OUT .= "# ipsec is disabled\n";
}
elsif ( $configDB->get_prop( $xl2tpdDBkey, 'status' ) ne 'enabled' ) {
$OUT .= "# xl2tpd is disabled\n";
}
elsif ( $ipsecDB->get_prop( $ipsecprop, 'status' ) ne 'enabled' ) {
$OUT .= "# ipsec l2tpd connection is disabled\n";
}
else {
$OUT .= "#x2ltpd\n";
# This was the original L2TPD code
# $OUT .= "auth required pam_nologin.so\n";
# $OUT .= "auth required pam_unix.so\n";
# $OUT .= "account required pam_unix.so\n";
# $OUT .= "session required pam_unix.so\n";
# This is the original untemplated ppp code which works with L2TPD
$OUT .= "auth include password-auth\n";
$OUT .= "account required pam_nologin.so\n";
$OUT .= "account include password-auth\n";
$OUT .= "session include password-auth\n";
}
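Review bot: The marker comment written on the first line of the else branch reads `#x2ltpd`, a transposition of the daemon's name; the same misspelling is written by the ppp options template (`#x2ltpd`) and the PAM-auth template (`# x2ltpd - for use with PAM authentication`) later in this commit, so fix all three to `#xl2tpd`. The four commented-out `$OUT .=` lines labelled "original L2TPD code" are dead code inside a generated-config template; the comment on the next line already says which variant is in use, so they can be removed without losing information.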
}


@@ -0,0 +1,11 @@
{
my $status = ${'xl2tpd'}{'debug'} || 'disabled';
$OUT .= " xl2tpd)\n";
if ( $status eq 'enabled' ) {
$OUT .= " echo xl2tpd \"$@\" |logger -t \"xl2tpd-ip-up\" \n";
}
$OUT .= " /sbin/e-smith/signal-event ip-up.xl2tpd \"\$@\" \n";
$OUT .= " ;;";
}
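Review bot: On the `echo xl2tpd` line inside the debug branch `$@` is written unescaped in a Perl double-quoted string, so Perl interpolates its own eval-error variable (normally empty) and the generated shell fragment becomes `echo xl2tpd "" |logger ...`, logging nothing useful; the signal-event line two lines below escapes it correctly, so change the first to `$OUT .= " echo xl2tpd \"\$@\" |logger -t \"xl2tpd-ip-up\" \n";`. The status lookup `${'xl2tpd'}{'debug'}` uses a symbolic reference where the firewall fragment in this same commit writes the plain `$xl2tpd{status}`; use the plain hash form here too so both fragments read the same way and behave under `strict refs`. The closing `" ;;"` is emitted without a trailing newline, which presumably relies on the next fragment starting with one — confirm.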


@@ -0,0 +1,78 @@
{
use strict;
use warnings;
use esmith::ConfigDB;
my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') or die("cant connect to ipsec database");
my $ipsecDBkey = "ipsec";
my $xl2tpdDBkey = "xl2tpd";
my $ipsecprop = "L2TPD-PSK";
if ( $configDB->get_prop( $ipsecDBkey, 'status' ) ne 'enabled' ) {
$OUT .= "# ipsec is disabled\n";
}
elsif ( $configDB->get_prop( $xl2tpdDBkey, 'status' ) ne 'enabled' ) {
$OUT .= "# xl2tpd is disabled\n";
}
elsif ( $ipsecDB->get_prop( $ipsecprop, 'status' ) ne 'enabled' ) {
$OUT .= "# l2tpd connection is disabled\n";
}
else {
my $InternalIP = $configDB->get_prop( "InternalInterface", 'IPAddress' );
my $DNS = $configDB->get_prop( "xl2tpd", 'DNS' ) || '';
my $debug = $configDB->get_prop( "xl2tpd", 'debug' ) || 'disabled';
my $mtu = $configDB->get_prop( "xl2tpd", 'mtu' ) || '1400';
my @DNSArray = split( /,/, $DNS );
$OUT .= "#x2ltpd\n";
$OUT .= "login\n";
# https://github.com/xelerance/xl2tpd/blob/master/examples/ppp-options.xl2tpd
$OUT .= "ipparam xl2tpd\n";
$OUT .= "ipcp-accept-local\n";
$OUT .= "ipcp-accept-remote\n";
if ( $InternalIP ne '' ) {
$OUT .= "ms-dns $InternalIP\n";
}
unless ($DNS eq ''){
foreach my $IP (@DNSArray) {
$OUT .= "ms-dns $IP\n";
}
}
$OUT .= "noccp\n";
$OUT .= "auth\n";
$OUT .= "idle 800\n";
$OUT .= "mtu $mtu\n";
$OUT .= "mru $mtu\n";
$OUT .= "nodefaultroute\n";
if ( $debug eq 'enabled' ) {
$OUT .= "debug\n";
}
$OUT .= "proxyarp\n";
$OUT .= "connect-delay 5000\n";
# Beyond here are additional parameters required
$OUT .= "hide-password\n";
$OUT .= "name l2tpd\n";
# Following the main examples we shoudln't need these
# $OUT .= "lcp-echo-interval 30\n";
# $OUT .= "lcp-echo-failure 4\n";
# This section allows us to authenticate against SME users
$OUT .= "plugin radius.so\n";
$OUT .= "radius-config-file /etc/radiusclient-ng/radiusclient.conf\n";
$OUT .= "refuse-pap\n";
$OUT .= "refuse-chap\n";
$OUT .= "refuse-mschap\n";
$OUT .= "require-mschap-v2 # Need MSCHAP-v2 to initialise encryption key\n";
}
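Review bot: `$InternalIP` is the only DB value in the else branch read without a `|| ''` fallback, so when the property is missing the comparison `$InternalIP ne ''` raises an uninitialized-value warning under `use warnings` and the `ms-dns` line is skipped with no indication why; write `my $InternalIP = $configDB->get_prop( "InternalInterface", 'IPAddress' ) || '';` to match the other lookups. The `unless ($DNS eq '')` guard around the foreach is redundant, because `split` on an empty string already yields an empty list. `split( /,/, $DNS )` does not trim whitespace, so a value such as `8.8.8.8, 1.1.1.1` would produce `ms-dns  1.1.1.1` — splitting on `/\s*,\s*/` would be more forgiving.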
}


@@ -0,0 +1,20 @@
{
use strict;
use warnings;
use esmith::ConfigDB;
my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') or die("cant connect to ipsec database");
my $ipsecprop = "L2TPD-PSK";
if ( $ipsecDB->get_prop( $ipsecprop, 'status' ) ne 'enabled' ) {
$OUT .= "# l2tpd connection is disabled\n";
}
else {
$OUT .= "# x2ltpd - for use with PAM authentication\n";
# Not required for radius authent
# $OUT .= "\* l2tpd \"\" \*\n";
$OUT .= "\n";
}
}


@@ -0,0 +1,14 @@
{
my $xl2tpd_status = $xl2tpd{status} || '';
my $xl2tpd_dport = $xl2tpd{UDPPort} || '1701';
if ( $xl2tpd_status eq 'enabled' ) {
$OUT .= " # Ports for Libreswan / xl2tpd\n";
$OUT .= " # Allow 1701 or other port via ipsec\n";
$OUT .= " /sbin/iptables -A INPUT -m policy --dir in --pol ipsec -p udp --dport $xl2tpd_dport -j ACCEPT\n";
$OUT .= " # Disallow generic 1701 or other port\n";
$OUT .= " /sbin/iptables -A INPUT -p udp --dport $xl2tpd_dport -j DROP\n";
}
else {
$OUT .= " # 40AllowIPsecL2TPD access disabled\n";
}
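Review bot: `$xl2tpd_dport` is interpolated into two iptables command lines straight from the DB, so a non-numeric or multi-word value would break the generated firewall script (or change the rule's meaning) at the point where it is executed rather than being caught here; validate it once, e.g. `die "xl2tpd UDPPort '$xl2tpd_dport' is not a port number\n" unless $xl2tpd_dport =~ /\A\d{1,5}\z/;`, before the ACCEPT rule. The two rules depend on ordering — the `-m policy --pol ipsec` ACCEPT must precede the unconditional DROP — which the comments imply but do not state; a one-line comment such as `# ACCEPT must come before the DROP: only IPsec-protected L2TP is allowed in` would make the intent explicit for the next editor.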
}


@@ -0,0 +1,19 @@
{
use strict;
use warnings;
use esmith::ConfigDB;
my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') or die("cant connect to ipsec database");
my $ipsecDBkey = "ipsec";
my $xl2tpdDBkey = "xl2tpd";
my $ipsecprop = "L2TPD-PSK";
if ( $configDB->get_prop( $xl2tpdDBkey, 'status' ) eq 'enabled' ) {
$OUT .= "#!/bin/sh\n";
$OUT .= "exec /sbin/modprobe pppol2tp 2>&1\n";
}
else {
$OUT .= "# xl2tpd is disabled\n";
}
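Review bot: `$ipsecDB`, `$ipsecDBkey` and `$ipsecprop` are declared but never used in this template, and the `open_ro('ipsec_connections') or die` call means a missing connections DB aborts generation of a file that does not need it; drop the three declarations. When xl2tpd is disabled the output is only `# xl2tpd is disabled` with no `#!/bin/sh` line, so if this file is executed as a script its interpreter depends on the caller; emitting `$OUT .= "#!/bin/sh\n";` before the `if` and keeping only the `exec` line conditional gives a well-formed script in both cases.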
}


@@ -0,0 +1,63 @@
{
use strict;
use warnings;
use esmith::ConfigDB;
my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') or die("cant connect to ipsec database");
my $ipsecDBkey = "ipsec";
my $xl2tpdDBkey = "xl2tpd";
my $ipsecprop = "L2TPD-PSK";
if ( $configDB->get_prop( $ipsecDBkey, 'status' ) ne 'enabled' ) {
$OUT .= "# ipsec is disabled\n";
}
elsif ( $configDB->get_prop( $xl2tpdDBkey, 'status' ) ne 'enabled' ) {
$OUT .= "# xl2tpd is disabled\n";
}
elsif ( $ipsecDB->get_prop( $ipsecprop, 'status' ) ne 'enabled' ) {
$OUT .= "# No LTPD Ipsec connection found\n";
}
else {
my $listenAddr = $configDB->get_prop( 'ExternalInterface', 'IPAddress');
my $InternalIP = $configDB->get_prop( 'InternalInterface', 'IPAddress' );
my $ipRangeStart = $ipsecDB->get_prop( $ipsecprop, 'IPRangeStart' );
my $ipRangeFinish = $ipsecDB->get_prop( $ipsecprop, 'IPRangeFinish' );
my $debug = $configDB->get_prop( $xl2tpdDBkey, 'debug' ) || 'disabled';
my $maxRetries = $configDB->get_prop( $xl2tpdDBkey, 'maxRetries' ) || '5';
# https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_with_L2TP
# Now have kernel support with modprobe pppol2tpd
# So userspace and saref disabled/left at default
$OUT .= "[global]\n";
$OUT .= ";ipsec saref = yes\n";
$OUT .= ";force userspace = yes\n";
$OUT .= "listen-addr = $listenAddr\n";
$OUT .= "max retries = $maxRetries\n";
if ( $debug eq 'enabled' ) {
$OUT .= "debug avp = yes\n";
$OUT .= "debug network = yes\n";
$OUT .= "debug state = yes\n";
$OUT .= "debug tunnel = yes\n";
}
$OUT .= "\n";
$OUT .= "[lns default]\n";
$OUT .= "name=L2TP-VPN\n";
$OUT .= "ip range = $ipRangeStart-$ipRangeFinish\n";
$OUT .= "local ip = $InternalIP\n";
# Following removed for local radious authentication
# $OUT .= "unix authentication = yes\n";
$OUT .= "require authentication = yes\n";
if ( $debug eq 'enabled' ) {
$OUT .= "ppp debug = yes\n";
}
$OUT .= "pppoptfile = /etc/ppp/options.xl2tpd\n";
$OUT .= "length bit = yes\n";
}
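Review bot: `$listenAddr`, `$InternalIP`, `$ipRangeStart` and `$ipRangeFinish` are read with no fallback or check, so a missing `IPRangeStart`/`IPRangeFinish` property yields `ip range = -` and an empty `listen-addr =` in xl2tpd.conf plus uninitialized-value warnings, while `$debug` and `$maxRetries` on the adjacent lines do get defaults; fail clearly instead, e.g. `die "$ipsecprop needs IPRangeStart and IPRangeFinish\n" unless defined $ipRangeStart && defined $ipRangeFinish;`. `$maxRetries` is written verbatim into `max retries = ...`, so a numeric check like the one `$debug` effectively gets via `eq 'enabled'` would keep a typo in the DB from producing an unparsable config. The comment "Following removed for local radious authentication" should read "radius".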
}