Add IPSec/L2TP support

kitten · kitten · commit a64ecb036b6b · 2015-11-21T09:39:50.000+01:00
diff --git a/Dockerfile b/Dockerfile
@@ -4,7 +4,8 @@ RUN mkdir -p /conf
 
 RUN apt-get update && apt-get install -y \
   libgmp-dev \
-  iptables
+  iptables \
+  xl2tpd
 
 ENV STRONGSWAN_VERSION 5.3.4
 
@@ -13,7 +14,6 @@ RUN mkdir -p /usr/src/strongswan \
 	| tar -zxC /usr/src/strongswan --strip-components 1 \
 	&& cd /usr/src/strongswan \
 	&& ./configure --prefix=/usr --sysconfdir=/etc \
-		--enable-kernel-libipsec \
 		--enable-eap-radius \
 		--enable-eap-mschapv2 \
 		--enable-eap-identity \
@@ -30,9 +30,14 @@ RUN mkdir -p /usr/src/strongswan \
 	&& make install \
 	&& rm -rf /usr/src/strongswan
 
-# Configuration files
+# Strongswan Configuration
 ADD ipsec.conf /etc/ipsec.conf
 ADD strongswan.conf /etc/strongswan.conf
+
+# XL2TPD Configuration
+ADD xl2tpd.conf /etc/xl2tpd/xl2tpd.conf
+ADD options.xl2tpd /etc/ppp/options.xl2tpd
+
 ADD run.sh /run.sh
 
 # The password is later on replaced with a random string
@@ -41,6 +46,7 @@ ENV VPN_PASSWORD password
 ENV VPN_PSK password
 
 VOLUME ["/etc/ipsec.d"]
-EXPOSE 4500/udp 500/udp
+
+EXPOSE 4500/udp 500/udp 1701/udp
 
 CMD ["/run.sh"]
diff --git a/ipsec.conf b/ipsec.conf
@@ -1,31 +1,52 @@
 # ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	uniqueids=never
+	uniqueids=no
 	charondebug="cfg 2, dmn 2, ike 2, net 0"
 
 conn %default
 	dpdaction=clear
 	dpddelay=300s
 	rekey=no
 	left=%defaultroute
-	leftsubnet=0.0.0.0/0
 	leftfirewall=yes
 	right=%any
-	rightsubnet=10.0.0.0/24
-	rightsourceip=10.0.0.0/24
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
 	auto=add
 
+#######################################
+# L2TP Connections
+#######################################
+
+conn L2TP-IKEv1-PSK
+	type=transport
+	keyexchange=ikev1
+	authby=secret
+	leftprotoport=udp/l2tp
+	left=%any
+	right=%any
+	rekey=no
+	forceencaps=yes
+
+#######################################
+# Default non L2TP Connections
+#######################################
+
+conn Non-L2TP
+	leftsubnet=0.0.0.0/0
+	rightsubnet=10.0.0.0/24
+	rightsourceip=10.0.0.0/24
+
 #######################################
 # EAP Connections
 #######################################
 
 # This detects a supported EAP method
 conn IKEv2-EAP
+	also=Non-L2TP
 	keyexchange=ikev2
 	eap_identity=%any
 	rightauth=eap-dynamic
@@ -35,11 +56,13 @@ conn IKEv2-EAP
 #######################################
 
 conn IKEv2-PSK
+	also=Non-L2TP
 	keyexchange=ikev2
 	authby=secret
 
 # Cisco IPSec
 conn IKEv1-PSK-XAuth
+	also=Non-L2TP
 	keyexchange=ikev1
 	leftauth=psk
 	rightauth=psk
diff --git a/options.xl2tpd b/options.xl2tpd
@@ -0,0 +1,14 @@
+ipcp-accept-local
+ipcp-accept-remote
+ms-dns 8.8.8.8
+ms-dns 8.8.4.4
+noccp
+auth
+crtscts
+idle 1800
+mtu 1280
+mru 1280
+lock
+lcp-echo-failure 10
+lcp-echo-interval 60
+connect-delay 5000
diff --git a/run.sh b/run.sh
@@ -28,6 +28,17 @@ if [ "$VPN_PSK" = "password" ] || [ "$VPN_PSK" = "" ]; then
 	echo "No VPN_PSK set! Generated a random PSK key: $VPN_PSK"
 fi
 
+if [ "$VPN_PASSWORD" = "$VPN_PSK" ]; then
+	echo "It is not recommended to use the same secret as password and PSK key!"
+fi
+
+cat > /etc/ppp/chap-secrets <<EOF
+# This file holds secrets for L2TP authentication.
+# Username  Server  Secret  Hosts
+
+"$VPN_USER" "*" "$VPN_PASSWORD" "*"
+EOF
+
 cat > /etc/ipsec.secrets <<EOF
 # This file holds shared secrets or RSA private keys for authentication.
 # RSA private key for this host, authenticating it to any other host
@@ -41,6 +52,11 @@ $VPN_USER : EAP "$VPN_PASSWORD"
 $VPN_USER : XAUTH "$VPN_PASSWORD"
 EOF
 
+if [ -f "/etc/ipsec.d/l2tp-secrets" ]; then
+	echo "Overwriting standard /etc/ppp/l2tp-secrets with /etc/ipsec.d/l2tp-secrets"
+	cp -f /etc/ipsec.d/l2tp-secrets /etc/ppp/l2tp-secrets
+fi
+
 if [ -f "/etc/ipsec.d/ipsec.secrets" ]; then
 	echo "Overwriting standard /etc/ipsec.secrets with /etc/ipsec.d/ipsec.secrets"
 	cp -f /etc/ipsec.d/ipsec.secrets /etc/ipsec.secrets
@@ -56,4 +72,13 @@ if [ -f "/conf/strongswan.conf" ]; then
 	cp -f /conf/strongswan.conf /etc/strongswan.conf
 fi
 
-ipsec start --nofork
+if [ -f "/etc/ipsec.d/xl2tpd.conf" ]; then
+	echo "Overwriting standard /etc/xl2tpd/xl2tpd.conf with /etc/ipsec.d/xl2tpd.conf"
+	cp -f /etc/ipsec.d/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf
+fi
+
+echo "Starting XL2TPD process..."
+mkdir -p /var/run/xl2tpd
+/usr/sbin/xl2tpd -c /etc/xl2tpd/xl2tpd.conf
+
+ipsec start --nofork\
diff --git a/strongswan.conf b/strongswan.conf
@@ -5,20 +5,12 @@
 
 charon {
 	load_modular = yes
+	send_vendor_id = yes
 	plugins {
 		include strongswan.d/charon/*.conf
 		attr {
 			dns = 8.8.8.8, 8.8.4.4
 		}
-		kernel-netlink {
-			fwmark = !0x42
-		}
-		socket-default {
-			fwmark = 0x42
-		}
-		kernel-libipsec {
-			allow_peer_ts = yes
-		}
 	}
 }
 
diff --git a/xl2tpd.conf b/xl2tpd.conf
@@ -0,0 +1,17 @@
+[global]
+port = 1701
+auth file = /etc/ppp/l2tp-secrets
+debug avp = yes
+debug network = yes
+debug state = yes
+debug tunnel = yes
+[lns default]
+ip range = 10.1.0.2-10.1.0.254
+local ip = 10.1.0.1
+require chap = yes
+refuse pap = yes
+require authentication = yes
+name = l2tpd
+;ppp debug = yes
+pppoptfile = /etc/ppp/options.xl2tpd
+length bit = yes
