Latest update:

New version attached, includes setting up l2tpd all the way to getting a call up.

Needs a heckuvalot more work.

Have started compiling wish list for the l2tpd manual - if I end up writing this, it will be in docbook format. This can be transformed into HTML, info or man pages using existing toolsets.

And I'm falling behind in my jobhunting.

Starting Blocks:

There is an old HOWTO at http://mia.ece.uic.edu/~papers/volans/l2tpd.html

I collected:
   * TACACS and RADIUS plugin for pppd from 
http://www.chelcom.ru/~anton/projects/pppd-tacacs+radius/ 
http://www.chelcom.ru/~anton/projects/files/pppd-tacacs+radius-1.4.1.tar.gz
   * MPPE + MSCHAP2 patches from http://www.shorewall.net/pub/shorewall/pptp/
   * Original pppd 2.4.1 from ftp://ftp.samba.org/pub/ppp/ppp-2.4.1.tar.gz
   * freeradius 0.9.3 from ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz
   * PostgreSQL 7.4 was already installed on my Mac OS X machine
   * tcpdump was already installed on my Debian machines
   * l2tpd source variously from 0.69 on website, subversion latest, and an
     in-house version that I'll be submitting a patch for RSN.

Note we are using pppd 2.4.1, not 2.4.2, because the plugin interface changed between 
the two versions (so perhaps it should have been 2.4.1 vs 2.5.0? but what's done is 
done).

It shouldn't matter which machine the PostgreSQL server is installed on - let's see 
how wrong I am.

[EMAIL PROTECTED]:/home/grail/src/l2tpd-radius-howto]
22:20 [0|26]% ls -l
total 2468
drwxr-xr-x   15 grail    staff        1024 Nov 21 07:16 freeradius-0.9.3
-rw-r--r--    1 grail    staff     1819922 Feb 11 22:13 freeradius-0.9.3.tar.gz
drwxr-xr-x   16 grail    staff        1024 Mar 25  2001 ppp-2.4.1
-rw-r--r--    1 grail    staff         495 Feb 11 22:13 ppp-2.4.1-MSCHAPv2-fix.patch
-rw-r--r--    1 grail    staff      136956 Feb 11 22:19 ppp-2.4.1-openssl-0.9.6-mppe-patch
-rw-r--r--    1 grail    staff      536746 Feb 11 22:11 ppp-2.4.1.tar.gz
-rw-r--r--    1 grail    staff        6638 Feb 11 22:12 pppd-2.4.1-plugin-hooks.patch
-rw-r--r--    1 grail    staff        7901 Feb 11 22:12 pppd-mppe-2.4.1-plugin-hooks.patch


What We Are About To Do
1) Compile pppd with RADIUS support
2) Compile l2tpd
3) Set up an L2TP control session between two machines on the same network
4) Bring up a PPP interface between two machines on the same network

1. Compile pppd with RADIUS support

cd ppp-2.4.1
patch -p1 < ../ppp-2.4.1-MSCHAPv2-fix.patch
./configure

So let's just go for the RADIUS/TACACS patch...

Configure your RADIUS server
Magic happens here. Find out how to configure your RADIUS server elsewhere. I tried 
freeradius under Mac OS X and got the problem described here: 
http://lists.cistron.nl/pipermail/freeradius-users/2002-September/011609.html

If anyone can figure that one out, let me know!

After that botched attempt, I compiled freeradius under Debian GNU/Linux v3.0 instead. 
In retrospect, I probably would have been better off getting a backport. Nevermind.

So now, I have a pppd that can do RADIUS/TACACS, and I have a RADIUS server.

Next step for RADIUS will be configuring the radius server with a couple of users.

2. Compile l2tpd

Get a copy of l2tpd. You will need subversion 
http://subversion.tigris.org/getting_subversion.html. I am not going to upgrade to 
Apache 2.0 just to be able to compile a copy of subversion to download one single 
source!  So I cheated and got l2tpd 0.69 and applied a bunch of patches that I had 
lying around.

http://www.mail-archive.com/[EMAIL PROTECTED]/msg00617.html
 - Applied PPP options path patch
 - Applied auth hostname patch


3. Set Up L2TP Control Session

Once you've compiled it, copy l2tpd to two machines - one we'll call "A", the other 
we'll call "B". "A" will be the LNS, "B" will be the LAC for our setup tests.

Now you have to set up the LAC/LNS relationship between the two. One of the things I 
found most confusing about l2tpd in its current incarnation is that "LAC" entries in 
the config file control the behaviour of this l2tpd when making calls to the machine 
named in the LAC entry. So on the LAC, your "B" site, we set things up like this:

/etc/l2tp/l2tpd.conf:
        [global]
        auth file = /etc/l2tp/l2tp-secrets
        hostname = table

        [lac A]
        lns = A
        pppoptfile = /etc/l2tp/options.l2tpd.lac
        require chap = yes
        require auth = yes

/etc/l2tp/options.l2tpd.lac
        noccp
        novj
        novjccomp
        nopcomp
        noaccomp
        192.168.5.4:

Note that you'll need to configure PPP to avoid using compression or encryption, since 
the L2TP packets are sent using UDP over an unknown network: they may arrive out of 
order, which breaks decompression and decryption of the data.

The LNS side of things is a little simpler (and more intuitive) since you name the LNS 
in the LNS record. Explanations later, here's the hard facts:

/etc/l2tp/l2tpd.conf:
        [global]
        auth file = /etc/l2tp/l2tp-secrets
        hostname = merlin

        [lns merlin]
        exclusive = yes
        lac = 10.1.254.1-10.1.254.254
        length bit = yes
        pppoptfile = /etc/ppp/options.l2tpd.lns
        require auth = yes
        require chap = yes


/etc/l2tp/options.l2tpd.lns
        noccp
        novj
        novjccomp
        nopcomp
        noaccomp
        192.168.5.1:
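As an added illustration (not part of this HOWTO and not l2tpd code), the Python below reads the two l2tpd.conf files and the LAC pppoptfile shown above, embedded here as constructed sample input, and makes the confusing point explicit: a "[lac X]" section makes this daemon dial out to the host named in its "lns" key, while an "[lns Y]" section makes it answer as Y for the LACs in its "lac" address range. It also checks that both "require auth" and "require chap" are set, that the range admits a given LAC address, and that the pppoptfile carries the no-compression options the note above calls for. It assumes ";" begins a comment in l2tpd.conf.

```python
import ipaddress

# Constructed copies of the LAC ("table") and LNS ("merlin") files shown above.
LAC_CONF = """\
[global]
auth file = /etc/l2tp/l2tp-secrets
hostname = table

[lac A]
lns = A
pppoptfile = /etc/l2tp/options.l2tpd.lac
require chap = yes
require auth = yes
"""

LNS_CONF = """\
[global]
auth file = /etc/l2tp/l2tp-secrets
hostname = merlin

[lns merlin]
exclusive = yes
lac = 10.1.254.1-10.1.254.254
length bit = yes
pppoptfile = /etc/ppp/options.l2tpd.lns
require auth = yes
require chap = yes
"""

PPP_OPTIONS_LAC = "noccp\nnovj\nnovjccomp\nnopcomp\nnoaccomp\n192.168.5.4:\n"

# pppd options that keep stateful compression (and CCP/encryption negotiation) off
REQUIRED_PPP_OPTIONS = {"noccp", "novj", "novjccomp", "nopcomp", "noaccomp"}


def parse_l2tpd_conf(text):
    """Parse '[section]' / 'key = value' lines into {section: {key: value}}.
    Assumption: ';' starts a comment, as in the l2tpd sample configs."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][key.strip()] = value.strip()
        else:
            raise ValueError("unparseable line: %r" % raw)
    return conf


def describe_roles(conf):
    """What each section makes THIS daemon do: [lac X] = dial out to the host in lns=,
    [lns Y] = answer as LNS Y for the LACs listed in lac=."""
    roles = []
    for name, keys in conf.items():
        kind, _, label = name.partition(" ")
        if kind == "lac":
            roles.append("dial out to LNS %s (entry '%s')" % (keys.get("lns", "?"), label))
        elif kind == "lns":
            roles.append("answer as LNS '%s' for LACs %s" % (label, keys.get("lac", "<any>")))
    return roles


def lac_allowed(conf, addr):
    """True if some [lns] section's 'lac = first-last' range admits addr (a bare IP also works)."""
    ip = ipaddress.ip_address(addr)
    for name, keys in conf.items():
        if not name.startswith("lns ") or "lac" not in keys:
            continue
        first, _, last = keys["lac"].partition("-")
        lo = ipaddress.ip_address(first.strip())
        hi = ipaddress.ip_address(last.strip()) if last else lo
        if lo <= ip <= hi:
            return True
    return False


def check_tunnel_sections(conf):
    """Per [lac]/[lns] section, list the settings that are missing or not 'yes'."""
    findings = {}
    for name, keys in conf.items():
        if name == "global":
            continue
        problems = [k for k in ("require auth", "require chap") if keys.get(k, "").lower() != "yes"]
        if "pppoptfile" not in keys:
            problems.append("pppoptfile")
        findings[name] = problems
    return findings


def check_ppp_options(text):
    """Return (missing no-compression options, 'local:remote' address lines) for a pppoptfile."""
    present = {line.strip() for line in text.splitlines() if line.strip()}
    missing = sorted(REQUIRED_PPP_OPTIONS - present)
    addresses = sorted(l for l in present if ":" in l and l.replace(".", "").replace(":", "").isdigit())
    return missing, addresses
```

Running describe_roles over both files gives "dial out to LNS A" for the LAC and "answer as LNS 'merlin' for LACs 10.1.254.1-10.1.254.254" for the LNS, which is the relationship the text is describing; lac_allowed is the same check the LNS applies when a tunnel request arrives from an address outside that range.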

Make sure l2tpd is running on both machines. Now comes the fun part:

        [EMAIL PROTECTED] echo "t A" > /var/run/l2tp-control

Follow the traffic in tcpdump, which should look something like the following (note 
that I've edited the host names, so some things might not add up if you analyze the 
packet carefully):

tcpdump -i eth0 -e -v -s 1500 host table and port 1701
tcpdump: listening on eth0

23:35:46.073548 0:0:e8:da:72:cf 0:80:c8:f6:1c:37 ip 136: B.1701 > A.1701:  [udp sum ok] l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() FIRM_VER(1681) *HOST_NAME(B) VENDOR_NAME(l2tpd) *ASSND_TUN_ID(62946) *RECV_WIN_SIZE(4)|...|...|...|...|...|...|...|...|...|... (DF) (ttl 64, id 0, len 122)

23:35:46.074201 0:80:c8:f6:1c:37 0:0:e8:da:72:cf ip 139: A.1701 > B.1701:  [udp sum ok] l2tp:[TLS](62946/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() FIRM_VER(1681) *HOST_NAME(A) VENDOR_NAME(l2tpd) *ASSND_TUN_ID(46936) *RECV_WIN_SIZE(4)|...|...|...|...|...|...|...|...|...|... (DF) (ttl 64, id 0, len 125)

23:35:46.101379 0:0:e8:da:72:cf 0:80:c8:f6:1c:37 ip 62: B.1701 > A.1701:  [udp sum ok] l2tp:[TLS](46936/0)Ns=1,Nr=1 *MSGTYPE(SCCCN)|...|... (DF) (ttl 64, id 0, len 48)

23:35:46.102092 0:80:c8:f6:1c:37 0:0:e8:da:72:cf ip 54: A.1701 > B.1701:  [udp sum ok] l2tp:[TLS](62946/0)Ns=1,Nr=2 ZLB (DF) (ttl 64, id 0, len 40)

This is as per the RFC: the initiator sends an SCCRQ (Start Control Connection 
Request), the responder sends an SCCRP (Start Control Connection Response), and the 
initiator follows with a "Start Control Connection Notify" message (SCCCN in the trace). 
Also note how Ns and Nr are incremented for each message sent, and that the final ZLB 
is an acknowledgement only. Also note that L2TP control connections involve "messages" 
while the calls themselves involve "packets".
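To make the header fields in that trace concrete, here is an added Python example (not part of this HOWTO and not l2tpd code) that encodes and decodes RFC 2661 control messages: the T/L/S flag bits tcpdump prints as [TLS], the tunnel and session IDs in parentheses, Ns/Nr, and the AVP list with its Mandatory and Hidden flags. It rebuilds the four-message exchange above from constructed values (the AVP set is only approximated, so message lengths differ from the trace), checks the Ns/Nr bookkeeping the text describes, and rejects an AVP whose length field is shorter than its own header, the kind of malformed datagram a daemon listening on UDP 1701 has to survive.

```python
import struct

# RFC 2661 control message types and AVP attribute types that appear in the trace above
MSG_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
             10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}
AVP_NAMES = {0: "MSGTYPE", 2: "PROTO_VER", 3: "FRAMING_CAP", 4: "BEARER_CAP",
             6: "FIRM_VER", 7: "HOST_NAME", 8: "VENDOR_NAME",
             9: "ASSND_TUN_ID", 10: "RECV_WIN_SIZE"}
T_BIT, L_BIT, S_BIT = 0x8000, 0x4000, 0x0800   # header flags tcpdump shows as [TLS]
M_BIT, H_BIT = 0x8000, 0x4000                  # AVP flags: Mandatory, Hidden


def build_avp(attr_type, value, mandatory=True):
    """Encode one AVP: M/H flags + 10-bit length (header included), vendor ID 0, type, value."""
    return struct.pack("!HHH", (M_BIT if mandatory else 0) | (6 + len(value)), 0, attr_type) + value


def build_control(tunnel_id, session_id, ns, nr, avps):
    """Encode a control message: T=1 L=1 S=1 Ver=2 header, then the AVPs (none => ZLB ack)."""
    body = b"".join(avps)
    return struct.pack("!HHHHHH", T_BIT | L_BIT | S_BIT | 2, 12 + len(body),
                       tunnel_id, session_id, ns, nr) + body


def parse_control(pkt):
    """Decode a control message into the fields tcpdump prints; raise ValueError on malformed input."""
    if len(pkt) < 12:
        raise ValueError("short L2TP header")
    flags, length, tid, sid, ns, nr = struct.unpack("!HHHHHH", pkt[:12])
    if (flags & 0x000F) != 2 or not flags & T_BIT:
        raise ValueError("not an L2TPv2 control message")
    if not (flags & L_BIT and flags & S_BIT):
        raise ValueError("control messages must carry Length and Ns/Nr")
    if length > len(pkt):
        raise ValueError("length field exceeds packet")
    msg = {"tunnel": tid, "session": sid, "Ns": ns, "Nr": nr, "avps": {}}
    off = 12
    while off < length:
        if length - off < 6:
            raise ValueError("truncated AVP header at offset %d" % off)
        aflags, vendor, atype = struct.unpack("!HHH", pkt[off:off + 6])
        alen = aflags & 0x03FF
        # An AVP shorter than its own header, or running past the message, is rejected
        # before its length is ever used to slice: attacker-controlled lengths bite parsers.
        if alen < 6 or off + alen > length:
            raise ValueError("bad AVP length %d at offset %d" % (alen, off))
        value = pkt[off + 6:off + alen]
        name = AVP_NAMES.get(atype, "ATTR_%d" % atype) if vendor == 0 else "VENDOR%d_ATTR_%d" % (vendor, atype)
        if aflags & H_BIT:
            decoded = "<hidden>"          # needs the shared secret from 'auth file' to unhide
        elif name == "MSGTYPE" and len(value) == 2:
            code = struct.unpack("!H", value)[0]
            decoded = MSG_TYPES.get(code, "type %d" % code)
        elif name == "PROTO_VER" and len(value) == 2:
            decoded = "%d.%d" % (value[0], value[1])
        elif name in ("HOST_NAME", "VENDOR_NAME"):
            decoded = value.decode("ascii", "replace")
        elif name in ("FIRM_VER", "ASSND_TUN_ID", "RECV_WIN_SIZE") and len(value) == 2:
            decoded = struct.unpack("!H", value)[0]
        else:
            decoded = value.hex()
        msg["avps"][name] = decoded
        off += alen
    msg["type"] = msg["avps"].get("MSGTYPE", "ZLB")   # no AVPs at all = zero-length body ack
    return msg


def check_sequence(exchange):
    """Check Ns/Nr over [(sender, parsed_msg)] in wire order: Ns must equal the number of
    non-ZLB messages that sender already sent, Nr the number it has received so far.
    A ZLB is an acknowledgement only and does not consume an Ns."""
    sent = {}
    for sender, msg in exchange:
        received = sum(n for peer, n in sent.items() if peer != sender)
        if msg["Ns"] != sent.get(sender, 0) or msg["Nr"] != received:
            return False
        if msg["type"] != "ZLB":
            sent[sender] = sent.get(sender, 0) + 1
    return True


def sccr(msg_type, host, assigned_tid, tid, ns, nr):
    """SCCRQ/SCCRP carrying the AVPs the trace shows (values constructed to match it)."""
    avps = [build_avp(0, struct.pack("!H", msg_type)),
            build_avp(2, b"\x01\x00"),                       # PROTO_VER 1.0
            build_avp(3, struct.pack("!I", 3)),              # FRAMING_CAP async|sync = "AS"
            build_avp(4, struct.pack("!I", 0)),              # BEARER_CAP: none
            build_avp(6, struct.pack("!H", 1681), False),    # FIRM_VER, optional
            build_avp(7, host),
            build_avp(8, b"l2tpd", False),                   # VENDOR_NAME, optional
            build_avp(9, struct.pack("!H", assigned_tid)),
            build_avp(10, struct.pack("!H", 4))]             # RECV_WIN_SIZE
    return build_control(tid, 0, ns, nr, avps)


def sample_exchange():
    """The tunnel setup from the trace: B (LAC) opens, A (LNS) replies, B connects, A acks."""
    return [("B", sccr(1, b"B", 62946, 0, 0, 0)),          # SCCRQ to tunnel 0: none assigned yet
            ("A", sccr(2, b"A", 46936, 62946, 0, 1)),      # SCCRP addressed to B's assigned ID
            ("B", build_control(46936, 0, 1, 1, [build_avp(0, struct.pack("!H", 3))])),  # SCCCN
            ("A", build_control(62946, 0, 1, 2, []))]      # ZLB acknowledging B's Ns=1


def parsed_exchange():
    return [(who, parse_control(pkt)) for who, pkt in sample_exchange()]


def malformed_sample():
    """A message whose only AVP claims length 3, shorter than the 6-byte AVP header."""
    return struct.pack("!HHHHHH", T_BIT | L_BIT | S_BIT | 2, 18, 0, 0, 0, 0) + struct.pack("!HHH", M_BIT | 3, 0, 0)


def is_well_formed(pkt):
    try:
        parse_control(pkt)
        return True
    except ValueError:
        return False
```

Iterating over parsed_exchange() and printing type, tunnel/session, Ns/Nr and the AVP dictionary reproduces the shape of the four tcpdump lines; check_sequence(parsed_exchange()) returns True for the order shown and False if the messages are replayed out of order.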

Now that this control connection is established, it would be nice to make a call over 
it, but I haven't figured that bit out just yet - the call can be established, but 
using what configuration? Tear down the control connection instead:

        [EMAIL PROTECTED] echo "s" > /var/run/l2tp-control

You should see the status being dumped into the system log. On my machine, this comes 
out in /var/log/syslog, amongst others.  Get the local ID of the control session and 
disconnect it:

        [EMAIL PROTECTED] echo "d 12345" > /var/run/l2tp-control

Now we are going to place an actual call - on the L2TP protocol level, this involves 
bringing up a control session, establishing a call, launching a PPP daemon at either 
end of the call, and finally setting up the PPP session over the call. From your point 
of view, it involves issuing one command:

        [EMAIL PROTECTED] echo "c A" > /var/run/l2tp-control

If you're watching the log files, you should see pppd starting up, and the interfaces 
will be configured.

** XXX - I'm up to here - AMS **

Need notes about configuring l2tpd or pppd for issuing addresses from a range.

Need notes about access control (should also write a manual page or something for 
this).

Then configuring PPPD to actually use RADIUS for AAA

Then end-to-end testing with L2TPD to ensure that RADIUS AAA records are being 
properly recorded.

Asides:
Setting up freeradius to handle an 802.1x network: 
http://www.jepstone.net/index.cgi/Wireless/WiFi/OSXRadius8021X.writeback
