Hello,
the following question(s) are rather general, because I am totally new to the field of OpenSwan/OpenL2TP/PAP. My current problem is a general lack of understanding of how the mentioned daemons sit on top of each other and how they interact. Hopefully someone has the time/patience to lay out the general structure of a configuration or can point me to the correct docs/HowTo.
I need something similar to
http://forums.openl2tp.org/viewtopic.php?f=4&t=66, but with IPsec protection, authentication and dynamic VLAN assignment.
First I am going to explain, what I have, then I am going to describe what I would like to achieve:
1) What I have
We are a students' dormitory with approx. 200 users (students). Each user can connect to our network through wired and wireless ethernet. Each user has his/her own VLAN assigned with a /29 or /28 subnet. All ports on our switch are protected by 802.1X. Hence each student can connect to our network at any point and will always be assigned into his/her private VLAN with 5 (8 minus 3) or 13 (16 minus 3) IPs. There are 3 IPs missing, because each VLAN (on level 2) corresponds to a subnet (on level 3), which needs a network base address, a broadcast address and the standard gateway. Authentication with dynamic VLAN assignment is done by FreeRADIUS. DHCP, IPv6 SLAAC and routing between subnets are provided by dedicated hardware and/or servers.
2) What I would like to have
I would like to extend our network by a VPN service such that each student can dial in from anywhere and is assigned to his/her dedicated VLAN. Because I want the road warrior to be part of his/her /29 or /28 network, I need some kind of bridging, and that is where OpenL2TP comes into play.
At the moment I have a dedicated, recent Linux box with a fresh installation. The NIC eth0 is a 100MBit fiber with the public, static IP 193.196.36.8. The NIC eth1 is a 1GBit copper connected to our ProCurve switch. The NIC eth1 and the switch port are configured for 802.1q. Each user VLAN is enabled on the NIC and on the switch port. Hence, actually I have the virtual NICs eth1.1000 up to eth1.1200. These are already running in promiscuous mode.
Now, I would like the following to happen: At the road warrior's site the VPN creates a virtual NIC. In lack of a better name, I will call it tap0. (I know the name will be different, but I am used to OpenVPN.) On ingress each ethernet packet is untagged. The ethernet frame tunnels to our VPN server where it egresses tap0.1xyz with a tag that matches the user's VLAN. There it is bridged to the internal NIC eth1.1xyz and goes to the switch. Everything else (DHCP, etc.) is performed by services that already exist. In the opposite direction an ethernet frame comes from the switch tagged with the user's VLAN id. It egresses eth1.xyz at the VPN server, it is bridged to tap0.xyz, then tunnels to the correct road warrior and egresses tap0 untagged at the road warrior's site.
Is this setup possible?
I found this
http://forums.openl2tp.org/viewtopic.php?f=4&t=66 which explains what I would like to have, if I only needed a static configuration between two sites without authentication, dynamic VLAN assignment or further protection. I found this howto
https://github.com/xelerance/Openswan/wiki/L2tp-ipsec-configuration-using-openswan-and-xl2tpd for OpenSwan, but for xl2tp, and it does not really explain the interaction of the several daemons.
Kind regards, Matthias
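The server-side bridging step described in the post (tap0.1xyz bridged to eth1.1xyz for one user VLAN), as an added example that is not part of the original post and not OpenL2TP's own tooling. It assumes the interface names tap0 and eth1 and the VLAN range 1000-1200 from the post; with DRY_RUN=1 (the default) it prints the iproute2 commands instead of running them, since creating links needs root.

```shell
#!/bin/sh
# Added example: per-user Layer 2 bridge between the VPN-side VLAN
# sub-interface and the switch-facing VLAN sub-interface.
# Assumptions (not from the post's config): VPN interface "tap0",
# trunk "eth1", eth1.<vid> already exists, user VLANs are 1000-1200.

DRY_RUN="${DRY_RUN:-1}"

# Execute a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Accept only numeric ids inside the dormitory's user VLAN range, so a
# mistyped id can never bridge a user into someone else's segment.
valid_vlan() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1000 ] && [ "$1" -le 1200 ]
}

# Name of the bridge joining VPN and switch side for one VLAN.
bridge_name() {
    echo "br$1"
}

# Create tap0.<vid> and bridge it with eth1.<vid>. The kernel strips the
# 802.1q tag on both sub-interfaces, so the bridge only ever carries
# frames of this one VLAN; the bridge itself gets no IP address.
bridge_vlan() {
    vid="$1"; vpn_if="${2:-tap0}"; lan_if="${3:-eth1}"
    valid_vlan "$vid" || { echo "bad VLAN id: $vid" >&2; return 1; }
    br=$(bridge_name "$vid")
    run ip link add link "$vpn_if" name "$vpn_if.$vid" type vlan id "$vid"
    run ip link add "$br" type bridge
    run ip link set "$vpn_if.$vid" master "$br"
    run ip link set "$lan_if.$vid" master "$br"
    run ip link set "$vpn_if.$vid" up
    run ip link set "$br" up
}
```

Run as `DRY_RUN=0 sh bridge.sh` only after checking the printed commands once for a single VLAN id, e.g. `bridge_vlan 1042`.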