 Post subject: OpenSwan + OpenL2TP + PAP and VLAN bridging
PostPosted: Fri Aug 30, 2013 7:24 pm 

Hello,

The following question(s) are rather general, because I am totally new to the field of OpenSwan/OpenL2TP/PAP. My current problem is a general lack of understanding of how the mentioned daemons sit on top of each other and how they interact. Hopefully someone has the time/patience to lay out the general structure of a configuration or can point me to the correct docs/HowTo.

I need something similar to http://forums.openl2tp.org/viewtopic.php?f=4&t=66, but with IPsec protection, authentication and dynamic VLAN assignment.

First I am going to explain, what I have, then I am going to describe what I would like to achieve:

1) What I have

We are a students' dormitory with approx. 200 users (students). Each user can connect to our network through wired and wireless ethernet. Each user has his/her own VLAN assigned with a /29 or /28 subnet. All ports on our switch are protected by 802.1X. Hence each student can connect to our network at any point and will always be assigned into his/her private VLAN with 5 (8 minus 3) or 13 (16 minus 3) IPs. There are 3 IPs missing, because each VLAN (on level 2) corresponds to a subnet (on level 3), which needs a network base address, a broadcast address and the standard gateway. Authentication with dynamic VLAN assignment is done by FreeRADIUS. DHCP, IPv6 SLAAC and routing between subnets are provided by dedicated hardware and/or servers.

2) What I would like to have

I would like to extend our network by a VPN service such that each student can dial in from anywhere and is assigned to his/her dedicated VLAN. Because I want the road warrior to be part of his/her /29 or /28 network, I need some kind of bridging, and that is where OpenL2TP comes into play.

At the moment I have a dedicated, recent Linux box with a fresh installation. The NIC eth0 is a 100MBit fiber with the public, static IP 193.196.36.8. The NIC eth1 is a 1GBit copper connected to our ProCurve switch. The NIC eth1 and the switch port are configured for 802.1q. Each user VLAN is enabled on the NIC and on the switch port. Hence I actually have the virtual NICs eth1.1000 up to eth1.1200. These are already running in promiscuous mode.

Now, I would like the following to happen: At the road warrior's site the VPN creates a virtual NIC. For lack of a better name, I will call it tap0. (I know the name will be different, but I am used to OpenVPN.) On ingress each ethernet packet is untagged. The ethernet frame tunnels to our VPN server where it egresses tap0.1xyz with a tag that matches the user's VLAN. There it is bridged to the internal NIC eth1.1xyz and goes to the switch. Everything else (DHCP, etc.) is performed by services that already exist. In the opposite direction an ethernet frame comes from the switch tagged with the user's VLAN id. It egresses eth1.1xyz at the VPN server, is bridged to tap0.1xyz, then tunnels to the correct road warrior and egresses tap0 untagged at the road warrior's site.

Is this setup possible?

I found this http://forums.openl2tp.org/viewtopic.php?f=4&t=66 which explains what I would like to have, if I only needed a static configuration between two sites without authentication, dynamic VLAN assignment or further protection. I found this howto https://github.com/xelerance/Openswan/wiki/L2tp-ipsec-configuration-using-openswan-and-xl2tpd for OpenSwan, but it is for xl2tpd and it does not really explain the interaction of the several daemons.

Kind regards, Matthias


 
 Post subject: Re: OpenSwan + OpenL2TP + PAP and VLAN bridging
PostPosted: Tue Jan 07, 2014 3:09 pm 
Site Admin

You need a VPN which transports L2 (ethernet) frames. OpenVPN supports this, but it is a proprietary protocol.
It is possible to carry ethernet over PPP (so you could use L2TPv2), but on Linux this is not possible without unsupported patches for pppd and the Linux kernel. Generic L2TP VPN clients don't support this configuration anyway (Windows, Mac, etc.).
L2TPv3 is exactly what you need, but this is not supported by OpenL2TP.
A commercial Linux L2TPv3 solution is available at http://www.prol2tp.com


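What the reply points to, as an added example that is not code from either post, from OpenL2TP or from ProL2TP: the Linux kernel itself offers static (unmanaged) L2TPv3 Ethernet pseudowires through the l2tp_eth module, configured with iproute2's `ip l2tp`, with no control-plane daemon involved. The script below creates one such pseudowire for a single road warrior and bridges it into that user's eth1.<vlan> sub-interface from the first post, which is the server half of the frame path the question describes. The road-warrior address, tunnel/session ids, UDP ports and cookies are placeholders (only 193.196.36.8 comes from the thread); the road-warrior end needs the mirror-image tunnel and session with the ids and cookies swapped; and nothing here authenticates or encrypts the tunnel, so the IPsec transport-mode SA the post asks for still has to sit in front of it.

```shell
#!/bin/sh
# Added example (not from the original posts, OpenL2TP or ProL2TP): bridge one
# road warrior's static L2TPv3 Ethernet pseudowire into that user's 802.1q VLAN
# on the VPN server, using the Linux kernel's l2tp_eth via iproute2 "ip l2tp".
# Assumptions: the VLAN sub-interfaces eth1.1000..eth1.1200 from the first post
# already exist, and the road-warrior side configures the mirror image.
# All addresses (except the server's 193.196.36.8), ids, ports and cookies
# below are placeholders.

RUN=${RUN:-1}   # RUN=0 prints the ip(8) commands instead of executing them

run() {
  if [ "$RUN" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

is_uint() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# The post's per-user VLAN range is 1000-1200.  Refuse anything else, so a bad
# or spoofed RADIUS attribute can never bridge a tunnel into another segment.
valid_vlan() {
  is_uint "$1" && [ "$1" -ge 1000 ] && [ "$1" -le 1200 ]
}

# Session cookies (8 or 16 hex digits = 4 or 8 bytes) are checked by the kernel
# on every incoming session packet and stop stray or guessed packets from being
# injected into the VLAN.  They are NOT a cryptographic authenticator; IPsec
# between the tunnel endpoints is still required.
valid_cookie() {
  case "$1" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
  [ ${#1} -eq 8 ] || [ ${#1} -eq 16 ]
}

bridge_exists() {
  [ "$RUN" = 1 ] && ip link show "$1" >/dev/null 2>&1
}

# bridge_user LOCAL_IP REMOTE_IP VLAN ID COOKIE PEER_COOKIE
#   ID is reused as tunnel id and session id (separate id spaces in L2TPv3).
#   Each unmanaged UDP tunnel binds its own socket, so the local UDP port is
#   derived from ID to keep two users' tunnels from colliding on one port.
bridge_user() {
  local_ip=$1 remote_ip=$2 vlan=$3 id=$4 cookie=$5 peer_cookie=$6
  valid_vlan "$vlan" || { echo "VLAN id out of range: $vlan" >&2; return 1; }
  is_uint "$id" || { echo "tunnel id must be numeric: $id" >&2; return 1; }
  valid_cookie "$cookie" && valid_cookie "$peer_cookie" ||
    { echo "cookies must be 8 or 16 hex digits" >&2; return 1; }
  port=$((5000 + id))
  br="br$vlan"; pw="l2tpeth$id"; vif="eth1.$vlan"

  # 1. L2TPv3 tunnel.  UDP encapsulation is used because road warriors are
  #    usually behind NAT; L2TPv3 directly over IP (protocol 115) is not.
  run ip l2tp add tunnel tunnel_id "$id" peer_tunnel_id "$id" encap udp \
      local "$local_ip" remote "$remote_ip" udp_sport "$port" udp_dport "$port"
  # 2. Ethernet pseudowire session inside it; this creates the interface $pw.
  run ip l2tp add session name "$pw" tunnel_id "$id" session_id "$id" \
      peer_session_id "$id" cookie "$cookie" peer_cookie "$peer_cookie"
  # 3. Bridge the pseudowire with the VLAN sub-interface.  eth1.$vlan adds and
  #    strips the 802.1q tag, so the pseudowire carries untagged frames, which
  #    is what the road warrior's virtual NIC should see.
  bridge_exists "$br" || run ip link add "$br" type bridge
  run ip link set "$vif" master "$br"
  run ip link set "$pw" master "$br"
  run ip link set "$pw" up
  run ip link set "$br" up
}

# unbridge_user ID: tear one user's pseudowire down (session before tunnel).
unbridge_user() {
  run ip link set "l2tpeth$1" nomaster
  run ip l2tp del session tunnel_id "$1" session_id "$1"
  run ip l2tp del tunnel tunnel_id "$1"
}

# Demo with placeholder peer address and cookies:  DEMO=1 RUN=0 sh this_script
if [ "${DEMO:-0}" = 1 ]; then
  bridge_user 193.196.36.8 203.0.113.5 1000 1 0123abcd 89ef4567
fi
```

`bridge_user` is the piece an authentication hook would call with the VLAN that FreeRADIUS returned for the user, once the road warrior's tunnel endpoint has been authenticated by IPsec; the VLAN range check is deliberately strict because a bridged pseudowire gives the remote host the same layer-2 reach (ARP, DHCP, broadcast) as a wired port in that VLAN. The tunnel and session ids must be unique per user on the server, the remote side must use the same UDP ports (or the ports its NAT presents), and the cookies should be random per session, not reused across users.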
 
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group