#------------------------------
asyncmap 0
auth
-crtscts
lock
passive
+pap
debug
#
# permet de chercher les bonnes lignes dans les fichiers des mot de passe
#
name serveur
#
# permet de specifier le device ppp , ce qui permet de mieux
# specifier les regles du firewalling
#
unit 16
#
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
noipx
#---------
#!/bin/sh
if [ ".$PPP_IPPARAM" = ".vpn-work" ]
then
# la route vers la gateway public ( aaa.bbb.ccc.ddd ) seulement via la connection par default
CMDROUTE=`netstat -nr | sed 's/^0.0.0.0 *\([1-9][^ ]*\) .* \([a-z][a-z]*[0-9]\)$/route add -host aaa.bbb.ccc.ddd gw \1 dev \2/p;d'`
$CMDROUTE
# la route pour les reseaux internes works
route add -net xxx.yyy.www.zzz/22 gw $PPP_REMOTE
route add -net xxx.yyy.www.zzz/24 gw $PPP_REMOTE
route add -net xxx.yyy.www.zzz/22 gw $PPP_REMOTE
fi
#
if [ ".$PPP_IPPARAM" = ".vpn-home" ]
then
# la route pour le reseau interne home
route add -net 192.168.1.0/24 gw $PPP_REMOTE
fi
#
;
; Sample l2tpd configuration file
;
; This example file should give you some idea of how the options for l2tpd
; should work. The best place to look for a list of all options is in
; the source code itself, until I have the time to write better documetation :)
; Specifically, the file "file.c" contains a list of commands at the end.
;
; You most definitely don't have to spell out everything as it is done here
;
; [global] ; Global parameters:
; port = 1701 ; * Bind to port 1701
; auth file = /etc/l2tpd/l2tp-secrets ; * Where our challenge secrets are
; access control = yes ; * Refuse connections without IP match
; rand source = dev ; Source for entropy for random
; ; numbers, options are:
; ; dev - reads of /dev/urandom
; ; sys - uses rand()
; ; egd - reads from egd socket
; ; egd is not yet implemented
;
; [lns default] ; Our fallthrough LNS definition
; exclusive = no ; * Only permit one tunnel per host
; ip range = 192.168.0.1-192.168.0.20 ; * Allocate from this IP range
; no ip range = 192.168.0.3-192.168.0.9 ; * Except these hosts
; ip range = 192.168.0.5 ; * But this one is okay
; ip range = lac1-lac2 ; * And anything from lac1 to lac2's IP
; lac = 192.168.1.4 - 192.168.1.8 ; * These can connect as LAC's
; no lac = untrusted.marko.net ; * This guy can't connect
; hidden bit = no ; * Use hidden AVP's?
; local ip = 192.168.1.2 ; * Our local IP to use
; length bit = yes ; * Use length bit in payload?
; require chap = yes ; * Require CHAP auth. by peer
; refuse pap = yes ; * Refuse PAP authentication
; refuse chap = no ; * Refuse CHAP authentication
; refuse authentication = no ; * Refuse authentication altogether
; require authentication = yes ; * Require peer to authenticate
; unix authentication = no ; * Use /etc/passwd for auth.
; name = myhostname ; * Report this as our hostname
; ppp debug = no ; * Turn on PPP debugging
; pppoptfile = /etc/ppp/options.l2tpd.lns ; * ppp options file
; call rws = 10 ; * RWS for call (-1 is valid)
; tunnel rws = 4 ; * RWS for tunnel (must be > 0)
; flow bit = yes ; * Include sequence numbers
; challenge = yes ; * Challenge authenticate peer ;
;
; [lac marko] ; Example VPN LAC definition
; lns = lns.marko.net ; * Who is our LNS?
; lns = lns2.marko.net ; * A backup LNS (not yet used)
; redial = yes ; * Redial if disconnected?
; redial timeout = 15 ; * Wait n seconds between redials
; max redials = 5 ; * Give up after n consecutive failures
; hidden bit = yes ; * User hidden AVP's?
; local ip = 192.168.1.1 ; * Force peer to use this IP for us
; remote ip = 192.168.1.2 ; * Force peer to use this as their IP
; length bit = no ; * Use length bit in payload?
; require pap = no ; * Require PAP auth. by peer
; require chap = yes ; * Require CHAP auth. by peer
; refuse pap = yes ; * Refuse PAP authentication
; refuse chap = no ; * Refuse CHAP authentication
; refuse authentication = no ; * Refuse authentication altogether
; require authentication = yes ; * Require peer to authenticate
; name = marko ; * Report this as our hostname
; ppp debug = no ; * Turn on PPP debugging
; pppoptfile = /etc/ppp/options.l2tpd.marko ; * ppp options file for this lac
; call rws = 10 ; * RWS for call (-1 is valid)
; tunnel rws = 4 ; * RWS for tunnel (must be > 0)
; flow bit = yes ; * Include sequence numbers
; challenge = yes ; * Challenge authenticate peer
;
; [lac cisco] ; Another quick LAC
; lns = cisco.marko.net ; * Required, but can take from default
; require authentication = yes
[lac work]
lns = aaa.bbb.ccc.ddd
name = erwanmas
ppp debug = yes
require authentication = no
require pap = no
require chap = no
pppoptfile = /etc/ppp/peers/vpn-work-via-l2tp
# comment
# Global section (by default, we start in global mode)
global
# Load handlers
load-handler "sync-pppd.so"
load-handler "cmd.so"
# Bind address
listen-port 1701
# Configure the sync-pppd handler. You MUST have a "section sync-pppd" line
# even if you don't set any options.
section sync-pppd
lns-pppd-opts "auth"
lac-pppd-opts "user example name example noipdefault ipcp-accept-local ipcp-accept-remote lcp-echo-interval 30 lcp-echo-failure 6"
# Peer section
section peer
peer aaa.bbb.ccc.ddd
hostname erwanmas-portable
port 1701
lns-handler sync-pppd
lac-handler sync-pppd
lac-opts "user erwanmas noauth file /etc/ppp/peers/vpn-work-via-l2tp"
# Configure the cmd handler. You MUST have a "section cmd" line
# even if you don't set any options.
section cmd