<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; ">I am having this same problem on a test box.<DIV><BR class="khtml-block-placeholder"></DIV><DIV>l2tpd version = net-dialup/xl2tpd-1.04<DIV><BR class="khtml-block-placeholder"></DIV><DIV>XP-Client (192.168.1.103) -----> ipsec/l2tp(192.168.1.19)eth0 -- eth1(172.17.187.0/24)</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>tcpdump:</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>09:04:48.864398 IP 192.168.1.19.1701 > 192.168.1.103.1701: l2tp:[TLS](1/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) |...</DIV><DIV>09:04:49.868422 IP 192.168.1.19.1701 > 192.168.1.103.1701: l2tp:[TLS](1/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) |...</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>I have this exact same configuration working in a production Env. However I never connect from the same subnet... And the only other differences are this box is 64bit EM64T and is _not_ running SELINUX.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Openswan seems fine:</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Aug 1 09:07:02 defender64 pluto[14647]: "roadwarrior-osx-xp"[1] 192.168.1.103 #6: STATE_QUICK_R2: IPsec SA established {ESP=>0x8bb63922 <0xdd103424 xfrm=3DES_0-HMAC_MD5 NATD=192.168.1.103:500 DPD=none}</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Is this expected behavior because I am connecting from the same subnet? </DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>my l2tp log is as follows..</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Aug 1 09:04:25 defender64 l2tpd[14882]: control_finish: Peer requested tunnel 1 twice, ignoring second one.</DIV><DIV>Aug 1 09:04:26 defender64 l2tpd[14882]: control_finish: Peer requested tunnel 1 twice, ignoring second one.Aug 1 09:04:30 defender64 l2tpd[14882]: control_finish: Peer requested tunnel 1 twice, ignoring second one.</DIV><DIV>Aug 1 09:04:30 defender64 l2tpd[14882]: Maximum retries exceeded for tunnel 2792. Closing.</DIV><DIV>Aug 1 09:04:30 defender64 l2tpd[14882]: Connection 1 closed to 192.168.1.103, port 1701 (Timeout)</DIV><DIV>Aug 1 09:04:35 defender64 l2tpd[14882]: Unable to deliver closing message for tunnel 2792. Destroying anyway.</DIV><DIV>Aug 1 09:04:45 defender64 l2tpd[14882]: Maximum retries exceeded for tunnel 54721. Closing.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>I have rp_filter = 0 in sysctl and ran;</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>for f in /proc/sys/net/ipv4/conf/*/rp_filter; do</DIV><DIV>echo "0" > $f</DIV><DIV>done</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>In my search I think I recall Jacco saying openswan disables this by default anyways. Is this the case? In my firewall I echo "1" into */rp_filter of course this start before openswan. So if that is useless I would prefer to take it out.</DIV><DIV> </DIV><DIV>And also my search results only turned up the exact opposite problem. Users could connect from the same subnet but not externally.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>TIA</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR><DIV><DIV>On Feb 10, 2006, at 12:16 PM, Ben Willmore wrote:</DIV><BR class="Apple-interchange-newline"><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">I'm trying to get a roadwarrior/nat-t setup going.<SPAN class="Apple-converted-space"> </SPAN>I've got a</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">seemly-successful IPSec connection:</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">...</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Feb 10 08:58:27 lithium pluto[20621]: "L2TP-PSK"[2] aa.bb.cc.dd #2:</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">STATE_QUICK_R2: IPsec SA established {ESP=>0x0a6d0476 <0x2c51161d</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">xfrm=AES_128-HMAC_SHA1 NATD=mm.nn.oo.pp:4500 DPD=none}</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">But l2tp never comes up properly.<SPAN class="Apple-converted-space"> </SPAN>Using ethereal on the gateway, I</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">see ESP packets coming in from the client:</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">09:03:42.455659 IP mm.nn.oo.pp > aa.bb.cc.dd: ESP(spi=0x11941194,seq=0x7c0000)</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">...but the only outgoing packets seem to be _unencrypted_ l2tp:</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">09:05:08.971051 IP aa.bb.c.dd.1701 > mm.nn.oo.pp.56004:<SPAN class="Apple-converted-space"> </SPAN></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">l2tp:[TLS](150/0)Ns=0,Nr=1</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">*MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">09:05:14.973778 IP aa.bb.cc.dd.1701 > mm.nn.oo.pp.56004:<SPAN class="Apple-converted-space"> </SPAN></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">l2tp:[TLS](150/0)Ns=1,Nr=1</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">*MSGTYPE(StopCCN) *ASSND_TUN_ID(30829) *RESULT_CODE(1/0 Timeout)</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">l2tpd itself just goes in an endless loop of:</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Feb 10 09:05:14 lithium l2tpd[21734]: message_type_avp: message type 1</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">(Start-Control-Connection-Request)</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">...</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Am I right in thinking that l2ptd is trying to send out unencrypted</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">packets instead of going over IPSec?<SPAN class="Apple-converted-space"> </SPAN>If so, how can I get it to do</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">the right thing?</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Or could it just be that the packets are getting filtered out somewhere?</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Cheers,</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Ben</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">/etc/ipsec.conf:</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">...</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">conn L2TP-PSK</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>authby=secret</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>pfs=no</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>rekey=no</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>keyingtries=3</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>left=192.168.2.9</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>leftsubnet=external.ip.of.gateway/32</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>leftprotoport=17/1701</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>leftnexthop=192.168.2.1</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>right=%any</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>rightsubnet=vhost:%no,%priv</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>rightprotoport=17/%any</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>auto=add</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">/etc/l2tp/l2tpd.conf:</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">[lns default]</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">ip range = 192.168.2.204-192.168.2.214</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">local ip = 192.168.2.9</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">require chap = yes</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">refuse pap = yes</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">require authentication = yes</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">name = Test</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">ppp debug = yes</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">pppoptfile = /etc/ppp/options.l2tpd</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">length bit = yes</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">_______________________________________________</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Users mailing list</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><A href="mailto:Users@openswan.org">Users@openswan.org</A></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><A href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</A></DIV> </BLOCKQUOTE></DIV><BR><DIV> <SPAN class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px 0px; color: rgb(0, 0, 0); font-family: Eurostile; font-size: 10px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: auto; -khtml-text-decorations-in-effect: none; text-indent: 0px; -apple-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><SPAN class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px 0px; color: rgb(0, 0, 0); font-family: Eurostile; font-size: 10px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: auto; -khtml-text-decorations-in-effect: none; text-indent: 0px; -apple-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><DIV>Brett Curtis</DIV><DIV><A href="mailto:dashnu@gmail.com">dashnu@gmail.com</A></DIV><DIV><A href="http://teh.sh.nu">http://teh.sh.nu</A></DIV><DIV><BR class="khtml-block-placeholder"></DIV><BR class="Apple-interchange-newline"></SPAN></SPAN> </DIV><BR></DIV></DIV></BODY></HTML>