<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; ">Hello<BR><DIV><DIV>On Aug 3, 2006, at 2:53 PM, Paul Wouters wrote:</DIV><BR class="Apple-interchange-newline"><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">On Tue, 1 Aug 2006, Brett Curtis wrote:</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV> <BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">I am having this same problem on a test box........</DIV></BLOCKQUOTE><BLOCKQUOTE type="cite"> </BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">What do you expect to happen when you are connecting an l2tp tunnel from</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">within the same subnet? Do you have two IP addresses from the same subnet,</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">one carrinyg traffic encrypted for the other ip? Then what if you are</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">then also sending traffic to another machine in the same subnet? Should</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">it go over the tunnel or not? I am not sure what Windows or OSX does</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">for these cases.</DIV></BLOCKQUOTE><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">I would recommend creating a seperate subnet with IP addresses that</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">will only be used with l2tp, so that it does not matter whether you are</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">connecting from the inside or the outside, you are just connecting</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">from "some network" to the l2tp subnet.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Paul</DIV> </BLOCKQUOTE><BR></DIV><DIV>Paul I believe it was set up as if I was connecting from "some network" If I recall correctly I tested my other server the same way.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Anyways I went live with this and still have the same problems.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Anything specific that needs to be done on x86_64 kernel ?</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>< > AES cipher algorithms</DIV><DIV><M> AES cipher algorithms (x86_64)</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Do I need both of these?</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>After hours of debugging I am now comparing my x86 kernel and my x86_64 kernel.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>I went a bit more modular in this kernel compared to my x86 kernel however ipsec appears to be loading the needed modules.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>I am stumped any thoughts or suggestions from anyone would be great.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>AllI see now in tcpdump is the following after a successful "IPsec SA established":</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>09:58:34.770542 IP rrcs-24-39-31-52.nys.biz.rr.com.47650 > server.myhost.net.ipsec-nat-t: UDP-encap: ESP(spi=0x5a111da5,seq=0x4), length 140</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>until ipsec deletes the connection.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>I am thinking this is a kernel or firewall issues because both have changed..</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>My related firewall rules. Ipsec is running on the firewall :</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>INPUT POLICY</DIV><DIV># VPN Traffic</DIV><DIV>$IPT -N external-vpn-traffic</DIV><DIV>$IPT -A external-vpn-traffic -i $EXTIF -m mark --mark 1 -j ACCEPT</DIV><DIV>$IPT -A external-vpn-traffic -i $EXTIF -d $EXTIP -p udp -m udp --dport 4500 \</DIV><DIV> -j ACCEPT</DIV><DIV>$IPT -A external-vpn-traffic -i $EXTIF -d $EXTIP -p udp -m udp --dport 500 \</DIV><DIV> -j ACCEPT</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>OUTPUT POLICY</DIV><DIV># L2TP Traffic</DIV><DIV>$IPT -N allow-l2tp-traffic-out</DIV><DIV>$IPT -A allow-l2tp-traffic-out -s $EXTIP -p udp -m udp --sport 1701 \</DIV><DIV> -j ACCEPT</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV># VPN Traffic </DIV><DIV>$IPT -N allow-vpn-traffic-out</DIV><DIV>$IPT -A allow-vpn-traffic-out -s $EXTIP -p udp -m udp --dport 500 \</DIV><DIV> -j ACCEPT</DIV><DIV>$IPT -A allow-vpn-traffic-out -s $EXTIP -p udp -m udp --dport 4500 \</DIV><DIV> -j ACCEPT</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV># ESP Traffic </DIV><DIV>$IPT -N allow-esp-traffic-out</DIV><DIV>$IPT -A allow-esp-traffic-out -p esp -j ACCEPT</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>PREROUTING</DIV><DIV># Rule for VPN (Ipsec/l2tp)</DIV><DIV>$IPT -t mangle -A PREROUTING -i $EXTIF -p esp -j MARK --set-mark 1</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>TIA</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV> <SPAN class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px 0px; color: rgb(0, 0, 0); font-family: Eurostile; font-size: 10px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: auto; -khtml-text-decorations-in-effect: none; text-indent: 0px; -apple-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><SPAN class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px 0px; color: rgb(0, 0, 0); font-family: Eurostile; font-size: 10px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: auto; -khtml-text-decorations-in-effect: none; text-indent: 0px; -apple-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><DIV>Brett Curtis</DIV><DIV><A href="mailto:dashnu@gmail.com">dashnu@gmail.com</A></DIV><DIV><A href="http://teh.sh.nu">http://teh.sh.nu</A></DIV><DIV><BR class="khtml-block-placeholder"></DIV><BR class="Apple-interchange-newline"></SPAN></SPAN></DIV><BR></BODY></HTML>