<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; ">forgot to reply to list.. ughhhhhh<BR><DIV><DIV>On Aug 21, 2006, at 10:22 AM, Paul Wouters wrote:</DIV><BR class="Apple-interchange-newline"><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">On Mon, 21 Aug 2006, Brett Curtis wrote:</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV> <BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">AllI see now in tcpdump is the following after a successful "IPsec SA</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">established":</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">09:58:34.770542 IP rrcs-24-39-31-52.nys.biz.rr.com.47650 ></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">server.myhost.net.ipsec-nat-t: UDP-encap: ESP(spi=0x5a111da5,seq=0x4), length</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">140</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">until ipsec deletes the connection.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">I am thinking this is a kernel or firewall issues because both have changed..</DIV> </BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV> <BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">My related firewall rules. Ipsec is running on the firewall :</DIV> </BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">try disabling all of these rules and see if it works. If not, then run ipsec</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">verify and check the various /proc settings. Perhaps fiddle with the</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">external mtu set to 1472 and/or the internal mtu set to 1300.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV></BLOCKQUOTE><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Ok I tried my old working firewall. Still no go lt2p comes back from the client on port 1701.</DIV><DIV>So I stopped the firewall totally... I connected however l2tp was still communicating outside the tunnel.</DIV><DIV>I stand firm that my firewall is not the problem. Auth of l2tp happened only because my firewall let 1701 udp in.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Nice to know XP allows you to connect that way :p</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Anyways...</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Ipsec verify looks fine.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Checking your system to see if IPsec got installed and started correctly:</DIV><DIV>Version check and ipsec on-path [OK]</DIV><DIV>Linux Openswan U2.4.4/K2.6.17-gentoo-r4 (netkey)</DIV><DIV>Checking for IPsec support in kernel [OK]</DIV><DIV>Checking for RSA private key (/etc/ipsec/ipsec.secrets) [OK]</DIV><DIV>Checking that pluto is running [OK]</DIV><DIV>Two or more interfaces found, checking IP forwarding [OK]</DIV><DIV>Checking NAT and MASQUERADEing </DIV><DIV>Checking for 'ip' command [OK]</DIV><DIV>Checking for 'iptables' command [OK]</DIV><DIV>Checking for 'setkey' command for NETKEY IPsec stack support [OK]</DIV><DIV>Opportunistic Encryption Support [DISABLED]</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>I also went through /proc on both machines and compared.. Still know go.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>I have these set in /etc/sysctl on the working machine:</DIV><DIV>net.ipv4.ip_forward = 1</DIV><DIV>net.ipv4.conf.default.rp_filter = 1</DIV><DIV>net.ipv4.conf.all.rp_filter = 1</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>I do not have these set in systcl on the non-working machine. However I do run echo commands in my firewall script to enable this. So no difference there.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>I am a bit confused on the mtu stuff. Since i use netkey I need to change my interfaces by hand correct ? Because overridemtu in the ipsec config did not work.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>If so is there any risk in changing the mtu ?</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Thanks.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV><BR><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Paul</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">--<SPAN class="Apple-converted-space"> </SPAN></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Building and integrating Virtual Private Networks with Openswan:</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><A href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</A></DIV> </BLOCKQUOTE></DIV><BR><DIV> <SPAN class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px 0px; color: rgb(0, 0, 0); font-family: Eurostile; font-size: 10px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: auto; -khtml-text-decorations-in-effect: none; text-indent: 0px; -apple-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><SPAN class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px 0px; color: rgb(0, 0, 0); font-family: Eurostile; font-size: 10px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: auto; -khtml-text-decorations-in-effect: none; text-indent: 0px; -apple-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><DIV>Brett Curtis</DIV><DIV><A href="mailto:dashnu@gmail.com">dashnu@gmail.com</A></DIV><DIV><A href="http://teh.sh.nu">http://teh.sh.nu</A></DIV><DIV><BR class="khtml-block-placeholder"></DIV><BR class="Apple-interchange-newline"></SPAN></SPAN> </DIV><BR></BODY></HTML>