<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<br>
<blockquote cite="mid:4819C8A8.2010507@dds.nl" type="cite">
<blockquote type="cite">
<pre wrap="">Okey, the problems seems to be solved... partially! I added
leftnexthop=x2.x2.x2.x2 The server network interfaces are: eth0:
x2.x2.x2.x2 - external interface with real IP
</pre>
</blockquote>
<pre wrap=""><!---->I still don't understand your setup. The server has a leftnexthop
to its own network interface?
</pre>
</blockquote>
<big><tt><small>Actually, yes... Is this not good? I do not understand
well what leftnexthop is for as far as I'm new to Openswan...<br>
<br>
Let me describe by server in details once again (real "world" IP
addresses are replaced for privacy):<br>
<br>
eth0: 68.68.44.42 (net </small></tt></big><big><tt><small>68.68.44.0/24;
external gw 68.68.44.41</small></tt></big><big><tt><small>)<br>
eth1: 68.68.12.1 (net 68.68.12.0/24)<br>
eth1:0-2 (virtual interfaces): 192.168.0.1 (192.168.0.0/20); 10.44.68.1
(10.44.68.0/24) and 172.27.172.1 (172.27.172.0/24)<br>
ipsec0 (=eth1): </small></tt></big><big><tt><small>68.68.12.1 (net
68.68.12.0/24)<br>
<br>
eth0 is external interface connected to our ISP. eth1 is internal
interface which does have real world IP addresses.<br>
<br>
Openswan listens to 68.68.12.1. L2TP server also listens to 68.68.12.1.<br>
<br>
What value should be for leftnexthop? I don't know which should be but
with the current value (</small></tt></big><big><tt><small>68.68.44.42</small></tt></big><big><tt><small>)
IPSec works just fine.<br>
</small></tt></big>
<blockquote cite="mid:4819C8A8.2010507@dds.nl" type="cite">
<pre wrap="">What is it exactly that you want to achieve? Allow VPN users in
from the Internet to the internal network? Allow VPN users on
the internal (possibly untrusted such as wireless?) network out
to the Internet?
</pre>
</blockquote>
<big><tt><small>Ideally I want both... But currently I want to have VPN
for external (from Internet) users.</small></tt></big><br>
<blockquote cite="mid:4819C8A8.2010507@dds.nl" type="cite">
<blockquote type="cite">
<pre wrap="">eth1: x.x.x.x - internal interface with real IP and networks:
</pre>
</blockquote>
<pre wrap=""><!---->The internal interface has a real world IP address?
</pre>
</blockquote>
<tt>Right! </tt><big><tt><small>68.68.12.1 from the config above.<br>
</small></tt></big>
<blockquote cite="mid:4819C8A8.2010507@dds.nl" type="cite">
<blockquote type="cite">
<pre wrap="">Packets arriving to L2TPd server on ipsec0 visually go from client's router
real IP (y.y.y.y) and port 1701 and go to x.x.x.x:1701. They are leaving
the server from interface eth0. I can understand why they do...
</pre>
</blockquote>
<pre wrap=""><!---->L2TP packets should not leave the server unencrypted unless you
explicitly forward them to some other L2TP server (which is rare).
</pre>
</blockquote>
<tt>I do know this... But they do.<br>
<br>
As I understand L2TP packets go to the server through IPSec. There they
are decrypted and transfered to L2TP server through ipsec0 interface
(and I do see them there).<br>
<br>
The problem is that they are leaving the server (the response actually)
from eth0. This is actually correct because the default route points to
</tt><big><tt><small>68.68.44.41 (that is to interface eth0). And
therefore (I guess) they are not encrypted. They should be leaving the
server from ipsec0, right?<br>
<br>
Here is tcpdump:<br>
<br>
Packets arriving to ipsec0:<br>
<br>
</small></tt><font face="Terminus"><small><small>1:33:57.905681 IP
92.30.44.50.1701 > 68.68.12.1.1701: l2tp:[TLS](0/0)Ns=0,Nr=0
*MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...<br>
21:33:58.920239 IP </small></small></font></big><big><font
face="Terminus"><small><small>92.30.44.50</small></small></font></big><big><font
face="Terminus"><small><small>.1701 > </small></small></font></big><big><font
face="Terminus"><small><small>68.68.12.1</small></small></font></big><big><font
face="Terminus"><small><small>.1701: l2tp:[TLS](0/0)Ns=0,Nr=0
*MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...<br>
21:34:00.908124 IP </small></small></font></big><big><font
face="Terminus"><small><small>92.30.44.50</small></small></font></big><big><font
face="Terminus"><small><small>.1701 > </small></small></font></big><big><font
face="Terminus"><small><small>68.68.12.1</small></small></font></big><big><font
face="Terminus"><small><small>.1701: l2tp:[TLS](0/0)Ns=0,Nr=0
*MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...</small></small></font><tt><small><br>
<br>
Packets leaving from eth0:<br>
</small></tt><small><font face="Terminus"><small><br>
21:33:57.906384 IP </small></font></small></big><big><font
face="Terminus"><small><small>68.68.12.1</small></small></font></big><big><small><font
face="Terminus"><small>.1701 > </small></font></small></big><big><font
face="Terminus"><small><small>92.30.44.50</small></small></font></big><big><small><font
face="Terminus"><small>.1701: l2tp:[TLS](51/0)Ns=0,Nr=1
*MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...<br>
21:33:58.912664 IP </small></font></small></big><big><font
face="Terminus"><small><small>68.68.12.1</small></small></font></big><big><small><font
face="Terminus"><small>.1701 > </small></font></small></big><big><font
face="Terminus"><small><small>92.30.44.50</small></small></font></big><big><small><font
face="Terminus"><small>.1701: l2tp:[TLS](51/0)Ns=0,Nr=1
*MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...<br>
21:33:58.920973 IP </small></font></small></big><big><font
face="Terminus"><small><small>68.68.12.1</small></small></font></big><big><small><font
face="Terminus"><small>.1701 > </small></font></small></big><big><font
face="Terminus"><small><small>92.30.44.50</small></small></font></big><big><small><font
face="Terminus"><small>.1701: l2tp:[TLS](51/0)Ns=0,Nr=1 ZLB<br>
21:33:59.920664 IP </small></font></small></big><big><font
face="Terminus"><small><small>68.68.12.1</small></small></font></big><big><small><font
face="Terminus"><small>.1701 > </small></font></small></big><big><font
face="Terminus"><small><small>92.30.44.50</small></small></font></big><big><small><font
face="Terminus"><small>.1701: l2tp:[TLS](51/0)Ns=0,Nr=1
*MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...<br>
21:34:00.908905 IP </small></font></small></big><big><font
face="Terminus"><small><small>68.68.12.1</small></small></font></big><big><small><font
face="Terminus"><small>.1701 > </small></font></small></big><big><font
face="Terminus"><small><small>92.30.44.50</small></small></font></big><big><small><font
face="Terminus"><small>.1701: l2tp:[TLS](51/0)Ns=0,Nr=1 ZLB<br>
21:34:00.928642 IP </small></font></small></big><big><font
face="Terminus"><small><small>68.68.12.1</small></small></font></big><big><small><font
face="Terminus"><small>.1701 > </small></font></small></big><big><font
face="Terminus"><small><small>92.30.44.50</small></small></font></big><big><small><font
face="Terminus"><small>.1701: l2tp:[TLS](51/0)Ns=0,Nr=1
*MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...<br>
21:34:01.936666 IP </small></font></small></big><big><font
face="Terminus"><small><small>68.68.12.1</small></small></font></big><big><small><font
face="Terminus"><small>.1701 > </small></font></small></big><big><font
face="Terminus"><small><small>92.30.44.50</small></small></font></big><big><small><font
face="Terminus"><small>.1701: l2tp:[TLS](51/0)Ns=0,Nr=1
*MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...<br>
21:34:02.944765 IP </small></font></small></big><big><font
face="Terminus"><small><small>68.68.12.1</small></small></font></big><big><small><font
face="Terminus"><small>.1701 > </small></font></small></big><big><font
face="Terminus"><small><small>92.30.44.50</small></small></font></big><big><small><font
face="Terminus"><small>.1701: l2tp:[TLS](51/0)Ns=1,Nr=1
*MSGTYPE(StopCCN) *ASSND_TUN_ID(36263) *RESULT_CODE(1/0 Timeout)<br>
21:34:03.952657 IP </small></font></small></big><big><font
face="Terminus"><small><small>68.68.12.1</small></small></font></big><big><small><font
face="Terminus"><small>.1701 > </small></font></small></big><big><font
face="Terminus"><small><small>92.30.44.50</small></small></font></big><big><small><font
face="Terminus"><small>.1701: l2tp:[TLS](51/0)Ns=1,Nr=1
*MSGTYPE(StopCCN) *ASSND_TUN_ID(36263) *RESULT_CODE(1/0 Timeout)<br>
21:34:04.922763 IP </small></font></small></big><big><font
face="Terminus"><small><small>68.68.12.1</small></small></font></big><big><small><font
face="Terminus"><small>.1701 > </small></font></small></big><big><font
face="Terminus"><small><small>92.30.44.50</small></small></font></big><big><small><font
face="Terminus"><small>.1701: l2tp:[TLS](51/0)Ns=0,Nr=1 ZLB</small></font></small><tt><small><br>
<br>
Currently I think about playing with iproute/iptables to make packets
leave from ipsec0 (changing route for them)...<br>
</small></tt></big>
<blockquote cite="mid:4819C8A8.2010507@dds.nl" type="cite">
<blockquote type="cite">
<pre wrap="">PPTP (as an alternative to IPSec/L2TP) can be used in local network for
providing Internet access (like PPPoE). In this case the client connects
from the zone which is actually used on the server. So I wonder if
IPSec/L2TP can be used as VPN over Ethernet
</pre>
</blockquote>
<pre wrap=""><!---->I don't know what you mean exactly, but L2TP/IPsec can do the same
things as PPTP.
</pre>
</blockquote>
<small>Actually here I was wondering if it is possible to have the
following:<br>
<br>
VPN client (eg, 192.168.0.25, that is eth1) -> VPN server
(68.68.12.1, also eth1)<br>
In this case the client would get some special IP (eg, 10.44.68.25)
through L2TP/PPP and will be able to use Internet through this new
channel. Seems this is possible.<br>
<br>
Here are my updated configs:<br>
<br>
ipsec.conf:<br>
<br>
<font face="Terminus">version 2.0<br>
<br>
config setup<br>
nat_traversal=yes<br>
interfaces=ipsec0=eth1<br>
rp_filter=0<br>
syslog=local6.info<br>
dumpdir=/etc/ipsec.d<br>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.44.68.0/24,%v4:!192.168.0.0/20,%v4:!172.27.172.0/24<br>
strictcrlpolicy=yes<br>
<br>
conn nung-server<br>
type=tunnel<br>
left=68.68.12.1<br>
leftnexthop=68.68.44.42<br>
leftcert=ipsec-cert.pem<br>
right=%any<br>
rightsubnet=vhost:%no,%priv<br>
rightrsasigkey=%cert<br>
leftprotoport=17/1701<br>
rightprotoport=17/1701<br>
authby=rsasig<br>
keyingtries=3<br>
pfs=no<br>
auto=add<br>
rekey=no<br>
<br>
# Disable Opportunistic Encryption<br>
include /etc/ipsec.d/examples/no_oe.conf<br>
</font><br>
l2tpd.conf:<br>
<br>
<font face="Terminus">[global]<br>
listen-addr = 68.68.12.1<br>
port = 1701<br>
auth file = /etc/l2tpd/l2tp-secrets<br>
rand source = dev<br>
<br>
[lns default]<br>
exclusive = no<br>
ip range = 10.44.68.3-10.44.68.254<br>
local ip = 10.44.68.2<br>
require chap = yes<br>
refuse pap = yes<br>
require authentication = yes<br>
name = base.domain<br>
pppoptfile = /etc/ppp/options.l2tpd<br>
length bit = yes<br>
</font><br>
I guess there is no problem with Openswan/IPSec for now... Currently I
have a problem with L2TP...<br>
<br>
Thanks,<br>
Andriy<br>
</small>
</body>
</html>