Have you tried enabling IP forwarding on the VPN server?<br><br><div class="gmail_quote">On 30 March 2011 11:34, Vincent Tamet <span dir="ltr"><<a href="mailto:vincent.tamet@ilimit.net">vincent.tamet@ilimit.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Hi,<br>
Looks like an MTU problem.<br>
Could you probe with ping using a bigger packet size to confirm this?<br>
<br>
Next step, you need to check that your firewall accepts the ICMP unreachable packets; that way PMTU discovery will work and solve the problem.<br>
About the solution to use, I think that is the best way; another solution could be to change the MSS size...<br>
<br>
Best regards.<br>
<br>
<br>
----- Original Message -----<br>
From: "Taekwondo AQR" <<a href="mailto:taekwondoaqr@gmail.com">taekwondoaqr@gmail.com</a>><br>
To: <a href="mailto:users@openswan.org">users@openswan.org</a><br>
Sent: Wednesday, 30 March 2011 11:57:30<br>
Subject: [Openswan Users] Openswan - xl2tpd : can resolve , ping sites but can't browse them !<br>
<div><div></div><div class="h5"><br>
<br>
<br>
Hello,<br>
<br>
I have installed xl2tpd v1.2.7 (from the EPEL repo) and compiled Openswan 2.6.33 on CentOS 5.5 i686 with a 2.6.18 kernel (dedicated server in a datacenter).<br>
<br>
Then I configured xl2tpd and Openswan. Now I can connect from Windows XP / 7 to my server and I can also resolve and ping sites, but I cannot browse them!<br>
<br>
I think it is not related to DNS entries, as I can ping a hostname and it resolves to the IP and pings too. nslookup also works correctly.<br>
But when I try to browse any site using Firefox it stays in the "Waiting for ..." status.<br>
<br>
Here is my ipsec.conf :<br>
---------------------------------------<br>
version 2.0<br>
config setup<br>
nat_traversal=yes<br>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12<br>
oe=off<br>
protostack=netkey<br>
<br>
conn L2TP-PSK-NAT<br>
rightsubnet=vhost:%priv<br>
also=L2TP-PSK-noNAT<br>
<br>
conn L2TP-PSK-noNAT<br>
authby=secret<br>
pfs=no<br>
auto=add<br>
keyingtries=3<br>
rekey=no<br>
ikelifetime=8h<br>
keylife=1h<br>
type=transport<br>
left=My.Server.IP.Address<br>
leftprotoport=17/1701<br>
right=%any<br>
rightprotoport=17/%any<br>
<br>
---------------------------------------<br>
<br>
<br>
<br>
And here the xl2tpd.conf :<br>
---------------------------------------<br>
[global]<br>
ipsec saref = yes<br>
<br>
[lns default]<br>
ip range = 10.1.2.2-10.1.2.255<br>
local ip = 10.1.2.1<br>
refuse chap = yes<br>
refuse pap = yes<br>
require authentication = yes<br>
ppp debug = yes<br>
pppoptfile = /etc/ppp/options.xl2tpd<br>
length bit = yes<br>
---------------------------------------<br>
<br>
<br>
<br>
And also here the options.xl2tpd :<br>
---------------------------------------<br>
require-mschap-v2<br>
ms-dns 8.8.8.8<br>
ms-dns 8.8.4.4<br>
asyncmap 0<br>
auth<br>
crtscts<br>
lock<br>
hide-password<br>
modem<br>
debug<br>
name l2tpd<br>
proxyarp<br>
lcp-echo-interval 30<br>
lcp-echo-failure 4<br>
---------------------------------------<br>
<br>
<br>
<br>
last lines of /var/log/secure :<br>
---------------------------------------<br>
Mar 30 05:31:51 ea pluto[593]: "L2TP-PSK-NAT"[2] 84.241.x.y #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>
Mar 30 05:31:51 ea pluto[593]: "L2TP-PSK-NAT"[2] 84.241.x.y #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x060e648e <0xd0d110d3 xfrm=3DES_0-HMAC_MD$<br>
---------------------------------------<br>
<br>
<br>
'ipsec verify' result :<br>
---------------------------------------<br>
Version check and ipsec on-path [OK]<br>
Linux Openswan U2.6.33/K2.6.18-194.32.1.el5 (netkey)<br>
Checking for IPsec support in kernel [OK]<br>
SAref kernel support [N/A]<br>
NETKEY: Testing XFRM related proc values [OK]<br>
[OK]<br>
[OK]<br>
Checking that pluto is running [OK]<br>
Pluto listening for IKE on udp 500 [OK]<br>
Pluto listening for NAT-T on udp 4500 [OK]<br>
Two or more interfaces found, checking IP forwarding [OK]<br>
Checking NAT and MASQUERADEing<br>
Checking for 'ip' command [OK]<br>
Checking /bin/sh is not /bin/dash [OK]<br>
Checking for 'iptables' command [OK]<br>
Opportunistic Encryption Support [DISABLED]<br>
---------------------------------------<br>
<br>
<br>
<br>
<br>
It is also an interesting point that when I comment out "oe=off", I cannot connect using the Windows XP client.<br>
I tested this on 2 dedicated servers and also 2 different clients.<br>
<br>
Thank you.<br>
<br>
</div></div>_______________________________________________<br>
<a href="mailto:Users@openswan.org">Users@openswan.org</a><br>
<a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
</blockquote></div><br><br>-- <br>Lance Garcia<br><br>
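The MTU/MSS diagnosis in the quoted reply can be turned into numbers. The script below is an added example, not code from the thread or from Openswan/xl2tpd: it works out the largest ESP plaintext that still fits a 1500-byte outer packet for the SA the log shows (ESP transport mode, 3DES-CBC, HMAC-MD5-96, NAT-T on UDP 4500), derives the PPP MTU and TCP MSS that follow from it, and prints the iptables TCPMSS clamp and the ICMP fragmentation-needed accept rule. The per-header byte counts are my assumptions (8-byte L2TP header because `length bit = yes`, 4-byte PPP framing with no ACFC/PFC, no IP or TCP options); the function names are mine as well.

```shell
#!/bin/sh
# Added example: derive the TCP MSS that fits inside L2TP over IPsec (NAT-T)
# without the outer ESP packet exceeding the path MTU, then emit the firewall
# rules a practitioner would add. Byte counts are assumptions for the SA shown
# in the thread's pluto log (ESP transport, 3DES-CBC, HMAC-MD5-96, NAT-T).

IP_HDR=20      # outer IPv4 header, no options
NATT_UDP=8     # UDP 4500 encapsulation added by NAT-T (conn L2TP-PSK-NAT)
ESP_HDR=8      # SPI + sequence number
ESP_IV=8       # 3DES-CBC IV
ESP_BLOCK=8    # 3DES-CBC block size: plaintext + 2 trailer bytes fills whole blocks
ESP_TRAILER=2  # pad length + next header
ESP_ICV=12     # HMAC-MD5-96 truncated ICV
L2TP_UDP=8     # inner UDP 1701 header (transport mode protects it too)
L2TP_HDR=8     # L2TPv2 data header with the L bit set ("length bit = yes")
PPP_HDR=4      # PPP address/control/protocol, assuming no ACFC/PFC
TCPIP_HDR=40   # inner IPv4 + TCP headers, no options

# Largest ESP plaintext (bytes) that keeps the whole outer packet <= $1.
esp_max_plaintext() {
    outer_mtu=$1
    fixed=$((IP_HDR + NATT_UDP + ESP_HDR + ESP_IV + ESP_TRAILER + ESP_ICV))
    p=$((outer_mtu - fixed))
    # Round down so plaintext + trailer is a multiple of the cipher block size;
    # anything larger would force padding that overflows the MTU.
    echo $((p - (p + ESP_TRAILER) % ESP_BLOCK))
}

# MTU the PPP link (the client's VPN adapter) can carry for a given outer MTU.
ppp_mtu() {
    echo $(( $(esp_max_plaintext "$1") - L2TP_UDP - L2TP_HDR - PPP_HDR ))
}

# TCP MSS that fits: PPP MTU minus inner IP and TCP headers.
tcp_mss() {
    echo $(( $(ppp_mtu "$1") - TCPIP_HDR ))
}

# MSS clamp on SYNs crossing the ppp interfaces, both directions.
mss_clamp_rules() {
    mss=$(tcp_mss "$1")
    echo "iptables -t mangle -A FORWARD -i ppp+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
    echo "iptables -t mangle -A FORWARD -o ppp+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
}

# Without this, hosts that set DF never learn the smaller MTU and large
# responses simply never arrive (the "Waiting for ..." symptom).
icmp_pmtu_rule() {
    echo "iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT"
}

mss_clamp_rules 1500
icmp_pmtu_rule
```

With a 1500-byte uplink this yields an ESP plaintext of 1438 bytes, a PPP MTU of 1418 and an MSS of 1378; on a 1492-byte PPPoE uplink the MSS drops to 1370. To confirm the diagnosis before clamping, ping a client from the server with DF set and a payload just over the computed PPP MTU minus 28 (for example `ping -M do -s 1400 <client-ppp-ip>`): "Frag needed" or silence means the path is smaller than the client believes.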