Now I am testing ipsec/l2tp with the server itself behind NAT. here's the new network topology:<br><br>clientA(192.168.9.106)----->clientGWA(A.111.111.111)-------->Server GW(S.111.111.111)------>l2tp/ipsec GW(192.168.11.19)<br>
<br>the l2tp/ipsec GW only have one internal interface eth1:192.168.11.19(eth0 is disabled)<br><br>and here's my ipsec.conf<br>==============================================<br>config setup<br> dumpdir=/var/run/pluto/<br>
nat_traversal=yes<br> virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!192.168.6.0/24">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!192.168.6.0/24</a><br>
oe=off<br> protostack=mast<br>conn l2tp-ipsec<br> left=192.168.11.19<br> leftprotoport=17/1701<br> right=%any<br> rightprotoport=17/%any<br> rightsubnet=vhost:%no,%priv<br>
pfs=no<br> rekey=no<br> sareftrack=yes<br> overlapip=yes<br> dpddelay=30<br> dpdtimeout=120<br> dpdaction=clear<br> type=transport<br> authby=secret<br> auto=add<br>
===============================================<br><br>/etc/ipsec.secrets<br>============================================<br>192.168.11.19 %any : PSK "test"<br>============================================<br><br>
<br>shorewall rule for NAT<br>================================================================<br>DNAT net loc:192.168.11.19 udp ipsec-nat-t - S.111.111.111<br>DNAT net loc:192.168.11.19 udp isakmp - S.111.111.111<br>
=================================================================<br><br>with this setup, clientA can connect, I can see that ipsec tunnel is up<br>========================================================<br>Jul 28 15:16:48 tvpn pluto[3311]: packet from A.111.111.111:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]<br>
Jul 28 15:16:48 tvpn pluto[3311]: packet from A.111.111.111:500: received Vendor ID payload [RFC 3947] method set to=109<br>Jul 28 15:16:48 tvpn pluto[3311]: packet from A.111.111.111:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109<br>
Jul 28 15:16:48 tvpn pluto[3311]: packet from A.111.111.111:500: ignoring Vendor ID payload [FRAGMENTATION]<br>Jul 28 15:16:48 tvpn pluto[3311]: packet from A.111.111.111:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]<br>
Jul 28 15:16:48 tvpn pluto[3311]: packet from A.111.111.111:500: ignoring Vendor ID payload [Vid-Initial-Contact]<br>Jul 28 15:16:48 tvpn pluto[3311]: packet from A.111.111.111:500: ignoring Vendor ID payload [IKE CGA version 1]<br>
Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[1] A.111.111.111 #1: responding to Main Mode from unknown peer A.111.111.111<br>Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[1] A.111.111.111 #1: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION<br>
Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[1] A.111.111.111 #1: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION<br>Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[1] A.111.111.111 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>
Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[1] A.111.111.111 #1: STATE_MAIN_R1: sent MR1, expecting MI2<br>Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[1] A.111.111.111 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed<br>
Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[1] A.111.111.111 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[1] A.111.111.111 #1: STATE_MAIN_R2: sent MR2, expecting MI3<br>
Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[1] A.111.111.111 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.9.106'<br>Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[1] A.111.111.111 #1: switched from "l2tp-ipsec" to "l2tp-ipsec"<br>
Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[2] A.111.111.111 #1: deleting connection "l2tp-ipsec" instance with peer A.111.111.111 {isakmp=#0/ipsec=#0}<br>Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[2] A.111.111.111 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>
Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[2] A.111.111.111 #1: new NAT mapping for #1, was A.111.111.111:500, now A.111.111.111:4500<br>Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[2] A.111.111.111 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_<br>
sha group=modp2048}<br>Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[2] A.111.111.111 #1: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it<br>Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[2] A.111.111.111 #1: the peer proposed: S.111.111.111/32:17/1701 -> <a href="http://192.168.9.106/32:17/0">192.168.9.106/32:17/0</a><br>
Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[2] A.111.111.111 #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others<br>Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[2] A.111.111.111 #2: responding to Quick Mode proposal {msgid:01000000}<br>
Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[2] A.111.111.111 #2: us: 192.168.11.19<192.168.11.19>[+S=C]:17/1701<br>Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[2] A.111.111.111 #2: them: A.111.111.111[192.168.9.106,+S=C]:17/1701===<a href="http://192.168.9.106/32">192.168.9.106/32</a><br>
Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[2] A.111.111.111 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[2] A.111.111.111 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>
Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[2] A.111.111.111 #2: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it<br>Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[2] A.111.111.111 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>
Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[2] A.111.111.111 #2: <b>STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x718743b1 <0x43d05450 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.9.106 NATD=A.111.111.111:4500 DPD=none}</b><br>
Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[2] A.111.111.111 #1: the peer proposed: S.111.111.111/32:17/1701 -> <a href="http://192.168.9.106/32:17/1701">192.168.9.106/32:17/1701</a><br>Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[2] A.111.111.111 #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others<br>
Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[2] A.111.111.111 #3: responding to Quick Mode proposal {msgid:02000000}<br>Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[2] A.111.111.111 #3: us: 192.168.11.19<192.168.11.19>[+S=C]:17/1701<br>
Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[2] A.111.111.111 #3: them: A.111.111.111[192.168.9.106,+S=C]:17/1701===<a href="http://192.168.9.106/32">192.168.9.106/32</a><br>Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[2] A.111.111.111 #3: keeping refhim=1 during rekey<br>
Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[2] A.111.111.111 #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>Jul 28 15:16:48 tvpn pluto[3311]: "l2tp-ipsec"[2] A.111.111.111 #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>
Jul 28 15:16:49 tvpn pluto[3311]: "l2tp-ipsec"[2] A.111.111.111 #3: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it<br>==================================================================<br>
<br><br> but, there's nothing happen to xl2tpd. the log just stops at this line:<br>======================================================<br>Jul 28 14:38:13 tvpn xl2tpd[1660]: Listening on IP address 0.0.0.0, port 1701<br>
======================================================<br>seems client never contact the xl2tpd.<br><br><br>rp_filter, ip_forward are all setup correctly, I just don't know why.<br><br>also, tcpdump on mast0 shows no traffic.<br>
<br><br><br><br><br><br><div class="gmail_quote">2011/7/23 Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Sat, 23 Jul 2011, Curu Wong wrote:<br>
<br></div>
Thanks for the feedback Curu!<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I used to setup l2tp-ipsec tunnels using x509, and I thought that with PSK, only one connection can up at the same time, so I used two connection xl2tp-gw1 and xl2tp-gw2 for<br>
test. In fact, I was wondering, if we can not use PSK with multiple client at the same time, how can microsoft's vpn server accomplish that?<br>
</blockquote>
<br></div>
By having right=%any you can, except that all roadwarriors have to use the same PSK. You can work<br>
around some of that with aggressive mode, but not when you want to use l2tp.<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
But I have a suggestion, can we add the check of rp_filter to "ipsec verify" when running with klips/mast stack? Because that may help some newbies who can't/doesn't find a<br>
proper doc/guide for their initial config.<br>
</blockquote>
<br></div>
Yes, I'll add it. We used to just change it and therefor not bug the user, but I<br>
think we might only do that for ipsecX and not mastX.<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
the l2tp/ipsec gateway's internal IP 192.168.6.18 is not involved here!<br>
Then I change /etc/xl2tpd/xl2tpd.conf on centos, set<br>
listen-addr = S.S.S.S<br>
restart xl2tpd, then everything works fine, just like the ubuntu one.<br>
</blockquote>
<br></div>
Yeah, that's a bug in xl2tpd. It is not properly using the HAVE_UDPFROMTO code like openswan does, so it is not<br>
using the source ip it received the packet on for reply packets when bound to ANY.<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
One more thing, no matter with ubuntu or CentOS, there's always this error message whenever ipsec service restarted<br>
I don't know if it matters:<br>
==============================<u></u>======================<br>
Jul 23 11:27:34 tvpn pluto[13271]: ERROR: PF_KEY K_SADB_X_PLUMBIF response for configure_mast_device included errno 17: File exists<br>
</blockquote>
<br></div>
We should probably suppress that error. It just means there is a mast0 interface already.<br><font color="#888888">
<br>
Paul<br>
</font></blockquote></div><br>