<div dir="ltr">Hi,<div><br></div><div>This issue may be more about xl2tpd than openswan, but I hope this is a good place to ask.</div><div><br></div><div>I don't know if I hit a bug or if it is just a configuration file error. When I try to connect a Linux road warrior (openswan + xl2tpd + pppd) to a Linux VPN server (openswan + xl2tpd + pppd), xl2tpd on the server freezes and takes a large amount of CPU time during some kernel work.</div>
<div><br></div><div>And it generates endless tcpdump output like this (while the client tries to ping the server, which later becomes unsuccessful):</div><div><br></div><div><div>00:48:18.791170 IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 
10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1 > <a href="http://10.223.195.113">10.223.195.113</a>: ip-proto-17}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}</div>
<div>00:48:18.791186 IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP truncated-ip - 16 bytes missing! 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 
10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1 > <a href="http://10.223.195.113">10.223.195.113</a>: ip-proto-17}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}</div>
</div><div><br></div><div>I don't understand what happened. Openswan in fact works well, and the IPsec tunnel is already established. This happened when the client tried to connect (by using echo "c server" > l2tp_control) and then tried to ping the VPN server (using the VPN gateway IP, 10.1.2.1, shown above); then xl2tpd seems to go crazy...<br>
</div><div><br></div><div>And with the same configuration file, if the Linux client is behind NAT, it works well.</div><div><br></div><div>And if I use a Windows machine to connect to the server directly (not behind NAT), it works well too.</div>
<div><br></div><div>I am really confused. Can someone shed a little light?</div><div><br></div><div>Ipsec client version: Linux Openswan U2.6.32/K2.6.18-194.el5 (netkey)</div><div>Ipsec server version: Linux Openswan U2.6.37/K3.2.0-4-686-pae (netkey)</div>
<div>xl2tpd client version: 1.3.1(some rpm for CentOS).<br></div><div>xl2tpd server version: 1.3.1(Debian stable)<br></div><div>pppd client version: pppd version 2.4.4<br></div><div>pppd server version: pppd version 2.4.5</div>
<div><br></div><div>Here are the configurations:</div><div><br></div><div>ipsec.conf on client:</div><div><br></div><div><div># Authentication is through a Preshared Key.</div><div><br></div><div>conn L2TP-PSK-CLIENT</div>
<div> #</div><div> # ----------------------------------------------------------</div><div> # Use a Preshared Key. Disable Perfect Forward Secrecy.</div><div> # Initiate rekeying.</div><div> # Connection type _must_ be Transport Mode.</div>
<div> #</div><div> authby=secret</div><div> pfs=no</div><div> rekey=yes</div><div> keyingtries=3</div><div> type=transport</div><div> #</div><div> # ----------------------------------------------------------</div>
<div> # The local Linux machine that connects as a client.</div><div> #</div><div> # The external network interface is used to connect to the server.</div><div> # If you want to use a different interface or if there is no</div>
<div> # defaultroute, you can use: left=your.ip.addr.ess</div><div> left=%defaultroute</div><div> #left=10.223.195.1</div><div> #</div><div> leftprotoport=17/1701</div><div> #leftprotoport=17/%any</div>
<div> #</div><div> # ----------------------------------------------------------</div><div> # The remote server.</div><div> #</div><div> # Connect to the server at this IP address.</div><div>
right=10.223.161.22</div><div> #</div><div> rightprotoport=17/1701</div><div> # ----------------------------------------------------------</div><div> #</div><div> # Change 'ignore' to 'add' to enable this configuration.</div>
<div> #</div><div> auto=add</div></div><div><br></div><div><br></div><div>Ipsec.conf on server:</div><div><div><br></div><div>conn L2TP-PSK</div><div> authby=secret</div><div> pfs=no</div><div>
rekey=no</div><div> keyingtries=3</div><div> #</div><div> # ----------------------------------------------------------</div><div> # The VPN server.</div><div> #</div><div> # Allow incoming connections on the external network interface.</div>
<div> # If you want to use a different interface or if there is no</div><div> # defaultroute, you can use: left=10.223.161.22</div><div> #</div><div> left=10.223.161.22</div><div> #</div>
<div> leftprotoport=17/1701</div><div> # If you insist on supporting non-updated Windows clients,</div><div> # you can use: leftprotoport=17/%any</div><div> #</div><div> # ----------------------------------------------------------</div>
<div> # The remote user(s).</div><div> #</div><div> # Allow incoming connections only from this IP address.</div><div> right=%any</div><div> # If you want to allow multiple connections from any IP address,</div>
<div> # you can use: right=%any</div><div> #</div><div> rightprotoport=17/%any</div><div> #</div><div> # ----------------------------------------------------------</div><div> # Change 'ignore' to 'add' to enable this configuration.</div>
<div> #</div><div> auto=add</div></div><div><br></div><div><br></div><div>xl2tpd config on client:</div><div><div>[lac L2TPserver]</div><div>lns = 10.223.161.22</div><div>require chap = yes</div><div>refuse pap = yes</div>
<div>require authentication = yes</div><div>name = test</div><div>ppp debug = yes</div><div>pppoptfile = /etc/ppp/options.xl2tpd.client</div><div>length bit = yes</div></div><div><br></div><div>pppd on client:</div><div><div>
ipcp-accept-local</div><div>ipcp-accept-remote</div><div>refuse-eap</div><div>noccp</div><div>noauth</div><div>crtscts</div><div>idle 1800</div><div>mtu 1410</div><div>mru 1410</div><div>nodefaultroute</div><div>debug</div>
<div>lock</div><div>#proxyarp</div><div>connect-delay 5000</div></div><div><br></div><div>Xl2tpd on server:</div><div><br></div><div><div>[lns default]</div><div>ip range = 10.1.2.2-10.1.2.8</div><div>local ip = 10.1.2.1</div>
<div>require chap = yes</div><div>refuse pap = yes</div><div>pppoptfile = /etc/ppp/options.xl2tpd</div></div><div><br></div><div>pppd on server:</div><div><div>proxyarp</div><div>ipcp-accept-local</div><div>ipcp-accept-remote</div>
<div>noccp</div><div>idle 1800</div><div>auth</div><div>crtscts</div><div>mtu 1410</div><div>mru 1410</div><div>nodefaultroute</div><div>debug</div><div>lock</div><div>connect-delay 5000</div><div>ms-dns 10.1.2.1</div></div>
<div><br></div><div>Thanks!</div><div><br></div><div>--Sheng</div></div>
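The capture quoted above is tcpdump decoding an L2TP data packet whose payload is another L2TP data packet of the same tunnel and session id (64610/20812), stacked dozens of levels deep, which is what a capture looks like when a tunnel's own encapsulated traffic is fed back into the tunnel. The following Python script is an added example, not part of the original mail and not code from openswan or xl2tpd; all names in it are assumptions, and the three sample lines are constructed, shortened to a few nesting levels from the shape of the capture above. It parses such tcpdump summary lines, counts how many L2TP data headers are stacked in each frame, and flags frames in which one tunnel/session is carried inside itself, so a capture like the one in the mail can be triaged mechanically instead of by eye.

```python
import re
from dataclasses import dataclass, field

# tcpdump's one-line summary starts "<timestamp> IP <src> > <dst>: ..."
_OUTER = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+):")
# every L2TP data header tcpdump decodes prints as "l2tp:[flags](tunnel_id/session_id)"
_L2TP = re.compile(r"l2tp:\[[^\]]*\]\((?P<tid>\d+)/(?P<sid>\d+)\)")

# Constructed sample (assumption): three lines shaped like the capture in the mail,
# cut to a few nesting levels; the real lines nest dozens of levels deep.
SAMPLE_CAPTURE = """\
00:48:18.791170 IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1 > 10.223.195.113: ip-proto-17}}}
00:48:18.791186 IP 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP truncated-ip - 16 bytes missing! 10.1.2.1.1701 > 10.223.195.113.1701: l2tp:[](64610/20812) {IP 10.1.2.1 > 10.223.195.113: ip-proto-17}}
00:48:19.104410 IP 10.1.2.2 > 10.1.2.1: ICMP echo request, id 4242, seq 1, length 64
"""


@dataclass
class L2tpFrame:
    ts: str
    src: str
    dst: str
    layers: list = field(default_factory=list)  # (tunnel_id, session_id) per header, outermost first
    truncated: bool = False                      # tcpdump reported a truncated inner IP header

    @property
    def depth(self) -> int:
        """Number of L2TP data headers stacked in this frame (1 is normal, 0 means not L2TP)."""
        return len(self.layers)

    @property
    def self_encapsulated(self) -> bool:
        """True when one tunnel/session is carried inside itself: a tunnel routing loop."""
        return self.depth > 1 and len(set(self.layers)) == 1


def parse_line(line: str):
    """Parse one tcpdump summary line; returns None for lines that are not IP summaries."""
    m = _OUTER.match(line)
    if not m:
        return None
    layers = [(int(t), int(s)) for t, s in _L2TP.findall(line)]
    return L2tpFrame(ts=m["ts"], src=m["src"], dst=m["dst"],
                     layers=layers, truncated="truncated-ip" in line)


def find_nested(capture: str, max_depth: int = 1):
    """Return frames carrying more L2TP headers than a sane tunnel should (default: more than one)."""
    frames = (parse_line(l) for l in capture.splitlines())
    return [f for f in frames if f is not None and f.depth > max_depth]


if __name__ == "__main__":
    for f in find_nested(SAMPLE_CAPTURE):
        print(f"{f.ts} {f.src} > {f.dst}: depth={f.depth} "
              f"loop={f.self_encapsulated} truncated={f.truncated}")
```

Run it against a real capture with `tcpdump -n -i <iface> udp port 1701 | python3 script.py` adapted to read stdin; the `truncated` flag mirrors tcpdump's own "truncated-ip" note, which appears once the stacked headers have pushed the packet past the MTU and the innermost IP header no longer fits, so it is a second, independent indicator of the same loop.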