[Openswan dev] Openswan 2.3.1/2.4.0rc1 instability with L2TP
Dirk Nehring
dnehring at marcant.net
Fri Aug 19 18:05:47 CEST 2005
Hi,
we use Openswan with l2tpd (or rp-l2tp) and a RADIUS server (Freeradius
or Microsoft IAS) as IPSec/L2TP server. There are no issues with
password authentication. We have a patch for ppp which allows us to
authenticate via EAP/TLS, so you can use a smartcard to establish a
VPN. There is an EAP-TLS connection between client and RADIUS
server. Unfortunately, with Freeradius, we have perhaps an MTU
problem. After successful authentication, packets are sent by pppd to
the client, but you do not see any packet there. If I change to
Microsoft IAS (which generates packets with another size), it works
without any problems. When I switch to strongswan, there is also no
problem with Freeradius (same config). I assume Openswan is handling MTU
in another way than Strongswan. Here is my config:
ipsec.conf
---------------------------------------------------------
version 2.0
config setup
        # klipsdebug=none
        plutodebug=control
        plutostderrlog=/var/log/pluto.log
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn %default
        left=a.b.c.d
include /etc/ipsec.d/examples/no_oe.conf
conn L2TP
        right=%any
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/1701
        leftprotoport=17/1701
        pfs=no
        keyingtries=3
        authby=secret
        dpddelay=30
        dpdtimeout=60
        dpdaction=clear
        ike=3des-md5
        esp=3des-md5,3des-sha1
        auto=add
---------------------------------------------------------
l2tpd.conf
---------------------------------------------------------
[global]
listen-addr = a.b.c.d
[lns default]
ip range = 10.x.y.2-10.x.y.126
local ip = 10.x.y.1
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpd
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
---------------------------------------------------------
options.l2tpd
---------------------------------------------------------
name l2tpd
plugin /usr/lib/pppd/2.4.3/radius.so
plugin /usr/lib/pppd/2.4.3/radattr.so
debug
lock
proxyarp
ipcp-accept-local
ipcp-accept-remote
ms-dns 10.1.1.101
ms-wins 10.1.1.101
mtu 1376
mru 1376
require-eap
lcp-echo-failure 3
lcp-echo-interval 10
---------------------------------------------------------
Unfortunately, I have no clue how to give more hints to track down the
problem.
Dirk
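A worked encapsulation budget for the PPP-over-L2TP-over-ESP path described in the post, added here as an example; it is not part of Dirk's message and not Openswan, l2tpd or pppd code. It computes the on-the-wire size of a PPP frame after L2TP, UDP 1701, transport-mode ESP and NAT-T UDP encapsulation, so that a pppd mtu/mru value such as the posted 1376 can be checked against an assumed path MTU, and it reports the largest PPP information field that still fits. Header sizes are taken from the relevant RFCs; the assumed profile (3DES-CBC with an 8-byte block and 8-byte IV, HMAC-MD5-96 or HMAC-SHA1-96 with a 12-byte ICV, NAT-T active, L2TP length field present as in the posted "length bit = yes", PPP address/control field compression negotiated, path MTU 1500) is a set of assumptions, not values taken from the post. The names EspParams, esp_overhead, l2tp_overhead, outer_packet_size, max_ppp_payload and check_ppp_mtu are this example's own.

```python
"""Encapsulation budget for PPP over L2TP over UDP-encapsulated ESP (transport mode).

Constructed example. Header sizes follow RFC 3948 (NAT-T), RFC 2451 (3DES-CBC
ESP), RFC 2403/2404 (HMAC-96), RFC 2661 (L2TP) and RFC 1661 (PPP); the chosen
profile is an assumption about the setup, not data from the post.
"""
from dataclasses import dataclass

IPV4_HDR = 20           # outer IPv4 header without options
UDP_HDR = 8             # used twice: NAT-T port 4500 and L2TP port 1701
ESP_SPI_SEQ = 8         # ESP header: SPI + sequence number
ESP_TRAILER = 2         # pad length + next header
L2TP_DATA_HDR = 6       # flags/version, tunnel id, session id
L2TP_LENGTH_FIELD = 2   # present when "length bit = yes"
PPP_PROTOCOL = 2        # PPP protocol field (not counted in the PPP MRU)
PPP_ADDR_CTRL = 2       # PPP address/control, absent when ACFC is negotiated


@dataclass(frozen=True)
class EspParams:
    block: int   # cipher block size (8 for 3DES-CBC)
    iv: int      # explicit IV length (8 for 3DES-CBC)
    icv: int     # truncated MAC length (12 for HMAC-MD5-96 / HMAC-SHA1-96)
    nat_t: bool  # UDP 4500 encapsulation in use


# Assumed profile matching esp=3des-md5,3des-sha1 behind NAT traversal.
ESP_3DES_HMAC96_NATT = EspParams(block=8, iv=8, icv=12, nat_t=True)


def l2tp_overhead(length_bit: bool = True, acfc: bool = True) -> int:
    """Bytes added between the ESP plaintext and the PPP information field."""
    return (UDP_HDR + L2TP_DATA_HDR + (L2TP_LENGTH_FIELD if length_bit else 0)
            + (0 if acfc else PPP_ADDR_CTRL) + PPP_PROTOCOL)


def esp_overhead(plaintext_len: int, p: EspParams) -> int:
    """Bytes added by transport-mode ESP around a plaintext of the given length."""
    pad = (-(plaintext_len + ESP_TRAILER)) % p.block   # CBC block alignment
    return (IPV4_HDR + (UDP_HDR if p.nat_t else 0)
            + ESP_SPI_SEQ + p.iv + pad + ESP_TRAILER + p.icv)


def outer_packet_size(ppp_payload: int, p: EspParams,
                      length_bit: bool = True, acfc: bool = True) -> int:
    """On-the-wire IPv4 size carrying a PPP information field of ppp_payload bytes."""
    inner = ppp_payload + l2tp_overhead(length_bit, acfc)
    return inner + esp_overhead(inner, p)


def max_ppp_payload(path_mtu: int, p: EspParams,
                    length_bit: bool = True, acfc: bool = True) -> int:
    """Largest PPP information field whose outer packet stays within path_mtu."""
    best = 0
    for n in range(path_mtu):
        if outer_packet_size(n, p, length_bit, acfc) <= path_mtu:
            best = n
    return best


def check_ppp_mtu(ppp_mtu: int, path_mtu: int, p: EspParams, **kw) -> dict:
    """Report whether a pppd mtu/mru value fits and how much headroom remains."""
    outer = outer_packet_size(ppp_mtu, p, **kw)
    return {"outer_size": outer, "fits": outer <= path_mtu,
            "headroom": path_mtu - outer,
            "max_ppp_payload": max_ppp_payload(path_mtu, p, **kw)}


if __name__ == "__main__":
    # The posted options.l2tpd uses mtu/mru 1376; 1500 is the assumed path MTU.
    for label, params in (("3des-hmac96 + NAT-T", ESP_3DES_HMAC96_NATT),
                          ("3des-hmac96, no NAT-T",
                           EspParams(block=8, iv=8, icv=12, nat_t=False))):
        print(label, check_ppp_mtu(1376, 1500, params))
```

Under these assumptions a 1376-byte PPP information field becomes a 1456-byte outer packet, so the posted mtu/mru is not itself too large for a 1500-byte path; comparing the outer size of the frames that reach the client against the ones that do not, with the NAT-T and cipher parameters adjusted to what the two peers actually negotiated, narrows down whether the missing packets are the ones crossing a smaller budget than this one.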