[Openswan dev] Openswan 2.3.1/2.4.0rc1 instability with L2TP

Norbert Wegener nw at sbs.de
Sun Aug 21 18:02:47 CEST 2005


We have a similar configuration.
I can confirm this  behaviour for 2.4.0rc1 with KLIPS and the actual 
version of freeradius.
Former versions without KLIPS seem not to be affected.
As freeradius is also involved here, I post this message to  
freeradius-devel.
Norbert

Dirk Nehring wrote:

>Hi,
>
>we use Openswan with l2tpd (or rp-l2tp) and a RADIUS server (Freeradius
>or Microsoft IAS) as IPSec/L2TP-Server. There are no issues with
>password authentification. We have a patch for ppp which allows us to
>authentificate via EAP/TLS, so you can use a smartcard to establish a
>VPN. There is a EAP-TLS connection between client and RADIUS
>server. Unfortunately, with Freeradius, we have perhaps an MTU
>problem. After successful authentification, packets are sent by pppd to
>the client, but you do not see any packet there. If I change to
>Microsoft IAS (which generates packets with another size), I works
>without any problems. When I switch to strongswan, there is also no
>problem with Freeradius (same config). I assume Openswan is handling MTU
>in another way than Strongswan. Here is my config:
>
>ipsec.conf
>---------------------------------------------------------
>version 2.0
>
>config setup
>        # klipsdebug=none
>        plutodebug=control
>        plutostderrlog=/var/log/pluto.log
>        nat_traversal=yes
>        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
>
>conn %default
>        left=a.b.c.d
>
>include /etc/ipsec.d/examples/no_oe.conf
>
>conn L2TP
>        right=%any
>        rightsubnet=vhost:%no,%priv
>        rightprotoport=17/1701
>        leftprotoport=17/1701
>        pfs=no
>        keyingtries=3
>        authby=secret
>        dpddelay=30
>        dpdtimeout=60
>        dpdaction=clear
>        ike=3des-md5
>        esp=3des-md5,3des-sha1
>        auto=add
>---------------------------------------------------------
>
>l2tpd.conf
>---------------------------------------------------------
>[global]
>listen-addr = a.b.c.d
>
>[lns default]
>ip range = 10.x.y.2-10.x.y.126
>local ip = 10.x.y.1
>require chap = yes
>refuse pap = yes
>require authentication = yes
>name = l2tpd
>ppp debug = yes
>pppoptfile = /etc/ppp/options.l2tpd
>length bit = yes
>---------------------------------------------------------
>
>options.l2tpd
>---------------------------------------------------------
>name l2tpd
>plugin /usr/lib/pppd/2.4.3/radius.so
>plugin /usr/lib/pppd/2.4.3/radattr.so
>debug
>lock
>proxyarp
>ipcp-accept-local
>ipcp-accept-remote
>ms-dns 10.1.1.101
>ms-wins 10.1.1.101
>mtu 1376
>mru 1376
>require-eap
>lcp-echo-failure 3
>lcp-echo-interval 10
>---------------------------------------------------------
>
>Unfortunately, I have no clue how to give more hints to track down the
>problem.
>
>Dirk
>_______________________________________________
>Dev mailing list
>Dev at openswan.org
>http://lists.openswan.org/mailman/listinfo/dev
>  
>



More information about the Dev mailing list