[Openswan dev] Fwd: [Openswan Users] SAref working fine but device with public ip no
Vincent Tamet
vincent.tamet at ilimit.net
Mon Apr 23 11:12:54 EDT 2012
Hi,
Maybe this question must be in this userlist ?
Best regards
----- Mail transféré -----
De: "Vincent Tamet" <vincent.tamet at ilimit.net>
À: users at openswan.org
Cc: "Daniel Castro" <daniel.castro at ilimit.net>
Envoyé: Mercredi 18 Avril 2012 17:39:40
Objet: [Openswan Users] SAref working fine but device with public ip no
Hi,
We have prove the installation with:
netkey (without SAref): equips with public ip connect and works perfectly.
2 equips with the same ip, connect but only one have the ping working, and then one disconnect.
klips (without SAref): equips with public ip connect and works perfectly.
2 equips with the same ip, connect but only one have the ping working, and then one disconnect.
klips (with SAref): equips with public ip establish with ipsec but we haven't any log from the xl2tpd.
2 equips with the same ip, connect and works perfectly.
For the SAref we use an ubuntu with the both patch from the openswan source, and make it using the openswan documentation:
https://www.openswan.org/projects/openswan/wiki/Building_and_Installing_an_SAref_capable_KLIPS_version_for_DebianUbuntu#Optain-SAref-patches-from-Xelerance
Kernel: 2.6.32-33-pae-saref
Openswan 2.6.38
xl2tpd-1.3.1 from testing ubuntu
Do you have an idea where the problem come from ?
Any idea to diagnose this more deeper ?
Best regards.
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan 2.6.38 (klips)
Checking for IPsec support in kernel [OK]
KLIPS: checking for NAT Traversal support [OK]
KLIPS: checking for OCF crypto offload support [N/A]
Kernel: IPsec SAref kernel support [OK]
Kernel: IPsec SAref Bind kernel support [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
* /etc/ipsec.conf
version 2.0
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16,%v4:!172.16.3.0/24
#protostack=netkey
protostack=auto
interfaces="%defaultroute"
oe=off
conn L2TP-PSK-NAT
rightsubnet=vhost:%no,%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=IPETH0
leftnexthop=IPGW
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
compress=no
overlapip=yes # for SAref + MAST
sareftrack=yes
* /etc/xl2tpd/xl2tpd.conf
[global] ; Global parameters:
listen-addr = IPETH0
ipsec saref = yes
port = 1701
[lns default] ; Our fallthrough LNS definition
ip range = 172.16.3.2 - 172.16.3.254
local ip = 172.16.3.1
assign ip = yes
require authentication = yes
refuse pap = yes ; * Refuse PAP authentication
refuse chap = yes
ppp debug = yes ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.l2tpd ; * ppp options file
length bit = yes
* /etc/ppp/options.l2tpd
require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
hide-password
debug
name l2tpd
noccp
nocrtscts
nodefaultroute
idle 3600
connect-delay 5000
asyncmap 0
passive
lcp-echo-interval 5
lcp-echo-failure 10
lcp-max-terminate 2
lcp-max-failure 5
lcp-max-configure 10
mtu 1400
mru 1400
Vincent Tamet
_______________________________________________
More information about the Dev
mailing list