[Openswan Users] can browse internet, cannot ping with l2tpd/pppd

David Bernick bernz at lextranet.com
Mon Aug 16 11:26:24 CEST 2004

Hello all,

Here is my network setup.

homemachine -> internet->firewall/SWAN->internal network (

The firewall/SWAN machine is linux 2.4.27 with pppd 2.4.2 and l2tpd 
0.69. So it's the latest stuff, as far as I can tell. eth0 is my 
internal interface, eth1 is my external interface. I have IPTABLES 
running for firewalling.

I can connect via a linux client and everything works well. I can browse 
the internal network, I can use the internet. All things work well.
When I use the built-in Windows2000 client, things get interesting.

I'm using the L2TP client that's built into windows. I can connect. I am 
verified via the chap-secrets file correctly. I can a DHCP address. 
Cool. Now, on that windows machine, I can use my webbrowser and bring up 
all sorts of webpages as if i'm on the internet. I am being routed, 
however, through the internet, to the OpenSwan box and back out to the 
internet via eth1. This is the desired behavior. So it works.

But when i try to use a address of any kind (although my VPN 
IP is, i can't seem to do anything.
Looking at the ppp0 tcpdump, I am definitely getting the request out, 
but no reply.

> tcpdump: listening on ppp0
> 09:10:41.089634 > icmp: echo request
> 09:10:42.247877 > icmp: echo request
> 09:10:43.747381 > icmp: echo request

when i ping, say, Yahoo, from the same machine, everything works:

> 09:22:27.704024 > icmp: echo request
> 09:22:27.731738 > icmp: echo reply
> 09:22:28.707991 > icmp: echo request
> 09:22:28.723848 > icmp: echo reply
> 09:22:29.771700 > icmp: echo request
> 09:22:29.787802 > icmp: echo reply
> 09:22:30.736141 > icmp: echo request
> 09:22:30.753490 > icmp: echo reply

So I imagine that it's probably a firewall issue more than anything, 
though my firewall doesn't seem to be showing me rejected packet logs. 
I'm pretty sure it's a FWDing issue, though I can't figure out where I'm 
missing IPTABLE rules. In fact, here is my IPTABLES section for the VPN:

>         # IKE negotiations
> /sbin/iptables -A INPUT  -p udp --sport 4500 --dport 4500 -j ACCEPT
> /sbin/iptables -A OUTPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
> /sbin/iptables -A OUTPUT -s $EXTERNAL_IP -p udp -m udp --sport 1701 -j 
> /sbin/iptables -A INPUT  -p udp --sport 1:65535 --dport 500 -j ACCEPT
> /sbin/iptables -A OUTPUT -p udp --sport 1:65535 --dport 500 -j ACCEPT
>         # ESP encrypton and authentication
> /sbin/iptables -A INPUT  -p 50 -j ACCEPT
> /sbin/iptables -A OUTPUT -p 50 -j ACCEPT
>         # uncomment for AH authentication header
> /sbin/iptables -A INPUT  -p 51 -j ACCEPT
> /sbin/iptables -A OUTPUT -p 51 -j ACCEPT
>         # IKE negotiations
> /sbin/iptables -t filter -A INPUT -i ipsec+ -j ACCEPT
> /sbin/iptables -t filter -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
> /sbin/iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
> /sbin/iptables -t filter -A INPUT -p udp --sport 4500 --dport 4500 -j 
> /sbin/iptables -A OUTPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
>         # ESP encrypton and authentication
> /sbin/iptables -t filter -A INPUT -p 50 -j ACCEPT
> /sbin/iptables -A OUTPUT -p 50 -j ACCEPT
> /sbin/iptables -t nat -A PREROUTING -i ipsec+ -j ACCEPT
> /sbin/iptables -t nat -A POSTROUTING -o ipsec+ -j ACCEPT
> /sbin/iptables -t nat --append PREROUTING -i ipsec+ -p udp --sport 
> 1701 --dport 1701 -j DNAT --to-destination $EXTERNAL_IP
> /sbin/iptables -t filter -A OUTPUT -o ipsec+ -j ACCEPT
> /sbin/iptables -t filter -A FORWARD -i ipsec+ -j ACCEPT
> /sbin/iptables -t nat -A PREROUTING -i ipsec+ -j ACCEPT

Any help would be very appreciated!


More information about the Users mailing list