[Openswan Users] can browse internet, cannot ping with l2tpd/pppd

David Bernick bernz at lextranet.com
Mon Aug 16 13:30:05 CEST 2004


> With plain IPsec, I presume?

yes.

>> /sbin/iptables -A OUTPUT -s $EXTERNAL_IP -p udp -m udp --sport 1701 
>> -j ACCEPT
>
>
> Shouldn't this be DROP?

Probably. I just wanted to make sure, for testing reasons, that things 
were open and that this wasn't the problem.

> Could you post your ipsec.conf and your l2tpd.conf? 

ipsec.conf:
version 2.0
 
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:10.51.0.0/24
 
conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
 
conn roadwarrior-net
        leftsubnet=10.51.0.0/24
        also=roadwarrior
 
conn roadwarrior-l2tp
        pfs=no
        leftprotoport=17/0
        rightprotoport=17/1701
        also=roadwarrior
 
conn roadwarrior-l2tp-updatedwin
        pfs=no
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior
 
conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior
 
conn roadwarrior
        left=%defaultroute
        leftcert=mycert.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
 
 
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

l2tpd.conf:
[global]
; listen-addr = 10.51.0.199
 
[lns default]
ip range = 10.51.0.80-10.51.0.99
local ip = 10.51.0.79
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

> Can you ping the IP address of eth0 and the IP address of 'local ip'?

I can ping the eth0 (10.51.0.199) and 'local ip' (10.51.0.79) from 
anywhere in the local network (10.51.0.0/24). I can ping those addresses 
from a linux-based vpn client (ipsec). It's only when I'm logged in with 
the windows client that I can't ping from the windows client. I cannot 
ping 10.51.0.166 from any machines except for the actual 10.51.0.166 
machine (the windows client).

> Are you using proxyarp in options.l2tpd?


I don't think so: options.l2tpd


ipcp-accept-local
ipcp-accept-remote
auth
crtscts
idle 1800
mtu 1400
mru 1400
nodefaultroute
nodetach
debug
lock
connect-delay 5000
dump
logfd 2
logfile /var/log/l2tpd.log

> Do you see the MAC addresses in your ARP cache?

no...
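The last two questions in the reply (whether proxyarp is in options.l2tpd, and whether MAC addresses show up in the ARP cache) probe one mechanism: the l2tpd pool 10.51.0.80-10.51.0.99 sits inside the LAN subnet 10.51.0.0/24, so LAN hosts treat a PPP client address as on-link and send ARP requests for it, and nothing answers those requests unless pppd's proxyarp option installs a proxy entry on the Ethernet interface. The script below is an added example, not code from this thread or from the Openswan or l2tpd projects. It parses the l2tpd.conf and options.l2tpd quoted above, plus a constructed `ip neigh show` dump standing in for a LAN host's ARP cache, and lists which of those conditions hold for the client address the poster reports; the dump contents and all function names are assumptions.

```python
"""Check whether an L2TP/PPP client pool overlaps the LAN and whether pppd
is set to answer ARP for clients (added example; inputs from the thread
plus one constructed ARP dump)."""
import ipaddress

LAN = ipaddress.ip_network("10.51.0.0/24")

# Quoted from the thread's l2tpd.conf, trimmed to the keys used here.
L2TPD_CONF = """[global]
; listen-addr = 10.51.0.199

[lns default]
ip range = 10.51.0.80-10.51.0.99
local ip = 10.51.0.79
require chap = yes
pppoptfile = /etc/ppp/options.l2tpd
"""

# Quoted from the thread's options.l2tpd: note there is no 'proxyarp' line.
OPTIONS_L2TPD = """ipcp-accept-local
ipcp-accept-remote
auth
mtu 1400
mru 1400
nodefaultroute
"""

# Constructed sample of `ip -4 neigh show dev eth0` as run on a LAN host.
ARP_DUMP = """10.51.0.199 lladdr 00:11:22:33:44:55 REACHABLE
10.51.0.1 lladdr 00:aa:bb:cc:dd:ee STALE
10.51.0.166 FAILED
"""


def parse_l2tpd_conf(text):
    """Return {'ip range': (first, last), 'local ip': addr} from [lns default]."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "lns default" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "ip range":
            first, last = value.split("-")
            out[key] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif key == "local ip":
            out[key] = ipaddress.ip_address(value)
    return out


def pppd_has_proxyarp(options_text):
    """True if the pppd options file enables proxy ARP for the peer."""
    return any(line.split("#", 1)[0].strip() == "proxyarp"
               for line in options_text.splitlines())


def in_pool(addr, pool):
    """True if addr lies within the (first, last) pool from l2tpd.conf."""
    first, last = pool
    return first <= ipaddress.ip_address(addr) <= last


def arp_state(dump, addr):
    """Return (lladdr or None, state) for addr from an `ip neigh` dump, else None."""
    for line in dump.splitlines():
        fields = line.split()
        if not fields or fields[0] != str(addr):
            continue
        mac = fields[fields.index("lladdr") + 1] if "lladdr" in fields else None
        return mac, fields[-1]
    return None


def diagnose(l2tpd_text, options_text, arp_dump, client_ip, lan=LAN):
    """List the reasons a LAN host may be unable to reach client_ip."""
    cfg = parse_l2tpd_conf(l2tpd_text)
    client = ipaddress.ip_address(client_ip)
    first, last = cfg["ip range"]
    findings = []
    if first in lan and last in lan:
        findings.append("pool %s-%s lies inside LAN %s: LAN hosts will ARP for clients"
                        % (first, last, lan))
        if not pppd_has_proxyarp(options_text):
            findings.append("options file lacks 'proxyarp': nothing answers those ARP requests")
    if not in_pool(client, cfg["ip range"]):
        findings.append("client address %s is outside the configured ip range" % client)
    entry = arp_state(arp_dump, client)
    if entry is None or entry[0] is None:
        state = entry[1] if entry else "absent"
        findings.append("no MAC for %s in the LAN host's ARP cache (state %s)" % (client, state))
    return findings


if __name__ == "__main__":
    for finding in diagnose(L2TPD_CONF, OPTIONS_L2TPD, ARP_DUMP, "10.51.0.166"):
        print("-", finding)
```

Run against the thread's own files, the script reports all four conditions: the pool is inside the LAN, options.l2tpd has no proxyarp line, the address the Windows client got (10.51.0.166) is not even inside the 10.51.0.80-99 pool, and the constructed cache shows the entry for it in FAILED state with no MAC, which is what "no..." in the reply describes. Adding `proxyarp` to options.l2tpd is the usual fix for the first two findings; the third is worth checking separately, since an address handed out from outside the pool points at something other than l2tpd assigning it.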