[Openswan Users] L2TP + Openswan

Jacco de Leeuw jacco2 at dds.nl
Tue Dec 14 23:52:58 CET 2004


On Tue, Dec 14, 2004 at 04:36:54PM -0200, Giovani Moda - MR Informática wrote:

> >What happens if you comment out the listen-addr? Is A.B.C.D your external
> >address?
> 
> Well, I've just done it, and it worked. Then I assigned it to my external
> interface, and it worked as well. If I bind it to my local interface, it
> doesn't work. Why is that? I chose to set it to my internal interface for
> security concerns, as you've pointed out on your site. Wasn't it supposed to
> work when bound to my local address?

No, this does not work. There is no ipsec0 in 26sec so you cannot
use the listen-addr trick and forward packets to the L2TP daemon listening
on the internal interface.
 
> I have added these lines to my iptables script for tests, but it
> didn't work either:
> 
> iptables -t mangle -A PREROUTING -i eth0 -p esp -j MARK --set-mark 1
> iptables -A INPUT -i eth0 -p esp -j ACCEPT
> iptables -A INPUT -i eth0 -m mark --mark 1 -j ACCEPT
> iptables -A FORWARD -i eth0 -m mark --mark 1 -j ACCEPT

These were suggested to me by Chris Andrews but for me they
never worked. He is using racoon but I can't imagine that that
makes any difference. Or is Openswan stripping those marks?

> Anyway, my port 1701 is firewalled, but I'd sleep much better knowing that
> l2tp would only listen to my internal interface. Is that only possible with
> ipsec#?

I'm afraid so. That means downgrading to Openswan 1 or testing the
2.3.0 developers release which contains KLIPS support for kernel 2.6.
Obviously this requires recompiling the kernel. (But hey, then you
can add legacy PTYs too! :-).
 
> By setting peer 0.0.0.0 and mask 0 in l2tp.conf (rp-l2tp), wouldn't it
> support multiple connections? It would, of course, imply a possible security
> risk, that's why I'm concerned about binding l2tpd to my external interface.

Setting 0.0.0.0 in l2tp.conf is not allowed. That is, rp-l2tp bombed on me
when I used it.
 
> For test purposes, it worked just fine. But the security risk is too high.
> Shit happens, and I can't only rely on my firewall. Any thoughts?

Actually, you are relying on Openswan because as long as Openswan is
running, the daemon is only accessible through IPsec. But if Openswan
is down for some reason (shit happens, as you said), your L2TP server
is exposed and you're hosed. 

Jacco
-- 
Jacco de Leeuw            mailto:jacco2 at dds.nl
Zaandam, The Netherlands  http://www.jacco2.dds.nl
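The exposure Jacco describes at the end (L2TP on UDP 1701 reachable in the clear the moment Openswan is down) can be closed in the packet filter itself rather than by binding l2tpd to an interface. The following is an added example, not code from this thread and not part of Openswan or rp-l2tp: instead of the mark-based rules quoted above, which do not survive decapsulation on 26sec, it uses the iptables `policy` match (`-m policy --dir in --pol ipsec --proto esp`) to accept UDP 1701 only when the packet came out of an IPsec SA, and drops cleartext 1701 on the external interface. The interface name `eth0` and the `l2tp_rules` / `apply_rules` function names are assumptions for the example; the rules are emitted as text first so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the thread): accept L2TP (UDP 1701) on the external
# interface only when it arrived inside an IPsec SA. If Openswan is down, no
# packet carries an IPsec policy, so cleartext 1701 hits the DROP rule.
# EXT_IF is an assumed interface name; adjust for your host.

EXT_IF="${EXT_IF:-eth0}"

# Print the rule set as text so it can be reviewed (or piped to sh) first.
l2tp_rules() {
    ext="$1"
    cat <<EOF
iptables -A INPUT -i $ext -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $ext -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $ext -p esp -j ACCEPT
iptables -A INPUT -i $ext -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A INPUT -i $ext -p udp --dport 1701 -j DROP
EOF
}

# Sanity check before applying: the IPsec-only ACCEPT for 1701 must exist and
# must precede the unconditional DROP for 1701, otherwise the tunnel breaks.
l2tp_rules_ok() {
    rules=$(l2tp_rules "$1")
    accept_line=$(printf '%s\n' "$rules" | grep -n -- '--dport 1701 -m policy --dir in --pol ipsec' | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- '--dport 1701 -j DROP' | cut -d: -f1)
    [ -n "$accept_line" ] || return 1
    [ -n "$drop_line" ] || return 1
    [ "$accept_line" -lt "$drop_line" ] || return 1
    return 0
}

# Apply the rules; needs root and a kernel with the xt_policy match.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply the rules" >&2; return 1; }
    l2tp_rules_ok "$EXT_IF" || { echo "rule set failed sanity check" >&2; return 1; }
    l2tp_rules "$EXT_IF" | sh
}
```

Run `l2tp_rules eth0` to inspect the generated rules and `apply_rules` as root to load them. The ESP, UDP 500 and UDP 4500 accepts are what Openswan needs to negotiate and carry the SA; the rule that matters for the thread's concern is the pair for UDP 1701, where the policy match is what ties the L2TP acceptance to IPsec actually being up.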

