[Openswan Users] Re: Users Digest, Vol 21, Issue 4

Alan Whinery whinery at hawaii.edu
Tue Aug 2 11:02:20 CEST 2005


This is a little confusing; ipsec shouldn't be killing anything based
on auth or not at higher levels. If IPSec tears down an SA, it would
be because the PPP/L2TP didn't go. If the IKE transaction results in
an SA, then the next level is the RADIUS auth, which is for PPP, which
is inside the L2TP. There shouldn't be any L2TP auth event.

What makes you say that the RADIUS works fine? An entry in the
FreeRADIUS logs?

What Authentication method are you using in PPP? I use PAP, which
should be OK since it's inside 3DES IPSec...

I am only running a single Ethernet, so I can't comment on the inside
outside thing, but I have always used the Ethernet interface's real
address as the bind address.

The setup:

Pluto sez:
(...)
Aug  2 07:19:22 bender pluto[1745]: "roadwarrior-l2tp"[89] 12.10.6.24
#239: sent MR3, ISAKMP SA established
Aug  2 07:19:23 bender pluto[1745]: "roadwarrior-l2tp"[89] 12.10.6.24
#240: responding to Quick Mode {msgid:4b532793}
Aug  2 07:19:23 bender pluto[1745]: "roadwarrior-l2tp"[89] 12.10.6.24
#240: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug  2 07:19:23 bender pluto[1745]: "roadwarrior-l2tp"[89] 12.10.6.24
#240: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug  2 07:19:23 bender pluto[1745]: "roadwarrior-l2tp"[89] 12.10.6.24
#240: IPsec SA established {ESP=>0xabb8ecfd <0xc56d8531
xfrm=3DES_0-HMAC_MD5}

l2tpns sez:
2005-08-02 07:19:22 01/00    New tunnel from 12.10.6.24:1701 ID 1
2005-08-02 07:19:22 01/01 Login by whinery at 12.10.6.1 from
12.10.6.24 (leela)
2005-08-02 07:19:22 01/01 IPCP reject 130
2005-08-02 07:19:22 01/01 IPCP reject 132

RADIUS (on different box, NTP synced) sez:

Tue Aug  2 07:19:23 2005: Received-Authentication: 3/8231 'whinery'
from 18.11.64.26 port 1
Tue Aug  2 07:19:23 2005: Authentication: 3/8231 'whinery' from
18.11.64.26 port 1 - OK -- total 0, holding 0

The addresses are phony. It's not clear that things are logged purely
in order, since the time stamps don't line up, but I'm trying to
illustrate what I see during a successful connection...

Tim P wrote:
> I fixed this issue because I needed to set my bind address to
> either the outside address or a new address that resided on my
> internal subnet (forget which, dont have the machine accessible
> right now).
>
> I have a new problem in that the L2TP server never seems to do
> anything with the vpn request for l2tp authentication. I have a
> good ipsec tunnel (you said it looked good when you saw the output)
> and the radius authentication works fine but I can't seem to get
> L2TP to show anything in the logs when a request comes through.
> Essentially ipsec kills the tunnel after a minute or so when no
> authentication is completed.
>
> On 8/2/05, Jacco de Leeuw <jacco2 at dds.nl> wrote:
>
>> Tim P wrote:
>>
>>> I am using L2TPNS for my L2TP server and when it brings up
>>> the tun0 interface (actually when I start the
>>> service/executable) it seems to kill my second nic in the
>>> box. I have eth0 as my "outside" nic and eth1 as my
>>> "inside" nic. When tun0 becomes active I am no longer able
>>> to ping on the inside network.
>>
>> It "kills" your internal interface? What does that mean? You
>> are pinging from what to what? The IPsec connection is not even
>> up at that stage?
>>
>>> set bind_address 192.168.0.1
>>>
>>> I am hosting freeradius on the vpn box, I can use 127.0.0.1
>>> correct?
>>
>> AFAIK, yes.
>>
>>> Bind_address I have set to my eth1 (inside) nic address, is
>>> that correct?
>>
>> What if you use your 'outside' nic address?
>>
>> Jacco -- Jacco de Leeuw
>> mailto:jacco2 at dds.nl Zaandam, The Netherlands
>> http://www.jacco2.dds.nl
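Added example, not from this mail or from Openswan, l2tpns or FreeRADIUS: a small Python correlator that parses the three log formats shown above (pluto syslog lines, l2tpns, FreeRADIUS), lines them up by timestamp and reports which stage of a successful L2TP/IPsec login is missing or too far from the ISAKMP SA, which is the check to run when "the tunnel comes up but nothing happens" is the symptom. Host names, addresses, the user name and the syslog year are constructed placeholders.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the three log formats quoted in the mail; hosts, addresses, user and syslog year are assumptions.
YEAR = 2005
SAMPLE_LOGS = """\
Aug  2 07:19:22 gw pluto[1745]: "roadwarrior-l2tp"[89] 203.0.113.24 #239: sent MR3, ISAKMP SA established
2005-08-02 07:19:22 01/00    New tunnel from 203.0.113.24:1701 ID 1
2005-08-02 07:19:22 01/01 Login by alice at 203.0.113.1 from 203.0.113.24 (laptop)
Tue Aug  2 07:19:23 2005: Authentication: 3/8231 'alice' from 198.51.100.26 port 1 - OK -- total 0, holding 0
Aug  2 07:19:23 gw pluto[1745]: "roadwarrior-l2tp"[89] 203.0.113.24 #240: IPsec SA established {ESP=>0xabb8ecfd <0xc56d8531 xfrm=3DES_0-HMAC_MD5}
"""

# (source, line regex capturing timestamp + message, strptime format) per log producer.
FORMATS = [
    ("pluto",  re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (.*)$"), "%Y %b %d %H:%M:%S"),
    ("l2tpns", re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ +(.*)$"), "%Y-%m-%d %H:%M:%S"),
    ("radius", re.compile(r"^\w{3} (\w{3} +\d+ \d\d:\d\d:\d\d \d{4}): (.*)$"), "%b %d %H:%M:%S %Y"),
]

# Every stage a complete login leaves behind: IKE phase 1, IPsec SA, L2TP tunnel, PPP login, RADIUS accept for PPP.
STAGES = {
    "isakmp_sa":   ("pluto",  r"ISAKMP SA established"),
    "ipsec_sa":    ("pluto",  r"IPsec SA established"),
    "l2tp_tunnel": ("l2tpns", r"New tunnel from"),
    "ppp_login":   ("l2tpns", r"Login by \S+"),
    "radius_ok":   ("radius", r"Authentication: .* - OK"),
}

def parse(line):
    """Return (timestamp, source, message), or None if the line matches no known format."""
    for source, rx, fmt in FORMATS:
        m = rx.match(line)
        if m:  # syslog (pluto) lines carry no year, so prepend the assumed one
            ts = (f"{YEAR} " if source == "pluto" else "") + m.group(1)
            return datetime.strptime(ts, fmt), source, m.group(2)
    return None

def check_session(text, window=5):
    """First sighting of each stage, plus stages missing or more than `window` seconds from the ISAKMP SA (allows small clock skew)."""
    events = sorted(e for e in map(parse, text.splitlines()) if e)
    seen = {}
    for ts, source, msg in events:
        for stage, (src, pattern) in STAGES.items():
            if stage not in seen and source == src and re.search(pattern, msg):
                seen[stage] = ts
    problems = [s for s in STAGES if s not in seen]
    if "isakmp_sa" in seen:
        start = seen["isakmp_sa"]
        problems += [s for s, ts in seen.items() if abs((ts - start).total_seconds()) > window]
    return seen, problems
```

Feed it the concatenated pluto, l2tpns and RADIUS logs from one connection attempt; an empty problem list means every stage was seen within the window, otherwise the first missing stage tells you which layer to look at next.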
