[Openswan Users] Breaking L2TP connection
Matthias Haas
mh at pompase.net
Wed Aug 17 09:26:44 CEST 2005
Hello Jacco,
> Matthias Haas wrote:
>
>> I am trying to establish a reliable L2TP connection. The problem I have
>> is that the connection breaks sometimes while doing the rekeying.
>> The system I am currently using is
>> openswan 2.2.1
>
> You will have to upgrade if this is not a typo.
To which version would you suggest updating? 2.3.x lacks a lot of
stability as far as I can see. For instance the module counter that goes
crazy with kernel 2.4.x while having a connection established.
>
>> I am doing cert based authentication. The client is NATed. IKE Lifetime
>> and IPsec Lifetime are set to 1h.
>
> You could try fiddling with the lifetimes. What if you use the default
> values? There will also be some NAT related fixes in the upcoming
> Openswan 2.4.0.
According to the Oakley log the lifetimes Windows uses are 1h for the IKE and
1h for the IPsec SA.
>
>> Aug 16 16:05:23 do242 pluto[30180]: "l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500 #15:
>> next payload type of ISAKMP Hash Payload has an unknown value: 170
>
> Could be an MTU problem.
For a testing reason I have lowered the mtu to 1200... so we will see :-)
>
>> Is there something wrong configured?
>
> Well, you could post your ipsec.conf.
Here it is:
I have to use leftnexthop=%direct as my test scenario requires it. No
gateway.
version 2
config setup
    plutowait=no
    uniqueids=yes
    nat_traversal=yes
    overridemtu=1200
    interfaces="ipsec0=eth1"
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
conn l2tp_0-L2TP_1701__gw-gw_213.179.141.11-0.0.0.0
    left=213.179.141.11
    leftnexthop=%direct
    right=%any
    type=tunnel
    authby=rsasig
    leftcert=/etc/ipsec.d/server.crt
    leftsendcert=yes
    auto=add
    auth=esp
    pfs=no
    keylife=1h
    keyingtries=3
    ikelifetime=1h
    disablearrivalcheck=no
    leftprotoport=17/1701
    rightprotoport=17/1701
    rightrsasigkey=%cert
conn l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0
    left=213.179.141.11
    leftnexthop=%direct
    right=%any
    type=tunnel
    authby=rsasig
    leftcert=/etc/ipsec.d/server.crt
    leftsendcert=yes
    auto=add
    auth=esp
    pfs=no
    keylife=1h
    keyingtries=3
    ikelifetime=1h
    disablearrivalcheck=no
    leftprotoport=17/0
    rightprotoport=17/1701
    rightrsasigkey=%cert
Thank you for your help,
Matthias
>
> Jacco
> --
> Jacco de Leeuw mailto:jacco2 at dds.nl
> Zaandam, The Netherlands http://www.jacco2.dds.nl
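As an added example (not code from this thread), a small Python parser for ipsec.conf in the layout posted above, followed by the defender-side checks a reviewer would run over it; the sample config is constructed from the posted one, and the audit rules are my own assumptions about what to flag:

```python
import re
# Constructed sample in the layout of the ipsec.conf posted above (trimmed).
SAMPLE_CONF = """\
version 2
config setup
    nat_traversal=yes
    overridemtu=1200
conn l2tp_0-L2TP_1701__gw-gw_213.179.141.11-0.0.0.0
    left=213.179.141.11
    right=%any
    authby=rsasig
    auto=add
    pfs=no
    keylife=1h
    ikelifetime=1h
    rightprotoport=17/1701
conn packetdefault
    auto=ignore
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is keyed as 'setup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # strip comments
        if not line.strip():
            continue
        header = re.match(r"^(conn|config)\s+(\S+)\s*$", line)
        if header:                                   # unindented section start
            current = sections.setdefault(header.group(2), {})
        elif current is not None and line[0].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)  # indented key=value
            current[key.strip()] = value.strip()
    return sections

def audit(sections):
    """Flag settings a reviewer would question on an L2TP/IPsec responder."""
    findings = []
    for name, conf in sections.items():
        if name == "setup" or conf.get("auto") == "ignore":
            continue                                 # global or inactive block
        if conf.get("pfs", "yes") == "no":           # Openswan defaults pfs=yes
            findings.append((name, "pfs=no: no forward secrecy on rekey"))
        if conf.get("authby") != "rsasig":
            findings.append((name, "authby is not rsasig (certificate auth)"))
        if conf.get("right") == "%any" and conf.get("rightprotoport") != "17/1701":
            findings.append((name, "right=%any not restricted to L2TP port"))
    return findings
```

Windows L2TP clients commonly require pfs=no, so that finding is something to note on the rekey timeline rather than necessarily change.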