[Openswan Users] Breaking L2TP connection

Matthias Haas mh at pompase.net
Wed Aug 17 09:26:44 CEST 2005


Hello Jacco,
> Matthias Haas wrote:
>
>> I am trying to establish a reliable l2tp connection. The problem I have
>> is that the connection breaks sometimes while doing the rekeying.
>> The system I am currently using is
>> openswan 2.2.1
>
> You will have to upgrade if this is not a typo.

To which version would you suggest updating? 2.3.x lacks a lot of
stability as far as I can see. For instance the module counter that goes
crazy with kernel 2.4.x while having a connection established.
>
>> I am doing cert based authentication. The client is natted. IKE Lifetime
>> and IPSec Lifetime are set to 1h.
>
> You could try fiddling with the lifetimes. What if you use the default
> values? There will also be some NAT related fixes in the upcoming
> Openswan 2.4.0.

According to the oakley log the lifetimes Windows uses are 1h for IKE and
1h for IPsec SA.
>
>> "l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0"[4] 213.179.141.14:4500
>> #15:
>> next payload type of ISAKMP Hash Payload has an unknown value: 170
>> Aug 16 16:05:23 do242 pluto[30180]:
>
> Could be an MTU problem.

For testing reasons I have lowered the MTU to 1200... so we will see :-)
>
>> Is there something wrong configured?
>
> Well, you could post your ipsec.conf.

Here it is:
I have to use leftnexthop %direct as my test scenario requires me to. No
gateway.

version 2
config setup
        plutowait=no
        uniqueids=yes
        nat_traversal=yes
        overridemtu=1200
        interfaces="ipsec0=eth1"
conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

conn l2tp_0-L2TP_1701__gw-gw_213.179.141.11-0.0.0.0
        left=213.179.141.11
        leftnexthop=%direct
        right=%any
        type=tunnel
        authby=rsasig
        leftcert=/etc/ipsec.d/server.crt
        leftsendcert=yes
        auto=add
        auth=esp
        pfs=no
        keylife=1h
        keyingtries=3
        ikelifetime=1h
        disablearrivalcheck=no
        leftprotoport=17/1701
        rightprotoport=17/1701
        rightrsasigkey=%cert

conn l2tp_0-L2TP_0__gw-gw_213.179.141.11-0.0.0.0
        left=213.179.141.11
        leftnexthop=%direct
        right=%any
        type=tunnel
        authby=rsasig
        leftcert=/etc/ipsec.d/server.crt
        leftsendcert=yes
        auto=add
        auth=esp
        pfs=no
        keylife=1h
        keyingtries=3
        ikelifetime=1h
        disablearrivalcheck=no
        leftprotoport=17/0
        rightprotoport=17/1701
        rightrsasigkey=%cert

Thank you for your help

Matthias

>
> Jacco
> --
> Jacco de Leeuw                         mailto:jacco2 at dds.nl
> Zaandam, The Netherlands           http://www.jacco2.dds.nl
>
>
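The settings the thread turns on (the IKE and IPsec lifetimes, pfs=no, nat_traversal and the forced MTU) are all plain key=value lines in ipsec.conf, so they can be checked mechanically. The following is an added example, written for this archive page and not code from either poster or from the Openswan project: a small parser for the Openswan ipsec.conf layout (column-0 section headers, indented key=value lines) plus a review pass that reports those settings for every active conn. The embedded sample is a constructed, trimmed copy of the configuration posted above; the fallback defaults (ikelifetime 1h, keylife 8h, pfs yes) are assumed Openswan defaults, and the helper names are this example's own.

```python
"""Parse an Openswan-style ipsec.conf and report the settings discussed
in the thread: lifetimes, PFS, NAT traversal and a forced MTU.
Added example; not code from the mailing-list posters or Openswan."""

import re

# Constructed sample: a trimmed copy of the configuration posted above.
SAMPLE_CONF = """\
version 2
config setup
        plutowait=no
        uniqueids=yes
        nat_traversal=yes
        overridemtu=1200
        interfaces="ipsec0=eth1"
conn packetdefault
        auto=ignore
conn l2tp_0-L2TP_1701__gw-gw_213.179.141.11-0.0.0.0
        left=213.179.141.11
        leftnexthop=%direct
        right=%any
        authby=rsasig
        auto=add
        pfs=no
        keylife=1h
        ikelifetime=1h
        leftprotoport=17/1701
        rightprotoport=17/1701
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """'1h' -> 3600, '30m' -> 1800; a bare number is taken as seconds."""
    m = re.fullmatch(r"\s*(\d+)([smhd]?)\s*", text)
    if not m:
        raise ValueError("bad duration: %r" % text)
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def parse_ipsec_conf(text):
    """Return {'version': str, 'setup': {...}, 'conns': {name: {...}}}.
    Section headers start at column 0; settings are indented key=value lines.
    '#' starts a comment; surrounding double quotes on a value are dropped."""
    result = {"setup": {}, "conns": {}}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # section header
            head = line.split()
            if head[0] == "version":
                result["version"] = head[1]
            elif head[0] == "config" and head[1] == "setup":
                current = result["setup"]
            elif head[0] == "conn":
                current = result["conns"].setdefault(head[1], {})
            else:
                raise ValueError("unexpected section line: %r" % line)
            continue
        if current is None:
            raise ValueError("setting outside any section: %r" % line)
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip().strip('"')
    return result


def review(conf):
    """Return a list of findings (strings) about the settings the thread discusses."""
    findings = []
    setup = conf["setup"]
    if "overridemtu" in setup:
        findings.append("setup: MTU forced to %s on the ipsec interface" % setup["overridemtu"])
    for name, conn in conf["conns"].items():
        if conn.get("auto", "ignore") == "ignore":
            continue                        # policy-group placeholders, not real tunnels
        if conn.get("right") == "%any" and setup.get("nat_traversal") != "yes":
            findings.append("%s: road-warrior conn but nat_traversal is not enabled" % name)
        if conn.get("pfs", "yes") == "no":  # assumed default: pfs=yes
            findings.append("%s: pfs=no, so IPsec SA keys are derived from the IKE SA "
                            "without a fresh Diffie-Hellman exchange" % name)
        ike = parse_duration(conn.get("ikelifetime", "1h"))   # assumed Openswan default 1h
        ipsec = parse_duration(conn.get("keylife", "8h"))     # assumed Openswan default 8h
        if ike == ipsec:
            findings.append("%s: ikelifetime and keylife are both %ds, so IKE and IPsec "
                            "rekeys coincide" % (name, ike))
    return findings


if __name__ == "__main__":
    for finding in review(parse_ipsec_conf(SAMPLE_CONF)):
        print(finding)
```

Run against the sample it prints three findings: the forced MTU, pfs=no on the L2TP conn, and the identical 1h lifetimes, which is the combination Jacco suggested changing back to defaults. Feeding it the real /etc/ipsec.conf instead of SAMPLE_CONF is a one-line change.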