[Openswan Users] L2TP over IPsec over WLAN for OS-X Panther and others ...
Beat Zahnd
beat.zahnd at phim.unibe.ch
Mon Jul 25 14:08:08 CEST 2005
Jacco de Leeuw wrote:
>> set bind_address 192.168.1.11
>
> This should be the external (wireless) address if you are using
> NETKEY. If you are using KLIPS you can bind it to the internal
> address and do a NAT mapping.
I changed the bind_address parameter of l2tpns to the wireless interface
address. Now it works :-)
It seems that the default Debian sarge kernel does not have KLIPS. I
assumed KLIPS was installed because the word KLIPS appeared in
/var/log/syslog:
> Jul 23 23:02:47 localhost ipsec_setup: KLIPS ipsec0 on eth1 192.168.2.1/255.255.255.0 broadcast 192.168.2.255
> Jul 23 23:02:48 localhost ipsec_setup: ...Openswan IPsec started
> Jul 23 23:02:48 localhost ipsec_setup: Starting Openswan IPsec U2.2.0/K2.6.8-powerpc...
Alan Whinery wrote:
> These days, my tun0 interface on the operational machine is using the
> bind address. It would be interesting to see one iteration of a
> connection attempt in your pluto log messages.
This is what happens if my Mac with OSX 10.3.? connects:
> Jul 23 23:02:47 localhost ipsec__plutorun: Starting Pluto subsystem...
> Jul 23 23:02:48 localhost pluto[5783]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
> Jul 23 23:02:48 localhost pluto[5783]: including NAT-Traversal patch (Version 0.6c) [disabled]
> Jul 23 23:02:48 localhost pluto[5783]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> Jul 23 23:02:48 localhost pluto[5783]: Using Linux 2.6 IPsec interface code
> Jul 23 23:02:48 localhost pluto[5783]: Changing to directory '/etc/ipsec.d/cacerts'
> Jul 23 23:02:48 localhost pluto[5783]: Could not change to directory '/etc/ipsec.d/aacerts'
> Jul 23 23:02:49 localhost pluto[5783]: Changing to directory '/etc/ipsec.d/ocspcerts'
> Jul 23 23:02:49 localhost pluto[5783]: Changing to directory '/etc/ipsec.d/crls'
> Jul 23 23:02:49 localhost pluto[5783]: Warning: empty directory
> Jul 23 23:02:49 localhost pluto[5783]: added connection description "wireless_vpn"
> Jul 23 23:02:50 localhost pluto[5783]: listening for IKE messages
> Jul 23 23:02:50 localhost pluto[5783]: adding interface eth1/eth1 192.168.2.1
> Jul 23 23:02:50 localhost pluto[5783]: adding interface eth0/eth0 192.168.1.10
> Jul 23 23:02:50 localhost pluto[5783]: adding interface lo/lo 127.0.0.1
> Jul 23 23:02:50 localhost pluto[5783]: adding interface lo/lo ::1
> Jul 23 23:02:50 localhost pluto[5783]: loading secrets from "/etc/ipsec.secrets"
> Jul 23 23:03:02 localhost pluto[5783]: packet from 192.168.2.2:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
> Jul 23 23:03:02 localhost pluto[5783]: "wireless_vpn"[1] 192.168.2.2 #1: responding to Main Mode from unknown peer 192.168.2.2
> Jul 23 23:03:02 localhost pluto[5783]: "wireless_vpn"[1] 192.168.2.2 #1: transition from state (null) to state STATE_MAIN_R1
> Jul 23 23:03:02 localhost pluto[5783]: "wireless_vpn"[1] 192.168.2.2 #1: ignoring Vendor ID payload [KAME/racoon]
> Jul 23 23:03:02 localhost pluto[5783]: "wireless_vpn"[1] 192.168.2.2 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jul 23 23:03:02 localhost pluto[5783]: "wireless_vpn"[1] 192.168.2.2 #1: Peer ID is ID_IPV4_ADDR: '192.168.2.2'
> Jul 23 23:03:02 localhost pluto[5783]: "wireless_vpn"[1] 192.168.2.2 #1: I did not send a certificate because I do not have one.
> Jul 23 23:03:02 localhost pluto[5783]: "wireless_vpn"[1] 192.168.2.2 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jul 23 23:03:02 localhost pluto[5783]: "wireless_vpn"[1] 192.168.2.2 #1: sent MR3, ISAKMP SA established
> Jul 23 23:03:03 localhost pluto[5783]: "wireless_vpn"[1] 192.168.2.2 #2: responding to Quick Mode
> Jul 23 23:03:03 localhost pluto[5783]: "wireless_vpn"[1] 192.168.2.2 #2: transition from state (null) to state STATE_QUICK_R1
> Jul 23 23:03:04 localhost pluto[5783]: "wireless_vpn"[1] 192.168.2.2 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jul 23 23:03:04 localhost pluto[5783]: "wireless_vpn"[1] 192.168.2.2 #2: IPsec SA established {ESP=>0x0df00043 <0x09c42dec}
Now, I'm digging through iptables documentation to seal the wireless side
of my gateway ...
Greetings, Beat
--
Beat ZAHND
Physics Institute
University of Bern phone +41 31 631 3466
Sidlerstrasse 5 fax +41 31 631 4405
CH-3012 Bern (Switzerland) mailto:beat.zahnd at phim.unibe.ch
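The point at the end of the message (sealing the wireless side of the gateway) is where NETKEY and KLIPS differ in practice. The pluto line "Using Linux 2.6 IPsec interface code" in the log above means NETKEY, and with NETKEY there is no ipsec0 interface: decrypted L2TP packets appear on the same wireless interface (eth1) as the ESP packets they came from, so a rule on the interface alone cannot tell plaintext UDP 1701 from L2TP that was carried inside IPsec. The usual answer is the iptables `policy` match, which only accepts a packet if it was decapsulated from an IPsec SA. The script below is an added example written for this page, not something from the thread or from the Openswan or l2tpns projects; the interface name eth1, the address 192.168.2.1 and the `apply`/`dry-run` arguments are assumptions taken from the log lines above, and the `policy` match (xt_policy) is not in the 2.6.8 kernel shown in the log, so a newer kernel is assumed. NAT-T is shown as disabled in the log, so the UDP 4500 rule only matters if it is turned on later.

```shell
#!/bin/sh
# Added example (not from the thread): lock down the wireless side of an
# L2TP/IPsec gateway running Openswan with NETKEY.
# Assumptions: WLAN_IF=eth1 and WLAN_ADDR=192.168.2.1 as in the pluto log;
# the kernel has the iptables "policy" match; l2tpns binds to WLAN_ADDR.
# IPT may be set to "echo" to print the rules instead of applying them.
WLAN_IF="${WLAN_IF:-eth1}"
WLAN_ADDR="${WLAN_ADDR:-192.168.2.1}"
IPT="${IPT:-iptables}"

wlan_rules() {
    # IKE and ESP are the only cleartext protocols a client may send us.
    $IPT -A INPUT -i "$WLAN_IF" -p udp --dport 500 -d "$WLAN_ADDR" -j ACCEPT
    $IPT -A INPUT -i "$WLAN_IF" -p esp -d "$WLAN_ADDR" -j ACCEPT
    # NAT-T (UDP-encapsulated ESP); only used if NAT-T is enabled in Openswan.
    $IPT -A INPUT -i "$WLAN_IF" -p udp --dport 4500 -d "$WLAN_ADDR" -j ACCEPT
    # L2TP is accepted only when the packet was decrypted from a transport-mode
    # ESP SA. With NETKEY there is no ipsec0, so this is the distinguishing test.
    $IPT -A INPUT -i "$WLAN_IF" -p udp --dport 1701 -d "$WLAN_ADDR" \
        -m policy --dir in --pol ipsec --proto esp --mode transport -j ACCEPT
    # Any other UDP 1701 on the WLAN is plaintext L2TP: log it, then drop it.
    $IPT -A INPUT -i "$WLAN_IF" -p udp --dport 1701 -j LOG --log-prefix "plain-l2tp: "
    $IPT -A INPUT -i "$WLAN_IF" -p udp --dport 1701 -j DROP
    # Everything else from the wireless side to the gateway itself is dropped.
    $IPT -A INPUT -i "$WLAN_IF" -j DROP
    # Nothing from the wireless side is routed anywhere; client traffic to the
    # wired LAN must come out of the l2tpns tunnel interface, not eth1.
    $IPT -A FORWARD -i "$WLAN_IF" -j DROP
}

case "${1:-}" in
    apply)   wlan_rules ;;
    dry-run) IPT=echo; wlan_rules ;;
    *)       echo "usage: $0 apply|dry-run" >&2 ;;
esac
```

Run it as `sh wlan-seal.sh dry-run` first to read the rules, then `apply` as root. The rules are appended, so they assume the INPUT and FORWARD chains do not already accept eth1 traffic earlier; rules for the tunnel interface and the wired LAN belong in separate rules and are not covered here.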