[Openswan Users] OpenSwan 2.3.0 L2TP response in plaintext

Michel van der Breggen mbreggen at stoutencms.nl
Tue Mar 1 00:15:29 CET 2005 

Hi everybody,
I'm having trouble with a VPN setup between our company and my home. Both sides are behind a NAT router, which is configured to pass port 4500/500 en protocol 50 to server. Our server is a FC2 with openswan 2.3 and i use certficates for authentification. 
After some problems with the config i finaly got the SA to initiate, but now the problem is that rp-l2tp sends the answers back in plaintext to the external ipadres of my home router, instead of thru the tunnel. My home machine is a Win XP SP2 with nat-t patch.

network setup :
home-----------------------------router--------------------------------------router------------------------------server
192.168.0.1    192.168.0.100 80.61.112.xxx  80.139.41.xxx/192.168.1.100      192.168.1.1    

---------------------------------------------------------------------------------------------------------------------------------
ipsec.conf

version 2.0

config setup
   interfaces=%defaultroute
   nat_traversal=yes
   virtual_private=%v4:192.168.0.0/16
   klipsdebug=all

conn %default
   keyingtries=1
   compress=yes
   disablearrivalcheck=no
   authby=rsasig
   leftrsasigkey=%cert
   rightrsasigkey=%cert

include /etc/ipsec.d/examples/no_oe.conf

conn michel
   left=192.168.1.1
   leftsubnet=80.139.41.xxx/32
   leftcert=vpnserver.pem
   leftprotoport=17/1701
   leftnexthop=80.139.41.xxx
   right=%any
   rightsubnet=vhost:%no,%priv
   rightcert=user1.pem
   rightprotoport=17/1701
   pfs=no
   auto=add

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

rp-l2tp l2tp.conf

# comment

# Global section (by default, we start in global mode)
global

# Load handlers
load-handler "sync-pppd.so"
load-handler "cmd.so"

# Bind address
listen-port 1701

# Configure the sync-pppd handler.  You MUST have a "section sync-pppd" line
# even if you don't set any options.
section sync-pppd
#lns-pppd-opts "require-pap 10.0.0.1:10.0.0.2 lcp-echo-interval 30 lcp-echo-failure 6"
#lac-pppd-opts "user example name example noipdefault ipcp-accept-local ipcp-accept-remote lcp-echo-interval 30 lcp-echo-failure 6"

# Peer section
section peer
peer 80.61.112.xxx
# No secret - no authentication
port 1701
lac-handler sync-pppd
lns-handler sync-pppd
hide-avps no
strict-ip-check 0

# Configure the cmd handler.  You MUST have a "section cmd" line
# even if you don't set any options.
section cmd

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

When i use tcpdump it shows that the incoming connection comes from the tunnel but the packets that should be returned go un-encrypted to 80.61.112.xxx:1701
Does anybody know how to get these packages back thru the tunnel?? and is there an option so i don't have to specify an hardcoded ip-adres in the peer section?? if not it would be almost imposseble to include roaming users into the rp-l2tpd configuration

With kind regards,
Michel van der Breggen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20050301/058818fc/attachment.htm

More information about the Users mailing list