[Openswan Users] Problem with L2TP / Transport mode

Mark van Proctor m.vanproctor at metech.com.au
Thu Sep 15 18:27:36 CEST 2005


I'm having trouble getting Openswan to communicate with a Windows XP SP2
client (not NATed). I can get it to connect using just an IPSec connection
(ipsec.exe over a standard tunnel connection), however it can not connect
using Windows' L2TP/IPSec connection (over a transport connection).
 
My default settings in ipsec.conf are:
 
conn %default
    keyingtries=3
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
 
I have tested using the Windows ipsec.exe command to connect to a tunnel
connection set up as follows:
 
conn standard
    type=tunnel
    left=<external IP>
    leftcert=<PEM file>
    leftsubnet=<internal IP Subnet>
    right=%any
    rightsubnet=vhost:%no,%priv
    pfs=yes
    auto=add
 
I have tested using the Windows L2TP/IPSec VPN Client to connect to a
transport connection set up as follows:
 
conn l2tp
    type=transport
    left=<external IP>
    leftcert=<PEM file>
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    pfs=no
    auto=add
 
Basically, I am logging and allowing all the traffic that comes through
using the following IPtables scripts:
 
#Mark encrypted packets
/sbin/iptables -t mangle -A PREROUTING -i $IFEXTERN -p 50 -j MARK --set-mark
1
 
#Log and accept encrypted packets to host
/sbin/iptables -t INPUT -i $IFEXTERN -m mark --mark 1 -j LOG --log-prefix
"Marked Traffic: " --log-level notice --log-tcp-options --log-ip-options
/sbin/iptables -t INPUT -i $IFEXTERN -m mark --mark 1 -j ACCEPT
 
#Log and accept encrypted packets to internal network
/sbin/iptables -t FORWARD -i $IFEXTERN -o $IFINTERN -m mark --mark 1 -j LOG
--log-prefix "Marked Internal Traffic: " --log-level notice
--log-tcp-options --log-ip-options
/sbin/iptables -t FORWARD -i $IFEXTERN -o $IFINTERN -m mark --mark 1 -j
ACCEPT
 
When using the IPSec only connection (conn standard via ipsec.exe), the ESP
packets show up as marked as well as the actual packets contained in these
ESP packets, i.e. the encrypted packets show up as well as the decrypted
packets. This is good, it means the packets have been successfully decrypted
and that the packets are being delivered.
 
My problem, is that when using the L2TP/IPSec connection (conn l2tp via
L2TP/IPSec VPN Connection), the ESP packets show up as marked but I see no
reference to the packets contained in these ESP packets. i.e. the decrypted
packets are not showing up? This is bad because to me, this means that the
packets are not being successfully decrypted and that nothing is being
delivered.
 
My L2TP daemon running on the same machine is sitting idle and not receiving
any packets requesting the initiation of an L2TP session so I can not see
how there is any problem with the L2TP server, this definitely seems to be a
problem with getting the L2TP packets out of the IPSec connection.
 
Because the ESP packets are being received and I also see "STATE_QUICK_R2:
IPSec SA established" message in the /var/log/secure log, I am assuming that
the tunnel has been set up successfully, just nothing is being delivered
through the tunnel!
 
Is there any reason that the packets would then not be being decrypted
properly?
 
If I haven't mentioned it before, I am running on RHEL 4 with native 26sec
on kernel 2.6.9-11.EL and tested this on both openswan 2.3.1 (AT RPM from
rpmfind.net) and openswan 2.4.0 (built manually via RPM using SPEC file from
openswan.2.3.0-1.rhel.src.rpm on http://www.openswan.org)
 
Not sure if this is related, but when I disconnect the IPSec only connection
(conn standard via ipsec.exe), Openswan successfully removes the route from
/sbin/route and also the connection details from setkey -D and setkey -DP.
 
/var/log/secure shows the following when this occurs:
    received Delete SA(...) payload: deleting IPSEC State #2
    deleting connection "standard" instance with peer <client IP address>
{isakamp=#0/ipsec=#0}
    received and ignored informational message
    received Delete SA payload: deleting ISAKMP State #1
 
When I disconnect the L2TP/IPSec connection (conn l2tp via L2TP/IPSec
Client), the route still exists in /sbin/route as do the connection details
in setkey -D and setkey -DP.
 
/var/log/secure shows the following when this occurs:
    packet from <client IP address>:500: Informational Exchange is for an
unknown (expired?) SA
    received Delete SA payload: deleting ISAKMP State #3
    packet from <client IP address>:500: received and ignored informational
message
    packet from <client IP address>:500: Informational Exchange is for an
unknown (expired?) SA
 
Any ideas would be greatly appreciated!?!?!
 
If there is any more information that you need me to send, let me know...
 
Thanks in advance, 
 
Mark
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20050915/411a3583/attachment.htm


More information about the Users mailing list