[Openswan Users] Problem with L2TP / Transport mode

Mark van Proctor m.vanproctor at metech.com.au
Fri Sep 16 11:35:26 CEST 2005


Thanks Jacco for your response.

Comments inline: 

-----Original Message-----
From: Jacco de Leeuw [mailto:jacco2 at dds.nl] 
Sent: Thursday, 15 September 2005 9:20 PM
To: users at openswan.org
Subject: Re: [Openswan Users] Problem with L2TP / Transport mode

> I'm having trouble getting Openswan to communicate with a Windows XP 
> SP2 client (not NATed). I can get it to connect using just an IPSec 
> connection (ipsec.exe over a standard tunnel connection), however it 
> can not connect using Windows' L2TP/IPSec connection (over a transport 
> connection).

If you have been using the ipsec.exe tool and you want to switch back to
L2TP/IPsec you have to reenable the automatic L2TP/IPsec policy
(ProhibitIpSec in the registry). See also:

http://www.jacco2.dds.nl/networking/win2000xp-freeswan.html#Installation

[Mark]: This registry entry does not exist. As per my original email, the
L2TP packets are being sent, the server is receiving the ESP packets... They
are just not getting decrypted...

> I have tested using the Windows L2TP/IPSec VPN Client to connect to a 
> transport connection set up as follows:
>  

Unlike the ipsec.exe tool, the L2TP/IPsec policy does not know exactly which
certificate to use if there are multiple ones installed.
So add rightcert=<PEM file> or rightca=%same.

[Mark]: Openswan is reporting the correct certificate and, as per my
original email, is logging an "IPSec SA Established" so I don't think there
is an authentication issue.

> Basically, I am logging and allowing all the traffic that comes 
> through using the following IPtables scripts:

Well, to rule out problems with the firewall you could disable it
temporarily and see if things suddenly work.

[Mark]: Not really keen to do this. This is a live server that is used for
other purposes. I have allowed UDP based L2TP traffic (with the L2TP server
turned off, just logging packets to those ports) and nothing shows up. Also,
the fact that traffic comes through the Standard connection suggests to me
that my firewall is not the issue...

[Mark]: Any other ideas?
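For reference, here is the kind of Openswan `ipsec.conf` connection the thread is talking about: L2TP carried inside a transport-mode IPsec SA to a Windows XP client authenticating with certificates, with Jacco's `rightca=%same` suggestion applied. This is an added illustration, not configuration posted by Mark or Jacco; the connection name, the certificate path and the CA arrangement are assumptions for the example.

```ini
# Added example: a certificate-authenticated L2TP/IPsec transport connection
# for Openswan 2.x. Names and paths are hypothetical.
conn L2TP-CERT
    # Windows' built-in L2TP/IPsec client wants transport mode, RSA
    # signatures, no PFS and no IPsec-level rekeying initiated by the server.
    type=transport
    authby=rsasig
    pfs=no
    rekey=no
    keyingtries=3
    # Server side: send our own certificate and pick it explicitly.
    left=%defaultroute
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/certs/vpnserver.pem      # assumed path
    # The L2TP daemon listens on UDP 1701; the client uses any source port.
    # These selectors are what make the SA cover the L2TP traffic.
    leftprotoport=17/1701
    rightprotoport=17/%any
    # Client side: any address, certificate must be issued by the same CA
    # as ours (Jacco's rightca=%same). Use rightcert=<PEM file> instead if
    # only one specific client certificate should be accepted.
    right=%any
    rightrsasigkey=%cert
    rightca=%same
    # Client in this thread is not behind NAT. For NATed clients on
    # Openswan >= 2.4 you would add: rightsubnet=vhost:%priv,%no
    auto=add
```

Two checks worth pairing with this. On the Windows side the registry value Jacco refers to lives at `HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\ProhibitIpSec` (DWORD); a value of 1 disables the automatic L2TP/IPsec policy, while 0 or the value being absent (as Mark reports) leaves the policy enabled, so its absence is the normal, working state. On the Linux side, "IPsec SA established" followed by ESP arriving but nothing reaching UDP 1701 usually means the decrypted packets are landing somewhere the firewall rules are not looking: with KLIPS the plaintext L2TP packets emerge on an `ipsecN` interface rather than the physical one, whereas with the 2.6 NETKEY stack they reappear on the physical interface, so log rules should match the interface the stack in use actually delivers to.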


