[Openswan Users] Natted L2TP client fails
Paul Wouters
paul at xelerance.com
Wed Apr 19 17:50:17 CEST 2006
On Tue, 18 Apr 2006, Arun S wrote:
> I am running a VPN server version 2.4.5rc5 on a Linux box, kernel version 2.6.14. The server also runs a L2TP demon xl2tpd version 1.04. This server is not behind any firewalls (so no NAT).
>
> It is fine with all mobile clients that are not natted. With a mobile client behind a firewall (i.e., peer is natted), IPsec gets established. But L2TP fails.
>
> I have attached "ipsec barf" with this.
From the barf:
> 1 192.168.1.127/32 -> 192.168.3.100/32 => tun0x1006 at 192.168.1.153
> 0 192.168.50.0/24 -> 192.168.100.0/24 => tun0x1002 at 192.168.1.129
> KLIPS detected, checking for NAT Traversal support [FAILED]
This might be wrong in the verify command.
> config setup
> interfaces="ipsec0=eth1"
> nat_traversal=yes
> strictcrlpolicy=no
> forwardcontrol=yes
> uniqueids=yes
> nocrsend=no
You have no nat_traversal=yes and virtual_private= entries, so NAT-T is
disabled.
> conn mobile
> right=%any
> rightsubnetwithin=0.0.0.0/0
Don't use rightsubnetwithin. Just use rightsubnet=vhost:%no,%priv.
> left=192.168.1.127
> leftsubnet=192.168.1.127/255.255.255.255
> leftnexthop=192.168.1.2
> dpddelay=30
> dpdtimeout=60
> dpdaction=clear
> esp=3des-md5
> type=tunnel
> authby=secret
NAT-T and authby=secret is not recommended.
> conn mobile-wxp
> rightprotoport=17/%any
> leftprotoport=17/0
Use 17/1701 for leftprotoport.
> also=mobile
> pfs=no
> conn mobile-wxp2
> rightprotoport=17/%any
> leftprotoport=17/1701
> also=mobile
> pfs=no
Oh. Just remove mobile-wxp entirely.
> + egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter ipsec0/rp_filter lo/rp_filter
> all/rp_filter:0
> default/rp_filter:1
> eth0/rp_filter:1
> eth1/rp_filter:0
> ipsec0/rp_filter:1
Ensure rp_filter is fully disabled.
> Red Hat Linux release 9 (Shrike)
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT udp -- eth1 ipsec0 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
> 0 0 ACCEPT all -- ipsec0 * 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT all -- * ipsec0 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT all -- ppp+ * 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT all -- * ppp+ 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
This table looks overly complex. I would just allow all FORWARD, and depend on
the INPUT and OUTPUT firewall rules to block undesired packets.
> # CONFIG_IP_ADVANCED_ROUTER is not set
You should enable advanced routing in your kernel
> CONFIG_IP_FIB_HASH=y
> # CONFIG_IP_PNP is not set
> # CONFIG_IP_MROUTE is not set
> CONFIG_IPSEC_NAT_TRAVERSAL=y
> CONFIG_INET_AH=m
> CONFIG_INET_ESP=m
> CONFIG_INET_IPCOMP=m
> CONFIG_INET_TUNNEL=m
Having AH/ESP/IPCOMP without having CONFIG_NETKEY makes no sense. I am
surprised it compiled.
> # The authpriv file has restricted access.
> authpriv.* /var/log/secure
I am not sure why all the logs are missing, since they should be where we
expect them. Perhaps you deleted/cleaned the logfile and did not restart
syslogd so it still logged to the deleted logfile?
It would probably tell you "nat traversal disabled"
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
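As an added defender-side example (not code from this thread or from Openswan): a small Python linter that parses an ipsec.conf fragment, constructed here to mirror the one quoted above, and flags the NAT-T/L2TP issues Paul raises (missing virtual_private, rightsubnetwithin, leftprotoport not 17/1701, PSK with %any roadwarriors). It assumes the plain key=value layout of ipsec.conf and does not resolve also= inheritance.

```python
import re

# Constructed ipsec.conf fragment mirroring the one quoted in the thread.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes
conn mobile
    right=%any
    rightsubnetwithin=0.0.0.0/0
    left=192.168.1.127
    authby=secret
conn mobile-wxp
    rightprotoport=17/%any
    leftprotoport=17/0
    also=mobile
"""

def parse_ipsec_conf(text):
    """Return {'conn mobile': {key: value}, ...}; comments and quotes are stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        head = re.match(r"^(config|conn)\s+(\S+)$", line)
        if head:                                      # 'config setup' / 'conn NAME'
            current = f"{head.group(1)} {head.group(2)}"
            sections[current] = {}
        elif current is not None and "=" in line:    # key=value inside a section
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def lint_nat_t(sections):
    """Apply the checks raised in the thread; return a list of warning strings."""
    warnings = []
    setup = sections.get("config setup", {})
    if setup.get("nat_traversal") != "yes":
        warnings.append("config setup: nat_traversal=yes missing, so NAT-T is disabled")
    if "virtual_private" not in setup:
        warnings.append("config setup: virtual_private= missing, NAT-T peers cannot be matched")
    for name, opts in sections.items():               # also= inheritance is NOT resolved
        if not name.startswith("conn "):
            continue
        if "rightsubnetwithin" in opts:
            warnings.append(f"{name}: drop rightsubnetwithin, use rightsubnet=vhost:%no,%priv")
        if opts.get("rightprotoport", "").startswith("17/") and opts.get("leftprotoport") != "17/1701":
            warnings.append(f"{name}: set leftprotoport=17/1701 for L2TP")
        if opts.get("authby") == "secret" and opts.get("right") == "%any":
            warnings.append(f"{name}: authby=secret with NAT-T roadwarriors is not recommended")
    return warnings
```

Running `lint_nat_t(parse_ipsec_conf(SAMPLE_CONF))` on the constructed fragment yields four warnings, one per issue listed in the lead-in.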