[Openswan Users] unencrypted l2tp packets

Brett Curtis dashnu at gmail.com
Tue Aug 1 10:29:30 CEST 2006


I am having this same problem on a test box.

l2tpd version = net-dialup/xl2tpd-1.04

XP-Client (192.168.1.103) -----> ipsec/l2tp(192.168.1.19)eth0 -- eth1 
(172.17.187.0/24)

tcpdump:

09:04:48.864398 IP 192.168.1.19.1701 > 192.168.1.103.1701:  l2tp:[TLS](1/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) |...
09:04:49.868422 IP 192.168.1.19.1701 > 192.168.1.103.1701:  l2tp:[TLS](1/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) |...

I have this exact same configuration working in a production Env.  
However I never connect from the same subnet... And the only other  
differences are this box is 64bit EM64T and is _not_ running SELINUX.

Openswan seems fine:

Aug  1 09:07:02 defender64 pluto[14647]: "roadwarrior-osx-xp"[1] 192.168.1.103 #6: STATE_QUICK_R2: IPsec SA established {ESP=>0x8bb63922 <0xdd103424 xfrm=3DES_0-HMAC_MD5 NATD=192.168.1.103:500 DPD=none}


Is this expected behavior because I am connecting from the same subnet?

My l2tp log is as follows:

Aug  1 09:04:25 defender64 l2tpd[14882]: control_finish: Peer requested tunnel 1 twice, ignoring second one.
Aug  1 09:04:26 defender64 l2tpd[14882]: control_finish: Peer requested tunnel 1 twice, ignoring second one.
Aug  1 09:04:30 defender64 l2tpd[14882]: control_finish: Peer requested tunnel 1 twice, ignoring second one.
Aug  1 09:04:30 defender64 l2tpd[14882]: Maximum retries exceeded for tunnel 2792.  Closing.
Aug  1 09:04:30 defender64 l2tpd[14882]: Connection 1 closed to 192.168.1.103, port 1701 (Timeout)
Aug  1 09:04:35 defender64 l2tpd[14882]: Unable to deliver closing message for tunnel 2792. Destroying anyway.
Aug  1 09:04:45 defender64 l2tpd[14882]: Maximum retries exceeded for tunnel 54721.  Closing.

I have rp_filter = 0 in sysctl and ran:

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo "0" > $f
done

In my search I think I recall Jacco saying openswan disables this by default anyways. Is this the case? In my firewall I echo "1" into */rp_filter; of course this starts before openswan. So if that is useless I would prefer to take it out.

And also my search results only turned up the exact opposite problem: users could connect from the same subnet but not externally.


TIA



On Feb 10, 2006, at 12:16 PM, Ben Willmore wrote:

> I'm trying to get a roadwarrior/nat-t setup going.  I've got a
> seemingly successful IPSec connection:
>
> ...
> Feb 10 08:58:27 lithium pluto[20621]: "L2TP-PSK"[2] aa.bb.cc.dd #2:
> STATE_QUICK_R2: IPsec SA established {ESP=>0x0a6d0476 <0x2c51161d
> xfrm=AES_128-HMAC_SHA1 NATD=mm.nn.oo.pp:4500 DPD=none}
>
> But l2tp never comes up properly.  Using ethereal on the gateway, I
> see ESP packets coming in from the client:
> 09:03:42.455659 IP mm.nn.oo.pp > aa.bb.cc.dd: ESP 
> (spi=0x11941194,seq=0x7c0000)
>
> ...but the only outgoing packets seem to be _unencrypted_ l2tp:
> 09:05:08.971051 IP aa.bb.c.dd.1701 > mm.nn.oo.pp.56004:
> l2tp:[TLS](150/0)Ns=0,Nr=1
> *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
> 09:05:14.973778 IP aa.bb.cc.dd.1701 > mm.nn.oo.pp.56004:
> l2tp:[TLS](150/0)Ns=1,Nr=1
> *MSGTYPE(StopCCN) *ASSND_TUN_ID(30829) *RESULT_CODE(1/0 Timeout)
>
> l2tpd itself just goes in an endless loop of:
> Feb 10 09:05:14 lithium l2tpd[21734]: message_type_avp: message type 1
> (Start-Control-Connection-Request)
> ...
>
> Am I right in thinking that l2tpd is trying to send out unencrypted
> packets instead of going over IPSec?  If so, how can I get it to do
> the right thing?
>
> Or could it just be that the packets are getting filtered out  
> somewhere?
>
> Cheers,
>
> Ben
>
>
> /etc/ipsec.conf:
>
> ...
> conn L2TP-PSK
>   authby=secret
>   pfs=no
>   rekey=no
>   keyingtries=3
>   left=192.168.2.9
>   leftsubnet=external.ip.of.gateway/32
>   leftprotoport=17/1701
>   leftnexthop=192.168.2.1
>   right=%any
>   rightsubnet=vhost:%no,%priv
>   rightprotoport=17/%any
>   auto=add
>
> /etc/l2tp/l2tpd.conf:
> [lns default]
> ip range = 192.168.2.204-192.168.2.214
> local ip = 192.168.2.9
> require chap = yes
> refuse pap = yes
> require authentication = yes
> name = Test
> ppp debug = yes
> pppoptfile = /etc/ppp/options.l2tpd
> length bit = yes

Brett Curtis
dashnu at gmail.com
http://teh.sh.nu
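Both posts in this thread diagnose the same symptom from tcpdump output: pluto reports an IPsec SA, ESP arrives from the client, yet the gateway's L2TP control messages (SCCRP, StopCCN) leave on UDP/1701 in the clear, so the client never sees a reply and l2tpd times out. The following is an added example, not code from either poster or from the Openswan or xl2tpd projects: a small Python checker that parses one-line tcpdump summaries in the format shown above, counts ESP versus cleartext L2TP per direction relative to the gateway address, and states which side is bypassing the IPsec policy. The sample capture is constructed from the lines quoted in the thread; the gateway address is a parameter you supply.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches tcpdump one-line summaries of the form seen in the thread, e.g.
#   09:04:48.864398 IP 192.168.1.19.1701 > 192.168.1.103.1701:  l2tp:[TLS](1/0)...
#   09:03:42.455659 IP 192.168.1.103 > 192.168.1.19: ESP(spi=0x11941194,seq=0x7c0000)
PKT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+?):\s+(?P<rest>.*)$"
)

L2TP_PORT = 1701


def split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    """tcpdump prints 'a.b.c.d.port' for UDP/TCP and a bare 'a.b.c.d' for ESP."""
    host, _, port = ep.rpartition(".")
    if port.isdigit() and host.count(".") == 3:
        return host, int(port)
    return ep, None


def parse_packet(line: str) -> Optional[Dict]:
    """Return a dict describing one summary line, or None if it is not a packet line."""
    m = PKT_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    rest = m["rest"]
    if rest.startswith("ESP"):
        proto = "esp"                      # payload is protected by IPsec
    elif rest.startswith("l2tp:") or L2TP_PORT in (sport, dport):
        proto = "l2tp-clear"               # L2TP visible on the wire: NOT inside ESP
    else:
        proto = "other"
    return {"ts": m["ts"], "src": src, "sport": sport, "dst": dst,
            "dport": dport, "proto": proto, "info": rest}


def diagnose(c: Dict[str, int]) -> str:
    """Interpret the per-direction counts the way the thread reasons about them."""
    if c["l2tp_clear_out"] and not c["esp_out"]:
        return ("gateway sends L2TP in the clear: its replies are not matched by the "
                "IPsec policy (check leftprotoport/rightprotoport and the address l2tpd binds)")
    if c["l2tp_clear_in"]:
        return "client sends L2TP in the clear: client is not putting UDP/1701 into the SA"
    if c["esp_in"] and c["esp_out"]:
        return "both directions protected by ESP"
    return "no L2TP or ESP traffic seen"


def audit(lines: List[str], gateway: str) -> Dict:
    """Count ESP and cleartext L2TP packets in each direction relative to `gateway`."""
    counts = {"esp_in": 0, "esp_out": 0, "l2tp_clear_in": 0, "l2tp_clear_out": 0}
    for line in lines:
        pkt = parse_packet(line)
        if pkt is None:
            continue
        direction = "out" if pkt["src"] == gateway else "in"
        if pkt["proto"] == "esp":
            counts[f"esp_{direction}"] += 1
        elif pkt["proto"] == "l2tp-clear":
            counts[f"l2tp_clear_{direction}"] += 1
    result: Dict = dict(counts)
    result["verdict"] = diagnose(counts)
    return result


# Constructed sample capture, assembled from the lines quoted in the thread.
SAMPLE_CAPTURE = """\
09:03:42.455659 IP 192.168.1.103 > 192.168.1.19: ESP(spi=0x11941194,seq=0x7c0000)
09:04:48.864398 IP 192.168.1.19.1701 > 192.168.1.103.1701:  l2tp:[TLS](1/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) |...
09:04:49.868422 IP 192.168.1.19.1701 > 192.168.1.103.1701:  l2tp:[TLS](1/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) |...
"""

if __name__ == "__main__":
    for k, v in audit(SAMPLE_CAPTURE.splitlines(), "192.168.1.19").items():
        print(f"{k}: {v}")
```

Run it against `tcpdump -n -i eth0 'udp port 1701 or esp'` output with the gateway's address, and the verdict tells you which side's policy to look at; in a healthy setup only ESP appears in both directions and no `l2tp:` lines are printed at all.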


