[Openswan Users] unencrypted l2tp packets

Brett Curtis dashnu at gmail.com
Mon Aug 21 10:11:30 EDT 2006


Hello
On Aug 3, 2006, at 2:53 PM, Paul Wouters wrote:

> On Tue, 1 Aug 2006, Brett Curtis wrote:
>
>> I am having this same problem on a test box........
>
> What do you expect to happen when you are connecting an l2tp tunnel from
> within the same subnet? Do you have two IP addresses from the same subnet,
> one carrying traffic encrypted for the other ip? Then what if you are
> then also sending traffic to another machine in the same subnet? Should
> it go over the tunnel or not? I am not sure what Windows or OSX does
> for these cases.
>
> I would recommend creating a separate subnet with IP addresses that
> will only be used with l2tp, so that it does not matter whether you are
> connecting from the inside or the outside, you are just connecting
> from "some network" to the l2tp subnet.
>
> Paul

Paul, I believe it was set up as if I was connecting from "some network".
If I recall correctly, I tested my other server the same way.

Anyway, I went live with this and still have the same problems.

Is there anything specific that needs to be done on an x86_64 kernel?

< >   AES cipher algorithms
<M>   AES cipher algorithms (x86_64)

Do I need both of these?

After hours of debugging I am now comparing my x86 kernel and my
x86_64 kernel.

I went a bit more modular in this kernel compared to my x86 kernel;
however, ipsec appears to be loading the needed modules.

I am stumped; any thoughts or suggestions from anyone would be great.

All I see now in tcpdump is the following after a successful "IPsec SA
established":

09:58:34.770542 IP rrcs-24-39-31-52.nys.biz.rr.com.47650 > server.myhost.net.ipsec-nat-t: UDP-encap: ESP(spi=0x5a111da5,seq=0x4), length 140

until ipsec deletes the connection.

I am thinking this is a kernel or firewall issue because both have
changed.

My related firewall rules. IPsec is running on the firewall:

INPUT POLICY
# VPN Traffic
$IPT -N external-vpn-traffic
# ESP arriving on the external interface is marked in mangle/PREROUTING (below)
$IPT -A external-vpn-traffic -i $EXTIF -m mark --mark 1 -j ACCEPT
# IKE NAT-T (UDP 4500) and IKE (UDP 500) to the external address
$IPT -A external-vpn-traffic -i $EXTIF -d $EXTIP -p udp -m udp --dport 4500 \
    -j ACCEPT
$IPT -A external-vpn-traffic -i $EXTIF -d $EXTIP -p udp -m udp --dport 500 \
    -j ACCEPT

OUTPUT POLICY
# L2TP Traffic (replies from the local L2TP daemon, UDP source port 1701)
$IPT -N allow-l2tp-traffic-out
$IPT -A allow-l2tp-traffic-out -s $EXTIP -p udp -m udp --sport 1701 \
    -j ACCEPT

# VPN Traffic (IKE and NAT-T from the external address)
$IPT -N allow-vpn-traffic-out
$IPT -A allow-vpn-traffic-out -s $EXTIP -p udp -m udp --dport 500 \
    -j ACCEPT
$IPT -A allow-vpn-traffic-out -s $EXTIP -p udp -m udp --dport 4500 \
    -j ACCEPT

# ESP Traffic (IP protocol 50)
$IPT -N allow-esp-traffic-out
$IPT -A allow-esp-traffic-out -p esp -j ACCEPT

PREROUTING
# Rule for VPN (IPsec/l2tp): mark inbound ESP so the INPUT chain above accepts it
$IPT -t mangle -A PREROUTING -i $EXTIF -p esp -j MARK --set-mark 1


TIA

Brett Curtis
dashnu at gmail.com
http://teh.sh.nu
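A check a reader can run against their own capture, added here as an example and not part of the original post or of Openswan: the parser below takes tcpdump lines of the shape shown in the message above, counts IKE, ESP, UDP-encapsulated ESP and cleartext L2TP (UDP 1701) packets, and flags L2TP that left the server without ESP protection. `SERVER` is an assumed stand-in for the VPN server's name as tcpdump prints it; the SPIs, hostnames and every sample line except the shape of the first are constructed for the demo. One caveat the check encodes: on a host using the kernel's native IPsec stack (NETKEY), a capture on the physical interface also shows the decrypted copy of each inbound packet, so inbound cleartext L2TP right after an ESP packet is expected there; the packets that indicate a real problem are the ones leaving the server's port 1701 in the clear.

```python
import re
from collections import Counter

# Assumed name of the VPN server as tcpdump prints it (stand-in, not from the post).
SERVER = "server.myhost.net"

# Constructed sample capture. Only the first ESP line follows the shape of the
# one in the post; SPIs, hostnames and the other lines are made up for the demo.
SAMPLE_CAPTURE = """\
09:58:33.120000 IP rrcs-24-39-31-52.nys.biz.rr.com.isakmp > server.myhost.net.isakmp: isakmp: phase 1 I ident
09:58:34.770542 IP rrcs-24-39-31-52.nys.biz.rr.com.47650 > server.myhost.net.ipsec-nat-t: UDP-encap: ESP(spi=0x5a111da5,seq=0x4), length 140
09:58:34.771001 IP rrcs-24-39-31-52.nys.biz.rr.com.l2tp > server.myhost.net.l2tp:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ)
09:58:34.772210 IP server.myhost.net.l2tp > rrcs-24-39-31-52.nys.biz.rr.com.l2tp:  l2tp:[TLS](1/0)Ns=0,Nr=1 *MSGTYPE(SCCRP)
09:58:36.000000 IP 203.0.113.7 > server.myhost.net: ESP(spi=0x1a2b3c4d,seq=0x1), length 116
"""

# "HH:MM:SS.usec IP src > dst: payload", the form tcpdump prints without -n
# (service names such as isakmp, ipsec-nat-t and l2tp instead of port numbers).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+):\s+(?P<rest>.*)$"
)


def parse_line(line):
    """Return (ts, src, dst, payload) for a tcpdump IP line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("src"), m.group("dst"), m.group("rest")


def classify(rest):
    """Map tcpdump's payload description to what it means for an L2TP/IPsec tunnel."""
    if rest.startswith("UDP-encap: ESP"):
        return "esp-nat-t"       # ESP inside UDP 4500: encrypted, NAT-T in use
    if rest.startswith("ESP("):
        return "esp"             # plain ESP (IP protocol 50): encrypted
    if rest.startswith("isakmp"):
        return "ike"             # IKE on UDP 500: expected to be visible
    if rest.startswith("l2tp"):
        return "l2tp-cleartext"  # L2TP on the wire: not protected by ESP
    return "other"


def host_of(endpoint):
    """Strip the trailing '.port' or '.service' that tcpdump appends to a host."""
    return endpoint.rsplit(".", 1)[0]


def audit_capture(text, server=SERVER):
    """Count packet kinds and list every cleartext L2TP packet with its direction."""
    counts = Counter()
    cleartext = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, rest = parsed
        kind = classify(rest)
        counts[kind] += 1
        if kind == "l2tp-cleartext":
            direction = "outbound" if host_of(src) == server else "inbound"
            cleartext.append((ts, direction, src, dst))
    return {"counts": counts, "cleartext_l2tp": cleartext}


def leaks_outbound_l2tp(text, server=SERVER):
    """True if any L2TP packet left the server without ESP protection.

    Inbound cleartext L2TP may be the decrypted copy a native-IPsec (NETKEY)
    host shows in tcpdump; outbound cleartext L2TP from the server is a leak."""
    report = audit_capture(text, server)
    return any(direction == "outbound" for _, direction, _, _ in report["cleartext_l2tp"])


if __name__ == "__main__":
    report = audit_capture(SAMPLE_CAPTURE)
    for kind, n in sorted(report["counts"].items()):
        print(f"{kind:15s} {n}")
    for ts, direction, src, dst in report["cleartext_l2tp"]:
        print(f"cleartext L2TP {direction}: {ts} {src} > {dst}")
    print("outbound L2TP leak:", leaks_outbound_l2tp(SAMPLE_CAPTURE))
```

To use it on a real capture, feed it the output of a plain `tcpdump -i <ext-if>` run on the firewall (service names, not `-n`), or adjust `LINE_RE` if the tcpdump in use prints a different timestamp format. A capture with ESP lines but no cleartext L2TP in either direction, like the one in the message above, shows that the encrypted half of the exchange is arriving; the question the parser cannot answer from the wire alone is whether the kernel is decrypting it and handing it to the L2TP daemon, which is where the kernel and firewall comparison in the message comes in.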


