[Openswan Users] unencrypted l2tp packets
dashnu at gmail.com
Mon Aug 21 13:57:10 EDT 2006
forgot to reply to list.. ughhhhhh
On Aug 21, 2006, at 10:22 AM, Paul Wouters wrote:
> On Mon, 21 Aug 2006, Brett Curtis wrote:
>> AllI see now in tcpdump is the following after a successful "IPsec SA
>> 09:58:34.770542 IP rrcs-24-39-31-52.nys.biz.rr.com.47650 >
>> server.myhost.net.ipsec-nat-t: UDP-encap: ESP
>> (spi=0x5a111da5,seq=0x4), length
>> until ipsec deletes the connection.
>> I am thinking this is a kernel or firewall issues because both
>> have changed..
>> My related firewall rules. Ipsec is running on the firewall :
> try disabling all of these rules and see if it works. If not, then
> run ipsec
> verify and check the various /proc settings. Perhaps fiddle with the
> external mtu set to 1472 and/or the internal mtu set to 1300.
Ok I tried my old working firewall. Still no go lt2p comes back from
the client on port 1701.
So I stopped the firewall totally... I connected however l2tp was
still communicating outside the tunnel.
I stand firm that my firewall is not the problem. Auth of l2tp
happened only because my firewall let 1701 udp in.
Nice to know XP allows you to connect that way :p
Ipsec verify looks fine.
Checking your system to see if IPsec got installed and started
Version check and ipsec on-path [OK]
Linux Openswan U2.4.4/K2.6.17-gentoo-r4 (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption Support
I also went through /proc on both machines and compared.. Still know go.
I have these set in /etc/sysctl on the working machine:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
I do not have these set in systcl on the non-working machine. However
I do run echo commands in my firewall script to enable this. So no
I am a bit confused on the mtu stuff. Since i use netkey I need to
change my interfaces by hand correct ? Because overridemtu in the
ipsec config did not work.
If so is there any risk in changing the mtu ?
> Building and integrating Virtual Private Networks with Openswan:
dashnu at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users