[Openswan Users] unencrypted l2tp packets

Brett Curtis dashnu at gmail.com
Mon Aug 21 13:57:10 EDT 2006


forgot to reply to list.. ughhhhhh
On Aug 21, 2006, at 10:22 AM, Paul Wouters wrote:

> On Mon, 21 Aug 2006, Brett Curtis wrote:
>
>> All I see now in tcpdump is the following after a successful "IPsec SA
>> established":
>>
>> 09:58:34.770542 IP rrcs-24-39-31-52.nys.biz.rr.com.47650 > server.myhost.net.ipsec-nat-t: UDP-encap: ESP (spi=0x5a111da5,seq=0x4), length 140
>>
>> until ipsec deletes the connection.
>>
>> I am thinking this is a kernel or firewall issue because both have changed..
>
>> My related firewall rules. Ipsec is running on the firewall :
>
> try disabling all of these rules and see if it works. If not, then run
> ipsec verify and check the various /proc settings. Perhaps fiddle with the
> external mtu set to 1472 and/or the internal mtu set to 1300.
>

Ok, I tried my old working firewall. Still no go; l2tp comes back from
the client on port 1701.
So I stopped the firewall totally... I connected; however, l2tp was
still communicating outside the tunnel.
I stand firm that my firewall is not the problem. Auth of l2tp
happened only because my firewall let 1701 udp in.

Nice to know XP allows you to connect that way :p

Anyways...

Ipsec verify looks fine.

Checking your system to see if IPsec got installed and started  
correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.4/K2.6.17-gentoo-r4 (netkey)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec/ipsec.secrets)         [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
Opportunistic Encryption Support                                [DISABLED]

I also went through /proc on both machines and compared.. Still no go.

I have these set in /etc/sysctl on the working machine:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

I do not have these set in sysctl on the non-working machine. However,
I do run echo commands in my firewall script to enable this. So no
difference there.

I am a bit confused on the mtu stuff. Since I use netkey, I need to
change my interfaces by hand, correct? Because overridemtu in the
ipsec config did not work.

If so, is there any risk in changing the mtu?

Thanks.



> Paul
> -- 
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

Brett Curtis
dashnu at gmail.com
http://teh.sh.nu
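The question underneath this thread is how to tell from a tcpdump capture whether L2TP is really travelling outside the IPsec tunnel. The script below is an added example for readers of the archive, not code from the thread or from the Openswan project. It parses tcpdump's default (name-resolving) output, in the same format as the single line quoted above, and separates ESP/NAT-T packets from bare UDP/1701 L2TP packets. One caveat a practitioner needs when reading such captures on a NETKEY (2.6 XFRM) host: tcpdump on the physical interface shows inbound packets twice, once as ESP and once as the decrypted payload, while outbound packets appear only as ESP. So an inbound cleartext L2TP packet from a peer that also sends ESP is expected, whereas outbound L2TP from the gateway itself, or inbound L2TP from a peer with no ESP in the capture, is a genuine leak. The hostnames, ports and the L2TP lines in the sample capture are constructed for this example; only the first line's shape comes from the post.

```python
import re
from collections import Counter

# Constructed sample capture in tcpdump's default output format. The first line is
# modelled on the line quoted in the thread; the hostnames and the remaining packets
# are made up so that each classification branch below is exercised.
SAMPLE_CAPTURE = """\
09:58:34.770542 IP roadwarrior.example.net.47650 > vpngw.example.net.ipsec-nat-t: UDP-encap: ESP(spi=0x5a111da5,seq=0x4), length 140
09:58:34.771210 IP roadwarrior.example.net.l2tp > vpngw.example.net.l2tp: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ)
09:58:34.772004 IP vpngw.example.net.l2tp > roadwarrior.example.net.l2tp: l2tp:[TLS](0/0)Ns=0,Nr=1 *MSGTYPE(SCCRP)
09:58:35.004410 IP vpngw.example.net.isakmp > roadwarrior.example.net.isakmp: isakmp: phase 2/others ? inf[E]: [encrypted hash]
09:58:36.120938 IP stranger.example.org.l2tp > vpngw.example.net.l2tp: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ)
"""

# "<ts> IP <host>.<port> > <host>.<port>: <info>"; hosts may contain dots, so the
# port is the last dot-separated component before " > " or ":".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>[^.\s]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[^.:\s]+): (?P<info>.*)$"
)

# Service names as tcpdump resolves them, plus the numeric forms seen with -n.
L2TP_PORTS = {"l2tp", "1701"}
IKE_PORTS = {"isakmp", "500"}


def parse_line(line):
    """Return the parsed fields of one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(pkt):
    """Label a packet as esp, ike, l2tp-cleartext or other."""
    info = pkt["info"]
    ports = {pkt["sport"], pkt["dport"]}
    if info.startswith("UDP-encap: ESP") or info.startswith("ESP("):
        return "esp"            # protected traffic (NAT-T encapsulated or raw ESP)
    if ports & IKE_PORTS or info.startswith("isakmp"):
        return "ike"            # key exchange, expected in the clear
    if ports & L2TP_PORTS:
        return "l2tp-cleartext"  # L2TP visible on the wire
    return "other"


def audit(capture, local_host):
    """Check every cleartext L2TP packet against the ESP peers seen in the capture.

    Returns a list of (timestamp, src, dst, verdict) tuples.
    """
    pkts = [p for p in (parse_line(l) for l in capture.splitlines()) if p]
    # Peers that exchanged ESP with us at any point in the capture (two-pass, so the
    # verdict does not depend on the decrypted copy following its ESP packet).
    esp_peers = set()
    for p in pkts:
        if classify(p) == "esp":
            esp_peers.update({p["src"], p["dst"]})
    esp_peers.discard(local_host)

    findings = []
    for p in pkts:
        if classify(p) != "l2tp-cleartext":
            continue
        if p["src"] == local_host:
            # NETKEY never shows decrypted outbound packets: this left in the clear.
            verdict = "LEAK: outbound L2TP left %s unencrypted" % local_host
        elif p["src"] in esp_peers:
            # Inbound decrypted copy of an ESP packet; normal on a NETKEY host.
            verdict = "ok: inbound L2TP is the decrypted copy of ESP from %s" % p["src"]
        else:
            verdict = "LEAK: inbound L2TP from %s with no IPsec SA in this capture" % p["src"]
        findings.append((p["ts"], p["src"], p["dst"], verdict))
    return findings


def summarize(findings):
    """Count leak versus ok verdicts."""
    return Counter("LEAK" if v.startswith("LEAK") else "ok" for _, _, _, v in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_CAPTURE, "vpngw.example.net")
    for ts, src, dst, verdict in results:
        print(ts, src, "->", dst, verdict)
    print(dict(summarize(results)))
```

Feed it a real capture with `tcpdump -i eth0 -l udp | python3 audit.py` style piping by replacing `SAMPLE_CAPTURE` with `sys.stdin.read()`, and pass the gateway's own name (or address, if you capture with `-n`). Once a leak is confirmed, the usual defensive fix on a Linux gateway is to accept UDP/1701 only when it arrived through an IPsec policy (the iptables `policy` match, `-m policy --dir in --pol ipsec`), so that a client which skips the tunnel is never answered in the clear.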


