[Openswan Users] unencrypted l2tp packets

Paul Wouters paul at xelerance.com
Mon Aug 21 14:27:34 EDT 2006

On Mon, 21 Aug 2006, Brett Curtis wrote:

> Ok I tried my old working firewall. Still no go lt2p comes back from the
> client on port 1701.
> So I stopped the firewall totally... I connected however l2tp was still
> communicating outside the tunnel.
> I stand firm that my firewall is not the problem. Auth of l2tp happened only
> because my firewall let 1701 udp in.

Okay. run without any firewall, but do:

iptables -t mangle -A INPUT --proto esp -j MARK --set-mark 1
iptables -A INPUT -i eth0 -m mark --mark 1 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1701 -j DROP

This will drop all plaintext incoming l2tp packets and allow
all l2tp packets that came in encrypted.

> Nice to know XP allows you to connect that way :p

I don't think that is what is happening.

> Linux Openswan U2.4.4/K2.6.17-gentoo-r4 (netkey)

Newer versions of openswan check a few more proc options.

> I have these set in /etc/sysctl on the working machine:
> net.ipv4.ip_forward = 1
> net.ipv4.conf.default.rp_filter = 1

Must be set to 0.

> net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.send_redirects = 0

Those are sometimes needed for netkey because of interface confusion caused by
the way it decrypts and re-injects packets.

Another possible thing to try:

> I am a bit confused on the mtu stuff. Since i use netkey I need to change my
> interfaces by hand correct ? Because overridemtu in the ipsec config did not
> work.

Yes. For best results, set the external mtu to 1472, and the internal mtu to 1400
and see what happens.

> If so is there any risk in changing the mtu ?

At most, broken machines break more. In practice, it should not make a difference.
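An added audit script, not from the thread, that checks the two things Paul's reply asks for: that the sysctls are at the values listed above (rp_filter 0, redirects off, forwarding on) and that the filter INPUT chain drops plaintext udp/1701 only after accepting traffic carrying the ESP mark. It reads sysctl.conf-style lines and iptables-save output from stdin, so it runs without root; the sample rule set in demo() is constructed for illustration.

```shell
#!/bin/sh
# Audit helpers (added example, not part of the original post).

# Values the reply asks for. rp_filter must be 0 for netkey.
SYSCTL_WANT='net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.log_martians=0
net.ipv4.conf.all.send_redirects=0'

# audit_sysctl: stdin = /etc/sysctl.conf or "sysctl -a" output.
# Prints one "key current=X wanted=Y" line per mismatch; returns 1 if any.
audit_sysctl() {
    input=$(cat); rc=0
    for want in $SYSCTL_WANT; do
        key=${want%%=*}; val=${want#*=}
        cur=$(printf '%s\n' "$input" | awk -F= -v k="$key" \
            '{ gsub(/[[:space:]]/, "", $1); if ($1 == k) v = $2 }
             END { gsub(/[[:space:]]/, "", v); print v }')
        [ "$cur" = "$val" ] || { echo "$key current=${cur:-unset} wanted=$val"; rc=1; }
    done
    return $rc
}

# audit_l2tp_rules: stdin = iptables-save output. Passes only if INPUT drops
# plaintext udp/1701 AND the ACCEPT for mark 0x1 (decrypted traffic) comes first.
audit_l2tp_rules() {
    input=$(cat)
    accept=$(printf '%s\n' "$input" | grep -n -e '-A INPUT .*-m mark --mark 0x1.* -j ACCEPT' | head -n 1 | cut -d: -f1)
    drop=$(printf '%s\n' "$input" | grep -n -e '-A INPUT .*-p udp.*--dport 1701 -j DROP' | head -n 1 | cut -d: -f1)
    [ -n "$drop" ]   || { echo "no DROP for plaintext udp/1701 in INPUT"; return 1; }
    [ -n "$accept" ] || { echo "no ACCEPT for mark 0x1 (decrypted) traffic in INPUT"; return 1; }
    [ "$accept" -lt "$drop" ] || { echo "ACCEPT for mark 0x1 must come before the udp/1701 DROP"; return 1; }
    echo ok
}

# demo: constructed iptables-save excerpt matching the rules in the reply.
demo() {
    printf '%s\n' '*mangle' \
        '-A INPUT -p esp -j MARK --set-xmark 0x1/0xffffffff' 'COMMIT' '*filter' \
        '-A INPUT -i eth0 -m mark --mark 0x1 -j ACCEPT' \
        '-A INPUT -i eth0 -p udp -m udp --dport 1701 -j DROP' 'COMMIT' | audit_l2tp_rules
}
```

On a live box run `sysctl -a | audit_sysctl` and `iptables-save | audit_l2tp_rules` after sourcing the file; a rule set where the DROP precedes the mark ACCEPT will also drop the decrypted l2tp packets, which is the failure the ordering check catches.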
