[Openswan Users] unencrypted l2tp packets

[Paul Wouters]

On Mon, 21 Aug 2006, Brett Curtis wrote:

> Ok I tried my old working firewall. Still no go lt2p comes back from the
> client on port 1701.
> So I stopped the firewall totally... I connected however l2tp was still
> communicating outside the tunnel.
> I stand firm that my firewall is not the problem. Auth of l2tp happened only
> because my firewall let 1701 udp in.

Okay. run without any firewall, but do:

iptables -t mangle -A INPUT --proto esp -j mark --set-mark 1
iptables -A INPUT -i eth0 -m mark --mark 1 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --d-0rt 1701 -j DROP

This will drop all plaintext incominng l2tp packets and allow
all l2tp packets that came in encrypted.

> Nice to know XP allows you to connect that way :p

I don't think that is what is happening.

> Linux Openswan U2.4.4/K2.6.17-gentoo-r4 (netkey)

Newer versions of openswan check a little bit more proc options

> I have these set in /etc/sysctl on the working machine:
> net.ipv4.ip_forward = 1
> net.ipv4.conf.default.rp_filter = 1

Must be set to 0.

> net.ipv4.conf.all.rp_filter = 1

Same.

Add:

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.send_redirects = 0

Those are sometimes needed for netkey because of interface confusion because
the way it decrypts and re-injects packets.

Another posisble thing to try:

net.ipv4.ip_no_pmtu_disc=1

> I am a bit confused on the mtu stuff. Since i use netkey I need to change my
> interfaces by hand correct ? Because overridemtu in the ipsec config did not
> work.

Yes. For best results, set the external mtu to 1472, and the internal mtu to 1400
and see what happens.

> If so is there any risk in changing the mtu ?

At most, broken machines break more. In practise, it should not make a difference.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155