[Openswan Users] unencrypted l2tp packets

Paul Wouters paul at xelerance.com
Tue Aug 22 14:16:10 EDT 2006

On Tue, 22 Aug 2006, Brett Curtis wrote:

> Rather then setting proc options in sysctl I echoed them in proc... AFAIK
> there is no difference. ( do not want to reboot )

Yup, that's fine.

> These 'test' rules allow me to connect
> $IPT -t mangle -A INPUT -i $EXTIF --proto esp -j MARK --set-mark 1
> $IPT -A INPUT -i $EXTIF -m mark --mark 1 -j LOG --log-prefix "Match 1:"
> $IPT -A INPUT -i $EXTIF -m mark --mark 1 -j ACCEPT
> echo "Applying custom chains to INPUT"
> $IPT -A INPUT -i $EXTIF -p udp --dport 500 -j LOG --log-prefix "PORT 500:"
> $IPT -A INPUT -i $EXTIF -p udp --dport 500 -j ACCEPT
> $IPT -A INPUT -i $EXTIF -p udp --dport 4500 -j LOG --log-prefix "PORT 4500:"
> $IPT -A INPUT -i $EXTIF -p udp --dport 4500 -j  ACCEPT
> $IPT -A INPUT -i $EXTIF -p udp --dport 1701 -j LOG \
>   --log-prefix "LTPD IS BROKE:"
> $IPT -A INPUT -i $EXTIF -p udp --dport 1701 -j ACCEPT
> # END TEST #

This is not a good test. The decrypted esp packets will *also* show up
as plaintext l2tp packets in the input chain after getting decrypted.

The idea of my rules was to mark all ESP packets. This mark survives
decrypting, so then we have l2tp packets with the mark. Since we allow
all packets with the mark with an ACCEPT rule, these get accepted. Then
you should *block* l2tp packets with an append (-A) rule. The result is
that when the l2tp was encrypted, the marked packet will be allowed,
but if it came in unencrypted, there is no accept rule for it and it
hits the drop rule for l2tp.

> Nothing is ever hitting my Match rule I put logging in and nothing comes up
> maybe my problem is there..
> I also didn't use a match and allowed all esp and still the same results...
> not sure if this is valid but I also tried tcpdump -i eth0 esp and nothing
> showed.. No esp packets.

netkey is a bit odd, but I believe for incoming you should see both encrypted
and decrypted packets. I guess you should verify your Windows l2tp connection

Also, to verify/check windows is using ipsec, you can enable OAKLEY.LOG
debugging and then check to see if it is attempting ipsec or not.


More information about the Users mailing list