[Openswan Users] unencrypted l2tp packets

Brett Curtis dashnu at gmail.com
Tue Aug 22 17:34:04 EDT 2006

Your help is greatly appreciated.
On Aug 22, 2006, at 2:16 PM, Paul Wouters wrote:

> On Tue, 22 Aug 2006, Brett Curtis wrote:
>> Rather then setting proc options in sysctl I echoed them in  
>> proc... AFAIK
>> there is no difference. ( do not want to reboot )
> Yup, that's fine.

>> These 'test' rules allow me to connect
>> .......
> This is not a good test. The decrypted esp packets will *also* show up
> as plaintext l2tp packets in the input chain after getting decrypted.

Ok with these rules I noticed port 1701 log in my firewall however a  
tcpdump showed all traffic going over 4500 as it should.
So I understand what you are saying there.

> The idea of my rules was to mark all ESP packets. This mark survives
> decrypting, so then we have l2tp packets with the mark. Since we allow
> all packets with the mark with an ACCEPT rule, these get accepted.  
> Then
> you should *block* l2tp packets with an append (-A) rule. The  
> result is
> that when the l2tp was encrypted, the marked packet will be allowed,
> but if it came in unencrypted, there is no accept rule for it and it
> hits the drop rule for l2tp.

Ok I was able to test these rules...

iptables -t mangle -A INPUT --proto esp -j MARK --set-mark 1
iptables -A INPUT -i eth0 -m mark --mark 1 -j LOG --log-prefix "Mark 1:"
iptables -A INPUT -i eth0 -m mark --mark 1 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1701 -j LOG --log-prefix  
"L2TP Drop:"
iptables -A INPUT -i eth0 -p udp --dport 1701 -j DROP

Same as yours just with a bit more logging. Interestingly enough  
Packets are never marked!
Fails the same way.. dropping of port 1701.

Seems mark in iptables is working I tested this by marking everything  
with a source address from my XP machine.

$IPT -t mangle -A INPUT -i $EXTIF -s -j MARK --set-mark 2
$IPT -A INPUT -i $EXTIF -m mark --mark 2 -j LOG --log-prefix "Match 2:"

and simple ping just to see if match is working as it should..

>> Nothing is ever hitting my Match rule I put logging in and nothing  
>> comes up
>> maybe my problem is there..
>> I also didn't use a match and allowed all esp and still the same  
>> results...
>> not sure if this is valid but I also tried tcpdump -i eth0 esp and  
>> nothing
>> showed.. No esp packets.
> netkey is a bit odd, but I believe for incoming you should see both  
> encrypted
> and decrypted packets. I guess you should verify your Windows l2tp  
> connection
> definition.

I doubled check the XP client and also tried with OSX.
> Also, to verify/check windows is using ipsec, you can enable  
> debugging and then check to see if it is attempting ipsec or not.

At this point would this log help? I could attach it..

So what i think... my esp packets are not matched and I have _no_  
idea why.  Ideas anyone?

If folks think I am on the write path I may try to roll back to an  
older kernel this weekend.

It has been a truly long day and I tend to lose my mind after so much  
debugging ;) so I will pick this up in the morning.

Thanks again, nice to have someone to bounce off of where as I am the  
only IT guy at the company.

> Paul

Brett Curtis
dashnu at gmail.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20060822/fad11fd4/attachment.html 

More information about the Users mailing list