[Openswan Users] unencrypted l2tp packets

Ben Willmore bwillmore at berkeley.edu
Fri Feb 10 09:18:49 CET 2006


I'm trying to get a roadwarrior/nat-t setup going.  I've got a
seemingly successful IPSec connection:

...
Feb 10 08:58:27 lithium pluto[20621]: "L2TP-PSK"[2] aa.bb.cc.dd #2:
STATE_QUICK_R2: IPsec SA established {ESP=>0x0a6d0476 <0x2c51161d
xfrm=AES_128-HMAC_SHA1 NATD=mm.nn.oo.pp:4500 DPD=none}

But l2tp never comes up properly.  Using ethereal on the gateway, I
see ESP packets coming in from the client:
09:03:42.455659 IP mm.nn.oo.pp > aa.bb.cc.dd: ESP(spi=0x11941194,seq=0x7c0000)

...but the only outgoing packets seem to be _unencrypted_ l2tp:
09:05:08.971051 IP aa.bb.c.dd.1701 > mm.nn.oo.pp.56004:
l2tp:[TLS](150/0)Ns=0,Nr=1
*MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
09:05:14.973778 IP aa.bb.cc.dd.1701 > mm.nn.oo.pp.56004:
l2tp:[TLS](150/0)Ns=1,Nr=1
*MSGTYPE(StopCCN) *ASSND_TUN_ID(30829) *RESULT_CODE(1/0 Timeout)

l2tpd itself just goes in an endless loop of:
Feb 10 09:05:14 lithium l2tpd[21734]: message_type_avp: message type 1
(Start-Control-Connection-Request)
...

Am I right in thinking that l2tpd is trying to send out unencrypted
packets instead of going over IPSec?  If so, how can I get it to do
the right thing?

Or could it just be that the packets are getting filtered out somewhere?

Cheers,

Ben


/etc/ipsec.conf:

...
conn L2TP-PSK
  authby=secret
  pfs=no
  rekey=no
  keyingtries=3
  left=192.168.2.9
  leftsubnet=external.ip.of.gateway/32
  leftprotoport=17/1701
  leftnexthop=192.168.2.1
  right=%any
  rightsubnet=vhost:%no,%priv
  rightprotoport=17/%any
  auto=add

/etc/l2tp/l2tpd.conf:
[lns default]
ip range = 192.168.2.204-192.168.2.214
local ip = 192.168.2.9
require chap = yes
refuse pap = yes
require authentication = yes
name = Test
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
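The two possibilities raised in the post (l2tpd emitting cleartext, or the packets being filtered/unmatched somewhere) can be separated by checking whether each outbound UDP/1701 packet seen on the gateway actually falls inside the traffic selector that the conn above would install as an xfrm policy (source address in leftsubnet, protocol/port from leftprotoport). If it does, a policy covers it and the problem is elsewhere (SA state, filtering); if it does not, the policy simply never applies and the kernel sends it in the clear. The script below is an added example, not code from the post or from Openswan/l2tpd; the capture lines and conn block are constructed, modelled on the quoted output, with RFC 5737 documentation addresses standing in for the real hosts. It checks only the local (left) side of the selector, since rightsubnet=vhost:%no,%priv is resolved dynamically per client.

```python
"""Classify tcpdump summary lines from an L2TP/IPsec gateway and flag
outbound L2TP (UDP/1701) packets that leave unprotected, then say whether
the ipsec.conf traffic selector would even have matched them."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample capture (not the original post's data): one raw ESP
# packet, one NAT-T encapsulated ESP packet, and two cleartext L2TP control
# messages, one sourced from the gateway's external address and one from
# its internal address.
SAMPLE_CAPTURE = """\
09:03:42.455659 IP 203.0.113.7 > 198.51.100.9: ESP(spi=0x11941194,seq=0x7c0000)
09:03:42.455700 IP 203.0.113.7.4500 > 198.51.100.9.4500: UDP-encap: ESP(spi=0x11941194,seq=0x7c0001)
09:05:08.971051 IP 198.51.100.9.1701 > 203.0.113.7.56004: l2tp:[TLS](150/0)Ns=0,Nr=1
09:05:14.973778 IP 192.168.2.9.1701 > 203.0.113.7.56004: l2tp:[TLS](150/0)Ns=1,Nr=1
"""

# Constructed conn block modelled on the one in the post (hypothetical addresses).
SAMPLE_CONN = """\
conn L2TP-PSK
  authby=secret
  left=192.168.2.9
  leftsubnet=198.51.100.9/32
  leftprotoport=17/1701
  right=%any
  rightsubnet=vhost:%no,%priv
  rightprotoport=17/%any
"""

LINE_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): (?P<payload>.*)$")


@dataclass
class Packet:
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    payload: str

    @property
    def kind(self) -> str:
        p = self.payload
        if p.startswith("ESP(") or "UDP-encap: ESP" in p:
            return "esp"             # protected: raw ESP or NAT-T ESP on UDP/4500
        if self.sport == 1701 or self.dport == 1701 or p.startswith("l2tp:"):
            return "cleartext-l2tp"  # L2TP visible on the wire, no ESP around it
        return "other"


def split_endpoint(ep: str):
    """'a.b.c.d.port' -> ('a.b.c.d', port); bare 'a.b.c.d' (ESP) -> (ip, None)."""
    parts = ep.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return ep, None


def parse_capture(text: str):
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        pkts.append(Packet(src, sport, dst, dport, m["payload"]))
    return pkts


@dataclass
class Selector:
    """Local side of the traffic selector an ipsec.conf conn installs."""
    local_net: ipaddress.IPv4Network
    proto: int
    local_port: Optional[int]  # None means %any


def parse_conn(conf_text: str) -> Selector:
    """Pull leftsubnet/leftprotoport out of a single conn block."""
    kv = dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", conf_text, re.M))
    net = ipaddress.ip_network(kv["leftsubnet"], strict=False)
    proto, port = kv.get("leftprotoport", "0/%any").split("/")
    return Selector(net, int(proto), None if port == "%any" else int(port))


def matches(sel: Selector, pkt: Packet) -> bool:
    """True if an outbound packet is inside the selector, i.e. the xfrm
    policy derived from the conn would apply to it (UDP is proto 17)."""
    if ipaddress.ip_address(pkt.src) not in sel.local_net:
        return False
    if sel.proto not in (0, 17):
        return False
    if sel.local_port is not None and pkt.sport != sel.local_port:
        return False
    return True


def audit(capture_text: str, conn_text: str, gateway_ips: set):
    """Return (packet, verdict) for every outbound cleartext L2TP packet."""
    sel = parse_conn(conn_text)
    findings = []
    for pkt in parse_capture(capture_text):
        if pkt.kind != "cleartext-l2tp" or pkt.src not in gateway_ips:
            continue  # inbound or protected traffic is not the problem
        if matches(sel, pkt):
            verdict = "in-selector: a policy covers this flow but was not applied; check SA state and filtering"
        else:
            verdict = "outside-selector: leftsubnet/leftprotoport never match this source, so it is sent in the clear"
        findings.append((pkt, verdict))
    return findings


if __name__ == "__main__":
    for pkt, verdict in audit(SAMPLE_CAPTURE, SAMPLE_CONN, {"198.51.100.9", "192.168.2.9"}):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {verdict}")
```

Feed it a real `tcpdump -n` summary (not ethereal's display format) and the conn block from ipsec.conf; the `gateway_ips` set should list every address the gateway can source packets from, since l2tpd's `local ip` and the address in `leftsubnet` may differ.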
