[Openswan Users] unencrypted l2tp packets
Ben Willmore
ben at opendarwin.org
Fri Feb 10 09:16:38 CET 2006
I'm trying to get a roadwarrior/nat-t setup going. I've got a
seemingly successful IPSec connection:
...
Feb 10 08:58:27 lithium pluto[20621]: "L2TP-PSK"[2] aa.bb.cc.dd #2:
STATE_QUICK_R2: IPsec SA established {ESP=>0x0a6d0476 <0x2c51161d
xfrm=AES_128-HMAC_SHA1 NATD=mm.nn.oo.pp:4500 DPD=none}
But l2tp never comes up properly. Using ethereal on the gateway, I
see ESP packets coming in from the client:
09:03:42.455659 IP mm.nn.oo.pp > aa.bb.cc.dd: ESP(spi=0x11941194,seq=0x7c0000)
...but the only outgoing packets seem to be _unencrypted_ l2tp:
09:05:08.971051 IP aa.bb.c.dd.1701 > mm.nn.oo.pp.56004:
l2tp:[TLS](150/0)Ns=0,Nr=1
*MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
09:05:14.973778 IP aa.bb.cc.dd.1701 > mm.nn.oo.pp.56004:
l2tp:[TLS](150/0)Ns=1,Nr=1
*MSGTYPE(StopCCN) *ASSND_TUN_ID(30829) *RESULT_CODE(1/0 Timeout)
l2tpd itself just goes in an endless loop of:
Feb 10 09:05:14 lithium l2tpd[21734]: message_type_avp: message type 1
(Start-Control-Connection-Request)
...
Am I right in thinking that l2tpd is trying to send out unencrypted
packets instead of going over IPSec? If so, how can I get it to do
the right thing?
Or could it just be that the packets are getting filtered out somewhere?
Cheers,
Ben
/etc/ipsec.conf:
...
conn L2TP-PSK
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    left=192.168.2.9
    leftsubnet=external.ip.of.gateway/32
    leftprotoport=17/1701
    leftnexthop=192.168.2.1
    right=%any
    rightsubnet=vhost:%no,%priv
    rightprotoport=17/%any
    auto=add
/etc/l2tp/l2tpd.conf:
[lns default]
ip range = 192.168.2.204-192.168.2.214
local ip = 192.168.2.9
require chap = yes
refuse pap = yes
require authentication = yes
name = Test
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
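As an added example (not part of the original post, and not code from Openswan or l2tpd), here is a small Python checker for exactly the symptom described above: it parses tcpdump/ethereal text lines of the kind quoted in the message and flags any L2TP traffic (UDP 1701) that shows up on the outer interface outside an ESP envelope, which is what you would expect to see when the kernel's IPsec policy does not match the packets l2tpd emits. The capture text is constructed; 203.0.113.5 stands in for the gateway's public address and 198.51.100.7 for the NAT-T client. The "UDP-encap: ESP" line assumes tcpdump's rendering of NAT-T encapsulated ESP.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample capture, modelled on the tcpdump/ethereal lines quoted in
# the post. Addresses come from documentation ranges and are not real hosts.
SAMPLE_CAPTURE = """\
09:03:42.455659 IP 198.51.100.7 > 203.0.113.5: ESP(spi=0x11941194,seq=0x7c0000)
09:03:42.455900 IP 198.51.100.7.4500 > 203.0.113.5.4500: UDP-encap: ESP(spi=0x11941195,seq=0x1)
09:05:08.971051 IP 203.0.113.5.1701 > 198.51.100.7.56004: l2tp:[TLS](150/0)Ns=0,Nr=1 *MSGTYPE(SCCRP)
09:05:14.973778 IP 203.0.113.5.1701 > 198.51.100.7.56004: l2tp:[TLS](150/0)Ns=1,Nr=1 *MSGTYPE(StopCCN)
09:05:15.000001 IP 203.0.113.5.22 > 198.51.100.9.40022: Flags [P.], seq 1:37, length 36
"""

L2TP_PORT = 1701

# "<timestamp> IP <src> > <dst>: <payload>" as printed by tcpdump -n
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<payload>.*)$")


@dataclass
class Packet:
    ts: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    payload: str

    @property
    def kind(self) -> str:
        """'esp' for protected traffic (raw or NAT-T), 'l2tp-clear' for L2TP
        seen outside IPsec, 'other' for everything else."""
        if "ESP(" in self.payload:
            return "esp"
        if L2TP_PORT in (self.sport, self.dport) or self.payload.startswith("l2tp"):
            return "l2tp-clear"
        return "other"

    def direction(self, gateway_ip: str) -> str:
        return "outbound" if self.src == gateway_ip else "inbound"


def _split_endpoint(ep: str):
    """tcpdump appends the port as a fifth dotted component ('a.b.c.d.1701');
    ESP lines carry no port, so a plain address has only four components."""
    parts = ep.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return ep, None


def parse_capture(text: str) -> List[Packet]:
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip continuation lines such as the AVP dump
        src, sport = _split_endpoint(m.group("src"))
        dst, dport = _split_endpoint(m.group("dst"))
        packets.append(Packet(m.group("ts"), src, sport, dst, dport, m.group("payload")))
    return packets


def summarize(packets: List[Packet]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for p in packets:
        counts[p.kind] = counts.get(p.kind, 0) + 1
    return counts


def find_cleartext_l2tp(packets: List[Packet], gateway_ip: str) -> List[Packet]:
    """Packets that should have matched the 17/1701 IPsec selector but left
    or arrived in the clear. Any hit means the SPD and l2tpd disagree about
    which addresses the L2TP traffic uses."""
    return [p for p in packets if p.kind == "l2tp-clear"]


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    print("packet kinds:", summarize(pkts))
    for p in find_cleartext_l2tp(pkts, "203.0.113.5"):
        print(f"LEAK {p.ts} {p.direction('203.0.113.5')} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

Run it against a real `tcpdump -n -i <outer-if>` text dump to confirm whether the plaintext L2TP you see is leaving the gateway (a policy mismatch on the server side) or arriving from the client (the client is not tunnelling at all); the two cases need different fixes.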