[Openswan Users] unencrypted l2tp packets
Jacco de Leeuw
jacco2 at dds.nl
Fri Feb 10 22:33:42 CET 2006
Ben Willmore wrote:
> Feb 10 08:58:27 lithium pluto[20621]: "L2TP-PSK"[2] aa.bb.cc.dd #2:
> STATE_QUICK_R2: IPsec SA established {ESP=>0x0a6d0476 <0x2c51161d
> xfrm=AES_128-HMAC_SHA1 NATD=mm.nn.oo.pp:4500 DPD=none}
>
> But l2tp never comes up properly. Using ethereal on the gateway, I
> see ESP packets coming in from the client:
> 09:03:42.455659 IP mm.nn.oo.pp > aa.bb.cc.dd: ESP(spi=0x11941194,seq=0x7c0000)
>
> ...but the only outgoing packets seem to be _unencrypted_ l2tp:
If you are using NETKEY and you are sniffing directly on the IPsec
interface then the results are not reliable. The packets may actually
be encrypted after all.
> conn L2TP-PSK
> authby=secret
> pfs=no
> rekey=no
> keyingtries=3
> left=192.168.2.9
> leftsubnet=external.ip.of.gateway/32
>
> /etc/l2tp/l2tpd.conf:
> [lns default]
> ip range = 192.168.2.204-192.168.2.214
> local ip = 192.168.2.9
Is your server behind NAT? Did you read my remarks on NATed servers?
Anyway, you can't use left=x.x.x.x and local ip=x.x.x.x. These have
to be different IP addresses.
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
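A small configuration check for the address clash Jacco points out above, added here as an example that is not part of the original thread and not Openswan or l2tpd code: it parses an Openswan `conn` block and an l2tpd `[lns ...]` section (the two fragments quoted in the thread, reconstructed inline as constructed input) and reports every conn whose `left=` equals an lns `local ip`.

```python
import re

# Constructed sample input, taken from the configuration quoted in the thread:
# left= in ipsec.conf and 'local ip' in l2tpd.conf point at the same address.
IPSEC_CONF = """\
conn L2TP-PSK
    authby=secret
    pfs=no
    left=192.168.2.9
    leftsubnet=external.ip.of.gateway/32
"""
L2TPD_CONF = """\
[lns default]
ip range = 192.168.2.204-192.168.2.214
local ip = 192.168.2.9
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}; conn keys are indented key=value lines."""
    conns, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and line[:1].isspace() and "=" in line:
            k, v = line.strip().split("=", 1)
            current[k.strip()] = v.strip()
    return conns

def parse_l2tpd_conf(text):
    """Return {section: {key: value}} for [section] blocks of 'key = value' lines."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\[(.+)\]\s*$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            k, v = line.split("=", 1)
            current[k.strip()] = v.strip()
    return sections

def find_address_clashes(ipsec_text, l2tpd_text):
    """Return (conn, lns_section) pairs whose left= equals the lns 'local ip'."""
    conns = parse_ipsec_conf(ipsec_text)
    sections = parse_l2tpd_conf(l2tpd_text)
    return [(c, s) for c, cv in conns.items() for s, sv in sections.items()
            if cv.get("left") and cv["left"] == sv.get("local ip")]

for conn, section in find_address_clashes(IPSEC_CONF, L2TPD_CONF):
    print(f"{conn}: left= equals 'local ip' in [{section}]; use different addresses")
```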