[Openswan Users] unencrypted l2tp packets

Jacco de Leeuw jacco2 at dds.nl
Fri Feb 10 22:33:42 CET 2006


Ben Willmore wrote:

> Feb 10 08:58:27 lithium pluto[20621]: "L2TP-PSK"[2] aa.bb.cc.dd #2:
> STATE_QUICK_R2: IPsec SA established {ESP=>0x0a6d0476 <0x2c51161d
> xfrm=AES_128-HMAC_SHA1 NATD=mm.nn.oo.pp:4500 DPD=none}
> 
> But l2tp never comes up properly.  Using ethereal on the gateway, I
> see ESP packets coming in from the client:
> 09:03:42.455659 IP mm.nn.oo.pp > aa.bb.cc.dd: ESP(spi=0x11941194,seq=0x7c0000)
> 
> ...but the only outgoing packets seem to be _unencrypted_ l2tp:

If you are using NETKEY and you are sniffing directly on the IPsec
interface then the results are not reliable. The packets may actually
be encrypted after all.

> conn L2TP-PSK
>   authby=secret
>   pfs=no
>   rekey=no
>   keyingtries=3
>   left=192.168.2.9
>   leftsubnet=external.ip.of.gateway/32
> 
> /etc/l2tp/l2tpd.conf:
> [lns default]
> ip range = 192.168.2.204-192.168.2.214
> local ip = 192.168.2.9

Is your server behind NAT? Did you read my remarks on NATed servers?

Anyway, you can't use left=x.x.x.x and local ip=x.x.x.x. These have
to be different IP addresses.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
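An added example, not part of this thread or of Openswan/xl2tpd: a small POSIX sh check for the second problem Jacco points out, that `left=` in ipsec.conf and `local ip =` in l2tpd.conf must not be the same address. The sample config files are constructed from the snippets quoted above; the file paths and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample configs reproducing the quoted (conflicting) setup.
TMP=$(mktemp -d)
cat > "$TMP/ipsec.conf" <<'EOF'
conn L2TP-PSK
  authby=secret
  pfs=no
  left=192.168.2.9
  leftsubnet=external.ip.of.gateway/32
EOF
cat > "$TMP/l2tpd.conf" <<'EOF'
[lns default]
ip range = 192.168.2.204-192.168.2.214
local ip = 192.168.2.9
EOF

# Print the value of "left=" inside the named conn section of ipsec.conf.
ipsec_left() {  # $1 = ipsec.conf path, $2 = conn name
    awk -v conn="$2" '
        /^conn[ \t]+/ { cur = $2 }
        cur == conn && $0 ~ /^[ \t]*left[ \t]*=/ {
            sub(/^[ \t]*left[ \t]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# Print "local ip" from the [lns default] section of l2tpd.conf.
l2tp_local_ip() {  # $1 = l2tpd.conf path
    awk '
        /^\[/ { insec = ($0 ~ /^\[lns default\]/) }
        insec && $0 ~ /^[ \t]*local ip[ \t]*=/ {
            sub(/^[ \t]*local ip[ \t]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# Exit status: 0 when the addresses differ, 1 when they collide,
# 2 when either value could not be found.
check_addresses() {  # $1 = ipsec.conf, $2 = conn name, $3 = l2tpd.conf
    left=$(ipsec_left "$1" "$2")
    lip=$(l2tp_local_ip "$3")
    if [ -z "$left" ] || [ -z "$lip" ]; then
        echo "could not find left= in conn $2 or local ip= in l2tpd.conf"
        return 2
    fi
    if [ "$left" = "$lip" ]; then
        echo "conflict: left=$left is also the l2tpd local ip"
        return 1
    fi
    echo "ok: left=$left, l2tpd local ip=$lip"
}

check_addresses "$TMP/ipsec.conf" L2TP-PSK "$TMP/l2tpd.conf" || echo "check returned $?"
```

Run against the real files (`/etc/ipsec.conf` and `/etc/l2tp/l2tpd.conf` as quoted in the thread) by passing those paths instead of the constructed ones.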

