[Openswan Users] unencrypted l2tp packets

Ben Willmore bwillmore at berkeley.edu
Fri Feb 10 14:43:36 CET 2006


Hi Jacco,

On 2/10/06, Jacco de Leeuw <jacco2 at dds.nl> wrote:
> Is your server behind NAT? Did you read my remarks on NATed servers?

Yes, it is and yes I did. Many thanks, they were invaluable in getting this far.

Previously, I chopped up the original config files to avoid rambling. 
Here are the complete ones, except for comments, and corrected as you
suggested.

ipsec.conf:
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        #plutodebug="all"
        nat_traversal="yes"
        virtual_private=%v4:172.16.0.0/12

conn L2TP-PSK
  authby=secret
  pfs=no
  rekey=no
  keyingtries=3
  left=%defaultroute
  leftsubnet=xx.xx.xx.xx/32
  leftprotoport=17/1701
  right=%any
  rightsubnet=vhost:%no,%priv
  rightprotoport=17/%any
  auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

l2tpd.conf:
[global]                                ; Global parameters:
port = 1701                             ; * Bind to port 1701

[lns default]
ip range = 192.168.2.204-192.168.2.214
local ip = 192.168.2.203
require chap = yes
refuse pap = yes
require authentication = yes
name = Test
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

I still have the same problem as before, i.e.:

Feb 10 14:38:02 lithium l2tpd[29354]: ourtid = 54641, entropy_buf = d571
Feb 10 14:38:02 lithium l2tpd[29354]: check_control: control, cid = 0,
Ns = 0, Nr = 0
Feb 10 14:38:02 lithium l2tpd[29354]: handle_avps: handling avp's for
tunnel 54641, call 0
Feb 10 14:38:02 lithium l2tpd[29354]: message_type_avp: message type 1
(Start-Control-Connection-Request)
Feb 10 14:38:02 lithium l2tpd[29354]: protocol_version_avp: peer is
using version 1, revision 0.
Feb 10 14:38:02 lithium l2tpd[29354]: framing_caps_avp: supported peer
frames:async sync
Feb 10 14:38:02 lithium l2tpd[29354]: hostname_avp: peer reports hostname ''
Feb 10 14:38:02 lithium l2tpd[29354]: assigned_tunnel_avp: using
peer's tunnel 173
Feb 10 14:38:02 lithium l2tpd[29354]: receive_window_size_avp: peer
wants RWS of 4.  Will use flow control.
Feb 10 14:38:03 lithium l2tpd[29354]: ourtid = 20127, entropy_buf = 4e9f
Feb 10 14:38:03 lithium l2tpd[29354]: check_control: control, cid = 0,
Ns = 0, Nr = 0
Feb 10 14:38:03 lithium l2tpd[29354]: handle_avps: handling avp's for
tunnel 20127, call 0
Feb 10 14:38:03 lithium l2tpd[29354]: message_type_avp: message type 1
(Start-Control-Connection-Request)
Feb 10 14:38:03 lithium l2tpd[29354]: protocol_version_avp: peer is
using version 1, revision 0.
... endless repeat until client gives up

A couple of things strike me as strange, first, when l2tpd starts, it
claims to be listening on 0.0.0.0:
Feb 10 14:37:09 lithium l2tpd[29354]: l2tpd version 0.69 started on
lithium.jlg.berkeley.edu PID:29354
Feb 10 14:37:09 lithium l2tpd[29354]: Linux version 2.6.10-5-386 on a
i686, listening on IP address 0.0.0.0, port 1701

Also, 'hostname_avp: peer reports hostname '''.  The hostname _is_ set
on the client machine (OS X).

I'm using OpenSwan 2.4.5rc4 and the debian-special pre-0.7 l2tpd.

Am I making more mistakes, or is it most likely that the ESP packets
are getting filtered?  Many thanks for any insight,

Ben
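Since the question is what arrives on UDP/1701 and whether it is protected, here is an added example (my own, not from the original post or from the Openswan or l2tpd projects) that decodes an L2TPv2 control message as laid out in RFC 2661 and rebuilds an SCCRQ with the field values that appear in the log above (message type 1, protocol version 1 revision 0, async and sync framing, empty hostname, peer tunnel 173, receive window 4). The packet bytes are constructed inline, not captured; fed the UDP payload of a real capture on port 1701, the same parser shows what a peer is sending outside the IPsec protection that the 17/1701 policy is supposed to provide, which is the check behind the subject line.

```python
"""Decode an L2TPv2 (RFC 2661) control message such as the SCCRQ seen in the log.

Added example; the packet below is constructed to match the logged AVP values,
it is not a capture from the poster's setup.
"""
import struct

# Attribute types from RFC 2661 (IETF vendor id 0) that the log lines name.
AVP_NAMES = {0: "Message Type", 2: "Protocol Version", 3: "Framing Capabilities",
             7: "Host Name", 9: "Assigned Tunnel ID", 10: "Receive Window Size"}
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO"}

def build_avp(attr_type, value, mandatory=True):
    """Encode one AVP: 6-byte header (M/H flags + length, vendor id, type) then the value."""
    length = 6 + len(value)                      # AVP length includes its own header
    flags_len = (0x8000 if mandatory else 0) | length
    return struct.pack("!HHH", flags_len, 0, attr_type) + value

def build_sccrq(hostname, tunnel_id, rws):
    """Constructed SCCRQ mirroring the values visible in the posted l2tpd log."""
    avps = (
        build_avp(0, struct.pack("!H", 1))            # Message Type 1 = SCCRQ
        + build_avp(2, bytes([1, 0]))                 # Protocol Version 1, revision 0
        + build_avp(3, struct.pack("!I", 0b11))       # framing caps: A (async) and S (sync)
        + build_avp(7, hostname)                      # Host Name (empty, as the log shows)
        + build_avp(9, struct.pack("!H", tunnel_id))  # Assigned Tunnel ID
        + build_avp(10, struct.pack("!H", rws))       # Receive Window Size
    )
    # Control header: T=1, L=1, S=1, Ver=2; tunnel/session id 0 for a new tunnel; Ns=Nr=0.
    flags_ver = 0x8000 | 0x4000 | 0x0800 | 0x0002
    return struct.pack("!HHHHHH", flags_ver, 12 + len(avps), 0, 0, 0, 0) + avps

def decode_avp(attr, value):
    """Turn the raw AVP value into something readable for the types the log reports."""
    if attr == 0:
        code, = struct.unpack("!H", value)
        return MESSAGE_TYPES.get(code, code)
    if attr == 2:
        return (value[0], value[1])                   # (version, revision)
    if attr == 3:
        caps, = struct.unpack("!I", value)
        return {"async": bool(caps & 0x2), "sync": bool(caps & 0x1)}
    if attr == 7:
        return value.decode("ascii", errors="replace")
    if attr in (9, 10):
        return struct.unpack("!H", value)[0]
    return value                                      # unknown type: keep raw bytes

def parse_l2tp(packet):
    """Parse the UDP payload of an L2TPv2 packet into header fields and decoded AVPs."""
    flags_ver, = struct.unpack_from("!H", packet, 0)
    if flags_ver & 0x000F != 2:
        raise ValueError("not an L2TPv2 packet")
    is_control = bool(flags_ver & 0x8000)
    has_len = bool(flags_ver & 0x4000)
    has_seq = bool(flags_ver & 0x0800)
    off, length = 2, None
    if has_len:
        length, = struct.unpack_from("!H", packet, off)
        off += 2
    tunnel_id, session_id = struct.unpack_from("!HH", packet, off)
    off += 4
    ns = nr = None
    if has_seq:
        ns, nr = struct.unpack_from("!HH", packet, off)
        off += 4
    result = {"control": is_control, "length": length, "tunnel_id": tunnel_id,
              "session_id": session_id, "ns": ns, "nr": nr, "avps": {}}
    if not is_control:
        return result                                 # data message: payload is PPP, not AVPs
    end = length if length is not None else len(packet)
    while off < end:
        flags_len, vendor, attr = struct.unpack_from("!HHH", packet, off)
        avp_len = flags_len & 0x03FF
        if avp_len < 6 or off + avp_len > end:
            raise ValueError("malformed AVP length")  # refuse to read past the message
        name = AVP_NAMES.get(attr, "type %d" % attr) if vendor == 0 else "vendor %d type %d" % (vendor, attr)
        value = packet[off + 6:off + avp_len]
        if flags_len & 0x4000:
            result["avps"][name] = ("hidden", value)  # H bit: needs the tunnel secret to unhide
        else:
            result["avps"][name] = decode_avp(attr, value)
        off += avp_len
    return result

if __name__ == "__main__":
    for name, val in parse_l2tp(build_sccrq(b"", 173, 4))["avps"].items():
        print("%s: %r" % (name, val))
```

Run against a capture, any packet this parser decodes was on the wire as plain UDP; with a working policy for 17/1701 the L2TP control exchange should only be visible inside ESP.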

