[Openswan Users] l2tpd/ppp/openswan on redhat as 4
Christophe Ngo Van Duc
cngovanduc at gmail.com
Fri Jan 20 03:32:34 CET 2006
Dear all,
I've been struggling to make the following config work for some
roadwarriors (winxp):
openswan 2.4.5rc4
l2tpd-0.69-12jdl.i386.rpm
ppp-2.4.2-6.4.RHEL4
kernel 2.6.9-5.ELsmp
I can see that the VPN starts:
Jan 20 03:05:54 cedric pluto[830]: "L2TP-PSK"[6] x.x.x.x #12: STATE_QUICK_R2: IPsec SA established {ESP=>0xa087e7fe <0x4a7ab458 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
But then after a while the client disconnects. It seems that l2tpd is not
receiving packets:
Jan 20 03:06:29 cedric pluto[830]: "L2TP-PSK"[6] x.x.x.x #11: received Delete SA(0xa087e7fe) payload: deleting IPSEC State #12
Jan 20 03:06:29 cedric pluto[830]: "L2TP-PSK"[6] x.x.x.x #11: received and ignored informational message
Jan 20 03:06:29 cedric pluto[830]: "L2TP-PSK"[6] x.x.x.x #11: received Delete SA payload: deleting ISAKMP State #11
Jan 20 03:06:29 cedric pluto[830]: "L2TP-PSK"[6] x.x.x.x: deleting connection "L2TP-PSK" instance with peer 82.238.30.8 {isakmp=#0/ipsec=#0}
Jan 20 03:06:29 cedric pluto[830]: packet from x.x.x.x:500: received and ignored informational message
Jan 20 03:06:32 cedric pluto[830]: ERROR: asynchronous network error report on eth1 (sport=500) for message to x.x.x.x port 500, complainant x.x.x.z: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
My firewall is configured as follows (eth1 unsecure, eth2 secure):
$IPTABLES -N RH-Firewall-1-INPUT
$IPTABLES -A INPUT -j RH-Firewall-1-INPUT -i eth1
$IPTABLES -A FORWARD -j RH-Firewall-1-INPUT -i eth1
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i eth1 -p esp -j MARK --set-mark 1
$IPTABLES -A RH-Firewall-1-INPUT -i eth1 -m mark --mark 1 -j ACCEPT
$IPTABLES -A OUTPUT -s public_ext_ip -p udp -m udp --sport 1701 -j ACCEPT
$IPTABLES -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
$IPTABLES -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
$IPTABLES -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
$IPTABLES -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
$IPTABLES -A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
$IPTABLES -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -j ACCEPT
$IPTABLES -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
$IPTABLES -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
$IPTABLES -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
$IPTABLES -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
$IPTABLES -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5432 -j ACCEPT
$IPTABLES -A RH-Firewall-1-INPUT -p udp -m udp --dport 500 -j ACCEPT
$IPTABLES -A RH-Firewall-1-INPUT -p udp -m udp --dport 4500 -j ACCEPT
$IPTABLES -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 143 -j ACCEPT
$IPTABLES -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -j ACCEPT
$IPTABLES -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
$IPTABLES -A INPUT -i eth2 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -d ! 10.0.0.0/24 -j MASQUERADE
I've tried different sets of rules to forward the incoming packets to the
l2tpd daemon, without success.
Does anybody have any solution to that?
Thanks in anticipation
Cheers,
Christophe.
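The pluto lines above show the symptom to look for on the gateway side: an IPsec SA that is established and then deleted by the peer about half a minute later, because L2TP never got through behind it. The following script, added here as an example and not part of the original post, correlates "IPsec SA established" with the matching "deleting IPSEC State #N" in pluto log output and reports SAs that lived less than a threshold. The log lines are constructed in the post's format (the year, which syslog omits, is assumed to be 2006; the second peer and its SPIs are made up).

```python
import re
from datetime import datetime

# Constructed sample in the format of the pluto messages quoted in the post
# (the mail wraps them; here each message sits on one line).
SAMPLE_LOG = """\
Jan 20 03:05:54 cedric pluto[830]: "L2TP-PSK"[6] x.x.x.x #12: STATE_QUICK_R2: IPsec SA established {ESP=>0xa087e7fe <0x4a7ab458 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Jan 20 03:06:29 cedric pluto[830]: "L2TP-PSK"[6] x.x.x.x #11: received Delete SA(0xa087e7fe) payload: deleting IPSEC State #12
Jan 20 03:06:29 cedric pluto[830]: "L2TP-PSK"[6] x.x.x.x #11: received Delete SA payload: deleting ISAKMP State #11
Jan 20 03:10:00 cedric pluto[830]: "L2TP-PSK"[7] y.y.y.y #14: STATE_QUICK_R2: IPsec SA established {ESP=>0x01020304 <0x04030201 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Jan 20 04:10:00 cedric pluto[830]: "L2TP-PSK"[7] y.y.y.y #13: received Delete SA(0x01020304) payload: deleting IPSEC State #14
"""

# Syslog prefix, connection name, peer, and the state number the message belongs to.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')
# The IPsec state being torn down is named in the message body, not the prefix.
DELETED_RE = re.compile(r'deleting IPSEC State #(?P<state>\d+)')


def parse_ts(ts, year):
    # Syslog timestamps carry no year; the caller supplies it (assumed 2006 here).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def short_lived_sas(log_text, max_seconds=60, year=2006):
    """Pair each 'IPsec SA established' with the later 'deleting IPSEC State #N'
    for the same peer and state; return those torn down within max_seconds."""
    established = {}  # (peer, ipsec state) -> (connection name, time established)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a "#N:" prefix are not SA events
        when = parse_ts(m["ts"], year)
        if "IPsec SA established" in m["msg"]:
            established[(m["peer"], m["state"])] = (m["conn"], when)
            continue
        d = DELETED_RE.search(m["msg"])
        if d and (m["peer"], d["state"]) in established:
            conn, start = established.pop((m["peer"], d["state"]))
            lifetime = (when - start).total_seconds()
            if lifetime <= max_seconds:
                findings.append({"conn": conn, "peer": m["peer"],
                                 "state": d["state"], "lifetime_s": lifetime})
    return findings


if __name__ == "__main__":
    for f in short_lived_sas(SAMPLE_LOG):
        print(f"{f['conn']} peer {f['peer']} state #{f['state']} lived {f['lifetime_s']:.0f}s")
```

On the sample above only the first peer is reported (35 s); the second SA lived an hour and is treated as a normal rekey or disconnect.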