[Openswan Users] openswan + l2tpd + iptables problem

Paul Wouters paul at xelerance.com
Wed Oct 4 11:51:47 EDT 2006

On Wed, 4 Oct 2006, mechanix at debian.org wrote:

> I'm having issues with a Windows XP Pro roadwarrior connecting to a
> linux 2.6 l2tp/openswan gateway.
> When I start the connection on the roadwarrior, the SA is established
> but then l2tpd never receives any packets - they hit the firewall
> running on the openswan gateway, on the outside interface, and appear to
> never have been encrypted:
> in /var/log/auth.log:
> Oct  4 22:55:30 scotos pluto[622]: "roadwarrior-l2tp"[4] RW.IP.ADDR.ESS #8: STATE_QUICK_R2: IPsec SA established {ESP=>0xfad55f45 <0x5544ebd3 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
> right afterwards, in /var/log/kern.log:
> Oct  4 22:55:30 scotos kernel: IN=eth1 OUT= MAC=00:15:c5:61:0a:de:00:90:d0:8e:75:c9:08:00 SRC=RW.IP.ADDR.ESS DST=GW.IP.ADDR.ESS LEN=139 TOS=0x00 PREC=0x00 TTL=102 ID=4703 PROTO=UDP SPT=1701 DPT=1701 LEN=119
> a little while later, back in /var/log/auth.log:
> Oct  4 22:55:52 scotos pluto[622]: "roadwarrior-l2tp"[3] RW.IP.ADDR.ESS #7: ERROR: asynchronous network error report on eth1 (sport=500) for message to RW.IP.ADDR.ESS port 500, complainant GW.IP.ADDR.ESS: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
> The same roadwarrior can connect fine to another gateway which is set up
> nearly identical to the one which does not work. The two gateways also
> successfully keep open a network to network tunnel between them.

nearly identical means KLIPS vs NETKEY?

Packets decrypted by NETKEY appear to come "from the outside world" again. You will
need to allow them, so:

1) mark ESP packets using the -j MARK facility.
2) allow mark'ed packets in the firewall (the mark survives decryption)
3) keep blocking the l2tp port on the outer interface, but make sure
   that rule 2) is processed beforehand.

Or switch to KLIPS so you get ipsecX interfaces.
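
The three steps in the reply, written out as an added example that is not part of the original post or of Openswan: a shell function that prints an iptables-restore ruleset implementing them. The interface eth1 is taken from the kernel log line quoted above; the mark value 0x1, the function name gen_rules and the default-ACCEPT chain policies are assumptions.

```shell
#!/bin/sh
# Added example: prints (does not apply) an iptables-restore ruleset for
# NETKEY + L2TP. Assumed values: mark 0x1, default-ACCEPT chain policies.

gen_rules() {
    ext_if="$1"   # outer (Internet-facing) interface
    mark="$2"     # arbitrary firewall mark reserved for IPsec traffic
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
# Step 1: mark ESP as it arrives, before NETKEY decrypts it.
-A PREROUTING -i $ext_if -p esp -j MARK --set-mark $mark
COMMIT
*filter
:INPUT ACCEPT [0:0]
# IKE and ESP themselves must still reach pluto and the kernel.
-A INPUT -i $ext_if -p udp --dport 500 -j ACCEPT
-A INPUT -i $ext_if -p esp -j ACCEPT
# Step 2: decrypted L2TP shows up on $ext_if again, still carrying the mark.
-A INPUT -i $ext_if -p udp --dport 1701 -m mark --mark $mark -j ACCEPT
# Step 3: L2TP that did not come out of an ESP packet stays blocked.
-A INPUT -i $ext_if -p udp --dport 1701 -j DROP
COMMIT
EOF
}

# Print only; as root, pipe the output into "iptables-restore --test" to validate.
gen_rules eth1 0x1
```

The order of the two port 1701 rules is the point of step 3: the marked ACCEPT has to be evaluated before the DROP, otherwise the decrypted packets are logged and dropped as in the kern.log line above.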

