[Openswan Users] openswan + l2tpd + iptables problem

Brett Curtis dashnu at gmail.com
Wed Oct 4 12:11:14 EDT 2006


What kernel version is on the working machine? How about the non-working one? Do you use NAT-T?

I only ask this because I cannot match ESP packets in kernel 2.6.17 which are encapsulated inside UDP 4500 (I do not know if ESP without NAT-T matches; I have no way to test that myself).

A few esp (x_tables) bugs in iptables 1.3.5 seem to have been fixed in 1.3.6 that may be related.

I am not 100% sure this is the cause of my problems, but I cannot put my finger on anything else.

On another machine with kernel 2.6.18 and iptables-1.3.6 I can match ESP without NAT-T.

I need to update my gateway to know for sure if this is my problem.

Just wondering if you are also seeing this on the 2.6.17 series kernel.

Thanks

Brett Curtis
dashnu at gmail.com
http://teh.sh.nu



On Oct 4, 2006, at 11:51 AM, Paul Wouters wrote:

> On Wed, 4 Oct 2006, mechanix at debian.org wrote:
>
>> I'm having issues with a Windows XP Pro roadwarrior connecting to a
>> linux 2.6 l2tp/openswan gateway.
>>
>> When I start the connection on the roadwarrior, the SA is established
>> but then l2tpd never receives any packets - they hit the firewall
>> running on the openswan gateway, on the outside interface, and appear to
>> never have been encrypted:
>>
>> in /var/log/auth.log:
>> Oct  4 22:55:30 scotos pluto[622]: "roadwarrior-l2tp"[4]  
>> RW.IP.ADDR.ESS #8: STATE_QUICK_R2: IPsec SA established  
>> {ESP=>0xfad55f45 <0x5544ebd3 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
>>
>> right afterwards, in /var/log/kern.log:
>> Oct  4 22:55:30 scotos kernel: IN=eth1 OUT= MAC=00:15:c5:61:0a:de: 
>> 00:90:d0:8e:75:c9:08:00 SRC=RW.IP.ADDR.ESS DST=GW.IP.ADDR.ESS  
>> LEN=139 TOS=0x00 PREC=0x00 TTL=102 ID=4703 PROTO=UDP SPT=1701  
>> DPT=1701 LEN=119
>>
>> a little while later, back in /var/log/auth.log:
>> Oct  4 22:55:52 scotos pluto[622]: "roadwarrior-l2tp"[3]  
>> RW.IP.ADDR.ESS #7: ERROR: asynchronous network error report on  
>> eth1 (sport=500) for message to RW.IP.ADDR.ESS port 500,  
>> complainant GW.IP.ADDR.ESS: No route to host [errno 113, origin  
>> ICMP type 3 code 1 (not authenticated)]
>>
>> The same roadwarrior can connect fine to another gateway which is set up
>> nearly identical to the one which does not work. The two gateways also
>> successfully keep open a network to network tunnel between them.
>
> nearly identical means KLIPS vs NETKEY?
>
> Packets decrypted by NETKEY appear to come "from the outside world"
> again. You will need to allow them, so:
>
> 1) mark ESP packets using the -j MARK facility.
> 2) allow marked packets in the firewall (the mark survives decryption)
> 3) keep blocking the l2tp port on the outer interface, but make sure
>    that rule 2) is processed beforehand.
>
> Or switch to KLIPS so you get ipsecX interfaces.
>
> Paul
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327? 
> n=283155
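Paul's three steps above, written out as an added shell example (not from this thread, nor Openswan's own scripts). It assumes the outer interface is eth1, a mark value of 0x1, and that iptables is invoked through `$IPT` so the script can be dry-run with `IPT=echo`; it marks both plain ESP and UDP/4500 NAT-T encapsulation, which goes slightly beyond the three steps as Paul listed them.

```shell
#!/bin/sh
# Added example: NETKEY firewall rules for an L2TP/IPsec gateway.
# Assumptions (not from the thread): outer interface eth1, mark 0x1,
# iptables reachable via $IPT (set IPT=echo for a dry run).
IPT="${IPT:-iptables}"
OUTER_IF="${OUTER_IF:-eth1}"
IPSEC_MARK="${IPSEC_MARK:-0x1}"

# Step 1: mark ESP as it arrives on the outer interface. The mark is set in
# mangle/PREROUTING on the encrypted packet; with NETKEY the decrypted inner
# packet re-enters the stack carrying the same mark. UDP/4500 covers NAT-T.
mark_ipsec() {
    $IPT -t mangle -A PREROUTING -i "$OUTER_IF" -p esp -j MARK --set-mark "$IPSEC_MARK"
    $IPT -t mangle -A PREROUTING -i "$OUTER_IF" -p udp --dport 4500 -j MARK --set-mark "$IPSEC_MARK"
}

# Step 2: accept L2TP (UDP/1701) only when it carries the IPsec mark,
# i.e. only packets that were actually decrypted.
allow_marked_l2tp() {
    $IPT -A INPUT -i "$OUTER_IF" -p udp --dport 1701 -m mark --mark "$IPSEC_MARK" -j ACCEPT
}

# Step 3: drop cleartext L2TP on the outer interface. Appended after step 2
# so the ACCEPT for marked packets is evaluated first.
block_plain_l2tp() {
    $IPT -A INPUT -i "$OUTER_IF" -p udp --dport 1701 -j DROP
}

apply_rules() {
    mark_ipsec
    allow_marked_l2tp
    block_plain_l2tp
}

# Sanity check on an existing INPUT ruleset (e.g. output of `iptables -S INPUT`):
# returns 0 if the marked-1701 ACCEPT precedes the 1701 DROP, 1 otherwise.
# A gateway whose ruleset fails this check shows exactly the symptom in the
# thread: L2TP arrives, is decrypted, and is then dropped as "cleartext".
check_order() {
    accept_line=$(printf '%s\n' "$1" | grep -n -- '--dport 1701 -m mark' | head -1 | cut -d: -f1)
    drop_line=$(printf '%s\n' "$1" | grep -n -- '--dport 1701 -j DROP' | head -1 | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$accept_line" -lt "$drop_line" ]
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Run with `IPT=echo sh rules.sh --apply` to review the generated rules before loading them; on kernels with the xt_policy match, `-m policy --dir in --pol ipsec --proto esp` can express step 2 without a mark.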


