[Openswan Users] openswan + l2tpd + iptables problem

mechanix at debian.org mechanix at debian.org
Wed Oct 4 12:54:02 EDT 2006

On Wed, Oct 04, 2006 at 05:51:47PM +0200, Paul Wouters wrote:
> On Wed, 4 Oct 2006, mechanix at debian.org wrote:
> > I'm having issues with a Windows XP Pro roadwarrior connecting to a
> > linux 2.6 l2tp/openswan gateway.
> >
> > When I start the connection on the roadwarrior, the SA is established
> > but then l2tpd never receives any packets - they hit the firewall
> > running on the openswan gateway, on the outside interface, and appear to
> > never have been encrypted:
> >
> > in /var/log/auth.log:
> > Oct  4 22:55:30 scotos pluto[622]: "roadwarrior-l2tp"[4] RW.IP.ADDR.ESS #8: STATE_QUICK_R2: IPsec SA established {ESP=>0xfad55f45 <0x5544ebd3 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
> >
> > right afterwards, in /var/log/kern.log:
> > Oct  4 22:55:30 scotos kernel: IN=eth1 OUT= MAC=00:15:c5:61:0a:de:00:90:d0:8e:75:c9:08:00 SRC=RW.IP.ADDR.ESS DST=GW.IP.ADDR.ESS LEN=139 TOS=0x00 PREC=0x00 TTL=102 ID=4703 PROTO=UDP SPT=1701 DPT=1701 LEN=119
> >
> > a little while later, back in /var/log/auth.log:
> > Oct  4 22:55:52 scotos pluto[622]: "roadwarrior-l2tp"[3] RW.IP.ADDR.ESS #7: ERROR: asynchronous network error report on eth1 (sport=500) for message to RW.IP.ADDR.ESS port 500, complainant GW.IP.ADDR.ESS: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
> >
> > The same roadwarrior can connect fine to another gateway which is set up
> > nearly identical to the one which does not work. The two gateways also
> > successfully keep open a network to network tunnel between them.
> nearly identical means KLIPS vs NETKEY?

No, both NETKEY. Nearly identical means the working one is running x86 vs
the other amd64; Debian stable (but with the openswan 2.4 package from
backports.org which is in essence a rebuild of the testing version -
needed because 2.4 on the other gateway makes the 2.2 from stable crash,
see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=360735) on the
working one vs Debian testing on the other, since the hardware is nowhere
near working with stable; and single CPU on the working one vs dual-core
on the other.

But you have made me think of another difference which I did not think of
before - the working one is running 2.4 (stock Debian kernel, has NETKEY
patch for 2.4) and the other 2.6.

> Packets decrypted by NETKEY appear to come "from the outside world" again. You will
> need to allow them, so:
> 1) mark ESP packets using the -j MARK facility.
> 2) allow mark'ed packets in the firewall (the mark survives decryption)
> 3) keep blocking the l2tp port on the outer interface, but make sure
>    that rule 2) is processed beforehand.

This is not needed on the system running 2.4 NETKEY...

However, it did seem to make a difference - the l2tp packets no longer hit
the firewall.
Still, I'm not there: l2tpd never seems to succeed in establishing a
connection. I get a lot of debugging output, but what sticks out is this
one repeating itself about 6 times:

Oct  5 00:31:11 scotos l2tpd[790]: message_type_avp: message type 1 (Start-Control-Connection-Request)

and it never gets any further. On the other system, after 2 of the above,
I get a message type 3 (Start-Control-Connection-Connected) and the
connection handshake continues and all.
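The three steps Paul lists above, written out as iptables rules; this is an added example, not from the thread or the Openswan project, and it assumes eth1 is the outer interface (as in the kern.log line), that fwmark 1 is not used by anything else on the box, and that l2tpd listens on UDP 1701:

```shell
#!/bin/sh
# Added example: allow L2TP only when it arrives inside an IPsec SA on a
# NETKEY gateway. Assumptions: outer interface eth1, fwmark 1 unused.
OUTER_IF="${OUTER_IF:-eth1}"
IPSEC_MARK="${IPSEC_MARK:-1}"

# Print the rules in the order they must be applied. Review with
# `ipsec_l2tp_rules`, apply as root with `ipsec_l2tp_rules | sh`.
ipsec_l2tp_rules() {
    cat <<EOF
# IKE and ESP themselves must still be accepted on the outer interface
iptables -A INPUT -i $OUTER_IF -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $OUTER_IF -p esp -j ACCEPT
# 1) mark ESP packets; NETKEY decrypts in place and the decrypted packet
#    re-enters the firewall from $OUTER_IF carrying the same mark
iptables -t mangle -A PREROUTING -i $OUTER_IF -p esp -j MARK --set-mark $IPSEC_MARK
# 2) accept marked (i.e. decrypted) L2TP packets; this must come before 3)
iptables -A INPUT -i $OUTER_IF -p udp --dport 1701 -m mark --mark $IPSEC_MARK -j ACCEPT
# 3) keep dropping cleartext L2TP on the outer interface
iptables -A INPUT -i $OUTER_IF -p udp --dport 1701 -j DROP
EOF
}

# Only touch the live firewall when explicitly asked (needs root).
if [ "${1:-}" = "apply" ]; then
    ipsec_l2tp_rules | sh
fi
```

Check the result with `iptables -t mangle -L PREROUTING -v` and `iptables -L INPUT -v`: after a roadwarrior connects, the MARK and the marked ACCEPT counters should increase while the final DROP stays flat.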
