[Openswan Users] openswan + l2tpd + iptables problem

Paul Wouters paul at xelerance.com
Wed Oct 4 14:53:29 EDT 2006


On Wed, 4 Oct 2006, mechanix at debian.org wrote:

> > > Oct  5 00:31:11 scotos l2tpd[790]: message_type_avp: message type 1 (Start-Control-Connection-Request)
> > >
> > > and it never gets any further. On the other system, after 2 of the above,
> > > I get a message type 3 (Start-Control-Connection-Connected) and the
> > > connection handshake continues and all.
> >
> > These might be MTU issues. Try setting the external mtu (eg ethX) to 1472.
> > Make sure the mtu/mru in options.l2tpd is about 1200-1300.
>
> That's a pppd options file, right? l2tpd even never got as far as launching
> pppd.

Yes. What's in your l2tpd.conf?

> Still, I tried setting mtu on eth1 to 1472 (was 1500), but it made ipsec
> negotiation fail, probably because the packets which contain certificates
> are too big. Log attached.

That should not happen unless you are using 2048 bit keys in your certificates,
which we strongly advise you not to do. Fragmentation of IKE packets in IKEv1
does not work very well. We use an mtu of 1472 on our l2tp servers without
problems. It ensures that the client isn't sending packets that will be
fragmented by the ISP due to excessive pptp/pppoe tunneling. You may never
fragment transport mode IPsec packets.

> I noticed something else in the log: the gateway appears to be negotiating
> the connection twice. I checked, the previous attempts showed the same
> symptom.
> Is there a way to make it not to? Even if the gateway would receive the
> same initiation packet twice?

No, because it could be a second client behind the same NAT router IP address.

I am not sure why your client appears to initiate twice though. What client
is this?

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
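The header budget behind the 1472 / 1200-1300 figures in this thread, as an added example that is not from the thread, Openswan or l2tpd; the cipher parameters (AES-CBC, HMAC-SHA1-96, NAT-T on, L2TP data channel without sequencing) are assumptions you can change per call.

```python
"""Header budget for L2TP over IPsec ESP transport mode: given the outer
interface MTU, what PPP mtu/mru still avoids IP fragmentation.
Header sizes follow the IPv4, UDP, ESP, L2TP and PPP packet layouts."""

IPV4_HDR = 20
UDP_HDR = 8            # used twice: NAT-T encapsulation (4500) and L2TP (1701)
PPP_HDR = 4            # address/control + protocol; 2 with ACFC/PFC
L2TP_HDR_NOSEQ = 6     # flags/version, tunnel id, session id
L2TP_HDR_SEQ = 12      # plus length, Ns, Nr when data sequencing is enabled
ESP_SPI_SEQ = 8        # SPI + sequence number


def esp_packet_len(plaintext_len, block=16, iv=16, icv=12, nat_t=True):
    """On-the-wire IPv4 length of one ESP transport-mode packet whose
    plaintext (everything after the IP header) is plaintext_len bytes.
    Payload plus the 2-byte pad-length/next-header trailer is padded up to
    the cipher block size, then the ICV follows."""
    padded = -(-(plaintext_len + 2) // block) * block
    return (IPV4_HDR + (UDP_HDR if nat_t else 0)
            + ESP_SPI_SEQ + iv + padded + icv)


def max_ppp_mtu(outer_mtu, block=16, iv=16, icv=12, nat_t=True,
                l2tp_hdr=L2TP_HDR_NOSEQ):
    """Largest PPP payload (what mtu/mru in the pppd options file bounds)
    whose ESP packet still fits in outer_mtu."""
    room = outer_mtu - IPV4_HDR - (UDP_HDR if nat_t else 0) \
        - ESP_SPI_SEQ - iv - icv
    padded = room - room % block      # largest block-aligned payload+trailer
    plaintext = padded - 2            # drop pad-length/next-header
    return plaintext - UDP_HDR - l2tp_hdr - PPP_HDR


def fits(outer_mtu, ppp_mtu, block=16, iv=16, icv=12, nat_t=True,
         l2tp_hdr=L2TP_HDR_NOSEQ):
    """Cross-check from the other direction: does a PPP frame of ppp_mtu
    bytes, wrapped in L2TP/UDP/ESP, fit in outer_mtu?"""
    plaintext = UDP_HDR + l2tp_hdr + PPP_HDR + ppp_mtu
    return esp_packet_len(plaintext, block, iv, icv, nat_t) <= outer_mtu


if __name__ == "__main__":
    for label, kw in (("AES-CBC, NAT-T", {}),
                      ("3DES, NAT-T", {"block": 8, "iv": 8}),
                      ("AES-CBC, no NAT-T", {"nat_t": False}),
                      ("AES-CBC, L2TP seq", {"l2tp_hdr": L2TP_HDR_SEQ})):
        print(f"outer 1472, {label:20s} -> max PPP mtu {max_ppp_mtu(1472, **kw)}")
```

With an outer MTU of 1472 the largest fragmentation-free PPP MTU comes out near 1390 for these cipher choices, so the 1200-1300 recommended above leaves a comfortable margin for PPPoE or other encapsulation between the two ends. This covers the ESP data path only; oversized IKE packets carrying large certificates are a separate problem.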