[Openswan Users] openswan + l2tpd + iptables problem
mechanix at debian.org
Tue Oct 17 09:22:59 EDT 2006
Hi all,
Taking up the thread again, since it still does not work...
On Thu, Oct 05, 2006 at 09:18:04AM +0200, mechanix at debian.org wrote:
> On Wed, Oct 04, 2006 at 08:53:29PM +0200, Paul Wouters wrote:
> > On Wed, 4 Oct 2006, mechanix at debian.org wrote:
> >
> > > > > Oct 5 00:31:11 scotos l2tpd[790]: message_type_avp: message type 1 (Start-Control-Connection-Request)
> > > > >
> > > > > and it never gets any further. On the other system, after 2 of the above,
> > > > > I get a message type 3 (Start-Control-Connection-Connected) and the
> > > > > connection handshake continues and all.
> > > >
> > > > These might be MTU issues. Try setting the external mtu (eg ethX) to 1472.
> > > > Make sure the mtu/mru in options.l2tpd is about 1200-1300.
I've taken care of the MTU issues now; and SA negotiation succeeds.
I'm still stuck at l2tp being blocked by the iptables rules however.
I have these rules present:
...
iptables -t mangle -A PREROUTING -p ESP -j MARK --set-mark 50
iptables -t mangle -A PREROUTING -p IPENCAP -j MARK --set-mark 50
iptables -A INPUT -m mark --mark 50 -p udp --dport 1701 -j ACCEPT
...
These are all at the very beginning of their respective chains.
Initially I had only the -p ESP mangle rule; but I remembered that I had
IPENCAP traffic hitting the firewall last week before I got SA to work
which I had to unblock back then; so I added a mangle rule for it too.
Also, I tried -t mangle -A INPUT as well but with no success either.
The hosts that have been trying to connect were behind NAT; not sure if
that is part of the problem, but even then we need it to work for these
anyway.
> > > I noticed something else in the log: the gateway appears to be negotiating
> > > the connection twice. I checked, the previous attempts showed the same
> > > symptom.
> > > Is there a way to make it not to? Even if the gateway would receive the
> > > same initiation packet twice?
> >
> > No, because it could be a second client behind the same NAT router IP address.
>
> In this particular case, the client is not even behind NAT.
>
> > I am not sure why your client appears to initiate twice though. What client
> > is this?
>
> Windows XP Pro SP2 (with NAT-T patch), using DUN l2tp connection.
>
> I'm not sure the client _is_ actually initiating twice, though.
> I'm testing from Belgium, with the (faulty) gateway being in Singapore.
I have confirmed that this issue was with the GPRS connection in BE I was
testing from. People testing for me in SG or elsewhere, with a decent
connection, are not causing the double initiation entries.
Regards,
Filip
--
http://slider.rack66.net/~mechanix/blog/
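Filip's rules mark the outer ESP packet in the mangle table and then accept marked UDP/1701 in INPUT. As an added example that is not part of this thread, the script below builds a ruleset for the same kind of gateway that instead recognises the decrypted L2TP packet by the fact that it arrived inside an IPsec SA, using the netfilter `policy` match (xt_policy) that the NETKEY/26sec stack supports; a packet on UDP/1701 that did not come through IPsec is logged and dropped. The interface name, the `DRY_RUN`/`APPLY` switches and the log prefix are my own choices, not from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): accept L2TP on a
# Openswan gateway only when the packet was carried inside an IPsec SA.
# Assumes the NETKEY stack and an iptables build with the "policy" match.
# DRY_RUN=1 prints the rules instead of applying them; APPLY=1 applies
# them (needs root).

IPT=${IPT:-iptables}

# Run or echo an iptables invocation, depending on DRY_RUN.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# INPUT rules for the external interface given as $1 (assumed name).
l2tp_ipsec_rules() {
    ext_if=${1:-eth0}

    # IKE and NAT-T so that the SA can be negotiated at all.
    run -A INPUT -i "$ext_if" -p udp --dport 500 -j ACCEPT
    run -A INPUT -i "$ext_if" -p udp --dport 4500 -j ACCEPT
    # The outer ESP packets themselves.
    run -A INPUT -i "$ext_if" -p esp -j ACCEPT

    # After decryption the inner packet re-enters INPUT as plain UDP/1701.
    # A mark set on the outer ESP packet does not identify it; the policy
    # match does, because the kernel records that it was IPsec-protected.
    run -A INPUT -i "$ext_if" -p udp --dport 1701 \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT

    # L2TP that reaches the gateway in the clear is logged, then dropped.
    run -A INPUT -i "$ext_if" -p udp --dport 1701 \
        -j LOG --log-prefix "l2tp-no-ipsec:"
    run -A INPUT -i "$ext_if" -p udp --dport 1701 -j DROP
}

# Only act when explicitly asked, so the file can also be sourced safely.
if [ -n "$DRY_RUN" ] || [ -n "$APPLY" ]; then
    l2tp_ipsec_rules "${1:-eth0}"
fi
```

With the KLIPS stack the decrypted packet shows up on an ipsecN interface instead, so the equivalent accept rule there is simply `-i ipsec0 -p udp --dport 1701 -j ACCEPT`; the policy match is what makes the same distinction when there is no separate interface to match on.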