[Openswan Users] openswan + l2tpd + iptables problem

Paul Wouters paul at xelerance.com
Tue Oct 17 09:56:47 EDT 2006


On Tue, 17 Oct 2006, mechanix at debian.org wrote:

> I've taken care of the MTU issues now; and SA negotiation succeeds.
>
> I'm still stuck at l2tp being blocked by the iptables rules however.
> I have these rules present:
>
> ...
> iptables -t mangle -A PREROUTING -p ESP -j MARK --set-mark 50
> iptables -t mangle -A PREROUTING -p IPENCAP -j MARK --set-mark 50
> iptables -A INPUT -m mark --mark 50 -p udp --dport 1701 -j ACCEPT
> ...

IPIP (ipencap) is not used by IPsec / Openswan. Perhaps you are confused
with IPsec encapsulated in UDP port 4500?

> These are all at the very beginning of their respective chains.
>
> Initially I had only the -p ESP mangle rule; but I remembered that I had
> IPENCAP traffic hitting the firewall last week before I got SA to work
> which I had to unblock back then; so I added a mangle rule for it too.
> Also, I tried -t mangle -A INPUT as well but with no success either.
>
> The hosts that have been trying to connect were behind NAT; not sure if
> that is part of the problem, but even then we need it to work for these
> anyway.

You should allow udp port 4500.

> > Windows XP Pro SP2 (with NAT-T patch), using DUN l2tp connection.
> >
> > I'm not sure the client _is_ actually initiating twice, though.
> > I'm testing from Belgium, with the (faulty) gateway being in Singapore.
>
> I have confirmed that this issue was with the GPRS connection in BE I was
> testing from. People testing for me in SG or elsewhere, with a decent
> connection, are not causing the double initiation entries.

Good.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
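One way to check a rule set for the gap discussed in this message, as an added example that is not code from the thread or from Openswan: a POSIX shell audit that scans iptables-save output for the rules a NAT-T L2TP/IPsec gateway needs. The quoted rules mark raw ESP (protocol 50) in mangle/PREROUTING and accept L2TP on udp/1701 only when that mark is present; a client behind NAT sends its ESP encapsulated in UDP on port 4500, which neither the mark rule nor an ESP accept ever sees. The two sample dumps are constructed to mirror the quoted rules (the elided "..." is assumed to contain accepts for udp/500 and ESP, since SA negotiation succeeds); the mark value, chain names and the "mark udp/4500 too" check are assumptions of this example, not statements from the thread.

```shell
#!/bin/sh
# Audit an iptables-save dump for the rules an Openswan + l2tpd gateway
# needs once clients connect from behind NAT (NAT-T).  Added example, not
# code from the thread or from Openswan.  Run it on a live gateway with:
#   audit_ipsec_rules "$(iptables-save)"

# has_rule LINES REGEX... : true if a single line of LINES matches every REGEX.
has_rule() {
    hr_lines=$1; shift
    for hr_pat in "$@"; do
        hr_lines=$(printf '%s\n' "$hr_lines" | grep -iE -- "$hr_pat") || return 1
    done
    return 0
}

# check LABEL REGEX... : print one OK/MISSING line and count the misses.
check() {
    ck_label=$1; shift
    if has_rule "$AUDIT_DUMP" "$@"; then
        echo "OK      $ck_label"
    else
        echo "MISSING $ck_label"
        AUDIT_MISSING=$((AUDIT_MISSING + 1))
    fi
}

# audit_ipsec_rules DUMP : print findings; exit status = number of misses.
audit_ipsec_rules() {
    AUDIT_DUMP=$1
    AUDIT_MISSING=0
    # Plain IPsec: IKE on udp/500 and raw ESP (protocol 50) must reach INPUT.
    check "IKE udp/500 accepted on INPUT"         '^-A INPUT ' '-p udp' '--dport 500 ' '-j ACCEPT'
    check "ESP (proto 50) accepted on INPUT"      '^-A INPUT ' '-p (esp|50) ' '-j ACCEPT'
    # NAT-T: a client behind NAT sends ESP inside UDP on port 4500, which the
    # ESP rules never see (this is the "allow udp port 4500" advice).
    check "NAT-T udp/4500 accepted on INPUT"      '^-A INPUT ' '-p udp' '--dport 4500 ' '-j ACCEPT'
    # The quoted scheme marks encrypted traffic in mangle/PREROUTING and only
    # accepts L2TP (udp/1701) when the mark is present.  Marking udp/4500 as
    # well is this example's extension of that scheme (assumption, not
    # something the thread states).
    check "mark set on ESP in PREROUTING"         '^-A PREROUTING ' '-p (esp|50) ' '-j MARK'
    check "mark set on udp/4500 in PREROUTING"    '^-A PREROUTING ' '-p udp' '--dport 4500 ' '-j MARK'
    check "L2TP udp/1701 accepted only with mark" '^-A INPUT ' '-p udp' '-m mark' '--dport 1701 ' '-j ACCEPT'
    return $AUDIT_MISSING
}

# missing_count DUMP : echo the number of MISSING findings.
missing_count() {
    audit_ipsec_rules "$1" | grep -c '^MISSING' || true
}

# Constructed iptables-save excerpt mirroring the rules quoted in the post
# (assumed: the elided "..." holds accepts for udp/500 and ESP; mark 50
# is shown as 0x32, which is how iptables-save renders it).
POSTED_RULES='*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p esp -j MARK --set-xmark 0x32/0xffffffff
-A PREROUTING -p ipencap -j MARK --set-xmark 0x32/0xffffffff
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p udp -m mark --mark 0x32 -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
COMMIT'

# The same constructed rule set with udp/4500 both marked and accepted.
FIXED_RULES='*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p esp -j MARK --set-xmark 0x32/0xffffffff
-A PREROUTING -p udp -m udp --dport 4500 -j MARK --set-xmark 0x32/0xffffffff
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p udp -m mark --mark 0x32 -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
COMMIT'

echo "== rules as posted"
status=0; audit_ipsec_rules "$POSTED_RULES" || status=$?
echo "missing: $status"
echo "== with udp/4500 marked and accepted"
status=0; audit_ipsec_rules "$FIXED_RULES" || status=$?
echo "missing: $status"
```

Against the as-posted dump the audit reports two misses (udp/4500 is neither accepted nor marked); the IPENCAP mark rule is simply never consulted, which matches the reply that IPIP is not used by IPsec. The patterns are matched on one line at a time, so they work on iptables-save output regardless of which table section a chain appears in.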