[Openswan Users] openswan + l2tpd + iptables problem

Brett Curtis dashnu at gmail.com
Wed Oct 18 13:34:09 EDT 2006


Guys I replied to this thread back when it was first posted.

I am wondering if someone could explain why the mark of port 4500 is now needed?

Before x_tables was introduced in the kernel marking proto 50 worked
for both NAT and non-NAT.

Was there a change in the way ESP match works?

Are there risks in matching port 4500 and allowing in?

Thanks.

On 10/18/06, Jacco de Leeuw <jacco2 at dds.nl> wrote:
>
> Filip wrote:
>
> > And here is one important rule missing:
> > iptables -t mangle -A PREROUTING -p UDP -i eth1 --dport 4500 -j MARK --set-mark 50
>
> I now remember that I wanted to inform Chris Andrews about this...
> (http://www.funknet.org/doc/tunnel/l2tp.xml)
> Sorry about that.
>
> > plugin winbind.so
> > ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1'
>
> Is this against a Samba server? Just curious.
>
> > sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
>
> Hm, I didn't realise that pppd defaulted to PPP compression enabled.
>
> > rcvd [CCP ConfReq id=0x11 <mppe +H -M -S -L -D +C>]
> > sent [CCP ConfRej id=0x11 <mppe +H -M -S -L -D +C>]
>
> The Windows client keeps asking for MPPE encryption. Did you configure
> the VPN Wizard to use "Advanced (custom settings)" or
> "Geavanceerd (aangepaste instellingen)"? Disable "Encryption required"
> or "Codering vereisen".
>
> Alternatively, you could add "noccp" to options.ppp.l2tpd
>
> > Oct 18 15:24:37 scotos l2tpd[16079]: child_handler : pppd exited for call 1 with code 16
> > Oct 18 15:24:38 scotos l2tpd[16079]: write_packet: tty is not open yet.
> > Oct 18 15:24:41 scotos l2tpd[16079]: write_packet: tty is not open yet.
> > Oct 18 15:24:42 scotos l2tpd[16079]: control_xmit: Maximum retries exceeded for tunnel 57393.  Closing.
> > Oct 18 15:24:43 scotos l2tpd[16079]: get_call: can't find call 43087 in tunnel 57393
> > Oct 18 15:24:47 scotos l2tpd[16079]: control_xmit: Unable to deliver closing message for tunnel 57393. Destroying anyway.
> > Oct 18 15:24:48 scotos l2tpd[16079]: get_call:can't find tunnel 57393
>
> Hm, this is not a graceful exit of l2tpd. Are you using Debian's
> l2tpd-pre0.70? I believe a number of issues have been fixed in
> Xelerance's version xl2tpd.
>
> Jacco
> --
> Jacco de Leeuw                         mailto:jacco2 at dds.nl
> Zaandam, The Netherlands           http://www.jacco2.dds.nl
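
The fwmark setup the thread is arguing about, as an added example rather than anything posted in it or taken from Openswan's own scripts: both mark rules (ESP as protocol 50, and NAT-T's UDP/4500 encapsulation) feed one mark that the filter table then requires before accepting UDP/1701, so L2TP is only reachable through the IPsec tunnel. It assumes the public interface is eth1, the L2TP daemon listens on UDP/1701, mark value 50, and that the kernel decapsulates in place so the inner packet keeps the outer packet's mark (which is what this technique relies on); IPT defaults to "echo iptables" so the script only prints the rules.

```shell
#!/bin/sh
# Added example, not from the thread: fwmark-based L2TP/IPsec firewall rules,
# generated as a dry run.  Set IPT=iptables to actually apply them.
# Assumptions: public interface eth1, L2TP on UDP/1701, mark value 50.
IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth1}"
MARK="${MARK:-50}"
NAT_T="${NAT_T:-1}"    # 1 = also handle NAT-T clients (ESP carried in UDP/4500)

# Mark IPsec packets on arrival.  The kernel decapsulates them in place, so the
# inner L2TP packet keeps the mark and can be told apart from plaintext UDP/1701.
mark_ipsec() {
    $IPT -t mangle -A PREROUTING -p 50 -i "$EXT_IF" -j MARK --set-mark "$MARK"
    # A NAT-T client's ESP arrives as UDP/4500, which "-p 50" never matches, so it
    # needs its own mark rule; otherwise its decapsulated L2TP packets carry no
    # mark and fall through to the DROP in filter_l2tp below.
    if [ "$NAT_T" -eq 1 ]; then
        $IPT -t mangle -A PREROUTING -p udp -i "$EXT_IF" --dport 4500 -j MARK --set-mark "$MARK"
    fi
}

# Let IKE and the IPsec payloads in; accept L2TP only when it carries the mark,
# i.e. only when it came out of an IPsec tunnel.  A plain UDP/4500 packet that the
# kernel does not decapsulate still only matches the 4500 rules, never the 1701 one.
filter_l2tp() {
    $IPT -A INPUT -p udp -i "$EXT_IF" --dport 500 -j ACCEPT
    if [ "$NAT_T" -eq 1 ]; then
        $IPT -A INPUT -p udp -i "$EXT_IF" --dport 4500 -j ACCEPT
    fi
    $IPT -A INPUT -p 50 -i "$EXT_IF" -j ACCEPT
    $IPT -A INPUT -p udp -i "$EXT_IF" --dport 1701 -m mark --mark "$MARK" -j ACCEPT
    $IPT -A INPUT -p udp -i "$EXT_IF" --dport 1701 -j DROP
}

# Emit the whole ruleset: mangle marks first, then the filter rules that use them.
l2tp_ipsec_rules() {
    mark_ipsec
    filter_l2tp
}

l2tp_ipsec_rules
```

Run it once with NAT_T=0 to see the older proto-50-only ruleset the thread compares against; the only difference is the two 4500 rules.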

