[Openswan Users] Cisco IP Redirect and L2TP
Lars Behrens
lars at hfk-bremen.de
Mon Dec 3 03:45:50 EST 2007
hi, guys,
>> Nov 29 09:19:40 syncie pluto[21221]: ERROR: asynchronous network
>> error report on eth0 (sport=4500) for message to 1.2.3.4 port 4500,
>> complainant 22.22.22.22: No route to host [errno 113, origin ICMP
>> type 3 code 1 (not authenticated)]
>
> This looks like udp port 4500 for NAT-T is no longer allowed.
this message is indeed typical for a firewall that blocks the port(s);
but there *is* no firewall on the way between our openswan-gateway and
the dial-up-clients. the only change that happens from a working setup
to a non-working setup is when "ip redirect" is set on the
gigabit-interface on a cisco-router.
>> curious enough, when he again set "no ip redirect" on the
>> cisco-router, two roadwarriors connecting via different DSL-providers
>> still could connect (as they can just now). the third roadwarrior
>> can't until today; he only can connect when "ip redirect" is set on
>> the cisco-router.
>
> I bet the working roadwarriors were on direct pppoe/pptp and had a
> public IP address, while the third was behind NAT.
no, sorry, you didn't get it ;-)
all the roadwarriors were and are natted.
scenario 1, Openswan to Cisco IPSec: Our LAN // Gateway // NAT => the big, bad world => Gateway with Cisco PIX // NAT => works always
scenario 2, Openswan to L2TP-Client: Our LAN // Gateway // NAT => the big, bad world => Dial-Up-DSL-Router One // NAT => it works with "ip redirect" on the cisco
scenario 3, Openswan to L2TP-Client: Our LAN // Gateway // NAT => the big, bad world => Dial-Up-DSL-Router Two // NAT => it works with "ip redirect" on the cisco
scenario 4, Openswan to L2TP-Client: Our LAN // Gateway // NAT => the big, bad world => Dial-Up-DSL-Router One // NAT => it still works with "no ip redirect" on the cisco
scenario 5, Openswan to L2TP-Client: Our LAN // Gateway // NAT => the big, bad world => Dial-Up-DSL-Router One // NAT => connection fails with "no ip redirect" on the cisco
I made a test-scenario here at work: I installed another debian box
with openswan/xl2tp, eth0 facing the public net, *but* with no
router/gateway between it and the "big" openswan-gateway; the
connection works.
so we are very sure that the problem is the "no ip redirect" setting
on the cisco-router (and this is layer 2).
searching the web for "l2tpd, cisco, no ip redirect" gives more or
less no results; our cisco-using provider doesn't have any ideas either.
I tried different MTU/MRU on my OpenSwan-machine, but that doesn't
solve the problem.
So maybe it is possible to define some kind of packet handling on the
openswan-box? the "no ip redirect" setting on the cisco is done for
security reasons and should not be disabled permanently.
greetings
lars
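As an added example (not code from this post or from the Openswan project), here is a small Python parser for the pluto "asynchronous network error report" line quoted at the top of the thread. It pulls out the interface, ports, destination, the "complainant" that sent the ICMP error, the errno and the ICMP type/code, and flags two things an operator checks first: whether the blocked datagram was NAT-T traffic on UDP 4500, and whether the ICMP error came from the peer itself or from an intermediate hop (in the quoted line the complainant 22.22.22.22 is not the destination 1.2.3.4). The message layout is assumed from that single quoted line; the two extra log lines are constructed for this example.

```python
"""Parse Openswan/pluto "asynchronous network error report" log lines.

Added example, not code from the post or from the Openswan project. The
message layout is assumed from the single pluto line quoted in the post.
"""
import re
from typing import Dict, List, Optional

# Constructed sample input. The first entry is the line quoted in the post,
# rejoined onto one line; the other two are constructed for this example.
SAMPLE_LINES = [
    "Nov 29 09:19:40 syncie pluto[21221]: ERROR: asynchronous network "
    "error report on eth0 (sport=4500) for message to 1.2.3.4 port 4500, "
    "complainant 22.22.22.22: No route to host [errno 113, origin ICMP "
    "type 3 code 1 (not authenticated)]",
    "Nov 29 09:20:02 syncie pluto[21221]: ERROR: asynchronous network "
    "error report on eth0 (sport=500) for message to 5.6.7.8 port 500, "
    "complainant 5.6.7.8: Connection refused [errno 111, origin ICMP "
    "type 3 code 3 (not authenticated)]",
    "Nov 29 09:20:05 syncie pluto[21221]: \"roadwarrior\"[1] 1.2.3.4 #3: "
    "STATE_QUICK_R2: IPsec SA established",
]

# ICMP type 3 (destination unreachable) codes from RFC 792 / RFC 1122.
ICMP_TYPE3_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    5: "source route failed",
    9: "net administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}

NAT_T_PORT = 4500  # UDP port used for IKE/ESP NAT traversal (RFC 3948)

ERROR_RE = re.compile(
    r"asynchronous network error report on (?P<iface>\S+) "
    r"\(sport=(?P<sport>\d+)\) for message to (?P<dst>\S+) port (?P<dport>\d+), "
    r"complainant (?P<complainant>\S+): (?P<strerror>[^\[]+?) "
    r"\[errno (?P<errno>\d+), origin ICMP type (?P<icmp_type>\d+) "
    r"code (?P<icmp_code>\d+)"
)


def parse_error_report(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one pluto error report, or None for other lines."""
    m = ERROR_RE.search(line)
    if m is None:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    for key in ("sport", "dport", "errno", "icmp_type", "icmp_code"):
        rec[key] = int(str(rec[key]))
    rec["strerror"] = str(rec["strerror"]).strip()
    return rec


def icmp_meaning(icmp_type: int, icmp_code: int) -> str:
    """Human-readable name for the ICMP type/code pluto reported."""
    if icmp_type == 3:
        return ICMP_TYPE3_CODES.get(
            icmp_code, f"destination unreachable code {icmp_code}")
    return f"ICMP type {icmp_type} code {icmp_code}"


def summarize(lines: List[str]) -> List[Dict[str, object]]:
    """Reduce a log to the facts an operator checks first for each report.

    - nat_t: the blocked datagram was on UDP 4500, i.e. NAT-T traffic.
    - from_intermediate: the ICMP error came from a hop on the path rather
      than from the peer itself, which points at routing on that hop.
    ICMP errors carry no authentication (pluto prints "(not authenticated)"),
    so a report is a lead for investigation, not proof of where the fault is.
    """
    out: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_error_report(line)
        if rec is None:
            continue
        out.append({
            "dst": rec["dst"],
            "complainant": rec["complainant"],
            "from_intermediate": rec["complainant"] != rec["dst"],
            "nat_t": rec["dport"] == NAT_T_PORT,
            "errno": rec["errno"],
            "meaning": icmp_meaning(int(str(rec["icmp_type"])),
                                    int(str(rec["icmp_code"]))),
        })
    return out


if __name__ == "__main__":
    for r in summarize(SAMPLE_LINES):
        who = "intermediate hop" if r["from_intermediate"] else "peer itself"
        print(f"{r['dst']}: {r['meaning']} reported by {who} "
              f"{r['complainant']} (NAT-T: {r['nat_t']})")
```

Run over a pluto log, a report whose complainant is an intermediate hop and whose destination port is 4500 is exactly the pattern in this thread: the peer has not refused anything, a router in between has said the host is unreachable for the NAT-T datagram.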