[Openswan Users] Security of xl2tpd without KLIPS?

Paul Wouters paul at xelerance.com
Tue Dec 4 13:34:57 EST 2007

On Sun, 2 Dec 2007, Aaron Gage wrote:

> I have been trying to set up IPSec/L2TP on Fedora 5 (i.e. NETKEY in
> kernel 2.6.20) for XP and OSX 10.4 roadwarriors that will probably be
> behind NAT.

> * Using Fedora 5 as my router/firewall/VPN server, which has kernel
> 2.6.20 and NETKEY.  Also using xl2tpd that ships with Fedora 5 so that
> I don't need a RADIUS server and addresses are allocated on my
> internal network automatically.

Should work, though you need openswan 2.4.10+ to be able to support OSX
using rightprotoport=17/0 (instead of the old 17/%any causing problems)

> * Using NETKEY means leaving L2TP vulnerable if OpenSwan goes down (my
> current status is very much like this poster's:
> http://lists.openswan.org/pipermail/users/2004-December/003147.html).
> I can't use the trick of routing ipsec0 to the internal network to let
> xl2tpd listen to an internal address.  I could get ipsec0 if I used

You can mark all ESP packets, then have a rule to accept all marked packets,
and append a rule that drops all udp port 1701 packets.

> * Using NAT-T for the roadwarriors.  I expect to be using the
> roadwarriors from behind cable modem or DSL routers while on travel.
> * Using KLIPS with NAT-T is not recommended/possible with kernel
> 2.6.20 (http://lists.openswan.org/pipermail/users/2007-May/012486.html).

That has been resolver in later versions. You should be fine with any kernel
up to 2.6.22 (as long as the pppol2tp kernel patch is not applied)

> * pluto that ships with Fedora 5 crashes if I use:
> rightprotoport=17/%any   right=%any   rightsubnet=vhost:%priv,%no
> which means that OSX probably will not work (and if it did, I would
> have to edit the registry to make XP work by adding
> forceenccaps=yes).

If openswan server is behind NAT, you will always have to patch some XP systems.

> configuration, but only if I set listen-addr= the external (in this
> case, DMZ between the router and the access point) address in
> xl2tpd.conf.  I would rather have no VPN than have listen-addr= the
> real outside address (I don't need this badly enough to compromise
> security).

Are you trying to hand out IP addresses via l2tp in the same subnet as
where you already are? That will not work.

> My question is this: what is the state of the art with respect to
> IPSec/L2TP, NETKEY, kernel 2.6.20 or newer, NAT-T, not exposing L2TP
> to the hostile interface, and getting the whole ball of wax to work
> with XP and OSX 10.4 roadwarriors?

The best solution would be KLIPS on 2.6.22 with openswan 2.4.10+ and
xl2tpd 1.1.12.

> If there is simply no way to do all of this at once, please let me
> know so I can stop trying.  About the only thing I am not doing to
> make this as hard as possible is to have the VPN server also behind
> NAT...and if I want OSX to work, I may as well.  I shouldn't mention
> that the VPN server is also on a dynamic IP -- I was just going to
> brazen that one out and hope that dyndns.org would help.

Make sure to restart openswan when its public ip changes in some ip.local

> I can post my various config files if desired, but they are all based
> on Jacco de Leeuw's very informative web pages.  Also, it works, just
> not the way I'd like (L2TP vulnerable, OSX might not work).

OSX works as of 2.4.10+

Building and integrating Virtual Private Networks with Openswan:

More information about the Users mailing list