[Openswan Users] Security of xl2tpd without KLIPS?
paul at xelerance.com
Tue Dec 4 13:34:57 EST 2007
On Sun, 2 Dec 2007, Aaron Gage wrote:
> I have been trying to set up IPSec/L2TP on Fedora 5 (i.e. NETKEY in
> kernel 2.6.20) for XP and OSX 10.4 roadwarriors that will probably be
> behind NAT.
> * Using Fedora 5 as my router/firewall/VPN server, which has kernel
> 2.6.20 and NETKEY. Also using xl2tpd that ships with Fedora 5 so that
> I don't need a RADIUS server and addresses are allocated on my
> internal network automatically.
Should work, though you need openswan 2.4.10+ to be able to support OSX
using rightprotoport=17/0 (instead of the old 17/%any causing problems)
> * Using NETKEY means leaving L2TP vulnerable if OpenSwan goes down (my
> current status is very much like this poster's:
> I can't use the trick of routing ipsec0 to the internal network to let
> xl2tpd listen to an internal address. I could get ipsec0 if I used
You can mark all ESP packets, then have a rule to accept all marked packets,
and append a rule that drops all udp port 1701 packets.
> * Using NAT-T for the roadwarriors. I expect to be using the
> roadwarriors from behind cable modem or DSL routers while on travel.
> * Using KLIPS with NAT-T is not recommended/possible with kernel
> 2.6.20 (http://lists.openswan.org/pipermail/users/2007-May/012486.html).
That has been resolved in later versions. You should be fine with any kernel
up to 2.6.22 (as long as the pppol2tp kernel patch is not applied)
> * pluto that ships with Fedora 5 crashes if I use:
> rightprotoport=17/%any right=%any rightsubnet=vhost:%priv,%no
> which means that OSX probably will not work (and if it did, I would
> have to edit the registry to make XP work by adding
If the openswan server is behind NAT, you will always have to patch some XP systems.
> configuration, but only if I set listen-addr= the external (in this
> case, DMZ between the router and the access point) address in
> xl2tpd.conf. I would rather have no VPN than have listen-addr= the
> real outside address (I don't need this badly enough to compromise
Are you trying to hand out IP addresses via l2tp in the same subnet as
where you already are? That will not work.
> My question is this: what is the state of the art with respect to
> IPSec/L2TP, NETKEY, kernel 2.6.20 or newer, NAT-T, not exposing L2TP
> to the hostile interface, and getting the whole ball of wax to work
> with XP and OSX 10.4 roadwarriors?
The best solution would be KLIPS on 2.6.22 with openswan 2.4.10+ and
> If there is simply no way to do all of this at once, please let me
> know so I can stop trying. About the only thing I am not doing to
> make this as hard as possible is to have the VPN server also behind
> NAT...and if I want OSX to work, I may as well. I shouldn't mention
> that the VPN server is also on a dynamic IP -- I was just going to
> brazen that one out and hope that dyndns.org would help.
Make sure to restart openswan when its public ip changes in some ip.local
> I can post my various config files if desired, but they are all based
> on Jacco de Leeuw's very informative web pages. Also, it works, just
> not the way I'd like (L2TP vulnerable, OSX might not work).
OSX works as of 2.4.10+
Building and integrating Virtual Private Networks with Openswan:
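The mark-and-drop firewall approach Paul describes earlier in this reply (mark inbound ESP and NAT-T packets, accept UDP/1701 only when it carries the mark, drop the rest), written out as an added example that is not part of the list post. It assumes eth0 is the external interface, that fwmark 0x100 is otherwise unused, and that the kernel preserves the mark on the packet NETKEY re-injects after decryption.

```shell
#!/bin/sh
# Added example (not from the list post): confine xl2tpd's UDP/1701 to traffic
# that arrived inside IPsec on a NETKEY host. Assumptions: external interface
# eth0, fwmark 0x100 unused. Apply with: l2tp_ipsec_only_rules | sh
EXT_IF="${EXT_IF:-eth0}"
MARK="${MARK:-0x100}"

# Print the iptables commands, one per line, in the order they must be applied.
l2tp_ipsec_only_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -i $EXT_IF -p esp -j MARK --set-mark $MARK
iptables -t mangle -A PREROUTING -i $EXT_IF -p udp --dport 4500 -j MARK --set-mark $MARK
iptables -A INPUT -p udp --dport 1701 -m mark --mark $MARK -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j DROP
EOF
}
# Rule 1-2: mark raw ESP and NAT-T (UDP/4500) packets as they enter. NETKEY
#           hands the decrypted inner packet back with the same mark.
# Rule 3:   L2TP that still carries the mark came out of the tunnel: accept it.
# Rule 4:   everything else aimed at 1701 arrived in the clear: drop it.

# Sanity check for a running box: feed it `iptables -S INPUT` on stdin and it
# exits 0 only if the marked ACCEPT for 1701 sits before the unconditional DROP.
check_l2tp_rule_order() {
    awk '
        /--dport 1701/ && /--mark/ && /-j ACCEPT/ { acc = NR }
        /--dport 1701/ && /-j DROP/ && !/--mark/  { drop = NR }
        END { exit !(acc && drop && acc < drop) }'
}
```

Newer iptables also offers `-m policy --dir in --pol ipsec` as an alternative to the mark for the same "was this decrypted by IPsec?" test.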