[Openswan Users] Trouble with IPSEC/xl2tpd and multiple connections

The Adept adept at stephans.org
Mon Feb 19 14:29:28 EST 2007


Hello,

  I've recently set up an openswan/l2tpd VPN using certificates.  
Everything appears to work quite well except when multiple clients 
attempt to connect simultaneously.  A single client can stay on forever 
if another doesn't connect.  Once a second client attempts to connect, 
both clients start renegotiating continually.   If logs would help I can 
provide them in another email, I'm hoping I have something simple wrong 
that I've overlooked.

Here's some information on my system:

  Gentoo Linux with 2.6.19 kernel (NETKEY IPSEC obviously)
  openswan 2.4.7
  xl2tpd 1.1.06
  ppp 2.4.4-r4

The VPN box has one interface on the internet (default route) and the 
other interface sits on an RFC1918 net (10.161.32.0).  I've changed a 
couple of pieces of information to obscure where this is installed, but 
nothing that affects the configs.

Thanks in advance for any help, this is getting to be pretty frustrating.

Dan

Here's my /etc/ipsec/ipsec.conf
+----------------------------------------------------------------------------+
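version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Bind to the interface that carries the default route (the internet side)
        interfaces=%defaultroute
        # UDP encapsulation so clients behind NAT can negotiate and pass ESP
        nat_traversal=yes
        # Address ranges a NAT-ed road warrior may claim as its virtual IP.
        # 10.161.0.0/16 is excluded so a remote client cannot present the
        # internal LAN as its own address.  Re-joined onto one line and
        # indented under "config setup": the list post wrapped the value
        # after "%v4", which the parser would not accept as written.
        virtual_private=%v4:10.0.0.0/8,%v4:!10.161.0.0/16,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # NOTE(review): pluto's uniqueids defaults to yes, so two clients
        # that authenticate with the same certificate (hence the same ID)
        # replace each other's SA on every connect, which looks like "both
        # renegotiating continually".  Give each client its own certificate
        # or try uniqueids=no, and confirm against the pluto log.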

# Settings inherited by every conn below unless a conn overrides them.
conn %default
        # Only one negotiation attempt; no automatic retry after a failure
        keyingtries=1
        # Negotiate IPComp payload compression (separate from PPP's CCP)
        compress=yes
        # Keep the check that decrypted packets arrive from the peer they claim
        disablearrivalcheck=no
        # Both sides authenticate with RSA signatures from X.509 certificates
        authby=rsasig
        # Our key comes from leftcert (set in each conn)
        leftrsasigkey=%cert
        # Peer key is taken from the certificate the peer presents.
        # NOTE(review): combined with right=%any this presumably accepts any
        # certificate that validates against a CA in ipsec.d/cacerts; use
        # rightca= (or per-client rightid=) if only one issuer should be trusted.
        rightrsasigkey=%cert

# Pure-IPsec road warrior: only the internal 10.161.32.0/24 goes through
# the tunnel; everything else stays on the client's own connection.
conn roadwarrior-net
        leftsubnet=10.161.32.0/255.255.255.0
        # Remaining settings (cert, peer, pfs, auto) come from conn roadwarrior
        also=roadwarrior

# Pure-IPsec road warrior: all of the client's traffic is sent through the
# tunnel (0.0.0.0/0 on our side).
conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        # Remaining settings (cert, peer, pfs, auto) come from conn roadwarrior
        also=roadwarrior

# Shared settings for the two pure-IPsec conns above.  auto=add loads the
# conn so an incoming proposal can match it; nothing is initiated from here.
conn roadwarrior
        left=%defaultroute
        # Our certificate; the peer validates it against its trusted CA
        leftcert=vpn_cert.pem
        # Peer address is unknown in advance; its identity comes from its cert
        right=%any
        # Peer may use its real address (%no) or one virtual IP taken from the
        # virtual_private ranges (%priv) -- presumably the intent; confirm
        # against ipsec.conf(5) for this openswan version.
        rightsubnet=vhost:%no,%priv
        auto=add
        # Fresh DH exchange for each phase-2 rekey
        pfs=yes

# L2TP/IPsec road warriors.  IPsec protects only UDP/1701 in transport mode;
# user identity and the client's LAN address are handled by L2TP/PPP
# (xl2tpd and options.l2tpd.lns).
conn roadwarrior-l2tp
        type=transport
        left=%defaultroute
        leftcert=vpn_cert.pem
        # Both ends pinned to UDP/1701 (L2TP)
        leftprotoport=17/1701
        right=%any
        # NOTE(review): several clients behind ONE NAT sharing this pinned
        # port is a known limitation of transport-mode L2TP; openswan
        # accepts rightprotoport=17/%any for that case if the kernel/xl2tpd
        # side supports it -- confirm whether the failing clients share a NAT.
        rightprotoport=17/1701
        # PFS off: Windows L2TP clients typically do not propose it
        pfs=no
        auto=add

# Variant for older Windows clients (presumably pre-SP2; confirm which
# clients actually hit it).  No type=transport, so this one is tunnel mode,
# and the client may claim a virtual IP as in conn roadwarrior.
conn roadwarrior-l2tp-oldwin
        left=%defaultroute
        leftcert=vpn_cert.pem
        # Port 0 = any UDP port on our side; the client still uses 1701
        leftprotoport=17/0
        right=%any
        rightprotoport=17/1701
        # Real address (%no) or a virtual IP from virtual_private (%priv)
        rightsubnet=vhost:%no,%priv
        pfs=no
        auto=add

# The built-in Opportunistic Encryption conns are all set to auto=ignore so
# pluto never loads them; the include at the bottom turns OE off as well.
conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

#Disable Opportunistic Encryption
# Path is relative to the /etc/ipsec prefix this install uses (see the
# /etc/ipsec/ipsec.conf location above), not the usual /etc/ipsec.d
include /etc/ipsec/ipsec.d/examples/no_oe.conf

+----------------------------------------------------------------------------+

Here's my xl2tpd conf

+----------------------------------------------------------------------------+

[global]
; Shared secrets used for L2TP tunnel authentication
auth file = /etc/l2tpd/l2tp-secrets
; Left commented out, so xl2tpd presumably listens on every address.
; NOTE(review): the IPsec conns use auto=add, which does not by itself
; block plaintext UDP/1701 reaching this daemon; confirm the firewall
; only admits L2TP that arrived through IPsec.
;listen-addr =  10.161.32.2
[lns default]
; NOTE(review): per xl2tpd.conf(5) this should limit each tunnel to a
; single call -- confirm that is the intent
exclusive = yes
; Client addresses come out of the LAN's own 10.161.32.0/24 (the ipsec
; leftsubnet), which is why options.l2tpd.lns needs proxyarp
ip range = 10.161.32.50-10.161.32.250
local ip = 10.161.32.2
; Only CHAP is accepted; PAP (cleartext password) is refused outright
require chap = yes
refuse pap = yes
require authentication = yes
name = Corpname
; Verbose pppd logging while the multi-client problem is being chased
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.lns
; Send the optional length field in L2TP headers
length bit = yes
+----------------------------------------------------------------------------+

Here's my options.l2tpd.lns

+----------------------------------------------------------------------------+
# Accept the addresses xl2tpd supplies ("local ip" / "ip range") during IPCP
ipcp-accept-local
ipcp-accept-remote
# DNS and WINS servers handed to the client
ms-dns 10.161.10.50
ms-wins 10.161.10.100
# Require the peer to authenticate itself (CHAP, per the xl2tpd lns section)
auth
# No PPP-level compression (CCP); ipsec.conf's compress=yes is a separate layer
noccp
# Hardware flow control; a serial-line option, presumably a no-op on the
# pty xl2tpd hands pppd -- harmless but worth confirming
crtscts
# Drop the session after 30 minutes with no traffic
idle 1800
# Keep PPP frames small enough to survive the L2TP/UDP/IPsec overhead
mtu 1400
mru 1400
# Never let a client's negotiated route become this host's default route
nodefaultroute
debug
# Lock the pty so two pppd instances cannot share it
lock
# Answer ARP on the LAN for the client addresses, which sit inside 10.161.32.0/24
proxyarp
# Wait up to 5000 ms after the link comes up before starting LCP (presumably
# to give the L2TP call time to settle)
connect-delay 5000
nologfd




