[Openswan Users] Problem with securing l2tpd (NETKEY 2.6)

Adrian Gruntkowski adrian at ima.pl
Thu Jun 14 21:12:46 EDT 2007


>> Include this in your /etc/xl2tpd/xl2tpd.conf file. That will make
>> l2tp daemon listen on your internal ip. Make sure to restart your l2tpd service.

>> [global]
>> listen-addr = [internal ip]

>> This would work if it was KLIPS. I have been struggling with it for days
>> but couldn't make it work with NAT-T (module was crashing - couldn't find
>> any solution) so I've switched to NETKEY. The problem is, that there's
>> no ipsec interface anymore so I can't redirect traffic from tunnel
>> to l2tpd listening on internal interface.

> No, not really. I have: sudo ipsec --version  Linux Openswan
> U2.4.7/K2.6.18 (netkey) with xl2tpd-1.1.05. Running fine, I have no
> problem at all with it. And xfrm is not related to selinux either,
> it is the kernel hook for ipsec. I have the same setup as you: single interface, openswan/xl2tp.

> Have you got an IPsec SA? If you have, then your xl2tp.conf needs
> to be examined properly. Post it here and you might get some help.

Ok, maybe I wasn't clear enough. So my version of openswan:

Linux Openswan U2.4.8/K2.6.18.custom1 (netkey)

and l2tpd is 0.70-pre20031121-2.2 (from debian etch).

Forgot to mention that the default policy in my iptables chains (INPUT, FORWARD) is DENY.

When I add an entry that accepts traffic from the public interface to udp 1701, all works
just fine (however, it's insecure).
When I set listen-addr to the internal interface and/or remove the above entry, it doesn't
go any further at all. The IPsec connection is established successfully in all cases.

My config l2tpd.conf:

[global]
; commented out: binding to the internal IP stopped the tunnel working
;listen-addr = 10.53.51.20

[lns default]
; addresses handed to dialling-in clients, and the server-side end of the PPP link
ip range = 10.53.51.110-10.53.51.127
local ip = 10.53.51.20
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

and options.l2tpd:

ipcp-accept-local
ipcp-accept-remote
# DNS / WINS servers pushed to Windows clients
ms-dns  80.51.70.2
ms-wins 10.53.51.21
auth
crtscts
idle 1800
# MTU/MRU lowered to leave room for the IPsec + L2TP overhead
mtu 1400
mru 1400
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

Greetings,
adrian at ima.pl
Adrian Gruntkowski
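Added example (editor's note, not code from the thread or from Openswan/l2tpd): with NETKEY there is no ipsec0 interface, and the decrypted L2TP packet re-enters the INPUT chain on the public interface with the same addresses and ports as a plaintext one, so neither an interface match nor binding l2tpd to the internal IP can separate the two. What does distinguish them is the xfrm policy the packet matched, which iptables exposes through the policy match (xt_policy, in mainline since 2.6.16). The script below assumes the public interface is eth0 (override with WAN_IF) and that IKE, NAT-T and ESP must also be allowed in; it prints the rules by default, applies them only when told to, and includes a small audit helper that counts udp/1701 ACCEPT rules lacking the policy match, i.e. the insecure entry described above.

```shell
#!/bin/sh
# Added example, not from the thread. Restricts udp/1701 (L2TP) to packets
# that were decapsulated from an IPsec SA, using iptables' policy match
# (xt_policy, mainline since 2.6.16). Assumptions, not from the post:
# the public interface is eth0 (override with WAN_IF) and IKE/NAT-T/ESP
# must be let in on it.

WAN_IF="${WAN_IF:-eth0}"   # assumed public interface name

# Rules that let the IPsec side (IKE, NAT-T, ESP) reach Openswan.
ike_rules() {
    cat <<EOF
iptables -A INPUT -i $WAN_IF -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p esp -j ACCEPT
EOF
}

# The L2TP side. With NETKEY the decrypted L2TP packet hits INPUT on the
# same interface with the same addresses as a plaintext one; the only thing
# that distinguishes it is the xfrm policy it matched, which is what
# "-m policy --dir in --pol ipsec" tests. NAT-T (UDP-encapsulated ESP)
# still counts as proto esp here. Plaintext udp/1701 is then dropped
# explicitly, so the rule set stays safe even if the chain policy is relaxed.
l2tp_rules() {
    cat <<EOF
iptables -A INPUT -i $WAN_IF -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp --dport 1701 -j DROP
iptables -A OUTPUT -o $WAN_IF -p udp --sport 1701 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p udp --sport 1701 -j DROP
EOF
}

# Audit helper: given rules on stdin (iptables-save format or the commands
# above), print how many udp/1701 ACCEPT rules lack the policy match, i.e.
# how many open L2TP to the plaintext internet. Prints 0 when there are none.
count_unprotected_1701() {
    grep -E -- '--dport 1701' | grep -E -- '-j ACCEPT' | grep -vc -- '-m policy' || true
}

case "${1:-}" in
    apply) { ike_rules; l2tp_rules; } | sh -e ;;   # needs root and xt_policy
    audit) count_unprotected_1701 ;;               # e.g. iptables-save | sh l2tp-fw.sh audit
    *)     ike_rules; l2tp_rules ;;                # default: just print the rules
esac
```

Run it without arguments to see the rules, `sh l2tp-fw.sh apply` as root to install them after the existing udp 1701 ACCEPT entry has been removed, and `iptables-save | sh l2tp-fw.sh audit` to confirm nothing still accepts plaintext L2TP (it should print 0). Keep listen-addr commented out: the IPsec SA terminates on the public address, so that is where the decrypted L2TP packets are delivered.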