[Openswan Users] Problem with securing l2tpd (NETKEY 2.6)
Adrian Gruntkowski
adrian at ima.pl
Thu Jun 14 21:12:46 EDT 2007
>> Include this in your /etc/xl2tpd/xl2tpd.conf file. That will make
>> l2tp daemon listen on your internal ip. Make sure to restart your l2tpd service.
>> [global]
>> listen-addr = [internal ip]
>> This would work if it were KLIPS. I have been struggling with it for days
>> but couldn't make it work with NAT-T (module was crashing - couldn't find
>> any solution) so I've switched to NETKEY. The problem is that there's
>> no ipsec interface anymore, so I can't redirect traffic from the tunnel
>> to l2tpd listening on the internal interface.
> No, not really. I have: sudo ipsec --version Linux Openswan
> U2.4.7/K2.6.18 (netkey) with xl2tpd-1.1.05. Running fine, I have no
> problem at all with it. And xfrm is not related to selinux either,
> it is the kernel hook for ipsec. I have the same setup as you; single interface openswan/xl2tp.
> Have you got past the IPSec SA? If you have, then your xl2tp.conf needs
> to be examined properly. Post it here and you might get some help.
Ok, maybe I wasn't clear enough. So my version of openswan:
Linux Openswan U2.4.8/K2.6.18.custom1 (netkey)
and l2tpd is 0.70-pre20031121-2.2 (from debian etch).
Forgot to mention that the default policy in my iptables chains (INPUT, FORWARD) is DENY.
When I add an entry that accepts traffic from the public interface to udp 1701, all works
just fine (however, it's insecure).
When I set listen-addr to the internal interface and/or remove the above entry, it doesn't
go any further at all. The IPsec connection is established successfully in all cases.
My config l2tpd.conf:
[global]
; binding l2tpd to the internal address is the variant that did not work
;listen-addr = 10.53.51.20
[lns default]
; pool handed out to VPN clients and the server's side of the PPP link
ip range = 10.53.51.110-10.53.51.127
local ip = 10.53.51.20
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
and options.l2tpd:
ipcp-accept-local
ipcp-accept-remote
ms-dns 80.51.70.2
ms-wins 10.53.51.21
auth
crtscts
idle 1800
# MTU/MRU lowered to leave room for the L2TP and IPsec overhead
mtu 1400
mru 1400
nodefaultroute
debug
lock
# answer ARP for the client's pool address on the LAN
proxyarp
connect-delay 5000
Greetings,
adrian at ima.pl
Adrian Gruntkowski
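What the thread is missing is the NETKEY way to tell decrypted traffic from cleartext. With KLIPS the decrypted packets appear on ipsec0 and can be matched by interface; with NETKEY they come back through netfilter on the same public interface, but the kernel keeps the xfrm state attached to the packet and iptables can match on it with `-m policy`. The decrypted L2TP packet is still addressed to the public IP, which is why setting listen-addr to the internal address never sees any traffic: xl2tpd should keep listening on the public address and the firewall should admit UDP 1701 only when the packet was decapsulated from an ESP SA. The script below is an added example (not code from the thread or from Openswan/xl2tpd) that prints the rule the post calls insecure next to the hardened set; it assumes the public interface is eth0 (pass another name as the second argument) and that the kernel has the xt_policy match (CONFIG_NETFILTER_XT_MATCH_POLICY).

```shell
#!/bin/sh
# Added example, not from the thread: iptables rules for an Openswan/NETKEY
# host that must accept L2TP (UDP 1701) only after IPsec decapsulation.
# Assumptions: public interface is eth0 unless overridden, and the kernel
# provides the xt_policy match (check with: iptables -m policy -h).

# The rule the post describes as working but insecure: any host on the
# internet can talk to xl2tpd directly, bypassing IPsec entirely.
insecure_rules() {
    wan="$1"
    printf 'iptables -A INPUT -i %s -p udp --dport 1701 -j ACCEPT\n' "$wan"
}

# Hardened set. IKE (500), NAT-T (4500) and ESP must be reachable so the SA
# can come up at all. UDP 1701 is then accepted only when the packet arrived
# through an ESP transport-mode SA, which is what L2TP/IPsec clients
# negotiate. The explicit DROP keeps the intent even if the chain policy is
# later relaxed; the OUTPUT rules stop xl2tpd from ever answering in clear.
secure_rules() {
    wan="$1"
    cat <<EOF
iptables -A INPUT -i $wan -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $wan -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $wan -p esp -j ACCEPT
iptables -A INPUT -i $wan -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp --mode transport -j ACCEPT
iptables -A INPUT -i $wan -p udp --dport 1701 -j DROP
iptables -A OUTPUT -o $wan -p udp --sport 1701 -m policy --dir out --pol ipsec --proto esp --mode transport -j ACCEPT
iptables -A OUTPUT -o $wan -p udp --sport 1701 -j DROP
EOF
}

# Self-check: no rule may ACCEPT port 1701 without a policy match.
rules_are_safe() {
    secure_rules "$1" | grep -- '--dport 1701' | grep -v -- '-m policy' | grep -q ACCEPT && return 1
    return 0
}

case "${1:-print}" in
    apply)
        # As root: sh l2tp-fw.sh apply eth0
        secure_rules "${2:-eth0}" | sh -e
        ;;
    *)
        echo '# insecure (what the post tried):'
        insecure_rules "${2:-eth0}"
        echo '# hardened:'
        secure_rules "${2:-eth0}"
        ;;
esac
```

After the SA is up, `ip xfrm state` and `ip xfrm policy` show the transport-mode ESP entries the match relies on, and `iptables -vnL INPUT` should show the counters of the `-m policy` rule climbing while the plain `--dport 1701` DROP rule stays at zero. Since the FORWARD chain in the post is also default-deny, VPN clients will additionally need FORWARD rules for the ppp interfaces before they can reach the LAN.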