[Openswan Users] Problem with securing l2tpd (NETKEY 2.6)
Paul Wouters
paul at xelerance.com
Thu Jun 14 21:42:18 EDT 2007
On Fri, 15 Jun 2007, Adrian Gruntkowski wrote:
> Ok, maybe I wasn't clear enough. So my version of openswan:
>
> Linux Openswan U2.4.8/K2.6.18.custom1 (netkey)
>
> and l2tpd is 0.70-pre20031121-2.2 (from debian etch).
I recommend you upgrade to xl2tpd. See the changelog for fixes done since it
forked (continued really) from l2tpd.
> Forgot to mention that default policy in my iptables chains (INPUT, FORWARD) is DENY.
>
> When I add an entry that accepts traffic from public interface to udp 1701, all works
> just fine (however it's insecure).
1) mark ESP, udp 4500 and udp 500 packets on incoming interface
2) allow marked packets on FORWARD
3) drop port 1701 packets on FORWARD
That will only allow 1701 packets that came from marked (and decrypted/authenticated)
ipsec packets.
> and options.l2tpd:
>
> ipcp-accept-local
> ipcp-accept-remote
> ms-dns 80.51.70.2
> ms-wins 10.53.51.21
> auth
> crtscts
> idle 1800
> mtu 1400
> mru 1400
Try 1360 for those. 1400 isn't always enough on some servers I use.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
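Added example, not part of Paul's reply or of the Openswan/xl2tpd project: the three steps Paul lists (mark the IPsec packets on the way in, accept marked packets, drop everything else on UDP 1701) as an iptables script for a NETKEY host. With NETKEY the decrypted inner packet re-enters netfilter carrying the same skb mark as the ESP (or UDP 4500) packet it arrived in, which is what lets the mark distinguish L2TP-over-IPsec from cleartext L2TP. The interface name eth0 and mark value 0x1 are assumptions; the script also assumes l2tpd listens on the Openswan host itself, so the decrypted packets terminate in INPUT, and the mark rule there is narrowed to UDP 1701 rather than accepting every marked packet. Use FORWARD, as in the steps above, when the L2TP endpoint sits behind the gateway. Run it as `./l2tp-fw.sh apply` to load the rules, or `./l2tp-fw.sh dry-run` to print them.

```shell
#!/bin/sh
# Added example (not from the original thread or the Openswan project):
# only accept UDP 1701 (L2TP) when it arrived inside an IPsec SA, using the
# NETKEY mark trick. Assumed values: WAN interface eth0, mark 0x1, l2tpd
# running on this host (so the decrypted packets hit INPUT, not FORWARD).
# IPT=echo turns the script into a dry run that prints the rules.

IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"
MARK="${MARK:-0x1}"

ipsec_l2tp_rules() {
    # Step 1: mark ESP, UDP 4500 (NAT-T) and UDP 500 (IKE) as they enter.
    # Marking happens in mangle/PREROUTING, before any filtering. NETKEY
    # hands the decrypted inner packet back to netfilter with the mark
    # intact, so the L2TP packet inside the SA inherits it.
    "$IPT" -t mangle -A PREROUTING -i "$WAN" -p esp -j MARK --set-mark "$MARK"
    "$IPT" -t mangle -A PREROUTING -i "$WAN" -p udp --dport 4500 -j MARK --set-mark "$MARK"
    "$IPT" -t mangle -A PREROUTING -i "$WAN" -p udp --dport 500 -j MARK --set-mark "$MARK"

    # The IPsec control and data traffic itself still has to be accepted,
    # otherwise the tunnel never comes up under a default-DROP INPUT policy.
    "$IPT" -A INPUT -i "$WAN" -p udp --dport 500 -j ACCEPT
    "$IPT" -A INPUT -i "$WAN" -p udp --dport 4500 -j ACCEPT
    "$IPT" -A INPUT -i "$WAN" -p esp -j ACCEPT

    # Step 2: accept L2TP only when the packet carries the mark, i.e. it was
    # decrypted and authenticated by IPsec. Narrowed to dport 1701; Paul's
    # step accepts any marked packet, which is looser than L2TP needs.
    "$IPT" -A INPUT -i "$WAN" -p udp --dport 1701 -m mark --mark "$MARK" -j ACCEPT

    # Step 3: drop cleartext L2TP. Order matters: this must come after the
    # ACCEPT above, since iptables takes the first matching rule.
    "$IPT" -A INPUT -i "$WAN" -p udp --dport 1701 -j DROP
}

# Quick check a practitioner would run afterwards: confirm the mark rules
# exist and the 1701 ACCEPT precedes the 1701 DROP (prints the rule numbers).
show_l2tp_rules() {
    "$IPT" -t mangle -L PREROUTING -n --line-numbers | grep -E 'MARK|esp|dpt:(500|4500)'
    "$IPT" -L INPUT -n --line-numbers | grep 'dpt:1701'
}

case "${1:-}" in
    apply)   ipsec_l2tp_rules ;;
    dry-run) IPT=echo; ipsec_l2tp_rules ;;
    show)    show_l2tp_rules ;;
esac
```

The dry run is worth keeping around: the most common mistake with this pattern is appending the DROP for 1701 before the marked ACCEPT (or into an existing chain that already has a blanket 1701 accept from debugging, as in the original post), and reading the generated rule order is the quickest way to catch it.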