[Openswan Users] Problem with securing l2tpd (NETKEY 2.6)
Adrian Gruntkowski
adrian at ima.pl
Fri Jun 15 04:37:06 EDT 2007
> On Fri, 15 Jun 2007, Adrian Gruntkowski wrote:
>> Ok, maybe I wasn't clear enough. So my version of openswan:
>>
>> Linux Openswan U2.4.8/K2.6.18.custom1 (netkey)
>>
>> and l2tpd is 0.70-pre20031121-2.2 (from debian etch).
> I recommend you upgrade to xl2tpd. See teh changelog for fixes done since it
> forked (continued really) from l2tpd.
>> Forgot to mention that default policy in my iptables chains (INPUT, FORWARD) is DENY.
>>
>> When I add entry that accepts traffic from public interface to udp 1701, all works
>> just fine (however it's insecure).
> 1) mark ESP, udp 4500 and udp 500 packets on incoming interface
> 2) allow marked packets on FORWARD
> 3) drop port 1701 packets on FORWARD
> That will only allow 1701 packets that came from marked (and decrypted/authenticated)
> ipsec packets.
It worked! I didn't mark packets coming to 500 and 4500 udp, just esp.
Thanks!
>> and options.l2tpd:
>>
>> ipcp-accept-local
>> ipcp-accept-remote
>> ms-dns 80.51.70.2
>> ms-wins 10.53.51.21
>> auth
>> crtscts
>> idle 1800
>> mtu 1400
>> mru 1400
> Try 1360 for those. 1400 isnt always enough on some servers I use.
Ok I'll test it.
Again, thank You to everybody for such quick response.
Greetings,
adrian at ima.pl
Adrian Gruntkowski
More information about the Users
mailing list