[Openswan Users] Problem with securing l2tpd (NETKEY 2.6)

Adrian Gruntkowski adrian at ima.pl
Fri Jun 15 04:37:06 EDT 2007


> On Fri, 15 Jun 2007, Adrian Gruntkowski wrote:

>> Ok, maybe I wasn't clear enough. So my version of openswan:
>>
>> Linux Openswan U2.4.8/K2.6.18.custom1 (netkey)
>>
>> and l2tpd is 0.70-pre20031121-2.2 (from debian etch).

> I recommend you upgrade to xl2tpd. See the changelog for fixes done since it
> forked (continued really) from l2tpd.

>> Forgot to mention that default policy in my iptables chains (INPUT, FORWARD) is DENY.
>>
>> When I add entry that accepts traffic from public interface to udp 1701, all works
>> just fine (however it's insecure).

> 1) mark ESP, udp 4500 and udp 500 packets on incoming interface
> 2) allow marked packets on FORWARD
> 3) drop port 1701 packets on FORWARD

> That will only allow 1701 packets that came from marked (and decrypted/authenticated)
> ipsec packets.

It worked! I didn't mark packets coming to 500 and 4500 udp, just esp.
Thanks!

>> and options.l2tpd:
>>
>> ipcp-accept-local
>> ipcp-accept-remote
>> ms-dns  80.51.70.2
>> ms-wins 10.53.51.21
>> auth
>> crtscts
>> idle 1800
>> mtu 1400
>> mru 1400

> Try 1360 for those. 1400 isn't always enough on some servers I use.

Ok, I'll test it.

Again, thank you to everybody for such a quick response.

Greetings,
adrian at ima.pl
Adrian Gruntkowski
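The three-step policy from the reply above (mark ESP and IKE/NAT-T packets on the public interface, accept marked packets, drop unprotected UDP 1701), written out as iptables rules. This is an added example, not a script from the thread or from Openswan; it assumes the public interface is eth0, uses fwmark 1, and puts the rules in FORWARD exactly as the reply states (the mark set on the ESP packet is kept by NETKEY on the decapsulated inner packet, which is what makes the trick work).

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: public interface eth0,
# fwmark value 1, L2TP packets traverse the FORWARD chain as in the reply.
PUB_IF="${PUB_IF:-eth0}"
MARK="${MARK:-1}"

# Print the rule list in order. Order matters: the ACCEPT for marked
# packets must come before the unconditional DROP of UDP 1701, so only
# 1701 packets that arrived inside an ESP/NAT-T packet get through.
ipsec_l2tp_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -i $PUB_IF -p esp -j MARK --set-mark $MARK
iptables -t mangle -A PREROUTING -i $PUB_IF -p udp --dport 500 -j MARK --set-mark $MARK
iptables -t mangle -A PREROUTING -i $PUB_IF -p udp --dport 4500 -j MARK --set-mark $MARK
iptables -A FORWARD -m mark --mark $MARK -j ACCEPT
iptables -A FORWARD -p udp --dport 1701 -j DROP
EOF
}

# Execute each rule, or only echo it when DRY_RUN is set.
apply_rules() {
    ipsec_l2tp_rules | while read -r rule; do
        if [ -n "$DRY_RUN" ]; then
            echo "$rule"
        else
            sh -c "$rule"
        fi
    done
}

# Rules are only applied when the script is invoked with "apply";
# sourcing the file just defines the functions for review.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Marking only ESP, as the author ended up doing, is enough for the data path; the UDP 500 and 4500 marks only matter when IKE or NAT-T traffic itself has to pass the chain in question.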
