[Openswan Users] Problem with securing l2tpd (NETKEY 2.6)

James james at nttmcl.com
Fri Jun 29 18:51:52 EDT 2007


Adrian Gruntkowski wrote:
>> On Fri, 15 Jun 2007, Adrian Gruntkowski wrote:
>>
>>> Ok, maybe I wasn't clear enough. So my version of openswan:
>>>
>>> Linux Openswan U2.4.8/K2.6.18.custom1 (netkey)
>>>
>>> and l2tpd is 0.70-pre20031121-2.2 (from debian etch).
>>
>> I recommend you upgrade to xl2tpd. See the changelog for fixes done since it
>> forked (continued really) from l2tpd.
>>
>>> Forgot to mention that default policy in my iptables chains (INPUT, FORWARD) is DENY.
>>>
>>> When I add entry that accepts traffic from public interface to udp 1701, all works
>>> just fine (however it's insecure).
>>
>> 1) mark ESP, udp 4500 and udp 500 packets on incoming interface
>> 2) allow marked packets on FORWARD
>> 3) drop port 1701 packets on FORWARD
>>
>> That will only allow 1701 packets that came from marked (and decrypted/authenticated)
>> ipsec packets.
>
> It worked! I didn't mark packets coming to 500 and 4500 udp, just esp.
> Thanks!
>
>>> and options.l2tpd:
>>>
>>> ipcp-accept-local
>>> ipcp-accept-remote
>>> ms-dns  80.51.70.2
>>> ms-wins 10.53.51.21
>>> auth
>>> crtscts
>>> idle 1800
>>> mtu 1400
>>> mru 1400
>>
>> Try 1360 for those. 1400 isn't always enough on some servers I use.
>
> Ok I'll test it.
>
> Again, thank you to everybody for such quick response.
>
> Greetings,
> adrian at ima.pl
> Adrian Gruntkowski
Hey, I was wondering what the entries looked like in your iptables for that.
I'm pretty new at the iptables stuff but this is what I have.
Can't get it to forward the l2tp stuff.

ETH1 = internet
ETH2 = lan

#L2TPD-REJECT
        $IPTABLES -A INPUT -i eth1 -p udp --dport 1701 -j REJECT
        $IPTABLES -A INPUT -i eth1 -p udp --dport 17 -j REJECT
        $IPTABLES -A OUTPUT -o eth1 -p udp --dport 1701 -j REJECT
        $IPTABLES -A OUTPUT -o eth1 -p udp --dport 17 -j REJECT

#Marking ESP
        $IPTABLES -A PREROUTING -t mangle -i eth1 -p esp -j MARK --set-mark 1
#Allow marked packets on FORWARD
        $IPTABLES -A FORWARD -i eth1 -m mark --mark 1 -j ACCEPT
        $IPTABLES -A FORWARD -i eth2 -j ACCEPT

#L2TPD-ACCEPT
        $IPTABLES -A OUTPUT -o eth2 -p udp --sport 1701 --dport 1701 -j ACCEPT
        $IPTABLES -A INPUT -i eth2 -p udp --sport 1701 --dport 1701 -j ACCEPT
        $IPTABLES -A OUTPUT -o eth2 -p udp --sport 17 --dport 17 -j ACCEPT
        $IPTABLES -A INPUT -i eth2 -p udp --sport 17 --dport 17 -j ACCEPT
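The three-step scheme from the reply quoted above (mark the IPsec carriers on the public interface, accept UDP 1701 only when it carries the mark, drop the rest), written out as an added example; it is not code from the thread or from the Openswan project. It assumes eth1 is the Internet side as in the post, a default policy of DROP, and that l2tpd runs on the firewall host itself, in which case the decrypted L2TP packets are delivered locally and traverse INPUT, not FORWARD, so a mark-based ACCEPT that exists only in FORWARD never sees them. It goes slightly beyond the thread by also showing the `-m policy` match, which asks the kernel directly whether a packet came out of an IPsec SA and works on NETKEY kernels without any marking. Without the `apply` argument the script only prints the rules it would install.

```shell
#!/bin/sh
# Added example, not code from the thread or from Openswan: firewall rules
# for a host that runs l2tpd itself behind a default-DROP policy and must
# accept L2TP only after it has been decrypted by IPsec.
# Assumption: eth1 is the public interface (as in the post).
# Usage: sh l2tp-ipsec-rules.sh apply   (no argument = dry run, rules are printed)

IPTABLES="${IPTABLES:-iptables}"
WAN="${WAN:-eth1}"      # public interface
MARK=1                  # fwmark meaning "arrived inside IPsec"

# Step 1: stamp ESP, IKE (udp/500) and NAT-T (udp/4500) packets arriving on
# the public interface. NETKEY keeps the mark on the decrypted inner packet,
# which is what the later rules test for.
mark_ipsec_input() {
    $IPTABLES -t mangle -A PREROUTING -i "$WAN" -p esp -j MARK --set-mark "$MARK"
    $IPTABLES -t mangle -A PREROUTING -i "$WAN" -p udp --dport 500 -j MARK --set-mark "$MARK"
    $IPTABLES -t mangle -A PREROUTING -i "$WAN" -p udp --dport 4500 -j MARK --set-mark "$MARK"
}

# The IPsec carriers themselves must reach the local stack, otherwise no SA
# can be negotiated; with a DROP default they need explicit ACCEPTs.
allow_ipsec_transport() {
    $IPTABLES -A INPUT -i "$WAN" -p esp -j ACCEPT
    $IPTABLES -A INPUT -i "$WAN" -p udp -m multiport --dports 500,4500 -j ACCEPT
}

# Steps 2 and 3: udp/1701 is accepted only when the packet carries the mark,
# i.e. it came out of an IPsec SA. Order matters: the ACCEPT must precede the
# DROP. l2tpd listens on this host, so decrypted packets go through INPUT;
# FORWARD gets a plain DROP so no plaintext L2TP is routed onward either.
allow_l2tp_only_via_ipsec() {
    $IPTABLES -A INPUT -i "$WAN" -p udp --dport 1701 -m mark --mark "$MARK" -j ACCEPT
    $IPTABLES -A INPUT -i "$WAN" -p udp --dport 1701 -j DROP
    $IPTABLES -A FORWARD -i "$WAN" -p udp --dport 1701 -j DROP
}

# Alternative without marks: the policy match checks whether the packet was
# decapsulated under an IPsec policy. Use this in place of the mark rules on
# kernels that provide xt_policy (NETKEY does).
allow_l2tp_policy_match() {
    $IPTABLES -A INPUT -i "$WAN" -p udp --dport 1701 \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    $IPTABLES -A INPUT -i "$WAN" -p udp --dport 1701 -j DROP
}

apply_all() {
    mark_ipsec_input
    allow_ipsec_transport
    allow_l2tp_only_via_ipsec
}

if [ "${1:-}" = "apply" ]; then
    apply_all
else
    IPTABLES="echo iptables"   # dry run: print what would be installed
    apply_all
fi
```

In the dry run every rule is printed on its own line, which makes it easy to confirm that the marked-1701 ACCEPT sits above the unconditional DROP before installing anything on a box whose default policy is DROP.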