[Openswan Users] Securing L2TP when using Netkey

Paul Wouters paul at xelerance.com
Tue Mar 6 14:12:44 EST 2007

On Tue, 6 Mar 2007, baron.openswan at mailnull.com wrote:

> I've recently managed to get the following combination of things working properly to the point where a roadwarrior can successfully connect to my network just as if they were internal clients. However, one things keeps bugging me and that's the fact that the only way I can seem to make things work is to have the L2TP daemon listening on my external interface.

> The network I'm protecting is I want roadwarriors to get a address. In my current config, that all works fine, except like I mentioned, I don't like having the L2TP daemon listening on my ppp0 interface.
> Based on what I've ready, I understand that KLIPS supports ipsec style intefaces and Netkey does not. My question to you folks is whether or not there is a reasonable way to protect my L2TP daemon without using KLIPS.
> I've seen a few people recommend some special iptables rules, but haven't seen any that really address my configuration.

You can MARK esp and udp port 4500 packets, and then allow only marked UDP packets with port 1701.

Building and integrating Virtual Private Networks with Openswan:

More information about the Users mailing list