[Openswan Users] l2tpd does not finish pppd connection

Rafael Andara rafael.andara at gmail.com
Tue May 15 21:48:49 EDT 2007


This is the output of ipsec verify:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.6/K2.6.18-4-686 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]


Both eth0 and eth1 have their mtu set to 1500

In the options.l2tpd the mtu is set to 1410

I have disabled the firewall, but the problem occurs with and without
iptables.



On 5/15/07, Paul Wouters <paul at xelerance.com> wrote:
>
> On Tue, 15 May 2007, Rafael Andara wrote:
>
> > I was able to set up a lab vpn server with IPsec/l2tpd without any problem,
> > but when I put it on production my connection suddenly dies after a minute
> > or so, I was able to see that pppd was sending LCP EchoReq but it wasn't
> > getting any response.
> > I stopped testing and 2 days after it's worse: the connection isn't
> > established, the chap challenge doesn't get to the client and I see this with
> > tcpdump:
> >
> > 12:16:46.007191 IP vpn-server > roadwarrior: ESP(spi=0x3b2c8ac1,seq=0x6), length 84
> > 12:16:46.009699 IP vpn-server > roadwarrior: ESP(spi=0x3b2c8ac1,seq=0x7), length 68
> > 12:16:46.896071 IP roadwarrior > vpn-server: ESP(spi=0x707a54a7,seq=0x8), length 84
> > 12:16:46.898789 arp who-has roadwarrior tell vpn-server
> > 12:16:47.898825 arp who-has roadwarrior tell vpn-server
> > 12:16:48.898892 arp who-has roadwarrior tell vpn-server
> > 12:16:49.902972 arp who-has roadwarrior tell vpn-server
> > 12:16:50.903013 arp who-has roadwarrior tell vpn-server
> > 12:16:51.903077 arp who-has roadwarrior tell vpn-server
> > 12:16:52.907159 arp who-has roadwarrior tell vpn-server
> >
> > VPN-server is a NAT server also, with iptables.
>
> - Run ipsec verify
> - Check/lower your external mtu to 1440
> - disable firewall rules to see if that is the problem
>
> Paul
>
>


-- 
Saludos.
Linux Registered User 422700
-RA-
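
The two [FAILED] lines in the ipsec verify output above come from per-interface files under /proc/sys/net/ipv4/conf/. The following is an added example, not part of the original message or of Openswan: it lists which interfaces still have redirects enabled and prints matching sysctl.conf lines. The function names and the sample tree (including the interface eth1.10) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the ICMP redirect settings that "ipsec verify" tests
# on a NETKEY stack. The directory argument is an assumption of this example
# so the check can run against a constructed tree instead of the live /proc.

# Print "<iface> <setting>=<value>" for every redirect setting that is not 0.
audit_redirects() {
    conf_root="${1:-/proc/sys/net/ipv4/conf}"
    for dir in "$conf_root"/*/; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        for setting in send_redirects accept_redirects; do
            [ -r "$dir$setting" ] || continue
            value=$(cat "$dir$setting")
            [ "$value" = "0" ] || echo "$iface $setting=$value"
        done
    done
}

# Turn each finding into a sysctl.conf line. A dot inside an interface name
# (VLAN style) is written as "/" in the dotted sysctl key.
suggest_sysctl() {
    audit_redirects "$1" | while read -r iface kv; do
        key=$(printf '%s' "$iface" | tr . /)
        echo "net.ipv4.conf.$key.${kv%%=*} = 0"
    done
}

# Constructed sample data: args are root, interface, send, accept.
write_iface() {
    mkdir -p "$1/$2"
    echo "$3" > "$1/$2/send_redirects"
    echo "$4" > "$1/$2/accept_redirects"
}

make_sample_tree() {
    root=$(mktemp -d)
    write_iface "$root" all 1 1
    write_iface "$root" default 1 0
    write_iface "$root" eth0 0 0
    write_iface "$root" eth1.10 0 1
    echo "$root"
}

tree=$(make_sample_tree)
audit_redirects "$tree"
suggest_sysctl "$tree"
rm -rf "$tree"
```

Called with no argument, audit_redirects reads the live /proc/sys/net/ipv4/conf tree.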