[Openswan Users] Cisco IP Redirect and L2TP
Lars Behrens
lars at hfk-bremen.de
Fri Nov 30 07:19:40 EST 2007
Hi,
we got a Debian Etch box here, kernel 2.6.18 with XL2TPD (1.1.12.dfsg.1-2) and openswan (1:2.4.8-dfsg-1).
Gateway-to-gateway connections to an OpenSwan server and to a Cisco Pix are working, as well as connections to roadwarriors with Win XP using Microsoft's L2TPD.
Three days ago, our provider changed "ip redirect" on his Cisco Gigabit router to "no ip redirect". Immediately it was no longer possible to start the L2TP tunnel, while the IPSEC tunnel works as usual.
The log shows that the IPSec is established ...:
Nov 29 09:19:35 syncie pluto[21221]: "vista"[8] 1.2.3.4 #8: STATE_QUICK_R2: IPsec SA established {ESP=>0xd64b929e <0x90c8d184 xfrm=3DES_0-HMAC_MD5 NATD=1.2.3.4:4500 DPD=none}
.. but then we got a timeout when establishing the L2TP connection:
Nov 29 09:19:40 syncie pluto[21221]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 1.2.3.4 port 4500, complainant 22.22.22.22: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 29 09:19:47 syncie last message repeated 8 times
Nov 29 09:19:51 syncie pluto[21221]: "vista"[8] 1.2.3.4 #7: received Delete SA(0xd64b929e) payload: deleting IPSEC State #8
With plutodebug and traceroute one can see that the connection hangs at the outgoing side of the gateway, as if a firewall would block the traffic; but there is no firewall.
Yesterday the provider reset the "no ip redirect" on the Cisco router again to "ip redirect" - immediately the L2TP tunnel was working again.
Curiously enough, when he again set "no ip redirect" on the Cisco router, two roadwarriors connecting via different DSL providers could still connect (as they can just now). The third roadwarrior can't until today; he can only connect when "ip redirect" is set on the Cisco router.
So it could be a problem between our OpenSwan/XL2TPD implementation and the Cisco router. I tried it, by the way, with the former L2TPD, but got the same (negative) results.
Any ideas about it ...? I am not a 100% L2TPD professional and the provider only knows about his Cisco systems, but he has never experienced such a strange behaviour before :-(
thanx in advance!
greetings
lars behrens
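An added triage script for the failure pattern in the post above (it is not from the original mail, nor from the Openswan or xl2tpd projects): it parses pluto log lines of the shape quoted there, folds syslog's "last message repeated N times" into the error count, and reports peers whose IPsec SA came up but whose UDP 4500 (NAT-T) traffic was then bounced with ICMP destination-unreachable by an intermediate router before the SA was torn down. The sample log is constructed from the lines in the post; the regexes assume the message wording shown there.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the pluto log lines quoted in the post above.
SAMPLE_LOG = """\
Nov 29 09:19:35 syncie pluto[21221]: "vista"[8] 1.2.3.4 #8: STATE_QUICK_R2: IPsec SA established {ESP=>0xd64b929e <0x90c8d184 xfrm=3DES_0-HMAC_MD5 NATD=1.2.3.4:4500 DPD=none}
Nov 29 09:19:40 syncie pluto[21221]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 1.2.3.4 port 4500, complainant 22.22.22.22: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Nov 29 09:19:47 syncie last message repeated 8 times
Nov 29 09:19:51 syncie pluto[21221]: "vista"[8] 1.2.3.4 #7: received Delete SA(0xd64b929e) payload: deleting IPSEC State #8
"""

# ICMP type 3 (destination unreachable) codes from RFC 792 / RFC 1812.
UNREACH = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
           3: "port unreachable", 4: "fragmentation needed", 13: "admin prohibited"}

SA_RE = re.compile(r'"[^"]+"\[\d+\] (?P<peer>[\d.]+) #\d+: STATE_\w+: IPsec SA established')
ERR_RE = re.compile(r'asynchronous network error report on \S+ \(sport=\d+\) for message to '
                    r'(?P<peer>[\d.]+) port (?P<dport>\d+), complainant (?P<who>[\d.]+): '
                    r'.*origin ICMP type (?P<type>\d+) code (?P<code>\d+)')
DEL_RE = re.compile(r'"[^"]+"\[\d+\] (?P<peer>[\d.]+) #\d+: received Delete SA\(0x[0-9a-f]+\)')
REPEAT_RE = re.compile(r'last message repeated (?P<n>\d+) times')

def triage(log):
    """Per peer: SA established?, ICMP errors seen (syslog repeats folded in), SA deleted?"""
    peers = defaultdict(lambda: {"established": False, "errors": {}, "deleted": False})
    last_err = None  # (peer, key) of the preceding error line, for 'last message repeated'
    for line in log.splitlines():
        if m := ERR_RE.search(line):
            key = (m["who"], int(m["type"]), int(m["code"]), int(m["dport"]))
            errs = peers[m["peer"]]["errors"]
            errs[key] = errs.get(key, 0) + 1
            last_err = (m["peer"], key)
        elif (m := REPEAT_RE.search(line)) and last_err:
            peers[last_err[0]]["errors"][last_err[1]] += int(m["n"])  # N suppressed copies
        elif m := SA_RE.search(line):
            peers[m["peer"]]["established"], last_err = True, None
        elif m := DEL_RE.search(line):
            peers[m["peer"]]["deleted"], last_err = True, None
    return dict(peers)

def describe(findings):
    """Report peers whose SA came up but whose UDP 4500 / ESP traffic was then bounced."""
    out = []
    for peer, f in findings.items():
        for (who, typ, code, port), n in f["errors"].items():
            if f["established"] and typ == 3:
                what = UNREACH.get(code, f"code {code}")
                tail = "; SA then torn down" if f["deleted"] else ""
                out.append(f"{peer}: IPsec SA up, but {n}x ICMP {what} from {who} for UDP/{port}{tail}")
    return out
```

The "complainant" address in the report is the router that generated the ICMP error, which is the first hop to ask about when the IKE exchange succeeds but the subsequent NAT-T traffic is rejected.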