[Openswan Users] l2tp Linux client again..
Gbenga
stjames08 at yahoo.co.uk
Sun Sep 23 16:30:18 EDT 2007
Hi All,
I will be grateful if someone more knowledgeable could assist me with my query. I have a L2TP/Openswan server that work well with Windows xp/2k, but I have tried to configure a linux l2tp client with limited success.
The vpn server is behind nat with a single nic. The address on the single nic is on the network I am trying to provide access to 10.10.x.x, xlt2pd is version 1.1.05-1 on the server. IPSec connect ok and xl2tpd start up fine.
Linux Openswan U2.4.7/K2.6.18 (netkey)
On the iptables/firewall [nat device], I have the following rules that basically allow non-rfc 1918 through on proto 50, port 500 & 4500, then mark esp packet with dst 1701 and forward to vpn server.
firewall rule:
osogbetun at robbob:~$ sudo iptables -nL SYSENG-VPN
Chain SYSENG-VPN (2 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 MARK match 0x32 udp dpt:1701
ACCEPT all -- !10.0.0.0/8 10.10.1.57 state RELATED,ESTABLISHED
ACCEPT all -- !192.168.0.0/16 10.10.1.57 state RELATED,ESTABLISHED
ACCEPT all -- !172.16.0.0/12 10.10.1.57 state RELATED,ESTABLISHED
ACCEPT all -- 10.10.1.57 !10.0.0.0/8 state RELATED,ESTABLISHED
ACCEPT all -- 10.10.1.57 !192.168.0.0/16 state RELATED,ESTABLISHED
ACCEPT all -- 10.10.1.57 !172.16.0.0/12 state RELATED,ESTABLISHED
ACCEPT udp -- !10.0.0.0/8 10.10.1.57 udp dpt:500 state NEW
ACCEPT udp -- !192.168.0.0/16 10.10.1.57 udp dpt:500 state NEW
ACCEPT udp -- !172.16.0.0/12 10.10.1.57 udp dpt:500 state NEW
ACCEPT udp -- 10.10.1.57 !10.0.0.0/8 udp dpt:500 state NEW
ACCEPT udp -- 10.10.1.57 !192.168.0.0/16 udp dpt:500 state NEW
ACCEPT udp -- 10.10.1.57 !172.16.0.0/12 udp dpt:500 state NEW
ACCEPT udp -- !10.0.0.0/8 10.10.1.57 udp dpt:4500 state NEW
ACCEPT udp -- !192.168.0.0/16 10.10.1.57 udp dpt:4500 state NEW
ACCEPT udp -- !172.16.0.0/12 10.10.1.57 udp dpt:4500 state NEW
ACCEPT udp -- 10.10.1.57 !10.0.0.0/8 udp dpt:4500 state NEW
ACCEPT udp -- 10.10.1.57 !192.168.0.0/16 udp dpt:4500 state NEW
ACCEPT udp -- 10.10.1.57 !172.16.0.0/12 udp dpt:4500 state NEW
ACCEPT esp -- !10.0.0.0/8 10.10.1.57 state NEW
ACCEPT esp -- !192.168.0.0/16 10.10.1.57 state NEW
ACCEPT esp -- !172.16.0.0/12 10.10.1.57 state NEW
ACCEPT esp -- !10.0.0.0/8 10.10.1.57 state NEW
ACCEPT esp -- !192.168.0.0/16 10.10.1.57 state NEW
ACCEPT esp -- !172.16.0.0/12 10.10.1.57 state NEW
LOGDROP all -- 0.0.0.0/0 0.0.0.0/0
PREROUTING rules:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1701 MARK match 0x32 to:
10.10.1.57
DNAT udp -- !10.0.0.0/8 $PUB_INT udp dpt:500 to:10.10.1.57
DNAT udp -- !192.168.0.0/16 $PUB_INT udp dpt:500 to:10.10.1.57
DNAT udp -- !172.16.0.0/12 $PUB_INT udp dpt:500 to:10.10.1.57
DNAT udp -- !10.0.0.0/8 $PUB_INT udp dpt:4500 to:10.10.1.57
DNAT udp -- !192.168.0.0/16 $PUB_INT udp dpt:4500 to:10.10.1.57
DNAT udp -- !172.16.0.0/12 $PUB_INT udp dpt:4500 to:10.10.1.57
MANGLE rules:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4500 MARK set 0x32
MARK esp -- 0.0.0.0/0 0.0.0.0/0 MARK set 0x32
MARK udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500 MARK set 0x32
tail -f /var/log/deamon.log on the vpn server shows this:
Sep 23 21:16:47 laptop xl2tpd[6431]: Forked by Scott Balmos and David Stipp, (C) 2001
Sep 23 21:16:47 laptop xl2tpd[6431]: Inherited by Jeff McAdams, (C) 2002
Sep 23 21:16:47 laptop xl2tpd[6431]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Sep 23 21:16:47 laptop xl2tpd[6431]: Listening on IP address 0.0.0.0, port 1701
Sep 23 21:16:52 laptop xl2tpd[6431]: Connecting to host 10.10.1.57, port 1701
Sep 23 21:16:57 laptop xl2tpd[6431]: Maximum retries exceeded for tunnel 19621. Closing.
Sep 23 21:16:57 laptop xl2tpd[6431]: Connection 0 closed to 10.10.1.57, port 1701 (Timeout)
Sep 23 21:17:02 laptop xl2tpd[6431]: Unable to deliver closing message for tunnel 19621. Destroying anyway.
tcpdump on he vpn server shows that the packets are hitting the vpn server.
21:10:00.627047 IP 194.125.35.110.10001 > 10.10.1.57.4500: UDP-encap: ESP(spi=0xe4cd0758,seq=0x5f), length 180
21:10:01.627156 IP 194.125.35.110.10001 > 10.10.1.57.4500: UDP-encap: ESP(spi=0xe4cd0758,seq=0x60), length 180
21:10:02.627647 IP 194.125.35.110.10001 > 10.10.1.57.4500: UDP-encap: ESP(spi=0xe4cd0758,seq=0x61), length 180
21:10:03.630092 IP 194.125.35.110.10001 > 10.10.1.57.4500: UDP-encap: ESP(spi=0xe4cd0758,seq=0x62), length 180
21:10:03.709360 IP 194.125.35.110.10001 > 10.10.1.57.4500: isakmp-nat-keep-alive
21:10:03.711540 IP 194.125.35.110.10001 > 10.10.1.57.4500: isakmp-nat-keep-alive
21:10:04.630602 IP 194.125.35.110.10001 > 10.10.1.57.4500: UDP-encap: ESP(spi=0xe4cd0758,seq=0x63), length 180
21:10:05.633054 IP 194.125.35.110.10001 > 10.10.1.57.4500: UDP-encap: ESP(spi=0xe4cd0758,seq=0x64), length 116
21:10:06.636862 IP 194.125.35.110.10001 > 10.10.1.57.4500: UDP-encap: ESP(spi=0xe4cd0758,seq=0x65), length 116
21:10:07.637026 IP 194.125.35.110.10001 > 10.10.1.57.4500: UDP-encap: ESP(spi=0xe4cd0758,seq=0x66), length 116
21:10:08.640782 IP 194.125.35.110.10001 > 10.10.1.57.4500: UDP-encap: ESP(spi=0xe4cd0758,seq=0x67), length 116
21:10:09.639813 IP 194.125.35.110.10001 > 10.10.1.57.4500: UDP-encap: ESP(spi=0xe4cd0758,seq=0x68), length 116
route on the vpn server:
0.0.0.0 via 10.10.1.240 dev eth1
10.9.181.32/29 via 10.10.1.3 dev eth1
172.23.233.0/24 via 10.10.1.3 dev eth1
10.9.32.0/24 via 10.10.1.66 dev eth1
10.10.0.0/16 dev eth1 proto kernel scope link src 10.10.1.57
10.11.0.0/16 via 10.10.1.3 dev eth1
10.9.0.0/16 via 10.10.1.3 dev eth1
default via 10.10.1.240 dev eth1
One thing I notice is that when I am connected via windows xp, there an explicit route back to the remote peer in ip route list, there is none when I try with linux which I think might be the source of the issue.
This same configuration works very well for windows xp/2k.
Linux client details are: Openswan v2.4.9/xl2tpd v1.1.11 [Linux Openswan U2.4.9/K2.6.20-16-generic (netkey)]
Apologies for the long email, I thought if I provide enough info at the beginning it will save requests for more down the troubleshooting line.
Rgds,
Gbenga
___________________________________________________________
Want ideas for reducing your carbon footprint? Visit Yahoo! For Good http://uk.promotions.yahoo.com/forgood/environment.html
More information about the Users
mailing list