[Openswan Users] xl2tpd timeouts over openswan ipsec
Tuomo Soini
tis at foobar.fi
Thu Aug 21 02:33:40 EDT 2008
Rob Emanuele wrote:
| Greetings,
|
| I'm running Fedora 9 with openswan and xl2tpd as a VPN server. My
| ipsec transport comes up fine but xl2tpd times out.
|
| I see some questions about this online but no firm solutions. The
| only solution I've seen talks about setting leftnexthop which errors
| out if set to %defaultroute.
If you are using openswan from Fedora 9 that's normal, because Fedora has
a patch which totally removes support for %defaultroute with netkey. But I
can see some other problems with your config.
| config setup
| # Debug-logging controls: "none" for (almost) none, "all" for
| lots.
| # klipsdebug=none
| #plutodebug="control parsing"
| # For Red Hat Enterprise Linux and Fedora, leave
| protostack=netkey
| protostack=netkey
| nat_traversal=yes
|
| virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
| uniqueids=yes
|
| conn %default
| keyingtries=1
| compress=yes
| disablearrivalcheck=no
| authby=secret
| pfs=no
|
compress=yes doesn't work with Windows... That makes it impossible to
communicate with road warriors. The default setting, compress=no, is the only
valid option here.
| conn roadwarrior-l2tp
| pfs=no
| leftprotoport=17/0
| rightprotoport=17/1701
| also=roadwarrior
|
| conn macintosh-l2tp
| pfs=no
| leftprotoport=17/1701
| rightprotoport=17/%any
| also=roadwarrior
I think this must be rightprotoport=17/0
| conn roadwarrior
| left=66.66.66.66
| right=%any
| rightsubnet=vhost:%priv,%no
| auto=add
| type=transport
vhost:%priv,%no doesn't seem to work for me. It's a bug; the work-around is:
conn roadwarriornat
left=66.66.66.66
right=%any
rightsubnet=vhost:%priv
auto=add
type=transport
conn roadwarrior
left=66.66.66.66
right=%any
rightsubnet=vhost:%no
auto=add
type=transport
| ===============xl2tpd=========
|
| [global]
| debug tunnel = yes
| debug network = yes
listen-addr = 66.66.66.66   <- This might help if xl2tpd is using the wrong IP
for the answer.
| [lns default]
| ip range = 192.168.113.150-192.168.201.175
| local ip = 192.168.113.253
| require chap = yes
| refuse pap = yes
| require authentication = yes
| name = LinuxVPNserver
| ppp debug = yes
| pppoptfile = /etc/ppp/options.xl2tpd
| length bit = yes
--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
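An added example, not part of the mailing-list message above: a small checker that parses an ipsec.conf in the layout shown in the thread (section headers at column 0, indented key=value lines) and flags the three problems the reply points out, plus a helper that produces the two-conn vhost work-around. The sample config embedded below is constructed from the thread's snippets; the function names are this example's own.

```python
"""Linter for the ipsec.conf issues discussed in the thread (example code)."""

# Constructed sample, assembled from the config fragments quoted in the thread.
SAMPLE = """\
config setup
    protostack=netkey
    nat_traversal=yes
conn %default
    compress=yes
    authby=secret
conn macintosh-l2tp
    leftprotoport=17/1701
    rightprotoport=17/%any
    also=roadwarrior
conn roadwarrior
    left=66.66.66.66
    right=%any
    rightsubnet=vhost:%priv,%no
    type=transport
"""

def parse_sections(text):
    """Return {'conn name': {key: value}} from ipsec.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():               # unindented line = section header
            current = line.strip()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def lint(text):
    """Return (section, message) findings matching the advice in the reply."""
    findings = []
    for name, kv in parse_sections(text).items():
        if kv.get("compress") == "yes":
            findings.append((name, "compress=yes breaks Windows clients; use compress=no"))
        if kv.get("rightprotoport") == "17/%any":
            findings.append((name, "rightprotoport=17/%any; the reply suggests 17/0"))
        if kv.get("rightsubnet") == "vhost:%priv,%no":
            findings.append((name, "vhost:%priv,%no misbehaves; split into two conns"))
    return findings

def split_vhost_conn(name, kv):
    """Work-around from the reply: one conn with vhost:%priv, one with vhost:%no."""
    return {name + "nat": dict(kv, rightsubnet="vhost:%priv"),
            name: dict(kv, rightsubnet="vhost:%no")}
```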