[Openswan Users] ipsec/l2tp gateway to the private net, packets come in on ipsec1 interface and come out on ipsec0, but everything works ok!

Mikhail Yu. Kononets mkononets at gmail.com
Tue Jun 10 03:33:33 EDT 2008 

Hi all.

I've been setting up an l2tp/ipsec (only) gateway for windows os 
roadwarriors. Everything went ok and worked well under testing, but i've 
noticed some strange thing when watching how exactly are the packets go.

when i connected to the gateway from the public net both iptraf and 
iptables reported that l2tp packets arrived on ipsec0 interface, and 
went out on ipsec1, but the connection worked very well at the same 
time! I watched nothing special in the logs.

my test setup:
slackware 12.0
smp kernel 2.6.23.16+klips patch +mppc patch
openswan 2.4.12
xl2tpd 1.2.0
all these was built from sources.
no firewall, no nat, no special routing (just proxyarp in pppd).

two interfaces: eth0 - private, eth1 - public.
from ipsec.conf:
conn settings
	intefaces="ipsec0=eth0 ipsec1=eth1"

when i changed interfaces to
	intefaces="ipsec0=eth1"
or to
	intefaces="ipsec0=eth1 ipsec1=eth0"

l2tp traffic went as necessary, that is, l2tp packets came in and went 
out on the same interface ipsec0. when i changed back to "ipsec0=eth0 
ipsec1=eth1" packets were reported by iptables again as coming in and 
out on different ipsec interfaces.

Again, in spite of all these things, connections are successfully 
established and works without any problem.

By the way, is it possible now for many roadwarriors to connect to the 
klips ipsec/l2tp gateway using the same PSK? Some doc which i don't 
remember said that it is impossible to use single PSK for many 
roadwarriors with klips and another doc 
http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/faq.html#road.PSK 
said that single PSK could be used for many roadwarriors with the option 
"nouniqueids=no" in the connection definition, but i've got an error 
message and openswan refuses to start if i do so. Is it possible at all, 
either with klips or with netkey? Unfortunately, i cannot test it right now.

-- 
With best regards,

Mikhail Kononets

candidate of chemical sciences, research scientist
Laboratory of communicational technologies in medicine
faculty of basic medicine
M.V. Lomonosov Moscow state university
kononets at fbm.msu.ru
mkononets at gmail.com

С наилучшими пожеланиями,

Михаил Юрьевич Кононец

кандидат химических наук, научный сотрудник
Лаборатория коммуникационных технологий в медицине
факультет фундаментальной медицины
МГУ имени М. В. Ломоносова
kononets at fbm.msu.ru
mkononets at gmail.com

More information about the Users mailing list