[Openswan Users] ipsec/l2tp gateway to the private net, packets come in on ipsec1 interface and come out on ipsec0, but everything works ok!

Mikhail Yu. Kononets mkononets at gmail.com
Tue Jun 10 13:18:53 EDT 2008


Paul Wouters wrote:
> 
>> when i connected to the gateway from the public net both iptraf and 
>> iptables reported that l2tp packets arrived on ipsec0 interface, and 
>> went out on ipsec1, but the connection worked very well at the same 
>> time! I watched nothing special in the logs.
> 
>> two interfaces: eth0 - private, eth1 - public.
>> from ipsec.conf:
>> conn settings
>> 	intefaces="ipsec0=eth0 ipsec1=eth1"
>>
>> when i changed interfaces to
>> 	intefaces="ipsec0=eth1"
>> or to
>> 	intefaces="ipsec0=eth1 ipsec1=eth0"
> 
> Do you run ipsec on the private interface? if not, then you should just
> use interfaces="ipsec0=eth1"
Yes, I run ipsec on the private interface too, for testing.

> 
>> l2tp traffic went as necessary, that is, l2tp packets came in and went 
>> out on the same interface ipsec0. when i changed back to "ipsec0=eth0 
>> ipsec1=eth1" packets were reported by iptables again as coming in and 
>> out on different ipsec interfaces.
> 
> I don't understand this. Do you have funky routing?
As you could suppose, I don't understand it as well. I noticed it 
completely accidentally when watching the traffic of a well-working 
l2tp/ipsec connection. L2tp packets from outside were reported by 
iptables and iptraf as arriving on ipsec0 (nonsense, it is private in my 
case!) and going out on ipsec1 (ok, it is public). I don't know what all 
of it means, because the l2tp/ipsec test connection works very well at the 
same time. When I exchange the ipsec* interfaces or remove the private one, 
packets start to go as they are supposed to, e.g. arriving and going out 
on the same corresponding interface. Here's an example of my logs 
received using the -j LOG iptables target.

When I ran "iptables -A INPUT -i ipsec0 -j LOG --log-level info" I 
watched incoming l2tp packets.

Jun  9 20:43:41 test-ipsec kernel: IN=ipsec0 OUT= MAC=00:0d:88:43:76:f5:00:15:c7:e0:18:00:08:00 SRC=83.237.252.60 DST=my.public.ip.address LEN=58 TOS=0x00 PREC=0x00 TTL=118 ID=8770 PROTO=UDP SPT=1701 DPT=1701 LEN=38
Jun  9 20:43:42 test-ipsec kernel: IN=ipsec0 OUT= MAC=00:0d:88:43:76:f5:00:15:c7:e0:18:00:08:00 SRC=83.237.252.60 DST=my.public.ip.address LEN=58 TOS=0x00 PREC=0x00 TTL=118 ID=8772 PROTO=UDP SPT=1701 DPT=1701 LEN=38

When I ran "iptables -A OUTPUT -o ipsec1 -j LOG --log-level info" I 
watched outgoing l2tp packets.

Jun  9 20:44:35 test-ipsec kernel: IN= OUT=ipsec1 SRC=my.public.ip.address DST=83.237.252.60 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1701 DPT=1701 LEN=36
Jun  9 20:44:36 test-ipsec kernel: IN= OUT=ipsec1 SRC=my.public.ip.address DST=83.237.252.60 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1701 DPT=1701 LEN=28

When I ran "iptables -A INPUT -i ipsec0 -j LOG --log-level info" I could 
see no incoming traffic on ipsec0 (as well as no outgoing traffic on the 
ipsec1 interface).

# ifconfig ipsec0
ipsec0    Link encap:Ethernet  HWaddr 00:02:44:08:7B:99
           inet addr:192.168.0.78  Mask:255.255.255.0

# ifconfig ipsec1
ipsec1    Link encap:Ethernet  HWaddr 00:0D:88:43:76:F5
           inet addr:my.public.ip.address  Mask:255.255.255.0
           UP RUNNING NOARP  MTU:16260  Metric:1

# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:02:44:08:7B:99
           inet addr:192.168.0.78  Bcast:192.168.0.255  Mask:255.255.255.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:0D:88:43:76:F5
           inet addr:my.public.ip.address  Bcast:my.public.ip.255  Mask:255.255.255.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

> Is your l2tp/ipsec
> gateway behind NAT? (eg will the packets need to come in and go out
> over the same interface? 
> but if you do why have two ethers?)
I just have two interfaces: one is public and connected to the 
internet, the other is private and connected to the private network. So 
I've got four standard routes: the loopback subnet, the private subnet, the public 
subnet and a default route. Again, no NAT at all (and no other 
iptables rules as well), just the simplest possible setup needed for an 
initial run and basic tests of an l2tp/ipsec gateway.

>> By the way, is it possible now for many roadwarriors to connect to the 
>> klips ipsec/l2tp gateway using the same PSK? 
> 
> AFAIK, it is the only way to use PSK with roadwarriors.
I understand it. I've managed to test it with netkey and several VPN 
clients connected at the same time. It just works and does not require 
any additional configuration.

>> said that single PSK could be used for many roadwarriors with the option 
>> "nouniqueids=no" in the connection definition, but i've got an error 
> 
> "uniqueids=no"
It was a mistake in my letter (not in my local files). When I put it into 
the "config setup" section, it works. I tried to put it into the "conn ..." 
section beforehand, which is why I got an error message, I suppose.

> 
> Paul


-- 
With best regards,

Mikhail Kononets

candidate of chemical sciences, research scientist
Laboratory of communicational technologies in medicine
faculty of basic medicine
M.V. Lomonosov Moscow state university
kononets at fbm.msu.ru
mkononets at gmail.com

With best regards,

Mikhail Yurievich Kononets

candidate of chemical sciences, research scientist
Laboratory of communication technologies in medicine
faculty of fundamental medicine
M.V. Lomonosov Moscow State University
kononets at fbm.msu.ru
mkononets at gmail.com
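As an added check that is not part of the original thread: a small Python script that parses iptables -j LOG lines like the ones in the message above and flags L2TP packets whose ipsec interface does not match the side (private or public) the peer address belongs to. The interface mapping (ipsec0=eth0 private, ipsec1=eth1 public), the 192.168.0.0/24 private subnet and the sample log lines are taken from the post; 203.0.113.10 and 198.51.100.7 are constructed placeholders for the public addresses.

```python
import ipaddress
import re

# Sample kernel LOG lines, constructed after the ones in the post above.
# 203.0.113.10 stands in for "my.public.ip.address" (a placeholder).
SAMPLE_LOG = """\
Jun  9 20:43:41 test-ipsec kernel: IN=ipsec0 OUT= MAC=00:0d:88:43:76:f5:00:15:c7:e0:18:00:08:00 SRC=83.237.252.60 DST=203.0.113.10 LEN=58 TOS=0x00 PREC=0x00 TTL=118 ID=8770 PROTO=UDP SPT=1701 DPT=1701 LEN=38
Jun  9 20:44:35 test-ipsec kernel: IN= OUT=ipsec1 SRC=203.0.113.10 DST=83.237.252.60 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1701 DPT=1701 LEN=36
Jun  9 20:45:01 test-ipsec kernel: IN=ipsec1 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=58 TOS=0x00 PREC=0x00 TTL=118 ID=9001 PROTO=UDP SPT=1701 DPT=1701 LEN=38
"""

# Mapping from the poster's ipsec.conf: interfaces="ipsec0=eth0 ipsec1=eth1",
# with eth0 on the private subnet and eth1 on the public one.
IPSEC_TO_ETH = {"ipsec0": "eth0", "ipsec1": "eth1"}
ETH_ROLE = {"eth0": "private", "eth1": "public"}
PRIVATE_NET = ipaddress.ip_network("192.168.0.0/24")

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Turn 'IN=ipsec0 OUT= SRC=... PROTO=UDP SPT=1701 ...' into a dict.
    The first LEN (IP total length) wins; the UDP LEN that follows is ignored."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)
    return fields


def is_l2tp(fields):
    # L2TP runs over UDP port 1701 on at least one side.
    return fields.get("PROTO") == "UDP" and "1701" in (fields.get("SPT"), fields.get("DPT"))


def find_misrouted_l2tp(log_text, ipsec_to_eth=IPSEC_TO_ETH, eth_role=ETH_ROLE, private_net=PRIVATE_NET):
    """Return (direction, ipsec_iface, peer) for each L2TP packet whose ipsec
    interface sits on a different side than the peer address it talks to."""
    anomalies = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if not is_l2tp(f):
            continue
        if f.get("IN"):
            direction, iface, peer = "in", f["IN"], f["SRC"]
        else:
            direction, iface, peer = "out", f["OUT"], f["DST"]
        if iface not in ipsec_to_eth:
            continue  # plain eth*/lo traffic, not a KLIPS virtual interface
        seen_role = eth_role[ipsec_to_eth[iface]]
        expected = "private" if ipaddress.ip_address(peer) in private_net else "public"
        if seen_role != expected:
            anomalies.append((direction, iface, peer))
    return anomalies
```

Run against the sample, the first line is flagged (inbound from a public peer on ipsec0, the private-side interface), matching the oddity described in the post; the other two are consistent.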

