[Openswan Users] L2TP problem... I think
Andrew Tolboe
tolboe at reaction-eng.com
Sun Mar 2 14:45:16 EST 2008
Jacco de Leeuw wrote:
> Andrew Tolboe wrote:
>
>
>> addresses), so I'm outside the firewall but still within our public IP
>> address subnet. But as soon as I go farther than that (like at home)
>> the VPN stops working.
>>
>
>
>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>>
>
>
>> [lns default]
>> ip range = 192.168.0.248 - 192.168.0.254
>>
>
> You have to exclude your internal subnet, something like this:
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.0.0/24
>
> What is the DUNS error code that the client reports? Do you require
> MPPE encryption or MPPC compression?
>
> Jacco
>
OK, I added virtual_private to ipsec.conf, but there is still no difference in
behavior.
OK, here is the order of events as I see them happen.
First, the DUN connects without any errors (sends IPsec key and user/pass).
I get the correct IP address/DNS/WINS/subnet/gateway, etc.
Here is a printout of that:
PPP adapter vpn:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.248
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 192.168.0.248
DNS Servers . . . . . . . . . . . : 192.168.0.6
192.168.0.5
Primary WINS Server . . . . . . . : 192.168.0.6
Secondary WINS Server . . . . . . : 192.168.0.6
However, if I look at the sent/received packets on the client, the sent
count continues to grow but the received count does not (it usually stays around
297 or so while the sent count grows to around 10,000).
Then, if I watch the IPsec server logs, I see this error show up within a
minute of being connected:
Mar 2 12:17:48 firewall pluto[28954]: ERROR: asynchronous network error report on br0 (sport=4500) for message to 155.97.239.238 port 4500, complainant ***.***.103.174: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Then the client disconnects (without an error, but I assume it's some sort
of timeout error) and I lose the connection.
Another test that I tried is pinging the client. I can ping the client's
IP before and after the attempted connection, but during it I get "no route
to host" (unless I'm on my public IP space), and I think it's because of
something that gets added to my route tables.
lre-east-2-238. * 255.255.255.255 UH 0 0 0 br0 <-- Is this right? The lre-east bit is the client rdns
192.168.0.248 * 255.255.255.255 UH 0 0 0 ppp0 <-- This looks ok
But I have no idea why that route is getting added or how to stop it
from getting added when the ppp0 connection comes up.
Thanks for your time
-Andrew T.
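The virtual_private exclusion Jacco suggests and the xl2tpd "ip range" pool from the [lns default] section can be checked against each other before restarting anything. The script below is an added example written for this thread; it is not code from the post or from Openswan. Its parsing of the %v4:/%v4:! tokens and the rule it enforces (a local LAN prefix that falls inside an allowed virtual_private range must also appear as an exclusion, and the L2TP pool must lie inside one of the local prefixes) are my reading of the advice above, not a statement of what pluto itself validates. The sample values are the ones quoted in the thread.

```python
import ipaddress


def parse_virtual_private(value):
    """Split an Openswan virtual_private value into allowed and excluded networks.

    Tokens look like %v4:10.0.0.0/8 (allowed) or %v4:!192.168.0.0/24 (excluded).
    Parsing rule is an assumption based on the syntax shown in the thread.
    """
    allowed, excluded = [], []
    for tok in value.split(","):
        tok = tok.strip()
        if not tok:
            continue
        fam, sep, net = tok.partition(":")
        if not sep or fam not in ("%v4", "%v6"):
            raise ValueError("unexpected virtual_private token: %r" % tok)
        if net.startswith("!"):
            excluded.append(ipaddress.ip_network(net[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(net, strict=False))
    return allowed, excluded


def check_virtual_private(value, local_subnets, l2tp_pool):
    """Return a list of problems found; an empty list means the setting is consistent.

    local_subnets: the server's own LAN prefixes, as strings.
    l2tp_pool: (first, last) address strings, as in the xl2tpd 'ip range' line.
    The two rules below are assumptions drawn from the advice in the thread.
    """
    allowed, excluded = parse_virtual_private(value)
    problems = []
    locals_ = [ipaddress.ip_network(s, strict=False) for s in local_subnets]

    # Rule 1: a LAN prefix that sits inside an allowed range must be excluded,
    # otherwise a road warrior can claim the server's own LAN as its subnet.
    for local in locals_:
        overlapping = [a for a in allowed if a.overlaps(local)]
        if overlapping and not any(local.subnet_of(e) for e in excluded):
            problems.append(
                "local subnet %s lies inside allowed range %s but is not excluded "
                "(add %%v4:!%s)" % (local, overlapping[0], local))

    # Rule 2: the addresses handed to L2TP clients should come from a LAN prefix.
    first, last = (ipaddress.ip_address(a) for a in l2tp_pool)
    if first > last:
        problems.append("L2TP pool %s-%s is reversed" % (first, last))
    elif not any(first in loc and last in loc for loc in locals_):
        problems.append("L2TP pool %s-%s is not inside any local subnet" % (first, last))
    return problems


# Constructed inputs using the values quoted in the thread.
ORIGINAL = "%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12"
FIXED = ORIGINAL + ",%v4:!192.168.0.0/24"
LAN = ["192.168.0.0/24"]
POOL = ("192.168.0.248", "192.168.0.254")

if __name__ == "__main__":
    for label, value in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, check_virtual_private(value, LAN, POOL) or "OK")
```

Run it with the virtual_private line from your ipsec.conf and the ip range from xl2tpd.conf; the "original" value reports the missing exclusion and the "fixed" value comes back clean. It does not explain the ICMP "No route to host" error or the host route on br0, which are a separate routing question.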