[Openswan Users] Unable to connect to Openswan/L2TP from Sprint Wireless Broadband

Roberto C. Sánchez roberto at connexer.com
Sun Mar 2 19:12:44 EST 2008

So, I recently acquired a Sprint Wireless Broadband card (the Novatel
Ovation U727; a nice small USB device).  The setup:

server: Debian Etch; Linux 2.6.18; Openswan; xl2tpd
client: Mac OS X Tiger

The client (my laptop) is able to connect to the VPN from everywhere
except over the Sprint network.  I tried to do some troubleshooting, but I
am not sure of the results.  Basically, it looks like the VPN server's
return packets are not making it to the laptop.

The IP addresses are like this:

<- my VPN server
<- Sprint address assigned to my laptop (no NAT, that is the address
assigned to the ppp0 interface)

Here is the tcpdump output from the VPN server as the laptop tries to
connect and fails:

15:54:10.973291 IP > ESP(spi=0xb730f9c8,seq=0x31), length 116
15:54:10.973957 IP >  l2tp:[TLS](16/0)Ns=0,Nr=1 ZLB
(repeated several times with increasing sequence numbers)
15:54:15.989662 IP > isakmp: phase 2/others I inf[E]
15:54:15.991480 IP > isakmp: phase 2/others R inf[E]
15:54:19.330664 IP >  l2tp:[TLS](16/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
15:54:19.492722 IP > ICMP udp port 49284 unreachable, length 36
15:54:20.334738 IP >  l2tp:[TLS](16/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
15:54:20.477902 IP > ICMP udp port 49284 unreachable, length 36

Of course, there is lots more output, but it is all repetitive.

At the same time as that was happening, I was running tcpdump on my
laptop.  Here is what I am seeing there:

15:54:11.421295 IP >  l2tp:[TLS](16/0)Ns=0,Nr=1 ZLB
15:54:11.482267 IP >  l2tp:[TLS](16/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(29218) *RESULT_CODE(1/0 Timeout)
15:54:12.230883 IP > ESP(spi=0xb730f9c8,seq=0x34), length 116
15:54:13.231118 IP > ESP(spi=0xb730f9c8,seq=0x35), length 116
15:54:14.237649 IP > isakmp: phase 2/others I inf[E]
15:54:14.237838 IP > isakmp: phase 2/others I inf[E]
15:54:14.804443 IP >  l2tp:[TLS](16/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() *FIRM_VER(1680) |...
15:54:14.804502 IP > ICMP udp port 49284 unreachable, length 36
15:54:14.805366 IP >  l2tp:[TLS](16/0)Ns=0,Nr=1 ZLB
15:54:14.805417 IP > ICMP udp port 49284 unreachable, length 36
15:54:15.809458 IP >  l2tp:[TLS](16/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() *FIRM_VER(1680) |...
15:54:15.809515 IP > ICMP udp port 49284 unreachable, length 36

Now, the best I can tell is that the VPN server cannot reach the laptop
on UDP port 49284.  However, the tcpdump output from the laptop shows
that it is sending back ICMP port unreachable.  I am able to connect to
the VPN either after having dialed in to my ISP's backup dialup account
or by connecting to a wireless network outside my own network and
initiating the connection to the VPN from there.  However, when
connected to the Sprint broadband network, the VPN fails to establish
the connection.

That leaves me with possible problems, as best I can tell:

 1. My laptop is somehow filtering those packets
 2. Sprint is filtering those packets

I find 1 to be unlikely since the laptop can connect just fine to the
VPN from lots of other places.  I find 2 to be more likely, but I am not
sure if that is actually the cause, nor how to fix it.

If anyone could point me to some way to fix this, I would appreciate it.
Naturally, Sprint's customer service is completely useless on this.

Roberto C. Sánchez
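As an added example (not part of the original post), a small Python script that parses the laptop-side capture quoted above, pairs each L2TP control message with the ICMP port unreachable the laptop emits right after it, and checks whether the laptop had already sent its StopCCN (Timeout) before the server's SCCRP arrived. The capture is embedded as a constructed sample; the address-free line shape is assumed from the post, and the 10 ms pairing window is an assumption.

```python
import re

# Constructed sample: the laptop-side tcpdump lines quoted in the post (IPs stripped).
LAPTOP_CAPTURE = """\
15:54:11.421295 IP >  l2tp:[TLS](16/0)Ns=0,Nr=1 ZLB
15:54:11.482267 IP >  l2tp:[TLS](16/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(29218) *RESULT_CODE(1/0 Timeout)
15:54:14.804443 IP >  l2tp:[TLS](16/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() *FIRM_VER(1680) |...
15:54:14.804502 IP > ICMP udp port 49284 unreachable, length 36
15:54:14.805366 IP >  l2tp:[TLS](16/0)Ns=0,Nr=1 ZLB
15:54:14.805417 IP > ICMP udp port 49284 unreachable, length 36
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP\s*>\s*(.*)$")
MSGTYPE_RE = re.compile(r"\*MSGTYPE\((\w+)\)")
ICMP_RE = re.compile(r"ICMP udp port (\d+) unreachable")

def parse_events(capture):
    """Return (seconds, kind, detail) for L2TP control and ICMP unreachable lines."""
    events = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s, rest = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        if rest.startswith("l2tp:"):
            mt = MSGTYPE_RE.search(rest)  # ZLB acks carry no MSGTYPE AVP
            events.append((t, "l2tp", mt.group(1) if mt else "ZLB"))
        elif (icmp := ICMP_RE.search(rest)):
            events.append((t, "icmp_unreach", int(icmp.group(1))))
    return events

def diagnose(capture, window=0.01):
    """Pair each L2TP message with an ICMP unreachable sent within `window` s of it;
    flag whether this host had already sent StopCCN before the first such pair."""
    events = parse_events(capture)
    stopccn_at = next((t for t, k, d in events if k == "l2tp" and d == "StopCCN"), None)
    rejected, ports = [], set()
    for i, (t, kind, detail) in enumerate(events):
        if kind != "l2tp":
            continue
        for t2, k2, d2 in events[i + 1:]:
            if t2 - t > window:
                break
            if k2 == "icmp_unreach":
                rejected.append((detail, t, round(t2 - t, 6)))
                ports.add(d2)
                break
    closed_first = bool(rejected) and stopccn_at is not None and stopccn_at < rejected[0][1]
    return {"rejected": [(d, dt) for d, _, dt in rejected],
            "ports": sorted(ports), "client_closed_before_reply": closed_first}
```

When `client_closed_before_reply` is true, the unreachables come from the laptop's own L2TP socket having already been torn down on timeout, which points at reply latency or loss on the path rather than a server-side filter.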