[Openswan Users] Unable to connect to Openswan/L2TP from Sprint Wireless Broadband

Roberto C. Sánchez roberto at connexer.com
Sun Mar 2 19:12:44 EST 2008


So, I recently acquired a Sprint Wireless Broadband card (the Novatel
Ovation U727; a nice small USB device).  The setup:

server: Debian Etch; Linux 2.6.18; Openswan; xl2tpd
client: Mac OS X Tiger

The client (my laptop) is able to connect to the VPN from everywhere
except over the Sprint network.  I tried some troubleshooting, but I
am not sure of the results.  Basically, it looks like the VPN server's
return packets are not making it to the laptop.

The IP addresses are like this:

66.93.22.254 <- my VPN server
68.29.218.126 <- Sprint address assigned to my laptop (no NAT, that is
the address assigned to the ppp0 interface)

Here is the tcpdump output from the VPN server as the laptop tries to
connect and fails:

15:54:10.973291 IP 68.29.218.126 > 66.93.22.254: ESP(spi=0xb730f9c8,seq=0x31), length 116
15:54:10.973957 IP 66.93.22.254.1701 > 68.29.218.126.49284:  l2tp:[TLS](16/0)Ns=0,Nr=1 ZLB
(repeated several times with increasing sequence numbers)
15:54:15.989662 IP 68.29.218.126.500 > 66.93.22.254.500: isakmp: phase 2/others I inf[E]
15:54:15.991480 IP 66.93.22.254.500 > 68.29.218.126.500: isakmp: phase 2/others R inf[E]
15:54:19.330664 IP 66.93.22.254.1701 > 68.29.218.126.49284:  l2tp:[TLS](16/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
15:54:19.492722 IP 68.29.218.126 > 66.93.22.254: ICMP 68.29.218.126 udp port 49284 unreachable, length 36
15:54:20.334738 IP 66.93.22.254.1701 > 68.29.218.126.49284:  l2tp:[TLS](16/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
15:54:20.477902 IP 68.29.218.126 > 66.93.22.254: ICMP 68.29.218.126 udp port 49284 unreachable, length 36

Of course, there is lots more output, but it is all repetitive.

At the same time as that was happening, I was running tcpdump on my
laptop.  Here is what I am seeing there:

15:54:11.421295 IP 66.93.22.254.1701 > 68.29.218.126.49284:  l2tp:[TLS](16/0)Ns=0,Nr=1 ZLB
15:54:11.482267 IP 66.93.22.254.1701 > 68.29.218.126.49284:  l2tp:[TLS](16/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(29218) *RESULT_CODE(1/0 Timeout)
15:54:12.230883 IP 68.29.218.126 > 66.93.22.254: ESP(spi=0xb730f9c8,seq=0x34), length 116
15:54:13.231118 IP 68.29.218.126 > 66.93.22.254: ESP(spi=0xb730f9c8,seq=0x35), length 116
15:54:14.237649 IP 68.29.218.126.500 > 66.93.22.254.500: isakmp: phase 2/others I inf[E]
15:54:14.237838 IP 68.29.218.126.500 > 66.93.22.254.500: isakmp: phase 2/others I inf[E]
15:54:14.804443 IP 66.93.22.254.1701 > 68.29.218.126.49284:  l2tp:[TLS](16/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() *FIRM_VER(1680) |...
15:54:14.804502 IP 68.29.218.126 > 66.93.22.254: ICMP 68.29.218.126 udp port 49284 unreachable, length 36
15:54:14.805366 IP 66.93.22.254.1701 > 68.29.218.126.49284:  l2tp:[TLS](16/0)Ns=0,Nr=1 ZLB
15:54:14.805417 IP 68.29.218.126 > 66.93.22.254: ICMP 68.29.218.126 udp port 49284 unreachable, length 36
15:54:15.809458 IP 66.93.22.254.1701 > 68.29.218.126.49284:  l2tp:[TLS](16/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() *FIRM_VER(1680) |...
15:54:15.809515 IP 68.29.218.126 > 66.93.22.254: ICMP 68.29.218.126 udp port 49284 unreachable, length 36

Now, the best I can tell is that the VPN server cannot reach the laptop
on UDP port 49284.  However, the tcpdump output from the laptop shows
that it is sending back ICMP port unreachable.  I am able to connect to
the VPN either after having dialed in to my ISP's backup dialup account
or by connecting to a wireless network outside my own network and
initiating the connection to the VPN from there.  However, when
connected to the Sprint broadband network, the VPN fails to establish
the connection.

That leaves me with possible problems, as best I can tell:

 1. My laptop is somehow filtering those packets
 2. Sprint is filtering those packets

I find 1 to be unlikely since the laptop can connect just fine to the
VPN from lots of other places.  I find 2 to be more likely, but I am not
sure if that is actually the cause, nor how to fix it.

If anyone could point me to some way to fix this, I would appreciate it.
Naturally, Sprint's customer service is completely useless on this
matter.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
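As an added example, not part of the original post or of Openswan/xl2tpd: a small Python script that parses tcpdump lines in the format shown above and, for each UDP destination that drew "udp port unreachable", reports whether the ICMP came from the destination host itself (its own stack answering, so the packet did arrive) or from an intermediate hop (dropped in transit). The sample lines are copied from the post; the single line mentioning 192.0.2.1 is a constructed placeholder for an intermediate router and is not from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines taken from the laptop-side tcpdump above, plus one
# constructed line (192.0.2.1 is a placeholder router, not from the post).
SAMPLE = """\
15:54:11.421295 IP 66.93.22.254.1701 > 68.29.218.126.49284:  l2tp:[TLS](16/0)Ns=0,Nr=1 ZLB
15:54:11.482267 IP 66.93.22.254.1701 > 68.29.218.126.49284:  l2tp:[TLS](16/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(29218) *RESULT_CODE(1/0 Timeout)
15:54:12.230883 IP 68.29.218.126 > 66.93.22.254: ESP(spi=0xb730f9c8,seq=0x34), length 116
15:54:14.804443 IP 66.93.22.254.1701 > 68.29.218.126.49284:  l2tp:[TLS](16/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) |...
15:54:14.804502 IP 68.29.218.126 > 66.93.22.254: ICMP 68.29.218.126 udp port 49284 unreachable, length 36
15:54:16.000000 IP 192.0.2.1 > 66.93.22.254: ICMP 68.29.218.126 udp port 49285 unreachable, length 36
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
L2TP_RE = re.compile(rf"^(\S+) IP {IP}\.(\d+) > {IP}\.(\d+):\s+l2tp:(.*)$")
ICMP_RE = re.compile(rf"^(\S+) IP {IP} > {IP}: ICMP {IP} udp port (\d+) unreachable")
ESP_RE = re.compile(rf"^(\S+) IP {IP} > {IP}: ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)")
MSGTYPE_RE = re.compile(r"\*MSGTYPE\((\w+)\)")


def analyze(text):
    esp = Counter()            # (src, dst) -> ESP packets seen in that direction
    l2tp = defaultdict(list)   # (dst, dport) -> L2TP control message types sent there
    icmp = defaultdict(list)   # (dst, dport) -> hosts that reported it unreachable
    for line in text.splitlines():
        if m := ESP_RE.match(line):
            esp[(m.group(2), m.group(3))] += 1
        elif m := L2TP_RE.match(line):
            mt = MSGTYPE_RE.search(m.group(6))
            l2tp[(m.group(4), int(m.group(5)))].append(mt.group(1) if mt else "ZLB")
        elif m := ICMP_RE.match(line):
            # group(2) is the ICMP sender; group(4)/(5) the host:port it declares unreachable
            icmp[(m.group(4), int(m.group(5)))].append(m.group(2))
    verdicts = {}
    for (host, port), reporters in icmp.items():
        others = sorted(set(reporters) - {host})
        if not others:   # only the destination itself answered: packet arrived, nothing listened
            verdicts[(host, port)] = "rejected by destination host itself"
        else:            # some hop before the destination answered: dropped in transit
            verdicts[(host, port)] = "rejected in transit by " + ", ".join(others)
    return {"esp": dict(esp), "l2tp": dict(l2tp), "verdicts": verdicts}


if __name__ == "__main__":
    for k, v in analyze(SAMPLE)["verdicts"].items():
        print(f"{k[0]}:{k[1]} -> {v}")
```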