[Openswan Users] Cannot make openswan working...

Andriy Lesyuk s-andy at in.if.ua
Thu May 1 14:50:33 EDT 2008

>> Okay, the problem seems to be solved... partially! I added
>> leftnexthop=x2.x2.x2.x2 The server network interfaces are: eth0:
>> x2.x2.x2.x2 - external interface with real IP
> I still don't understand your setup. The server has a leftnexthop
> to its own network interface?
Actually, yes... Is this not good? I do not understand well what 
leftnexthop is for, since I'm new to Openswan...

Let me describe my server in detail once again (real "world" IP 
addresses are replaced for privacy):

eth0: (net; external gw
eth1: (net
eth1:0-2 (virtual interfaces): (; 
( and (
ipsec0 (=eth1): (net

eth0 is the external interface connected to our ISP. eth1 is the internal 
interface, which has real-world IP addresses.

Openswan listens to L2TP server also listens to

What value should leftnexthop have? I don't know which it should be, but 
with the current value ( IPSec works just fine.
> What is it exactly that you want to achieve? Allow VPN users in
> from the Internet to the internal network? Allow VPN users on
> the internal (possibly untrusted such as wireless?) network out
> to the Internet?
Ideally I want both... But currently I want to have VPN for external 
(from Internet) users.
>> eth1: x.x.x.x - internal interface with real IP and networks:
> The internal interface has a real world IP address?
Right! From the config above.
>> Packets arriving to L2TPd server on ipsec0 visually go from client's router
>> real IP (y.y.y.y) and port 1701 and go to x.x.x.x:1701. They are leaving
>> the server from interface eth0. I can understand why they do...
> L2TP packets should not leave the server unencrypted unless you
> explicitly forward them to some other L2TP server (which is rare).
I do know this... But they do.

As I understand it, L2TP packets go to the server through IPSec. There they 
are decrypted and transferred to the L2TP server through the ipsec0 interface 
(and I do see them there).

The problem is that they (the response, actually) are leaving the server 
from eth0. This is actually correct, because the default route points to (that is, to interface eth0), and therefore (I guess) they 
are not encrypted. They should be leaving the server from ipsec0, right?

Here is tcpdump:

Packets arriving at ipsec0:

1:33:57.905681 IP >  
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) 
*BEARER_CAP() |...
21:33:58.920239 IP >  
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) 
*BEARER_CAP() |...
21:34:00.908124 IP >  
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) 
*BEARER_CAP() |...

Packets leaving from eth0:

21:33:57.906384 IP >  
l2tp:[TLS](51/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) 
21:33:58.912664 IP >  
l2tp:[TLS](51/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) 
21:33:58.920973 IP >  
l2tp:[TLS](51/0)Ns=0,Nr=1 ZLB
21:33:59.920664 IP >  
l2tp:[TLS](51/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) 
21:34:00.908905 IP >  
l2tp:[TLS](51/0)Ns=0,Nr=1 ZLB
21:34:00.928642 IP >  
l2tp:[TLS](51/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) 
21:34:01.936666 IP >  
l2tp:[TLS](51/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) 
21:34:02.944765 IP >  
l2tp:[TLS](51/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(36263) 
*RESULT_CODE(1/0 Timeout)
21:34:03.952657 IP >  
l2tp:[TLS](51/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(36263) 
*RESULT_CODE(1/0 Timeout)
21:34:04.922763 IP >  
l2tp:[TLS](51/0)Ns=0,Nr=1 ZLB

Currently I am thinking about playing with iproute/iptables to make the packets 
leave from ipsec0 (changing the route for them)...
>> PPTP (as an alternative to IPSec/L2TP) can be used in local network for
>> providing Internet access (like PPPoE). In this case the client connects
>> from the zone which is actually used on the server. So I wonder if
>> IPSec/L2TP can be used as VPN over Ethernet
> I don't know what you mean exactly, but L2TP/IPsec can do the same
> things as PPTP.
Actually here I was wondering if it is possible to have the following:

VPN client (eg,, that is eth1) -> VPN server (, 
also eth1)
In this case the client would get some special IP (eg, 
through L2TP/PPP and would be able to use the Internet through this new 
channel. It seems this is possible.

Here are my updated configs:
version 2.0

config setup

conn nung-server

# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
listen-addr =
port = 1701
auth file = /etc/l2tpd/l2tp-secrets
rand source = dev

[lns default]
exclusive = no
ip range =
local ip =
require chap = yes
refuse pap = yes
require authentication = yes
name = base.domain
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

I guess there is no problem with Openswan/IPSec for now... Currently I 
have a problem with L2TP...
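The poster's tcpdump output shows the failure pattern directly: SCCRQ arrives on ipsec0, but the SCCRP and ZLB replies leave on eth0, and the tunnel is then torn down with a StopCCN carrying a Timeout result code because the client never saw an encrypted reply. The script below is an added illustration; it is not part of the original post and is not Openswan or l2tpd code. It parses tcpdump's l2tp decoder output per interface and flags any L2TP control record seen on an interface other than the IPsec one, which is precisely the "L2TP leaving the host in the clear" condition the thread is about, and it also reports StopCCN/Timeout records so the consequence is visible in the same report. The sample capture is constructed: RFC 5737 documentation addresses stand in for the scrubbed real ones, and the interface names, `parse_l2tp_line` and `audit_capture` are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample, modelled on tcpdump's l2tp decoder output. Addresses are
# documentation ranges (203.0.113.0/24 client, 192.0.2.0/24 server), not real hosts.
SAMPLE_CAPTURE = {
    "ipsec0": [
        "21:33:57.905681 IP 203.0.113.7.1701 > 192.0.2.10.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 "
        "*MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...",
        "21:33:58.920239 IP 203.0.113.7.1701 > 192.0.2.10.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 "
        "*MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...",
    ],
    "eth0": [
        "21:33:57.906384 IP 192.0.2.10.1701 > 203.0.113.7.1701: l2tp:[TLS](51/0)Ns=0,Nr=1 "
        "*MSGTYPE(SCCRP) *PROTO_VER(1.0)",
        "21:33:58.920973 IP 192.0.2.10.1701 > 203.0.113.7.1701: l2tp:[TLS](51/0)Ns=0,Nr=1 ZLB",
        "21:34:02.944765 IP 192.0.2.10.1701 > 203.0.113.7.1701: l2tp:[TLS](51/0)Ns=1,Nr=1 "
        "*MSGTYPE(StopCCN) *ASSND_TUN_ID(36263) *RESULT_CODE(1/0 Timeout)",
    ],
}

# "<time> IP <src>.<sport> > <dst>.<dport>: l2tp:[<flags>](<tunnel>/<session>)Ns=<n>,Nr=<n> <AVPs>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): l2tp:\[(?P<flags>[^\]]*)\]"
    r"\((?P<tid>\d+)/(?P<sid>\d+)\)Ns=(?P<ns>\d+),Nr=(?P<nr>\d+)\s*(?P<rest>.*)$"
)
MSGTYPE_RE = re.compile(r"\*MSGTYPE\((\w+)\)")
RESULT_RE = re.compile(r"\*RESULT_CODE\((\d+)/(\d+)(?: ([^)]*))?\)")


def parse_l2tp_line(line):
    """Parse one tcpdump l2tp line into a dict; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    mt = MSGTYPE_RE.search(rest)
    if mt:
        rec["msgtype"] = mt.group(1)
    elif rest.startswith("ZLB"):
        rec["msgtype"] = "ZLB"          # zero-length body: a bare acknowledgement
    else:
        rec["msgtype"] = "UNKNOWN"
    rc = RESULT_RE.search(rest)
    rec["result"] = (rc.group(3) or "") if rc else None
    return rec


def audit_capture(capture, ipsec_ifaces=("ipsec0",)):
    """Audit per-interface tcpdump output for L2TP that bypasses the IPsec interface.

    L2TP carried over IPsec must enter and leave through the IPsec interface;
    any L2TP record on another interface is traffic leaving the host unencrypted.
    Returns cleartext findings, StopCCN/Timeout records, and per-interface counts.
    """
    findings = {"cleartext": [], "timeouts": [], "by_iface": {}}
    for iface, lines in capture.items():
        counts = Counter()
        for line in lines:
            rec = parse_l2tp_line(line)
            if rec is None:
                continue
            counts[rec["msgtype"]] += 1
            if iface not in ipsec_ifaces:
                findings["cleartext"].append(
                    (iface, rec["ts"], rec["msgtype"], rec["src"], rec["dst"]))
            if rec["msgtype"] == "StopCCN" and rec["result"] and "Timeout" in rec["result"]:
                findings["timeouts"].append((iface, rec["ts"], rec["tid"]))
        findings["by_iface"][iface] = counts
    return findings


if __name__ == "__main__":
    report = audit_capture(SAMPLE_CAPTURE)
    for iface, counts in report["by_iface"].items():
        print(f"{iface}: {dict(counts)}")
    for iface, ts, msgtype, src, dst in report["cleartext"]:
        print(f"CLEARTEXT L2TP on {iface} at {ts}: {msgtype} {src} -> {dst}")
    for iface, ts, tid in report["timeouts"]:
        print(f"Tunnel {tid} torn down with Timeout on {iface} at {ts}")
```

Run it against real output by capturing each interface separately (for example `tcpdump -ni eth0 udp port 1701` and the same on ipsec0) and feeding the lines in per interface; an empty `cleartext` list and no `timeouts` is the state to expect once replies are routed back through the IPsec interface.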
