[Openswan Users] L2TP/IPSEC over PPP: IPSEC established, no traffic over ipsec0

Eduan Basson eduan at multenet.com
Thu Nov 13 08:09:31 EST 2008


Hi all

I've been struggling to make a VPN connection over a dial-up interface 
using openswan and KLIPS. This is from openswan/xl2tpd on Linux-2.4.27 
(including the PPPOL2TP patch, I double-checked) to a Windows 2003 server.

IPSEC looks like it establishes successfully:
Nov 13 14:47:22 warn pluto[622]: "ipsec" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x35e351a7 <0x617b9d78 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}

A route is automatically added (by pluto?) to my routing table:
1.2.3.4    0.0.0.0         255.255.255.255 UH    0      0        0 ipsec0
where 1.2.3.4 used to be my VPN server IP.

My problem is that at this point I'd like to open an L2TP connection 
over the ipsec0 interface, but nothing flows across that interface!

If I ping my VPN server, a tcpdump on the client shows:
# tcpdump -i ipsec0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type LINUX_SLL (Linux cooked), capture size 68 bytes
15:00:00.451318 IP 41.7.4.57 > 196.211.225.229: icmp 64: echo request seq 9
15:00:01.452188 IP 41.7.4.57 > 196.211.225.229: icmp 64: echo request seq 10
15:00:02.453088 IP 41.7.4.57 > 196.211.225.229: icmp 64: echo request seq 11

But a windump on the NPF_GenericDialupAdapter (Windows' IPsec 
interface?) shows nothing:
C:\>windump -i1
windump: listening on \Device\NPF_GenericDialupAdapter


If I remove the route over ipsec0 and replace it with one over ppp0, 
data flows, but then this isn't over ipsec.

Unfortunately I can't do a barf, as I don't have Perl running, but I 
followed Jacco de Leeuw's instructions on this page: 
http://www.jacco2.dds.nl/networking/linux-l2tp.html. I will include all 
my iptables info, though.

Please, anyone, any ideas?

Thanks

Eduan Basson

--------------------------------------------------------------------------------------------------------
# iptables -vL
Chain INPUT (policy ACCEPT 3606 packets, 219K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     udp  --  ppp9   any     anywhere             anywhere            udp dpt:domain reject-with icmp-host-prohibited
    0     0 REJECT     udp  --  ppp0   any     anywhere             anywhere            udp dpt:domain reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2746 packets, 1064K bytes)
 pkts bytes target     prot opt in     out     source               destination

# iptables -t nat -vL
Chain PREROUTING (policy ACCEPT 203 packets, 27042 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   udp  --  any    any     anywhere             anywhere            udp dpt:domain
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere            tcp dpt:domain

Chain POSTROUTING (policy ACCEPT 4 packets, 262 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    ppp9    anywhere             anywhere
    0     0 DROP       all  --  any    dummy0  anywhere             anywhere
   19  1692 MASQUERADE  all  --  any    ppp0    anywhere             anywhere
    5   723 ACCEPT     all  --  any    any     anywhere             1.2.3.4

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

# iptables -t mangle -vL
Chain PREROUTING (policy ACCEPT 3638 packets, 221K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  ppp0   any     anywhere             !41.7.4.57

Chain INPUT (policy ACCEPT 3638 packets, 221K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2775 packets, 1067K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2260 1023K ACCEPT     all  --  any    eth+    anywhere             anywhere
  463 40839 ACCEPT     all  --  any    any     anywhere             1.2.3.4
   52  3512 ACCEPT     all  --  any    lo      anywhere             anywhere
    0     0 ACCEPT     all  --  any    ppp9    anywhere             anywhere
#
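The capture on ipsec0 above only shows that packets are being routed into the KLIPS virtual interface; on KLIPS the same packets should then reappear on the underlying interface (ppp0 here) as ESP, or as UDP/4500 when NAT-T is in use. The script below is an added diagnostic helper, not code from the original post or from Openswan: it compares a cleartext capture from ipsec0 with a capture from the physical link to say whether packets are lost locally or further along, and lists which nat POSTROUTING rules on the egress interface are evaluated before the rule that accepts traffic to the VPN server. The captures and the iptables listing it runs on are constructed inline (the ipsec0 lines reproduce the post's tcpdump output, the ESP lines reuse the outbound SPI from the pluto log, the POSTROUTING chain is the one listed above); it assumes `tcpdump -n` style output and takes 196.211.225.229, the address the ping capture shows, as the server that the route and iptables listings mask as 1.2.3.4.

```shell
#!/bin/sh
# Added diagnostic helper for a KLIPS ipsec0 -> ppp0 path (not from the post or Openswan).
# Two questions it answers before blaming the peer:
#   1. Do packets seen in cleartext on ipsec0 leave the physical link as ESP / NAT-T?
#      If not, the loss is local (eroute/SA or netfilter), not on the path or the server.
#   2. Which nat POSTROUTING rules on the egress interface run BEFORE the ACCEPT for the server?
# Offline demo: all inputs are constructed below. On a live client you would use:
#   tcpdump -n -i ipsec0 -c 5 icmp                                   > ipsec0.txt
#   tcpdump -n -i ppp0 -c 5 'esp or udp port 4500 or udp port 500'   > ppp0.txt
#   iptables -t nat -vnL POSTROUTING                                  > nat.txt
set -e

SERVER=196.211.225.229          # assumed: the VPN server address as seen in the ping capture
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
IPSEC0_CAP=$TMP/ipsec0.txt; PPP0_NOESP=$TMP/ppp0_noesp.txt
PPP0_ESP=$TMP/ppp0_esp.txt;  NAT_LIST=$TMP/nat.txt

# Constructed sample 1: the cleartext pings as the post shows them on ipsec0.
cat > "$IPSEC0_CAP" <<'EOF'
15:00:00.451318 IP 41.7.4.57 > 196.211.225.229: icmp 64: echo request seq 9
15:00:01.452188 IP 41.7.4.57 > 196.211.225.229: icmp 64: echo request seq 10
15:00:02.453088 IP 41.7.4.57 > 196.211.225.229: icmp 64: echo request seq 11
EOF
# Constructed sample 2: ppp0 while the problem is present, IKE only, no ESP at all.
cat > "$PPP0_NOESP" <<'EOF'
15:00:00.120000 IP 41.7.4.57.500 > 196.211.225.229.500: isakmp: phase 2/others I inf[E]
EOF
# Constructed sample 3: ppp0 on a healthy client, one ESP packet per ping (SPI from the pluto log).
cat > "$PPP0_ESP" <<'EOF'
15:00:00.451500 IP 41.7.4.57 > 196.211.225.229: ESP(spi=0x35e351a7,seq=0x9), length 116
15:00:01.452300 IP 41.7.4.57 > 196.211.225.229: ESP(spi=0x35e351a7,seq=0xa), length 116
15:00:02.453200 IP 41.7.4.57 > 196.211.225.229: ESP(spi=0x35e351a7,seq=0xb), length 116
EOF
# Constructed sample 4: nat POSTROUTING as listed in the post (server masked as 1.2.3.4 there).
cat > "$NAT_LIST" <<'EOF'
Chain POSTROUTING (policy ACCEPT 4 packets, 262 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    ppp9    anywhere             anywhere
    0     0 DROP       all  --  any    dummy0  anywhere             anywhere
   19  1692 MASQUERADE  all  --  any    ppp0    anywhere             anywhere
    5   723 ACCEPT     all  --  any    any     anywhere             1.2.3.4
EOF

# count_icmp_to FILE ADDR: echo requests addressed to ADDR in a tcpdump -n capture
count_icmp_to() { grep -Ec " > $2: .*echo request" "$1" || true; }

# count_esp_to FILE ADDR: ESP packets to ADDR, plain or NAT-T (UDP/4500) encapsulated
count_esp_to() { grep -Ec " > $2(\.4500)?: (UDP-encap: )?ESP\(" "$1" || true; }

# classify IPSEC0_CAP PPP0_CAP: prints one of
#   no-cleartext  nothing enters ipsec0          -> route / eroute problem
#   no-esp        enters ipsec0, never leaves ppp0 -> local: KLIPS SA/eroute or netfilter on ppp0
#   esp-leaving   ESP does leave the box         -> look at the path or the peer
classify() {
  plain=$(count_icmp_to "$1" "$SERVER")
  enc=$(count_esp_to "$2" "$SERVER")
  if [ "$plain" -eq 0 ]; then echo no-cleartext
  elif [ "$enc" -eq 0 ]; then echo no-esp
  else echo esp-leaving
  fi
}

# egress_rules_before_accept NAT_LIST IFACE SERVER: targets of rules that match packets
# leaving IFACE (or any interface) and are evaluated before the ACCEPT for SERVER
egress_rules_before_accept() {
  awk -v ifc="$2" -v srv="$3" '
    NR <= 2 { next }                       # chain banner and column header
    $3 == "ACCEPT" && $9 == srv { exit }   # rules after this never see tunnel traffic
    $7 == ifc || $7 == "any" { print $3 }  # earlier rule on the egress interface
  ' "$1"
}

for cap in "$PPP0_NOESP" "$PPP0_ESP"; do
  echo "ipsec0 vs $(basename "$cap"): $(classify "$IPSEC0_CAP" "$cap")"
done
echo "nat POSTROUTING targets on ppp0 ahead of the VPN ACCEPT: $(egress_rules_before_accept "$NAT_LIST" ppp0 1.2.3.4)"
```

With the post's own listing the second check reports MASQUERADE, because the `-o ppp0` MASQUERADE rule sits above the ACCEPT for the server; whether that rewrite touches the ESP packets is something to confirm from the real counters and a ppp0 capture, which is exactly what the first check is for.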
