[Openswan Users] L2TP/IPSEC over PPP: IPSEC established, no traffic over ipsec0
Eduan Basson
eduan at multenet.com
Thu Nov 13 08:09:31 EST 2008
Hi all
I've been struggling to make a VPN connection over a dial-up interface
using openswan and KLIPS. This is from openswan/xl2tpd on Linux-2.4.27
(including PPPOL2TP patch, I double checked) to Windows 2003 server.
IPSEC looks like it establishes successfully:
Nov 13 14:47:22 warn pluto[622]: "ipsec" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x35e351a7 <0x617b9d78 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
A route is automatically added (by pluto?) to my routing table:
1.2.3.4         0.0.0.0         255.255.255.255 UH    0      0        0 ipsec0
where 1.2.3.4 used to be my VPN server IP.
My problem is that at this point I'd like to open an L2TP connection
over the ipsec0 interface, but nothing flows across that interface!
If I ping my VPN server, a tcpdump on the client shows:
# tcpdump -i ipsec0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type LINUX_SLL (Linux cooked), capture size 68 bytes
15:00:00.451318 IP 41.7.4.57 > 196.211.225.229: icmp 64: echo request seq 9
15:00:01.452188 IP 41.7.4.57 > 196.211.225.229: icmp 64: echo request seq 10
15:00:02.453088 IP 41.7.4.57 > 196.211.225.229: icmp 64: echo request seq 11
But a windump on the NPF_GenericDialupAdapter (Windows' IPsec interface?) shows nothing:
C:\>windump -i1
windump: listening on \Device\NPF_GenericDialupAdapter
If I remove the route over ipsec0 and replace it with one over ppp0,
data flows, but then this isn't over ipsec.
Unfortunately I can't do a barf, as I don't have perl running, but I
followed Jacco de Leeuw's instructions on this page:
http://www.jacco2.dds.nl/networking/linux-l2tp.html. I will include all
my iptables info though.
Please, anyone, any ideas?
Thanks
Eduan Basson
--------------------------------------------------------------------------------------------------------
# iptables -vL
Chain INPUT (policy ACCEPT 3606 packets, 219K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     udp  --  ppp9   any     anywhere             anywhere             udp dpt:domain reject-with icmp-host-prohibited
    0     0 REJECT     udp  --  ppp0   any     anywhere             anywhere             udp dpt:domain reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2746 packets, 1064K bytes)
 pkts bytes target     prot opt in     out     source               destination

# iptables -t nat -vL
Chain PREROUTING (policy ACCEPT 203 packets, 27042 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   udp  --  any    any     anywhere             anywhere             udp dpt:domain
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere             tcp dpt:domain

Chain POSTROUTING (policy ACCEPT 4 packets, 262 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  any    ppp9    anywhere             anywhere
    0     0 DROP       all  --  any    dummy0  anywhere             anywhere
   19  1692 MASQUERADE all  --  any    ppp0    anywhere             anywhere
    5   723 ACCEPT     all  --  any    any     anywhere             1.2.3.4

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

# iptables -t mangle -vL
Chain PREROUTING (policy ACCEPT 3638 packets, 221K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  ppp0   any     anywhere            !41.7.4.57

Chain INPUT (policy ACCEPT 3638 packets, 221K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2775 packets, 1067K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2260 1023K ACCEPT     all  --  any    eth+    anywhere             anywhere
  463 40839 ACCEPT     all  --  any    any     anywhere             1.2.3.4
   52  3512 ACCEPT     all  --  any    lo      anywhere             anywhere
    0     0 ACCEPT     all  --  any    ppp9    anywhere             anywhere
#
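As an added diagnostic aid (not part of the original post and not Openswan or xl2tpd code), the following Python parses `iptables -vL` output like that pasted above and reports which rules' packet counters moved between two snapshots, e.g. one taken before and one after the three pings. The BEFORE/AFTER snapshots below are constructed: BEFORE copies the nat POSTROUTING chain from the post, and the counter change in AFTER is invented for illustration.

```python
import re

# iptables -v prints large counters with K/M/G suffixes (e.g. "219K").
SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

def parse_counter(tok):
    """Convert an iptables -v counter such as '1692' or '219K' to an int."""
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError(f"bad counter: {tok!r}")
    return int(m.group(1)) * SUFFIX[m.group(2)]

def parse_iptables(text):
    """Parse `iptables [-t table] -vL` output into {chain: [rule, ...]};
    each rule is a dict with the nine standard columns plus 'extra'
    (match options such as 'udp dpt:domain reject-with ...')."""
    chains, current = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Chain":
            current = fields[1]
            chains[current] = []
            continue
        if fields[0] == "pkts" or current is None:
            continue  # column header, or text before the first chain
        if len(fields) < 9:
            raise ValueError(f"unexpected rule line: {line!r}")
        pkts, byts, target, prot, opt, iface_in, iface_out, src, dst = fields[:9]
        chains[current].append({
            "pkts": parse_counter(pkts), "bytes": parse_counter(byts),
            "target": target, "prot": prot, "in": iface_in, "out": iface_out,
            "source": src, "destination": dst, "extra": " ".join(fields[9:]),
        })
    return chains

def counter_delta(before, after):
    """Return (chain, index, rule, pkts_delta) for every rule whose packet
    counter changed. Rules are matched by position, so both snapshots must
    come from the same unmodified ruleset."""
    hits = []
    for chain, rules in after.items():
        old = before.get(chain, [])
        for i, rule in enumerate(rules):
            old_pkts = old[i]["pkts"] if i < len(old) else 0
            if rule["pkts"] != old_pkts:
                hits.append((chain, i, rule, rule["pkts"] - old_pkts))
    return hits

# Constructed sample: the post's nat POSTROUTING chain, then a snapshot in
# which three 84-byte echo requests (invented) hit the ppp0 MASQUERADE rule.
BEFORE = """\
Chain POSTROUTING (policy ACCEPT 4 packets, 262 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  any    ppp9    anywhere             anywhere
    0     0 DROP       all  --  any    dummy0  anywhere             anywhere
   19  1692 MASQUERADE all  --  any    ppp0    anywhere             anywhere
    5   723 ACCEPT     all  --  any    any     anywhere             1.2.3.4
"""
AFTER = BEFORE.replace("   19  1692 MASQUERADE", "   22  1944 MASQUERADE")

if __name__ == "__main__":
    for chain, i, rule, d in counter_delta(parse_iptables(BEFORE), parse_iptables(AFTER)):
        print(f"{chain}[{i}] {rule['target']} out={rule['out']} dst={rule['destination']}: +{d} pkts")
```

Seeing the counter move on the ppp0 MASQUERADE rule rather than on the ACCEPT rule for the VPN server would tell you which path the pings actually took.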