[Openswan Users] xl2tpd source address problem

Mariusz Droździel Mariusz.Drozdziel at teleaudio.pl
Mon Nov 24 08:28:57 EST 2008 

Hi,

I have two boxes serving openswan/xl2tpd configuration for roadwarriors.
IP addresses are shared over VRRP. Everything works fine, until one of the boxes goes down. If the 2nd box will bring up the 2nd ip address, xl2tpd wont work probperly. The issue is, that even though IPSEC connection is estalished fine, xl2tpd replays to the client with the first address on the interface as the source address:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:50:56:bc:4b:64 brd ff:ff:ff:ff:ff:ff
    inet 172.16.179.2/24 scope global eth0
    inet x.x.x.203/26 scope global eth0

In this case everything works fine. If the other box goes down, machine will bring up 2nd IP address:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:50:56:bc:4b:64 brd ff:ff:ff:ff:ff:ff
    inet 172.16.179.2/24 scope global eth0
    inet x.x.x.203/26 scope global eth0
    inet x.x.x.202/26 scope global secondary eth0

Now, whenever roadwarrior established connection to x.x.x.202 IPSEC is established, but xl2tpd replays with x.x.x.203, even though client send packets to x.x.x.202.

As you can see below, xl2tpd answers with different source address, than the initial packet was send to.

1227532691.120534 IP y.y.y.y.500 > x.x.x.202.500: isakmp: phase 1 I ident
1227532691.121363 IP x.x.x.202.500 > y.y.y.y.500: isakmp: phase 1 R ident
1227532691.220845 IP y.y.y.y.500 > x.x.x.202.500: isakmp: phase 1 I ident
1227532691.234819 IP x.x.x.202.500 > y.y.y.y.500: isakmp: phase 1 R ident
1227532691.280043 IP y.y.y.y.500 > x.x.x.202.500: isakmp: phase 1 I ident[E]
1227532691.285535 IP x.x.x.202.500 > y.y.y.y.500: isakmp: phase 1 R ident[E] 1227532691.287660 IP y.y.y.y.500 > x.x.x.202.500: isakmp: phase 2/others I oakley-quick[E]
1227532691.288431 IP x.x.x.202.500 > y.y.y.y.500: isakmp: phase 2/others R oakley-quick[E]
1227532691.294045 IP y.y.y.y.500 > x.x.x.202.500: isakmp: phase 2/others I oakley-quick[E]
1227532691.294935 IP y.y.y.y > x.x.x.202: ESP(spi=0xec400719,seq=0x1), length 164
1227532692.295488 IP y.y.y.y > x.x.x.202: ESP(spi=0xec400719,seq=0x2), length 164
1227532693.296284 IP x.x.x.203.1701 > y.y.y.y.1701:  l2tp:[TLS](35/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
1227532693.296668 IP x.x.x.203.1701 > y.y.y.y.1701:  l2tp:[TLS](35/0)Ns=0,Nr=1 ZLB
1227532694.296599 IP x.x.x.203.1701 > y.y.y.y.1701:  l2tp:[TLS](35/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
1227532694.297527 IP y.y.y.y > x.x.x.202: ESP(spi=0xec400719,seq=0x3), length 164
1227532694.298073 IP x.x.x.203.1701 > y.y.y.y.1701:  l2tp:[TLS](35/0)Ns=0,Nr=1 ZLB
1227532695.296952 IP x.x.x.203.1701 > y.y.y.y.1701:  l2tp:[TLS](35/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
1227532696.297121 IP x.x.x.203.1701 > y.y.y.y.1701:  l2tp:[TLS](35/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
1227532697.297546 IP x.x.x.203.1701 > y.y.y.y.1701:  l2tp:[TLS](35/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
1227532698.297834 IP x.x.x.203.1701 > y.y.y.y.1701:  l2tp:[TLS](35/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(12681) *RESULT_CODE(1/0 Timeout) 1227532698.303770 IP y.y.y.y > x.x.x.202: ESP(spi=0xec400719,seq=0x4), length 164
1227532698.307736 IP x.x.x.203.1701 > y.y.y.y.1701:  l2tp:[TLS](35/0)Ns=0,Nr=1 ZLB
1227532699.298134 IP x.x.x.203.1701 > y.y.y.y.1701:  l2tp:[TLS](35/0)Ns=1,Nr=1 *MSGTYPE(StopCCN) *ASSND_TUN_ID(12681) *RESULT_CODE(1/0 Timeout)

The same problem if I bring down this node. Then the other one will bring up x.x.x.203 as the secondary address on eth0, but xl2tpd will always send packets with source address x.x.x.202.

Btw: Is there any way to see the trafic on the outer interface before it gets encrytped while using NETKEY?


Mariusz Droździel
Administrator Sieci i Systemów
Sekcja Administracji Systemów
Dział Informatyki i Telekomunikacji
tel. +48 22 244 40 60



TELEAUDIO Sp. z o.o.
Al. Jerozolimskie 81, 02-001 Warszawa
tel. +48 22 244 40 00  fax +48 22 244 40 02
KRS 0000229759, NIP 525-10-65-169

More information about the Users mailing list