[Openswan Users] openswan 2.6.24rc4 pushed, please test!
Paul Wouters
paul at xelerance.com
Tue Dec 29 13:19:18 EST 2009
On Tue, 29 Dec 2009, Marc Fisher wrote:
> Subject: Re: [Openswan Users] openswan 2.6.24rc4 pushed, please test!
[l2tp test to aivd.xelerance.com]
> worked nice, I'm in. It gave me 193.111.228.106, but that's just detail ;)
> Wow, good to know it is possible to make it work, I guess it's just my Linux
> box then. Could you tell me the specs of the server side? Like distro, kernel
> and if it's klips or netkey, also openswan version please. I'd also very much
> appreciate, if you could send me the config including the xl2tpd one if
> possible. I'd try that and then I could be certain it's something on my
> server that I need to tamper with.
So it must be something on your server then. Below are my configs.
bash-3.2# ipsec --version
Linux Openswan U2.6.24rc2-dirty/K2.6.26-1-xen-amd64 (netkey)
bash-3.2# /usr/sbin/xl2tpd -h
xl2tpd version: xl2tpd-1.2.4
Note that eth0, the public interface, has an MTU of 1472 instead of 1500.
/etc/sysctl.conf has:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
ipsec.conf:
config setup
    nat_traversal=yes
    virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:193.110.157.60/32
    protostack=netkey
    nhelpers=0
    interfaces="%defaultroute"
    oe=off

conn l2tp-psk
    authby=secret
    pfs=no
    auto=add
    rekey=no
    #overlapip=yes
    type=transport
    leftsendcert=always
    left=193.110.157.131
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
xl2tpd.conf (note that 193.111.228.0/24 is my "internal" network):
[global]
listen-addr = 193.110.157.131
; ipsec saref = yes
; ipsec saref = no
debug tunnel = yes
[lns default]
ip range = 193.111.228.100-193.111.228.199
local ip = 193.111.228.1
require chap = yes
refuse pap = yes
require authentication = yes
name = OpenswanVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
options.xl2tpd:
ipcp-accept-local
ipcp-accept-remote
ms-dns 193.110.157.136
ms-dns 193.110.157.2
ms-wins 192.168.1.2
ms-wins 192.168.1.4
noccp
auth
crtscts
idle 1800
mtu 1400
mru 1400
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
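
For comparing another server's ipsec.conf against the conn l2tp-psk section in the message above, the following is an added example, not part of the original post or of Openswan: a simplified reader for the ipsec.conf section layout (unindented header, indented key=value lines) that lists the parameters differing from the posted values. The SAMPLE config, its 192.0.2.10 address, and the names parse_ipsec_conf and diff_conn are assumptions made for illustration.

```python
# Added example: simplified reader, not Openswan's parser (no also=/include).

# Values copied from "conn l2tp-psk" above; left= is site-specific, so skipped.
REFERENCE = {
    "authby": "secret", "pfs": "no", "rekey": "no", "type": "transport",
    "leftprotoport": "17/1701", "right": "%any",
    "rightprotoport": "17/%any", "rightsubnet": "vhost:%priv,%no",
}

# Constructed sample of a server config to compare (not from the thread).
SAMPLE = """\
conn l2tp-psk
\tauthby=secret
\tpfs=yes
\t#rekey=no
\ttype=tunnel
\tleft=192.0.2.10
\tleftprotoport=17/1701
\tright=%any
\trightprotoport=17/1701
"""


def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}}; headers start in column 0."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():  # unindented line opens a new section
            parts = line.split()
            known = len(parts) == 2 and parts[0] in ("config", "conn")
            current = sections.setdefault(tuple(parts), {}) if known else None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections


def diff_conn(text, conn="l2tp-psk"):
    """Return [(key, found, expected)] where the conn differs from REFERENCE."""
    found = parse_ipsec_conf(text)[("conn", conn)]
    return [(k, found.get(k), v) for k, v in REFERENCE.items() if found.get(k) != v]


if __name__ == "__main__":
    for key, got, want in diff_conn(SAMPLE):
        print(f"{key}: found {got!r}, reference has {want!r}")
```

A found value of None means the parameter is absent or commented out in the compared file.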