[Openswan Users] l2tp traffic outside ipsec after upgrading to 2.6.20

Christian Huldt christian at solvare.se
Fri Mar 20 07:02:36 EDT 2009


I updated openswan from 2.4.13 to 2.6.20 as there is a need to deal with
a few users behind the same remote NAT.
(Would that require that I switch to klips?)

Now, with basically the same config as before (I added OE=off and
protostack=netkey), it seems as if the l2tp response (xl2tpd-1.1.11) is
going outside the ipsec tunnel...

I don't quite understand this...

Mar 19 21:40:54 [pluto] "roadwarrior-l2tp"[1] 90.231.251.47 #3: received and ignored informational message
Mar 19 21:40:55 [pluto] "roadwarrior-l2tp"[1] 90.231.251.47 #3: the peer proposed: 83.233.207.130/32:17/1701 -> 192.168.10.167/32:17/61608
Mar 19 21:40:55 [pluto] "roadwarrior-l2tp"[2] 90.231.251.47 #4: responding to Quick Mode proposal {msgid:320f4f82}
Mar 19 21:40:55 [pluto] "roadwarrior-l2tp"[2] 90.231.251.47 #4:     us: 83.233.207.130[+S=C]:17/1701
Mar 19 21:40:55 [pluto] "roadwarrior-l2tp"[2] 90.231.251.47 #4:   them: 90.231.251.47[192.168.10.167,+S=C]:17/61624===192.168.10.167/32
Mar 19 21:40:55 [pluto] "roadwarrior-l2tp"[2] 90.231.251.47 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 19 21:40:55 [pluto] "roadwarrior-l2tp"[2] 90.231.251.47 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Mar 19 21:40:55 [pluto] "roadwarrior-l2tp"[2] 90.231.251.47 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 19 21:40:55 [pluto] "roadwarrior-l2tp"[2] 90.231.251.47 #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x01cc51f4 <0x7dc1d643 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=90.231.251.47:4500 DPD=none}
Mar 19 21:41:02 [xl2tpd] Maximum retries exceeded for tunnel 21866.  Closing._
Mar 19 21:41:02 [xl2tpd] Connection 12 closed to 90.231.251.47, port 61624 (Timeout)_
Mar 19 21:41:16 [xl2tpd] Maximum retries exceeded for tunnel 55782.  Closing._
Mar 19 21:41:16 [xl2tpd] Connection 12 closed to 90.231.251.47, port 61624 (Timeout)_

tcpdump:

21:40:58.267869 IP (tos 0x0, ttl 64, id 26, offset 0, flags [DF], proto UDP (17), length 138) nr130.big-bop.com.l2tp > 90-231-251-47-no52.tbcn.telia.com.61624:  l2tp:[TLS](12/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...

-- 
mvh
Christian Huldt
0704612207


