[Openswan Users] l2tp traffic outside ipsec after upgrading to 2.6.20

Christian Huldt christian at solvare.se
Tue Mar 24 09:47:25 EDT 2009


Since this seems to be related to
http://bugs.xelerance.com/view.php?id=1004
I thought this might help in understanding that bug.

I tried to deal with unpatched Windows and Mac clients by setting up
another connection on another IP:
#################################
conn roadwarrior-l2tp-mac
        leftprotoport=17/1701
        rightprotoport=17/%any
        forceencaps=yes
        pfs=no
        left=83.244.207.131
        leftnexthop=83.244.207.129
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
 
conn roadwarrior-l2tp-win
        leftprotoport=17/1701
        rightprotoport=17/1701
        #rightprotoport=17/%any
        forceencaps=no
        pfs=no
        left=83.244.207.130
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
###################################

with 83.244.207.130 being the "main" IP address.
Connections to the other address, 83.244.207.131, were failing exactly as
below, but that was using 2.4.9.

Is this a routing problem/bug? Would eroute.c be a good place to start
looking?


I wrote:
> I updated openswan from 2.4.13 to 2.6.20 as there is a need to deal with
> a few users behind the same remote NAT.
> (Would that require that I switch to klips?)
>
> Now, with basically the same config as before (I added OE=off and
> protostack=netkey), it seems as if the l2tp response (xl2tpd-1.1.11) is
> going outside the ipsec tunnel...
>
> I don't quite understand this...
>
> Mar 19 21:40:54 [pluto] "roadwarrior-l2tp"[1] 90.231.251.47 #3: received
> and ignored informational message
> Mar 19 21:40:55 [pluto] "roadwarrior-l2tp"[1] 90.231.251.47 #3: the peer
> proposed: 83.233.207.130/32:17/1701 -> 192.168.10.167/32:17/61608
> Mar 19 21:40:55 [pluto] "roadwarrior-l2tp"[2] 90.231.251.47 #4:
> responding to Quick Mode proposal {msgid:320f4f82}
> Mar 19 21:40:55 [pluto] "roadwarrior-l2tp"[2] 90.231.251.47 #4:     us:
> 83.233.207.130[+S=C]:17/1701
> Mar 19 21:40:55 [pluto] "roadwarrior-l2tp"[2] 90.231.251.47 #4:   them:
> 90.231.251.47[192.168.10.167,+S=C]:17/61624===192.168.10.167/32
> Mar 19 21:40:55 [pluto] "roadwarrior-l2tp"[2] 90.231.251.47 #4:
> transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Mar 19 21:40:55 [pluto] "roadwarrior-l2tp"[2] 90.231.251.47 #4:
> STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Mar 19 21:40:55 [pluto] "roadwarrior-l2tp"[2] 90.231.251.47 #4:
> transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Mar 19 21:40:55 [pluto] "roadwarrior-l2tp"[2] 90.231.251.47 #4:
> STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x01cc51f4
> <0x7dc1d643 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=90.231.251.47:4500
> DPD=none}
> Mar 19 21:41:02 [xl2tpd] Maximum retries exceeded for tunnel 21866.
> Closing.
> Mar 19 21:41:02 [xl2tpd] Connection 12 closed to 90.231.251.47, port
> 61624 (Timeout)
> Mar 19 21:41:16 [xl2tpd] Maximum retries exceeded for tunnel 55782.
> Closing.
> Mar 19 21:41:16 [xl2tpd] Connection 12 closed to 90.231.251.47, port
> 61624 (Timeout)
>
> tcpdump:
>
> 21:40:58.267869 IP (tos 0x0, ttl 64, id 26, offset 0, flags [DF], proto
> UDP (17), length 138) nr130.big-bop.com.l2tp >
> 90-231-251-47-no52.tbcn.telia.com.61624:  l2tp:[TLS](12/0)Ns=0,Nr=1
> *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
>
>   


-- 
Kind regards
Christian Huldt
0704612207
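An added diagnostic check, not part of Christian's post or of Openswan/xl2tpd: the pluto log above shows the negotiated selector as 83.233.207.130/32:17/1701 -> 192.168.10.167/32:17/61624 (the client's inner address), while the tcpdump shows the SCCRP leaving in the clear addressed to 90.231.251.47:61624 (the NAT's public address). Whether a cleartext UDP/1701 datagram seen on the outside interface is actually selected by any installed kernel policy is the first thing to establish, so the script below parses `ip xfrm policy` output and tests observed 5-tuples against the OUT tunnel policies. The policy dump and the packet list are constructed here to mirror the log (the reqid and priority values are assumptions); on a live box, feed it `ip xfrm policy show` and the numeric addresses from `tcpdump -n -i <ext-if> udp port 1701`.

```python
"""Classify cleartext L2TP datagrams against the installed xfrm OUT policies.

Added example (not from the original post).  Input below is constructed to
mirror the pluto log in the thread; reqid/priority numbers are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modelled on `ip xfrm policy show` output for the SA in the pluto log:
# responder 83.233.207.130, client inner address 192.168.10.167 behind
# NAT 90.231.251.47, L2TP ports 1701 <-> 61624.  CONSTRUCTED sample.
XFRM_POLICY_SAMPLE = """\
src 83.233.207.130/32 dst 192.168.10.167/32 proto udp sport 1701 dport 61624
\tdir out priority 2080 ptype main
\ttmpl src 83.233.207.130 dst 90.231.251.47
\t\tproto esp reqid 16385 mode tunnel
src 192.168.10.167/32 dst 83.233.207.130/32 proto udp sport 61624 dport 1701
\tdir in priority 2080 ptype main
\ttmpl src 90.231.251.47 dst 83.233.207.130
\t\tproto esp reqid 16385 mode tunnel
"""

# (src_ip, sport, dst_ip, dport) of UDP datagrams seen *unencapsulated* on
# the external interface.  The first is the SCCRP from the post's tcpdump
# (destination is the NAT public address); the second is a hypothetical
# reply addressed to the client's inner address.  CONSTRUCTED sample.
OBSERVED = [
    ("83.233.207.130", 1701, "90.231.251.47", 61624),
    ("83.233.207.130", 1701, "192.168.10.167", 61624),
]


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str              # "udp", "tcp", ... or "any"
    sport: Optional[int]    # None means any port
    dport: Optional[int]
    direction: str          # "in", "out" or "fwd"
    mode: str               # "tunnel" or "transport"


# First line of each policy entry: the selector.
SELECTOR_RE = re.compile(
    r"^src (\S+) dst (\S+)(?: proto (\S+))?(?: sport (\d+))?(?: dport (\d+))?"
)


def parse_xfrm_policy(text: str) -> List[Policy]:
    """Parse `ip xfrm policy show` text into Policy records."""
    policies: List[Policy] = []
    cur: Optional[Policy] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SELECTOR_RE.match(line)
        if m and not raw.startswith((" ", "\t")):
            src, dst, proto, sport, dport = m.groups()
            cur = Policy(
                src=ipaddress.ip_network(src), dst=ipaddress.ip_network(dst),
                proto=proto or "any",
                sport=int(sport) if sport else None,
                dport=int(dport) if dport else None,
                direction="", mode="",
            )
            policies.append(cur)
        elif cur is not None:
            # Indented continuation lines carry "dir <x>" and "mode <x>".
            dm = re.search(r"\bdir (\w+)", line)
            if dm:
                cur.direction = dm.group(1)
            mm = re.search(r"\bmode (\w+)", line)
            if mm:
                cur.mode = mm.group(1)
    return policies


def matches(p: Policy, src_ip: str, dst_ip: str, proto: str,
            sport: int, dport: int) -> bool:
    """True if the 5-tuple falls inside the policy's selector."""
    return (ipaddress.ip_address(src_ip) in p.src
            and ipaddress.ip_address(dst_ip) in p.dst
            and p.proto in ("any", proto)
            and p.sport in (None, sport)
            and p.dport in (None, dport))


def classify_cleartext(policies: List[Policy],
                       packets: List[Tuple[str, int, str, int]]
                       ) -> List[Tuple[Tuple[str, int, str, int], str]]:
    """For each cleartext UDP datagram, say whether an OUT tunnel policy
    should have caught it (a real leak) or no policy selects the flow at all
    (the datagram was never going to be protected as the SA was negotiated)."""
    verdicts = []
    for pkt in packets:
        src_ip, sport, dst_ip, dport = pkt
        covered = [p for p in policies
                   if p.direction == "out" and p.mode == "tunnel"
                   and matches(p, src_ip, dst_ip, "udp", sport, dport)]
        if covered:
            verdict = "LEAK: flow matches an OUT tunnel policy yet left in clear"
        else:
            verdict = "UNCOVERED: no OUT tunnel policy selects this flow"
        verdicts.append((pkt, verdict))
    return verdicts


if __name__ == "__main__":
    for pkt, verdict in classify_cleartext(
            parse_xfrm_policy(XFRM_POLICY_SAMPLE), OBSERVED):
        print("%s:%d -> %s:%d  %s" % (pkt[0], pkt[1], pkt[2], pkt[3], verdict))
```

With the constructed input the SCCRP to 90.231.251.47:61624 comes out as UNCOVERED, because the only OUT policy selects dst 192.168.10.167/32; the same datagram addressed to 192.168.10.167 would match the policy and, if still seen in the clear, be a genuine leak. Either way the verdict tells you whether to look at what xl2tpd is addressing its replies to versus what pluto installed, or at the kernel's handling of the installed policy.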


