[Openswan Users] L2TP packets being dropped at server
Graeme Peart
graemepeart at sbcglobal.net
Wed Feb 24 22:46:43 EST 2010
Will,
I'm no expert but have managed to get L2TP working with Openswan - both
client and server, and with an iPod Touch. Here are some thoughts...
- The virtual_private should have an entry to exclude the private network on
which the server exists
- For some reason I have to start Openswan after booting - On Ubuntu: sudo
/etc/init.d/ipsec start
- If you are behind NAT at one or both ends, I couldn't get 2.6.23 to work, but
2.6.24 seems to work fine
- I eventually resorted to setting up my own "Internet" so I could see what
was going on at both ends. I used a couple of old home routers, an iPod
Touch as the client and an Ubuntu machine as the server. You should be able
to use a single router to get things going.
- Windows XP and Vista can be used as simple L2TP servers or clients. I
found them easier to get going and helpful to use as the "other end" from my
Ubuntu machine. There is a registry tweak you will have to do. See
Microsoft KB article 926179.
My config files are below. These are for the server. I don't have the
client files handy but can dig them out if you need.
Hope this gives you some clues,
Graeme
----------------------------------------------------------------------
#/etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    interfaces=%none
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24
    oe=off
    protostack=netkey
include /etc/ipsec.d/l2tp-psk.conf
----------------------------------------------------------------------
#/etc/ipsec.d/l2tp-psk.conf
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv,%no
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    keyingtries=5
    rekey=yes
    ikelifetime=12h
    keylife=1h
    type=transport
    left=192.168.1.60
    leftnexthop=192.168.1.254
    #leftnexthop=192.168.1.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=19
    dpdtimeout=60
    dpdaction=clear
    auto=add
# Normally, KLIPS drops all plaintext traffic from IP's it has a crypted
# connection with. With L2TP clients behind NAT, that's not really what
# you want. The connection below allows both l2tp/ipsec and plaintext
# connections from behind the same NAT router.
# The l2tpd use a leftprotoport, so they are more specific and will be used
# first. Then, packets for the host on different ports and protocols (eg
# ssh) will match this passthrough conn.
conn passthrough-for-non-tunnel
    type=passthrough
    left=192.168.1.60
    leftnexthop=192.168.1.254
    right=0.0.0.0
    rightsubnet=0.0.0.0/0
    auto=route
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Will Roberts
Sent: Tuesday, February 23, 2010 7:23 PM
To: users at openswan.org
Subject: [Openswan Users] L2TP packets being dropped at server
Hello,
I am trying to configure L2TP over IPsec using xl2tp and openswan. I've
tried openswan 2.6.23, 2.6.24, and git master per a suggestion on IRC.
When I bring up the connection both ends report that the IPsec SA
transport mode was successfully established.
At that point if I start my L2TP connection I can see ESP packets
leaving my client and reaching my host by using tcpdump. However the
L2TP daemon doesn't appear to be receiving the packets so the client
times out the connection.
I'm not sure where else to look at this point. Below are the
configuration files for both client/server as well as a barf with the
connection established.
Client conf: http://www.bws42.com/zztmp/client.ipsec.conf
Client barf: http://www.bws42.com/zztmp/client.barf.txt
Server conf: http://www.bws42.com/zztmp/server.ipsec.conf
Server barf: http://www.bws42.com/zztmp/server.barf.txt
Regards,
--Will
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
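As an added check for Graeme's first point (this script is not from the thread or from Openswan): it parses the virtual_private= line of an ipsec.conf and reports whether the server's own LAN is excluded, so a road warrior cannot claim a virtual IP that collides with a local host. The sample config text is constructed from the server config posted above; treating the server LAN as a /24 is an assumption.

```python
import ipaddress
import re

# Constructed sample: the "config setup" section of the server ipsec.conf
# from the thread, with the wrapped virtual_private= line rejoined.
SAMPLE_IPSEC_CONF = """\
version 2.0
config setup
    interfaces=%none
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24
    oe=off
    protostack=netkey
"""


def parse_virtual_private(conf_text):
    """Return (included, excluded) IPv4 networks from the virtual_private= line.

    Entries look like %v4:10.0.0.0/8 (allowed) or %v4:!192.168.1.0/24 (excluded).
    """
    m = re.search(r"^\s*virtual_private=(\S+)", conf_text, re.MULTILINE)
    if not m:
        return [], []
    included, excluded = [], []
    for item in m.group(1).split(","):
        if not item.startswith("%v4:"):
            continue  # %v6: entries are out of scope for this IPv4 check
        spec = item[len("%v4:"):]
        if spec.startswith("!"):
            excluded.append(ipaddress.ip_network(spec[1:], strict=False))
        else:
            included.append(ipaddress.ip_network(spec, strict=False))
    return included, excluded


def local_subnet_is_excluded(conf_text, local_subnet):
    """True if no road warrior may claim a virtual IP inside local_subnet:
    either no included range covers it, or an exclusion entry covers it."""
    local = ipaddress.ip_network(local_subnet, strict=False)
    included, excluded = parse_virtual_private(conf_text)
    if not any(local.subnet_of(net) for net in included):
        return True  # not claimable at all, nothing to exclude
    return any(local.subnet_of(net) for net in excluded)


if __name__ == "__main__":
    # Server LAN assumed to be 192.168.1.0/24 (left=192.168.1.60 in the conn).
    ok = local_subnet_is_excluded(SAMPLE_IPSEC_CONF, "192.168.1.0/24")
    print("server LAN excluded from virtual_private:", ok)
```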
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155