[Openswan Users] L2TP packets being dropped at server

Graeme Peart graemepeart at sbcglobal.net
Wed Feb 24 22:46:43 EST 2010


Will,
I'm no expert but have managed to get L2TP working with Openswan - both
client and server, and with an iPod Touch.  Here are some thoughts...
- The virtual_private should have an entry to exclude the private network on
which the server exists
-  For some reason I have to start Openswan after booting - On Ubuntu: sudo
/etc/init.d/ipsec start
- If you are behind NAT at one or both ends I couldn't get 2.6.23 but 2.6.24
seems to work fine
- I eventually resorted to setting up my own "Internet" so I could see what
was going on at both ends.  I used a couple of old home routers, an iPod
Touch as the client and an Ubuntu machine as the server.  You should be able
to use a single router to get things going.
- Windows XP and Vista can be used as simple L2TP servers or clients.  I
found them easier to get going and helpful to use as the "other end" from my
Ubuntu machine.  There is a registry tweak you will have to do.  See
Microsoft KB article 926179.

My config files are below.  These are for the server.  I don't have the
client files handy but can dig them out if you need.
Hope this gives you some clues,
Graeme

----------------------------------------------------------------------
#/etc/ipsec.conf
version	2.0	# conforms to second version of ipsec.conf specification

config setup
	interfaces=%none
	nat_traversal=yes
	
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192
.168.1.0/24
	oe=off
	protostack=netkey

include /etc/ipsec.d/l2tp-psk.conf

----------------------------------------------------------------------

#/etc/ipsec.d/l2tp-psk.conf
conn L2TP-PSK-NAT
	rightsubnet=vhost:%priv,%no
	also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
	authby=secret
	pfs=no
	keyingtries=5
	rekey=yes
	ikelifetime=12h
	keylife=1h
	type=transport
	left=192.168.1.60
	leftnexthop=192.168.1.254
	#leftnexthop=192.168.1.1
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/%any
	dpddelay=19
	dpdtimeout=60
	dpdaction=clear
	auto=add

# Normally, KLIPS drops all plaintext traffic from IP's it has a crypted #
connection with. With L2TP clients behind NAT, that's not really what # you
want. The connection below allows both l2tp/ipsec and plaintext #
connections from behind the same NAT router. 
# The l2tpd use a leftprotoport, so they are more specific and will be used
# first. Then, packets for the host on different ports and protocols (eg
ssh) # will match this passthrough conn.

conn passthrough-for-non-tunnel
        type=passthrough
        left=192.168.1.60
        leftnexthop=192.168.1.254
        right=0.0.0.0
        rightsubnet=0.0.0.0/0
        auto=route

-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Will Roberts
Sent: Tuesday, February 23, 2010 7:23 PM
To: users at openswan.org
Subject: [Openswan Users] L2TP packets being dropped at server

Hello,

I am trying to configure L2TP over IPsec using xl2tp and openswan. I've 
tried openswan 2.6.23, 2.6.24, and git master per a suggestion on IRC. 
When I bring up the connection both ends report that the IPsec SA 
transport mode was successfully established.

At that point if I start my L2TP connection I can see ESP packets 
leaving my client and reaching my host by using tcpdump. However the 
L2TP daemon doesn't appear to be receiving the packets so the client 
times out the connection.

I'm not sure where else to look at this point. Below are the the 
configuration files for both client/server as well as a barf with the 
connection established.

Client conf: http://www.bws42.com/zztmp/client.ipsec.conf
Client barf: http://www.bws42.com/zztmp/client.barf.txt
Server conf: http://www.bws42.com/zztmp/server.ipsec.conf
Server barf: http://www.bws42.com/zztmp/server.barf.txt

Regards,
--Will
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan: 
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155



More information about the Users mailing list