[Openswan Users] L2TP packets being dropped at server

Will Roberts wpr2 at cornell.edu
Fri Feb 26 00:12:36 EST 2010


Graeme,

Thanks for the pointers. Someone else suggested that I check my 
firewall, and although I'd done it with 2.6.23, now I'm not certain that 
I did with 2.6.24 and the git master build I'm running with at the 
moment. With the firewall accepting UDP packets on port 1701 the L2TP 
daemon does accept the connection, at which point things fail because I 
haven't finished those configs :)

I had somewhat assumed that my firewall would be bypassed since the 
traffic wouldn't be coming in through normal means. In case anyone else 
makes the same assumption, I used the following two rules to allow all 
IPsec traffic, and then drop all non-IPsec traffic to the L2TP daemon 
since my firewall would accept unencrypted L2TP packets once the UDP 
"connection" was established:

iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
iptables -A ironwall -i eth0 -p udp --dport 1701 -j DROP

Regards,
--Will

On 02/24/2010 10:46 PM, Graeme Peart wrote:
> Will,
> I'm no expert but have managed to get L2TP working with Openswan - both
> client and server, and with an iPod Touch.  Here are some thoughts...
> - The virtual_private should have an entry to exclude the private network on
> which the server exists
> -  For some reason I have to start Openswan after booting - On Ubuntu: sudo
> /etc/init.d/ipsec start
> - If you are behind NAT at one or both ends I couldn't get 2.6.23 but 2.6.24
> seems to work fine
> - I eventually resorted to setting up my own "Internet" so I could see what
> was going on at both ends.  I used a couple of old home routers, an iPod
> Touch as the client and an Ubuntu machine as the server.  You should be able
> to use a single router to get things going.
> - Windows XP and Vista can be used as simple L2TP servers or clients.  I
> found them easier to get going and helpful to use as the "other end" from my
> Ubuntu machine.  There is a registry tweak you will have to do.  See
> Microsoft KB article 926179.
>
> My config files are below.  These are for the server.  I don't have the
> client files handy but can dig them out if you need.
> Hope this gives you some clues,
> Graeme
>
> ----------------------------------------------------------------------
> #/etc/ipsec.conf
> version	2.0	# conforms to second version of ipsec.conf specification
>
> config setup
> 	interfaces=%none
> 	nat_traversal=yes
> 	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24
> 	oe=off
> 	protostack=netkey
>
> include /etc/ipsec.d/l2tp-psk.conf
>
> ----------------------------------------------------------------------
>
> #/etc/ipsec.d/l2tp-psk.conf
> conn L2TP-PSK-NAT
> 	rightsubnet=vhost:%priv,%no
> 	also=L2TP-PSK-noNAT
>
> conn L2TP-PSK-noNAT
> 	authby=secret
> 	pfs=no
> 	keyingtries=5
> 	rekey=yes
> 	ikelifetime=12h
> 	keylife=1h
> 	type=transport
> 	left=192.168.1.60
> 	leftnexthop=192.168.1.254
> 	#leftnexthop=192.168.1.1
> 	leftprotoport=17/1701
> 	right=%any
> 	rightprotoport=17/%any
> 	dpddelay=19
> 	dpdtimeout=60
> 	dpdaction=clear
> 	auto=add
>
> # Normally, KLIPS drops all plaintext traffic from IP's it has a crypted
> # connection with. With L2TP clients behind NAT, that's not really what
> # you want. The connection below allows both l2tp/ipsec and plaintext
> # connections from behind the same NAT router.
> # The l2tpd use a leftprotoport, so they are more specific and will be used
> # first. Then, packets for the host on different ports and protocols (eg
> # ssh) will match this passthrough conn.
>
> conn passthrough-for-non-tunnel
>          type=passthrough
>          left=192.168.1.60
>          leftnexthop=192.168.1.254
>          right=0.0.0.0
>          rightsubnet=0.0.0.0/0
>          auto=route
>
> -----Original Message-----
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
> Behalf Of Will Roberts
> Sent: Tuesday, February 23, 2010 7:23 PM
> To: users at openswan.org
> Subject: [Openswan Users] L2TP packets being dropped at server
>
> Hello,
>
> I am trying to configure L2TP over IPsec using xl2tp and openswan. I've
> tried openswan 2.6.23, 2.6.24, and git master per a suggestion on IRC.
> When I bring up the connection both ends report that the IPsec SA
> transport mode was successfully established.
>
> At that point if I start my L2TP connection I can see ESP packets
> leaving my client and reaching my host by using tcpdump. However the
> L2TP daemon doesn't appear to be receiving the packets so the client
> times out the connection.
>
> I'm not sure where else to look at this point. Below are the the
> configuration files for both client/server as well as a barf with the
> connection established.
>
> Client conf: http://www.bws42.com/zztmp/client.ipsec.conf
> Client barf: http://www.bws42.com/zztmp/client.barf.txt
> Server conf: http://www.bws42.com/zztmp/server.ipsec.conf
> Server barf: http://www.bws42.com/zztmp/server.barf.txt
>
> Regards,
> --Will
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>
>

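The firewall ordering Will describes above, as an added worked example (not code from this thread, from Openswan or from xl2tpd): a Python audit of an iptables-save dump that flags any rule able to accept unencrypted UDP/1701 before it is dropped, and a plaintext DROP placed ahead of the `-m policy --dir in --pol ipsec` ACCEPT (which would discard the decapsulated L2TP as well). Both dumps below are constructed for illustration; the weak one has a RELATED,ESTABLISHED accept in front of the policy match, which is the situation the post describes (once the tunnelled L2TP has flowed, the daemon's UDP "connection" is established, so a plaintext 1701 datagram from the same peer matches it), and the user chain is named ironwall after the post.

```python
"""Audit an iptables-save dump for the plaintext-L2TP gap from the thread.

Added example, not from the mailing-list post.  WEAK_DUMP and FIXED_DUMP
are constructed; the user chain name 'ironwall' is taken from the post.
"""
import shlex

WEAK_DUMP = """\
*filter
:INPUT DROP [0:0]
:ironwall - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -j ironwall
-A ironwall -i eth0 -p udp -m udp --dport 1701 -j DROP
COMMIT
"""

FIXED_DUMP = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1701 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
COMMIT
"""


def parse_filter_table(dump):
    """Return (policies, chains) for the *filter table of an iptables-save dump.

    Only -A, -p, --dport, --pol and -j are kept; other matches are ignored
    and '!' negation is rejected rather than mis-modelled.
    """
    policies, chains, in_filter = {}, {}, False
    for line in (l.strip() for l in dump.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line == "COMMIT":
            continue
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
        else:
            toks = shlex.split(line)
            if "!" in toks:
                raise ValueError("negated match not supported: " + line)
            rule = {"proto": None, "dport": None, "ipsec": False, "target": None}
            chain = None
            for opt, val in zip(toks, toks[1:] + [None]):
                if opt == "-A":
                    chain = val
                elif opt == "-p":
                    rule["proto"] = val
                elif opt == "--dport":
                    rule["dport"] = int(val)
                elif opt == "--pol":
                    rule["ipsec"] = val == "ipsec"
                elif opt == "-j":
                    rule["target"] = val
            chains.setdefault(chain, []).append(rule)
    return policies, chains


def matches_plaintext_l2tp(rule):
    """Could this rule match an unencrypted UDP/1701 datagram?  Conntrack state
    does not exclude it: the inner UDP flow is ESTABLISHED once tunnelled L2TP
    has passed, so a RELATED,ESTABLISHED accept matches a plaintext follow-up."""
    return (not rule["ipsec"]
            and rule["proto"] in (None, "udp")
            and rule["dport"] in (None, 1701))


def walk(chains, chain="INPUT", via_ipsec=False):
    """Yield rules in evaluation order, inlining jumps into user chains.
    A chain entered only via a '--pol ipsec' jump inherits that match."""
    for rule in chains.get(chain, []):
        if rule["target"] in chains:
            if rule["ipsec"] or matches_plaintext_l2tp(rule):
                yield from walk(chains, rule["target"], via_ipsec or rule["ipsec"])
        else:
            yield dict(rule, ipsec=True) if via_ipsec else rule


def audit_l2tp(dump):
    """Return findings; [] means: IPsec-policy ACCEPT precedes the plaintext
    UDP/1701 DROP, and nothing accepts plaintext UDP/1701 before that DROP."""
    policies, chains = parse_filter_table(dump)
    findings, ipsec_ok = [], False
    for n, rule in enumerate(walk(chains), 1):
        if rule["ipsec"] and rule["target"] == "ACCEPT":
            ipsec_ok = True
        elif matches_plaintext_l2tp(rule) and rule["target"] == "ACCEPT":
            findings.append("rule %d accepts plaintext UDP/1701: %r" % (n, rule))
        elif matches_plaintext_l2tp(rule) and rule["target"] in ("DROP", "REJECT"):
            if not ipsec_ok:
                findings.append("rule %d drops UDP/1701 before any IPsec-policy "
                                "ACCEPT; decapsulated L2TP is dropped too" % n)
            return findings          # plaintext never gets past this rule
    if policies.get("INPUT") == "ACCEPT":
        findings.append("INPUT policy ACCEPT lets plaintext UDP/1701 through")
    if not ipsec_ok:
        findings.append("no '-m policy --dir in --pol ipsec -j ACCEPT' rule")
    return findings
```

To check a live box, pass the text of `iptables-save` to `audit_l2tp`; an empty list means the policy-match accept and the plaintext drop are ordered so that only ESP-decapsulated L2TP reaches the daemon.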