[Openswan Users] L2TP OS X/Windows problem
Lawrence Manning
lawrence.manning at smoothwall.net
Mon Jan 18 06:45:17 EST 2010
On 15 Jan 2010, at 15:37, Lawrence Manning wrote:
> Hi,
>
> On 15 Jan 2010, at 15:16, Paul Wouters wrote:
>
>> On Fri, 15 Jan 2010, Lawrence Manning wrote:
>>
>>> We've come into the old rightprotoport problem documented in a few
>>> places. Basically if we change it to:
>>>
>>> rightprotoport=1701/0
>>>
>>> The OS X client can connect, but the Windows user can't. Apparently
>>> this is fixed in openswan 2.4.10 but even with 2.4.15 we still get
>>> errors connecting with the Windows client:
>>
>> Use rightprotoport=1701/%any
>>
>> You might need to grab the _updown.netkey from openswan 2.6 and use
>> that as _updown for 2.4.x. (or just upgrade to 2.6.24)
>
> Now the ipsec stage completes but I get the following from xl2tpd:
>
> xl2tpd[11856]: setsockopt recvref: Protocol not available
> xl2tpd[11856]: This binary does not support kernel L2TP.
> xl2tpd[11856]: xl2tpd version xl2tpd-1.1.12 started on smoothwall.local PID:11856
> xl2tpd[11856]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
> xl2tpd[11856]: Forked by Scott Balmos and David Stipp, (C) 2001
> xl2tpd[11856]: Inherited by Jeff McAdams, (C) 2002
> xl2tpd[11856]: Forked again by Xelerance (www.xelerance.com) (C) 2006
> xl2tpd[11856]: Listening on IP address 0.0.0.0, port 1701
> xl2tpd[11856]: control_finish: Peer requested tunnel 14 twice, ignoring second one.
> xl2tpd[11856]: control_finish: Peer requested tunnel 14 twice, ignoring second one.
> (etc)
>
> I get no such problems if I use 17/1701 as rightprotoport - ipsec is
> allowed through and xl2tpd fires up the pppd. This is all using a
> Windows XP SP2 client.
>
> We are still on KLIPS here. Any ideas what changes we need to make to
> the _updown? Am really confused!
Bad form to reply to your own post, however...
Running 2.4.15 now (KLIPS) and have figured out what's causing the
issue. I just can't fix it. :(
When connecting with rightprotoport=17/1701, I get a nice route to my
client:
192.168.72.203  192.168.72.1    255.255.255.255 UGH   0      0        0 ipsec0
So L2TP traffic travels down ipsec0, which is right.
But with rightprotoport=17/%any I see:
0.0.0.0         192.168.72.1    255.255.255.255 UGH   0      0        0 ipsec0
As this route. The l2tp traffic travels down the ethernet, which is
obviously not right.
Does anyone know how to fix this? It's as if the %any is being turned
into 0.0.0.0 as the routing network....
--
Lawrence Manning
Lead Developer
SmoothWall Ltd
1 John Charles Way
Leeds LS12 6QA
United Kingdom
1 800 959 3760 (USA, Canada and North America)
0870 1 999 500 (United Kingdom)
+44 870 1 999 500 (All other countries)
SmoothWall is registered in England: 4298247
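As an added example (not part of the thread above, and not Openswan's own tooling), a small POSIX shell check that scans `route -n`-style output for the symptom Lawrence describes: a host route whose destination is 0.0.0.0 with a 255.255.255.255 mask bound to an ipsec interface. The two route tables are constructed and mirror the routes quoted in the post; the table format is assumed to be the eight-column `route -n` layout.

```sh
#!/bin/sh
# Added example (not from the original thread): detect the bogus 0.0.0.0/32
# host route on ipsec0 that appears when %any in rightprotoport ends up as
# the routing network. Sample tables are constructed, in `route -n` layout.
ROUTE_TABLE_OK='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.72.203  192.168.72.1    255.255.255.255 UGH   0      0        0 ipsec0
192.168.72.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0'

ROUTE_TABLE_BAD='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.72.1    255.255.255.255 UGH   0      0        0 ipsec0
192.168.72.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0'

# bogus_ipsec_host_routes TABLE
# Prints every route whose destination is 0.0.0.0, whose mask is /32 and whose
# interface starts with "ipsec". Returns 0 if at least one was found, 1 if none.
bogus_ipsec_host_routes() {
    printf '%s\n' "$1" | awk '
        NR == 1 && $1 == "Destination" { next }   # skip the header line
        $1 == "0.0.0.0" && $3 == "255.255.255.255" && $8 ~ /^ipsec/ {
            print
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# route_table_looks_sane TABLE
# Yes/no wrapper: returns 0 when no bogus ipsec host route is present.
route_table_looks_sane() {
    if bogus_ipsec_host_routes "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# Count of offending routes, for scripting or reporting.
bogus_route_count() {
    bogus_ipsec_host_routes "$1" | wc -l | tr -d ' '
}
```

On a live box the same function can be fed `"$(route -n)"` in place of the constructed tables.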