[Openswan Users] Openswan 2.6.26 + mast + saref + xl2tpd
Vincent Bernat
bernat at luffy.cx
Tue Jun 8 09:45:15 EDT 2010
Hi Paul!
Thanks for your quick answer.
On Tue, 8 Jun 2010 08:53:00 -0400 (EDT), Paul Wouters <paul at xelerance.com> wrote:
> Have you configured the mast0 interface to have the same IP as your public
> facing interface?
No, but it has been configured automatically by Openswan.
4: mast0: <NOARP,UP,LOWER_UP> mtu 1452 qdisc pfifo_fast state UNKNOWN qlen 10
    link/none
    inet 193.252.122.236/32 scope global mast0
> Did you try lowering the mtu slightly? eg 1472 ?
It is 1452.
> do you have iptables support?
Yes, the scripts did set up some rules in the mangle table:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
IPSEC all -- 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:4500
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:500
IPSEC all -- 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain IPSEC (2 references)
target prot opt source destination
MARK all -- 193.X.X.236 10.X.X.X MARK set 0x80010000
The answer packets are routed to the mast0 interface, as you can see in this tcpdump output:
ZZZZZZ:/etc/ipsec.d/examples# tcpdump -pni mast0
tcpdump: WARNING: arptype 65534 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on mast0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
15:43:38.148679 IP 10.X.X.168.1701 > 193.X.X.236.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
15:43:39.148019 IP 10.X.X.168.1701 > 193.X.X.236.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
15:43:40.149228 IP 10.X.X.168.1701 > 193.X.X.236.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
15:43:40.151340 IP 193.X.X.236.1701 > 10.X.X.168.1701: l2tp:[TLS](30062/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
15:43:40.152219 IP 193.X.X.236.1701 > 10.X.X.168.1701: l2tp:[TLS](30062/0)Ns=0,Nr=1 ZLB
15:43:40.153101 IP 193.X.X.236.1701 > 10.X.X.168.1701: l2tp:[TLS](30062/0)Ns=0,Nr=1 ZLB
> do you have proper /etc/sysctl.conf settings? (see /etc/ipsec.d/examples)
I disabled rp_filter for mast0. I have enabled martian logs and I don't
get anything in the logs. I have applied sysctl.conf from
/etc/ipsec.d/examples and the problem is still here.
>> Any idea on why Openswan is not able to find the correct saref and
>> therefore is unable to send answers?
>
> Perhaps show us "ipsec barf" ?
Sure, here it is.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec.output.gz
Type: application/x-gzip
Size: 55976 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20100608/a6415210/attachment-0001.gz
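A small parser for the tcpdump L2TP control lines quoted in the mail above, added here as an example; it is not part of the thread and not code from Openswan or xl2tpd. It assumes the one-packet-per-line tcpdump format shown (the sample input is taken from the capture in the mail, with the same masked addresses) and only answers the question the capture raises: how many SCCRQ arrived, whether the responder sent an SCCRP, which tunnel id it assigned, and how quickly it replied.

```python
import re
from collections import Counter

# Sample input: the tcpdump lines from the mail above, joined one packet per line.
SAMPLE = """\
15:43:38.148679 IP 10.X.X.168.1701 > 193.X.X.236.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
15:43:39.148019 IP 10.X.X.168.1701 > 193.X.X.236.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
15:43:40.149228 IP 10.X.X.168.1701 > 193.X.X.236.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
15:43:40.151340 IP 193.X.X.236.1701 > 10.X.X.168.1701: l2tp:[TLS](30062/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...
15:43:40.152219 IP 193.X.X.236.1701 > 10.X.X.168.1701: l2tp:[TLS](30062/0)Ns=0,Nr=1 ZLB
15:43:40.153101 IP 193.X.X.236.1701 > 10.X.X.168.1701: l2tp:[TLS](30062/0)Ns=0,Nr=1 ZLB
"""

# One tcpdump L2TP control line: timestamp, endpoints, (tunnel/session) ids, Ns/Nr, then AVPs or ZLB.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"l2tp:\[(?P<flags>[^\]]*)\]\((?P<tid>\d+)/(?P<sid>\d+)\)"
    r"Ns=(?P<ns>\d+),Nr=(?P<nr>\d+)\s*(?P<rest>.*)$"
)
MSGTYPE_RE = re.compile(r"\*MSGTYPE\((\w+)\)")


def _seconds(ts):
    """Convert an HH:MM:SS.ffffff tcpdump timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_l2tp(text):
    """Parse tcpdump L2TP control lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        mt = MSGTYPE_RE.search(rest)
        # A control message with no AVPs is a ZLB (zero-length body), i.e. a bare ack.
        msgtype = mt.group(1) if mt else ("ZLB" if rest.startswith("ZLB") else "UNKNOWN")
        pkts.append({
            "t": _seconds(m.group("ts")),
            "src": m.group("src"), "dst": m.group("dst"),
            "tid": int(m.group("tid")), "sid": int(m.group("sid")),
            "ns": int(m.group("ns")), "nr": int(m.group("nr")),
            "msgtype": msgtype,
        })
    return pkts


def control_summary(pkts):
    """Pair SCCRQ requests with the responder's SCCRP and report what was sent back."""
    sccrq = [p for p in pkts if p["msgtype"] == "SCCRQ"]
    sccrp = [p for p in pkts if p["msgtype"] == "SCCRP"]
    # The same (src, tunnel id, Ns) seen more than once means the peer retransmitted
    # because it did not see a reply in time.
    seen = Counter((p["src"], p["tid"], p["ns"]) for p in sccrq)
    summary = {
        "sccrq_count": len(sccrq),
        "sccrq_retransmits": sum(c - 1 for c in seen.values()),
        "sccrp_seen": bool(sccrp),
        "responder_tunnel_id": sccrp[0]["tid"] if sccrp else None,
        "reply_from_responder": bool(sccrp) and bool(sccrq) and sccrp[0]["src"] == sccrq[0]["dst"],
        "zlb_count": sum(1 for p in pkts if p["msgtype"] == "ZLB"),
        "reply_delay_s": None,
    }
    if sccrp and sccrq:
        first_rp = sccrp[0]
        # Delay between the last SCCRQ before the reply and the reply itself.
        earlier = [q for q in sccrq if q["t"] <= first_rp["t"]]
        if earlier:
            summary["reply_delay_s"] = round(first_rp["t"] - earlier[-1]["t"], 6)
    return summary


if __name__ == "__main__":
    for k, v in control_summary(parse_l2tp(SAMPLE)).items():
        print(f"{k:>22}: {v}")
```

On the capture from the mail this reports three SCCRQ (two of them retransmits) before one SCCRP with tunnel id 30062 and two ZLB acks, so the responder side is answering; what the summary cannot show is whether those answers, sent out via mast0, ever reach the peer, which is the question the thread is chasing.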