[Openswan Users] Mac OS X Roadwarrior IPSEC/L2TP fails second connection

Anthony Lester alester at free.fr
Thu May 27 11:41:33 EDT 2010


Hi All,

Anybody any ideas about my reconnection problem? For the moment I
need to restart ipsec to connect a second time, which is not a very
reliable solution for me. I'd be very grateful for any hints.

I've just upgraded to Openswan 2.6.26 and I also upgraded my kernel
since it was previously rather old and I thought this could be an issue
(I am now on 2.6.27). However, I still have the problem.

Best regards
Anthony

On 18 Mar 2010, at 20:49, Anthony Lester wrote:

> Hello,
>
> I have set up an IPSEC/L2TP VPN server using Openswan 2.6.24 and xl2tpd
> 1.2.4 on a machine in my home network which is behind a NAT router. I
> then try to connect from a Mac OS X laptop on a public WiFi network.
> The first connection works fine, but if I disconnect then try to
> reconnect, I get a message that there is no reply from the server. If
> I then restart ipsec on the server, I can connect again.
>
> After analyzing logs on both sides and looking at tcpdump results it
> seems that when the connection fails the L2TP negotiation is not
> working. Specifically the SCCRP reply from the server is being sent to
> the client unencrypted (i.e. not through the IPSEC connection) and so
> it is not seen by the client.
>
> Anybody any ideas?
>
> My configuration is as follows:
>
> version 2.0
>
> config setup
>         interfaces=%defaultroute
>         nat_traversal=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24
>         protostack=netkey
>
> conn %default
>         keyingtries=5
>         compress=yes
>         disablearrivalcheck=no
>         authby=rsasig
>         leftrsasigkey=%cert
>         rightrsasigkey=%cert
>         rightca=%same
>
> conn roadwarrior-l2tp
>         leftprotoport=17/1701
>         rightprotoport=17/%any
>         also=roadwarrior
>
> conn roadwarrior
>         left=%defaultroute
>         leftcert=alester.hd.free.fr.pem
>         leftsubnet=192.168.1.0/24
>         right=%any
>         rightsubnet=vhost:%no,%priv
>         pfs=no
>         auto=add
>
> + all the auto=ignore stuff to disable oe
>
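An added example, not part of the thread: a Python check over `tcpdump -n` output taken on the server that flags exactly the symptom described above, L2TP control traffic (UDP/1701) leaving the host as plain UDP rather than inside UDP-encapsulated ESP, which indicates the roadwarrior's IPsec SA is no longer covering 17/1701 after the first disconnect. The addresses and capture lines are constructed.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed address of the Openswan/xl2tpd host behind the NAT router.
SERVER_IP = "192.168.1.10"

# Constructed `tcpdump -n` lines taken on the server: the client's traffic is
# inside UDP-encapsulated ESP, but the SCCRP leaves as plain UDP/1701.
SAMPLE_TCPDUMP = """\
12:00:01.000000 IP 198.51.100.5.4500 > 192.168.1.10.4500: UDP-encap: ESP(spi=0x1a2b3c4d,seq=0x1), length 132
12:00:01.010000 IP 192.168.1.10.4500 > 198.51.100.5.4500: UDP-encap: ESP(spi=0x4d3c2b1a,seq=0x1), length 148
12:00:09.500000 IP 198.51.100.5.4500 > 192.168.1.10.4500: UDP-encap: ESP(spi=0x1a2b3c4d,seq=0x7), length 132
12:00:09.510000 IP 192.168.1.10.1701 > 198.51.100.5.1701: l2tp:[TLS](0/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
"""

# Matches "ts IP a.b.c.d[.port] > a.b.c.d[.port]: rest"; raw ESP has no ports.
PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<rest>.*)$")

class Packet(NamedTuple):
    ts: str
    src: str
    dst: str
    kind: str  # esp-natt | esp | ike | l2tp-cleartext | other
    summary: str

def classify(line: str) -> Optional[Packet]:
    """Map one tcpdump line to how its payload is (or is not) protected."""
    m = PKT_RE.match(line)
    if not m:
        return None
    rest, sport, dport = m["rest"], m["sport"], m["dport"]
    if "ESP(" in rest:
        kind = "esp-natt" if sport == "4500" else "esp"
    elif "isakmp" in rest:
        kind = "ike"
    elif "1701" in (sport, dport) or rest.startswith("l2tp"):
        kind = "l2tp-cleartext"  # L2TP visible on the wire: no IPsec SA
    else:
        kind = "other"
    return Packet(m["ts"], m["src"], m["dst"], kind, rest)

def find_cleartext_l2tp(capture: str, server_ip: str) -> List[Packet]:
    """L2TP packets the server sent outside any IPsec SA, e.g. a lost SCCRP."""
    pkts = (classify(line) for line in capture.splitlines())
    return [p for p in pkts if p and p.kind == "l2tp-cleartext" and p.src == server_ip]
```

Any hit here means the client's SCCRQ arrived through the tunnel but the reply was routed around it, so the state to inspect is the roadwarrior SA for 17/1701, not xl2tpd.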
