[Openswan Users] xl2tpd uses inactive mast0 interface

Sven Schiwek ml-openswan at svenux.de
Fri Nov 5 08:16:34 EDT 2010


Hi,

I have a problem with an l2tp connection.
I have a W-Lan router connected to the Openswan server (via eth2), and
Openswan is listening on eth3. When I initiate an l2tp connection from a
Windows 7 client via W-Lan, the ipsec connection is coming up (not the l2tp
part), but then I get this firewall log:

Nov  5 10:51:21 misc1 kernel: [7155469.839899] iptables: INPUT deny
IN=mast0 OUT=
MAC=00:25:90:04:3d:cb:00:24:d7:01:d4:b8:08:00:45:00:00:8c:04:fa:00:00:80:11:e3:16:c0:a8:46:70:d5:dd:75:5a:06:a5:06:a5:00:78:f3:4f:c8:02:00:70:00:00:00:00:00:00:00:00:80:08
SRC=192.168.70.112 DST=PUBLICIP LEN=140 TOS=0x00 PREC=0x00 TTL=128 ID=1274
PROTO=UDP SPT=1701 DPT=1701 LEN=120 MARK=0x80160000

Yea, this is the mast0 interface but I have not enabled the saref patch
(ipsec.conf -> protostack=klips) and (xl2tpd.conf -> ipsec saref = no) so
why do I have traffic to this (disabled but available) interface?
Openswan 2.6.31 is listening on the external interface 'eth3' - so I want
to establish a connection from wlan-'eth2' to 'eth3'-Openswan.

If that is of interest - the ipsec status of the XL2TP connection:

$> ipsec auto --status | grep XL2TP
000 "XL2TP":
PUBLICIP<PUBLICIP>[+S=C]:17/1701...%virtual[+S=C]:17/%any===?; unrouted;
eroute owner: #0
000 "XL2TP":     myip=unset; hisip=unset;
000 "XL2TP":   ike_life: 43200s; ipsec_life: 43200s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "XL2TP":   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+IKEv2ALLOW+lKOD+rKOD;
prio: 32,32; interface: eth3;
000 "XL2TP":   dpd: action:clear; delay:30; timeout:120;
000 "XL2TP":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "XL2TP"[11]:
PUBLICIP<PUBLICIP>[+S=C]:17/1701...192.168.70.112[+S=C]:17/1701; erouted;
eroute owner: #23
000 "XL2TP"[11]:     myip=unset; hisip=unset;
000 "XL2TP"[11]:   ike_life: 43200s; ipsec_life: 43200s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "XL2TP"[11]:   policy:
PSK+ENCRYPT+TUNNEL+DONTREKEY+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface:
eth3;
000 "XL2TP"[11]:   dpd: action:clear; delay:30; timeout:120;
000 "XL2TP"[11]:   newest ISAKMP SA: #22; newest IPsec SA: #23;
000 "XL2TP"[11]:   IKE algorithm newest: AES_CBC_256-SHA1-MODP2048
000 #23: "XL2TP"[11] 192.168.70.112:500 STATE_QUICK_R2 (IPsec SA
established); EVENT_SA_EXPIRE in 3590s; newest IPSEC; eroute owner;
isakmp#22; idle; import:not set
000 #23: "XL2TP"[11] 192.168.70.112 esp.224c4aca at 192.168.70.112
esp.bf2a21b5 at PUBLICIP ref=28 refhim=27
000 #22: "XL2TP"[11] 192.168.70.112:500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_EXPIRE in 28790s; newest ISAKMP; nodpd; idle;
import:not set



Btw. if I allow traffic on the (inactive) mast0 interface (no IP assigned),
I get these xl2tpd messages:

$> tail -f /var/log/syslog
Nov  5 11:54:15 misc1 xl2tpd[24410]: control_finish: Peer requested tunnel
11 twice, ignoring second one.
Nov  5 11:54:15 misc1 xl2tpd[24410]: Connection 11 closed to
192.168.70.112, port 1701 (Timeout)
Nov  5 11:54:20 misc1 xl2tpd[24410]: Unable to deliver closing message for
tunnel 1946. Destroying anyway.


Any help is greatly appreciated.
Sven
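The firewall line at the top of the post can be taken apart offline to see exactly what was dropped on mast0: its MAC= dump is 56 bytes long, well past a 14-byte Ethernet header (the LOG target copies as many bytes as the interface declares as its link-layer header length), and the extra bytes line up with the packet's own IPv4, UDP and L2TP headers (0x008c = 140 = LEN, 0x04fa = 1274 = ID, 0x80 = TTL 128, 0x11 = UDP, c0:a8:46:70 = SRC). The Python below is an added example, not code from the post or from Openswan/xl2tpd; it assumes the standard netfilter LOG line format, and its sample line is constructed from the post's line with the redacted public address replaced by the documentation address 192.0.2.1.

```python
import re
import struct

# Constructed sample: the post's firewall line joined onto one line; the redacted public
# destination is replaced by 192.0.2.1 (c0:00:02:01 in the MAC dump, DST= in the text).
SAMPLE = (
    "Nov  5 10:51:21 misc1 kernel: [7155469.839899] iptables: INPUT deny IN=mast0 OUT= "
    "MAC=00:25:90:04:3d:cb:00:24:d7:01:d4:b8:08:00:45:00:00:8c:04:fa:00:00:80:11:e3:16:"
    "c0:a8:46:70:c0:00:02:01:06:a5:06:a5:00:78:f3:4f:c8:02:00:70:00:00:00:00:00:00:00:00:80:08 "
    "SRC=192.168.70.112 DST=192.0.2.1 LEN=140 TOS=0x00 PREC=0x00 TTL=128 ID=1274 "
    "PROTO=UDP SPT=1701 DPT=1701 LEN=120 MARK=0x80160000"
)

def parse_fields(line):
    """KEY=VALUE tokens of a netfilter LOG line; the second LEN (UDP length) becomes ULEN."""
    fields = {}
    for key, value in re.findall(r"(\w+)=(\S*)", line):
        fields["ULEN" if key == "LEN" and "LEN" in fields else key] = value
    return fields

def decode_mac_dump(mac):
    """Ethernet header from the MAC= dump, plus the IPv4/UDP/L2TP headers when the dump runs that far."""
    raw = bytes.fromhex(mac.replace(":", ""))
    info = {"ethertype": struct.unpack("!H", raw[12:14])[0]}
    if info["ethertype"] != 0x0800 or len(raw) < 34:
        return info                            # not IPv4, or only the 14 Ethernet bytes
    vihl, _, tot_len, ident, _, ttl, proto, _ = struct.unpack("!BBHHHBBH", raw[14:26])
    info.update(ip_len=tot_len, ip_id=ident, ttl=ttl, proto=proto,
                src=".".join(map(str, raw[26:30])), dst=".".join(map(str, raw[30:34])))
    udp = 14 + (vihl & 0x0F) * 4               # IHL is in 32-bit words
    if proto != 17 or len(raw) < udp + 8:
        return info
    sport, dport, ulen, _ = struct.unpack("!HHHH", raw[udp:udp + 8])
    info.update(sport=sport, dport=dport, udp_len=ulen)
    l2 = udp + 8
    if 1701 in (sport, dport) and len(raw) >= l2 + 12:
        flags, length, tid, sid, ns, nr = struct.unpack("!HHHHHH", raw[l2:l2 + 12])
        if flags & 0x8000:                     # T bit: L2TP control message (L and S always set)
            info["l2tp"] = dict(version=flags & 0xF, length=length, tunnel=tid,
                                session=sid, ns=ns, nr=nr)
    return info

def analyse(line, expected_ifaces=("eth3",)):
    """Cross-check the decoded headers against the text fields and flag an unexpected ingress interface."""
    f = parse_fields(line)
    hdr = decode_mac_dump(f["MAC"])
    consistent = (hdr.get("ip_len") == int(f["LEN"]) and hdr.get("ip_id") == int(f["ID"])
                  and hdr.get("ttl") == int(f["TTL"]) and hdr.get("src") == f["SRC"]
                  and hdr.get("dst") == f["DST"] and hdr.get("udp_len") == int(f["ULEN"]))
    return {"iface": f["IN"], "unexpected_iface": f["IN"] not in expected_ifaces,
            "mark": int(f["MARK"], 16), "consistent": consistent, "l2tp": hdr.get("l2tp")}
```

For the sample line the decoded L2TP header is a control message with tunnel and session id 0 and Ns = Nr = 0, i.e. the initial control-connection request, and it arrived on mast0 rather than eth3.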



