[Openswan Users] xl2tpd uses inactive mast0 interface
Sven Schiwek
ml-openswan at svenux.de
Tue Nov 23 08:08:11 EST 2010
Hi Paul,
thanks for the information.
If I remove the interface and initiate an xl2tp connection, the ipsec
tunnel opens correctly but then the kernel crashes and the system freezes.
I'll try to catch the panic next time - I'm working on a live system where
I cannot reboot every time I want... :-)
Let me present my network configuration with some more details:
I have a Linux system which is our default gateway to the internet and
which also acts as a router to some other networks:
- eth0 (192.168.50.1/23) - Office LAN
- eth1 (192.168.60.1/24) - VoIP LAN (irrelevant for us)
- eth2 (192.168.70.1/24) - Guest LAN (Full NAT to the internet)
- eth3 (1.2.3.4/29) - Internet
Openswan is listening on eth3, xl2tpd is listening on all interfaces.
If I try to establish an xl2tp connection out of the "Guest LAN" to
Openswan, the described problem occurs.
If I initiate an xl2tp session out of the internet the configuration is
working fine and the tunnel comes up.
So I believe the problem is the internal routing between eth2 and eth3.
I'll try to repeat the problem within a virtual machine - then I can do
some more debugging.
Well, at least some version information:
Kernel: 2.6.32
Openswan: 2.6.32dr4
xl2tpd: 1.2.6
=== ipsec.conf ===
version 2.0

config setup
	interfaces="ipsec0=eth3"
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
	oe=off
	plutowait=yes
	nhelpers=0
	klipsdebug=none
	plutodebug=none
	uniqueids=yes
	dumpdir=/tmp/
	protostack=klips

conn XL2TP
	compress=no
	authby=secret
	pfs=no
	forceencaps=no
	ikelifetime=12h
	keylife=12h
	rekey=no
	left=1.2.3.4
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/%any
	auto=add
	dpddelay=30
	dpdtimeout=120
	dpdaction=clear

=== xl2tpd.conf ===
[lns default]
ip range = 192.168.50.2-192.168.50.254
local ip = 192.168.50.254
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
flow bit = yes
Regards,
Sven
On 11/19/2010 11:28 AM, Paul Wouters wrote:
> On Fri, 12 Nov 2010, Paul Wouters wrote:
>
>>> I have done some more tests but I found no way to remove the mast0
>>> interface.
>
>
> ipsec tncfg --delete mast0
>
> I've just added some code that removes mast0 on protostack=klips and that
> removes ipsecX on protostack=mast (though currently ipsec0 cannot be
> deleted)
>
> We will add module init parameters that will allow us to modprobe ipsec using
> klips=X and mast=X to ensure unwanted interfaces will not appear.
>
> Paul
>
>