[Openswan Users] xl2tpd not responding - why?
ttelford.groups at gmail.com
Tue Sep 7 19:17:46 EDT 2010
On 2010-09-07 17:04:02 -0600, Paul Wouters said:
> On Tue, 7 Sep 2010, Troy Telford wrote:
>>>> Not sure if it will make a difference, but I have an "ipsec saref =
>>>> yes" in my xl2tpd.conf file. That helps xl2tpd to work with NATted
>>>> IPsec clients if I remember correctly.
>>> You MUST use an saref patched kernel if setting that option, or else
>>> all your packets will fail.
>> If I read the documentation correctly, ipsec saref only works if you're
>> using Openswan KLIPS. I've been using NETKEY.
> That's right; you need to use klips with protostack=mast
>> Part of me is wondering how much pain I'm inflicting on myself by using
>> NETKEY... but I'm seeing the "IPsec SA established transport mode"
>> message, so I'm thinking that the IPsec portion is working properly...
> Yes, that part is working. Be sure you are on 2.6.x and not 2.4.x though.
I have something working properly! That makes me feel pretty good, and
I know what I need to focus on.
>> Would switching from NETKEY to KLIPS have any real effect on the
>> problems I've been seeing?
> No, it should still work fine with netkey too. Except debugging is slightly
> easier because you can tcpdump the ipsecX interface.
May be worth a try; with Debian (and presumably Ubuntu), it seems that
it's easy enough to make a kernel that supports both NETKEY and KLIPS -
there's even a nice README on patching ipsec saref.
By the way, Paul - the Openswan book was great - the openssl usage
section(s) alone were worth the cost.
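The combination Paul warns about above (ipsec saref = yes in xl2tpd.conf without a MAST/KLIPS stack in ipsec.conf) is easy to check for before restarting daemons. The script below is an added example, not code from this thread or from the Openswan or xl2tpd projects: it parses the two option spellings the thread mentions, "ipsec saref" in the [global] section of an xl2tpd.conf and "protostack" in the config setup section of an ipsec.conf, and flags the mismatch. The sample configuration texts are constructed for the example; the helper names and the rule "saref needs protostack=mast" (taken from Paul's reply) are this example's assumptions.

```shell
#!/bin/sh
# Added example: consistency check between xl2tpd.conf "ipsec saref" and
# ipsec.conf "protostack". Functions read the config text on stdin.

# Print the value of "ipsec saref" from the [global] section (lowercased),
# or "no" when the option is absent (treated as the default here).
xl2tpd_saref() {
    awk -F= '
        /^[[:space:]]*\[/ { sect = $0; gsub(/[[:space:]]/, "", sect) }
        sect == "[global]" && $1 ~ /^[[:space:]]*ipsec[[:space:]]+saref[[:space:]]*$/ {
            v = $2; gsub(/[[:space:]]/, "", v); print tolower(v); found = 1; exit
        }
        END { if (!found) print "no" }
    '
}

# Print the value of "protostack=" (lowercased, trailing comment stripped),
# or "unset" when the option is absent.
ipsec_protostack() {
    awk '
        /^[[:space:]]*protostack[[:space:]]*=/ {
            v = $0
            sub(/^[[:space:]]*protostack[[:space:]]*=[[:space:]]*/, "", v)
            sub(/[[:space:]]*(#.*)?$/, "", v)
            print tolower(v); found = 1; exit
        }
        END { if (!found) print "unset" }
    '
}

# check_saref XL2TPD_CONF_TEXT IPSEC_CONF_TEXT
# Returns 0 when consistent, 1 when saref=yes is paired with a stack other
# than mast (the case Paul says makes "all your packets fail").
check_saref() {
    saref=$(printf '%s\n' "$1" | xl2tpd_saref)
    stack=$(printf '%s\n' "$2" | ipsec_protostack)
    if [ "$saref" = "yes" ] && [ "$stack" != "mast" ]; then
        echo "MISMATCH: ipsec saref=yes but protostack=$stack (needs an SAref-patched kernel and protostack=mast)"
        return 1
    fi
    echo "OK: ipsec saref=$saref, protostack=$stack"
    return 0
}

# Constructed sample configs (not real deployments).
XL2TPD_BAD=$(cat <<'EOF'
[global]
listen-addr = 192.0.2.1
ipsec saref = yes

[lns default]
ip range = 10.0.1.2-10.0.1.254
local ip = 10.0.1.1
require chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/options.xl2tpd
EOF
)

# Corrected variant for a NETKEY host: saref stays off.
XL2TPD_GOOD=$(printf '%s\n' "$XL2TPD_BAD" | sed 's/^ipsec saref = yes$/ipsec saref = no/')

IPSEC_NETKEY=$(cat <<'EOF'
config setup
    protostack=netkey
    nat_traversal=yes

conn l2tp-psk
    type=transport
    authby=secret
    pfs=no
    left=192.0.2.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add
EOF
)

# Same policy on a MAST/KLIPS host, where saref=yes is the intended pairing.
IPSEC_MAST=$(printf '%s\n' "$IPSEC_NETKEY" | sed 's/^    protostack=netkey$/    protostack=mast   # SAref-patched kernel/')

check_saref "$XL2TPD_BAD" "$IPSEC_NETKEY" || :
check_saref "$XL2TPD_GOOD" "$IPSEC_NETKEY"
check_saref "$XL2TPD_BAD" "$IPSEC_MAST"
```

Run it against the real files with, for example, check_saref "$(cat /etc/xl2tpd/xl2tpd.conf)" "$(cat /etc/ipsec.conf)"; a MISMATCH line means either drop saref (as on the NETKEY host in this thread) or move to an SAref-patched kernel with protostack=mast.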