[Openswan Users] xl2tpd not responding - why?

Troy Telford ttelford.groups at gmail.com
Tue Sep 7 19:17:46 EDT 2010

On 2010-09-07 17:04:02 -0600, Paul Wouters said:

> On Tue, 7 Sep 2010, Troy Telford wrote:
>>>> Not sure if it will make a difference, but I have an "ipsec saref =
>>>> yes" in my xl2tpd.conf file.  That helps xl2tpd to work with NATted
>>>> IPsec clients if I remember correctly.
>>> You MUST use an saref patched kernel if setting that option, or else
>>> all your packets will fail.
>> If I read the documentation correctly, ipsec saref only works if you're
>> using Openswan KLIPS.  I've been using NETKEY.
> That's right, you need to use klips with protostack=mast
>> Part of me is wondering how much pain I'm inflicting on myself by using
>> NETKEY... but I'm seeing the  "IPsec SA established transport mode"
>> message, so I'm thinking that the IPsec portion is working properly...
> Yes, that part is working. Be sure you are on 2.6.x and not 2.4.x though.

I have something working properly!  That makes me feel pretty good, and 
I know what I need to focus on.

>> Would switching from NETKEY to KLIPS have any real effect on the
>> problems I've been seeing?
> No, it should still work fine with netkey too. Except debugging is slightly
> easier because you can tcpdump the ipsecX interface.

May be worth a try; with Debian (and presumably ubuntu), it seems that 
it's easy enough to make a kernel that supports both NETKEY or KLIPS - 
there's even a nice README on patching ipsec saref.

By the way, Paul - the Openswan book was great - the openssl usage 
section(s) alone were worth the cost.
Troy Telford

More information about the Users mailing list