[Openswan Users] Fwd: Openswan - xl2tpd : can resolve , ping sites but can't browse them !

Vincent Tamet vincent.tamet at ilimit.net
Fri Apr 1 07:17:01 EDT 2011


Hi,
I am sending your answer to the list, so that all the users can know/use the solution you used.
Best regards.

----- Forwarded mail -----
From: "Taekwondo AQR" <taekwondoaqr at gmail.com>
To: "Vincent Tamet" <vincent.tamet at ilimit.net>
Sent: Friday 1 April 2011 07:19:52
Subject: Re: [Openswan Users] Openswan - xl2tpd : can resolve , ping sites but can't browse them !


Hello all!

Thank you everyone for helping!
I have solved the problem by setting mru and mtu to 1280.
http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients.html 

Thanks again ! 


On 30 March 2011 20:55, Vincent Tamet < vincent.tamet at ilimit.net > wrote: 


Okay.

You could test the MTU with: "ping -c 2 -s 1472 74.125.225.19". I already checked that this server is OK regarding MTU.
If you get something like "Frag needed and DF set (mtu = 1446)", PMTU will work correctly, so you can check it with "ip route show table cache".
If you don't get any answer, you need to search for the right -s, for example 1300 then 1400 (if it works with 1300 but not with 1400, test with 1350...).

On the other hand, could you test this?
$ telnet 74.125.225.19 80 
Trying 74.125.225.19... 
Connected to 74.125.225.19. 
Escape character is '^]'. 

Then type "get" and press the return key twice; I get this:


HTTP/1.0 400 Bad Request 
Content-Type: text/html; charset=UTF-8 
Content-Length: 1350 
Date: Wed, 30 Mar 2011 16:18:14 GMT 



Server: GFE/2.0 



<html><head> 
<meta http-equiv="content-type" content="text/html;charset=utf-8"> 
<title>400 Bad Request</title> 
<style><!-- 
body {font-family: arial,sans-serif} 
div.nav {margin-top: 1ex} 
div.nav A {font-size: 10pt; font-family: arial,sans-serif} 
span.nav {font-size: 10pt; font-family: arial,sans-serif; font-weight: bold} 
div.nav A,span.big {font-size: 12pt; color: #0000cc} 
div.nav A {font-size: 10pt; color: black} 
A.l:link {color: #6f6f6f} 
A.u:link {color: green} 
//--></style> 
<script><!-- 
var rc=400; 
//--> 
</script> 
</head> 
<body text=#000000 bgcolor=#ffffff> 
<table border=0 cellpadding=2 cellspacing=0 width=100%><tr><td rowspan=3 width=1% nowrap> 
<b><font face=times color=#0039b6 size=10>G</font><font face=times color=#c41200 size=10>o</font><font face=times color=#f3c518 size=10>o</font><font face=times color=#0039b6 size=10>g</font><font face=times color=#30a72f size=10>l</font><font face=times color=#c41200 size=10>e</font>&nbsp;&nbsp;</b> 
<td>&nbsp;</td></tr> 
<tr><td bgcolor="#3366cc"><font face=arial,sans-serif color="#ffffff"><b>Error</b></td></tr> 
<tr><td>&nbsp;</td></tr></table> 
<blockquote> 
<H1>Bad Request</H1> 
Your client has issued a malformed or illegal request. 

<p> 
</blockquote> 
<table width=100% cellpadding=0 cellspacing=0><tr><td bgcolor="#3366cc"><img alt="" width=1 height=4></td></tr></table> 
</body></html> 
Connection closed by foreign host. 


----- Original mail -----
From: "Taekwondo AQR" < taekwondoaqr at gmail.com >
To: "Vincent Tamet" < vincent.tamet at ilimit.net >
Sent: Wednesday 30 March 2011 18:14:51

Subject: Re: [Openswan Users] Openswan - xl2tpd : can resolve , ping sites but can't browse them !


Hello, 


Hmm, OK. I am going to use tcpdump. Should I use this tool on the client or the server?

Could you please explain more about MTU (Maximum Transmission Unit?) and how to check / change it?

Here is the traceroute when I connected using l2tp (ping works but no browsing):
1 318 ms 315 ms 314 ms 10.1.2.1 
2 316 ms 315 ms 313 ms 173.124.215.219 
3 314 ms 315 ms 314 ms g4-8.c10g-core-2.xlhost.com [206.222.25.229] 
4 317 ms 314 ms 314 ms ten1-1-0.edge-beta.xlhost.com [206.222.25.133] 
5 327 ms 327 ms 326 ms 206.223.119.21 
6 326 ms 328 ms 328 ms 72.14.236.176 
7 327 ms 328 ms 326 ms 64.233.174.173 
8 326 ms 328 ms 328 ms 74.125.225.19 

And here is the traceroute when I connect using pptpd, which works fine:
1 315 ms 312 ms * 192.168.88.1 
2 318 ms 319 ms 320 ms 173.124.215.219 
3 318 ms 318 ms 318 ms g4-8.c10g-core-2.xlhost.com [206.222.25.229] 
4 318 ms 319 ms * ten1-1-0.edge-beta.xlhost.com [206.222.25.133] 
5 329 ms 331 ms 365 ms 206.223.119.21 
6 331 ms 331 ms 330 ms 72.14.236.176 
7 332 ms 331 ms 331 ms 64.233.174.173 
8 330 ms 330 ms 331 ms 74.125.225.19 



Best regards 


On 30 March 2011 16:31, Vincent Tamet < vincent.tamet at ilimit.net > wrote: 


You should use tcpdump to find where the packet arrives and where it does not; this will help you.
Do you have a Linux box to do a traceroute or an mtr?


----- Original mail -----
From: "Taekwondo AQR" < taekwondoaqr at gmail.com >
To: "Vincent Tamet" < vincent.tamet at ilimit.net >
Sent: Wednesday 30 March 2011 13:31:11

Subject: Re: [Openswan Users] Openswan - xl2tpd : can resolve , ping sites but can't browse them !


Hello, 

I tried 'telnet 209.85.229.99 80' and "get", but it returns nothing and stays in waiting mode, like Firefox.
:( 





On 30 March 2011 15:34, Vincent Tamet < vincent.tamet at ilimit.net > wrote: 


Look for an IP of www.google.com:
host www.google.fr 
www.google.fr is an alias for www.google.com . 
www.google.com is an alias for www.l.google.com . 
www.l.google.com has address 209.85.229.147 
www.l.google.com has address 209.85.229.99 
www.l.google.com has address 209.85.229.104 

Could you try this:
telnet 209.85.229.99 80
then type "get", press the return key twice, and post me the result, if you get one.

PS: here is a normal test
Trying 209.85.229.99... 
Connected to 209.85.229.99. 
Escape character is '^]'. 
get 
HTTP/1.0 400 Bad Request 
Content-Type: text/html; charset=UTF-8 
Content-Length: 1350 
Date: Wed, 30 Mar 2011 11:02:15 GMT 
Server: GFE/2.0 



<html><head> 
<meta http-equiv="content-type" content="text/html;charset=utf-8"> 
<title>400 Bad Request</title> 
<style><!-- 
body {font-family: arial,sans-serif} 
div.nav {margin-top: 1ex} 
div.nav A {font-size: 10pt; font-family: arial,sans-serif} 
span.nav {font-size: 10pt; font-family: arial,sans-serif; font-weight: bold} 
div.nav A,span.big {font-size: 12pt; color: #0000cc} 
div.nav A {font-size: 10pt; color: black} 
A.l:link {color: #6f6f6f} 
A.u:link {color: green} 
//--></style> 
<script><!-- 
var rc=400; 
//--> 
</script> 
</head> 
<body text=#000000 bgcolor=#ffffff> 
<table border=0 cellpadding=2 cellspacing=0 width=100%><tr><td rowspan=3 width=1% nowrap> 
<b><font face=times color=#0039b6 size=10>G</font><font face=times color=#c41200 size=10>o</font><font face=times color=#f3c518 size=10>o</font><font face=times color=#0039b6 size=10>g</font><font face=times color=#30a72f size=10>l</font><font face=times color=#c41200 size=10>e</font>&nbsp;&nbsp;</b> 
<td>&nbsp;</td></tr> 
<tr><td bgcolor="#3366cc"><font face=arial,sans-serif color="#ffffff"><b>Error</b></td></tr> 
<tr><td>&nbsp;</td></tr></table> 
<blockquote> 
<H1>Bad Request</H1> 
Your client has issued a malformed or illegal request. 

<p> 
</blockquote> 
<table width=100% cellpadding=0 cellspacing=0><tr><td bgcolor="#3366cc"><img alt="" width=1 height=4></td></tr></table> 
</body></html> 
Connection closed by foreign host. 



----- Original mail -----
From: "Taekwondo AQR" < taekwondoaqr at gmail.com >
To: "Vincent Tamet" < vincent.tamet at ilimit.net >
Sent: Wednesday 30 March 2011 13:01:11

Subject: Re: [Openswan Users] Openswan - xl2tpd : can resolve , ping sites but can't browse them !


Hello, 

Thank you for your replies. 
Yes, IP forwarding is enabled! I can use a PPTPD VPN connection without any problem.
Also:

iptables -t nat -L shows this:
MASQUERADE all -- anywhere anywhere 

Thanks again ! 


On 30 March 2011 15:24, Vincent Tamet < vincent.tamet at ilimit.net > wrote: 


If ping works, I think IP forwarding is set already, don't you think?

----- Original mail -----
From: "Lance Garcia" < lgarcia at mandalorian.com >
To: "Taekwondo AQR" < taekwondoaqr at gmail.com >, users at openswan.org
Sent: Wednesday 30 March 2011 12:53:12
Subject: Re: [Openswan Users] Openswan - xl2tpd : can resolve , ping sites but can't browse them !





Have you tried enabling IP forwarding on the VPN server? 


On 30 March 2011 11:34, Vincent Tamet < vincent.tamet at ilimit.net > wrote: 


Hi,
Looks like an MTU problem.
Could you probe with ping using a bigger size to confirm this?

Next step, you need to check that your firewall accepts the ICMP unreachable packets, so that PMTU will work and solve the problem.
About the solution to use, I think this is the best way; another solution could be to change the MSS size...

Best regards. 


----- Original mail -----
From: "Taekwondo AQR" < taekwondoaqr at gmail.com >
To: users at openswan.org
Sent: Wednesday 30 March 2011 11:57:30
Subject: [Openswan Users] Openswan - xl2tpd : can resolve , ping sites but can't browse them !






Hello, 

I have installed xl2tpd v1.2.7 (from the EPEL repo) and compiled Openswan 2.6.33 on CentOS 5.5 i686 with a 2.6.18 kernel (dedicated server in a datacenter).

Then I configured xl2tpd and openswan. Now I can connect from Windows XP / 7 to my server, and I can resolve and ping sites, but cannot browse them!

I think it is not related to DNS entries, as I can ping a hostname and it resolves to the IP and pings too. nslookup also works correctly.
But when I try to browse any site using Firefox, it stays on "Waiting for ..." status.

Here is my ipsec.conf : 
--------------------------------------- 
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=My.Server.IP.Address
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

--------------------------------------- 



And here the xl2tpd.conf : 
--------------------------------------- 
[global] 
ipsec saref = yes 

[lns default] 
ip range = 10.1.2.2-10.1.2.255 
local ip = 10.1.2.1 
refuse chap = yes 
refuse pap = yes 
require authentication = yes 
ppp debug = yes 
pppoptfile = /etc/ppp/options.xl2tpd 
length bit = yes 
--------------------------------------- 



And also here the options.xl2tpd : 
--------------------------------------- 
require-mschap-v2 
ms-dns 8.8.8.8 
ms-dns 8.8.4.4 
asyncmap 0 
auth 
crtscts 
lock 
hide-password 
modem 
debug 
name l2tpd 
proxyarp 
lcp-echo-interval 30 
lcp-echo-failure 4 
--------------------------------------- 



Last lines of /var/log/secure:
--------------------------------------- 
Mar 30 05:31:51 ea pluto[593]: "L2TP-PSK-NAT"[2] 84.241.x.y #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2 
Mar 30 05:31:51 ea pluto[593]: "L2TP-PSK-NAT"[2] 84.241.x.y #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x060e648e <0xd0d110d3 xfrm=3DES_0-HMAC_MD$ 
--------------------------------------- 


'ipsec verify' result:
--------------------------------------- 
Version check and ipsec on-path [OK] 
Linux Openswan U2.6.33/K2.6.18-194.32.1.el5 (netkey) 
Checking for IPsec support in kernel [OK] 
SAref kernel support [N/A] 
NETKEY: Testing XFRM related proc values [OK] 
[OK] 
[OK] 
Checking that pluto is running [OK] 
Pluto listening for IKE on udp 500 [OK] 
Pluto listening for NAT-T on udp 4500 [OK] 
Two or more interfaces found, checking IP forwarding [OK] 
Checking NAT and MASQUERADEing 
Checking for 'ip' command [OK] 
Checking /bin/sh is not /bin/dash [OK] 
Checking for 'iptables' command [OK] 
Opportunistic Encryption Support [DISABLED] 
--------------------------------------- 




It is also an interesting point that when I comment out "oe=off", I cannot connect using the Windows XP client.
I tested this on 2 dedicated servers and also 2 different clients.

Thank you. 

_______________________________________________ 
Users at openswan.org 
http://lists.openswan.org/mailman/listinfo/users 
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy 
Building and Integrating Virtual Private Networks with Openswan: 
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155 



--
Lance Garcia


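The MTU probing procedure Vincent describes in the thread (ping with a fixed payload size, narrow the size until replies come back, then fix the tunnel MTU or clamp the MSS), as an added example that is not part of the list thread or of Openswan/xl2tpd: a POSIX shell script that binary-searches the largest ICMP payload that still passes with the Don't-Fragment bit set, converts it to a path MTU and a TCP MSS, and prints the corresponding pppd mtu/mru lines and an iptables TCPMSS clamp rule. The target address is the one used in the thread; the `sim_probe` function, the `SIM_MAX_PAYLOAD` variable and the `--probe` flag are constructions for running it offline.

```shell
#!/bin/sh
# Added example, not from the Openswan list thread.
# Finds the largest ICMP echo payload that passes with DF set, then derives
# the path MTU and the TCP MSS a VPN server could clamp to.

TARGET="${TARGET:-74.125.225.19}"   # host used in the thread

# Real probe: one ping with DF set (Linux iputils: -M do), no fragmentation
# allowed. Succeeds only if a reply comes back for this payload size.
ping_probe() {
    ping -c 1 -W 2 -M do -s "$1" "$TARGET" >/dev/null 2>&1
}

# Simulated probe for offline runs (constructed): passes while the payload
# does not exceed SIM_MAX_PAYLOAD. 1418 bytes + 28 = the 1446 MTU from the thread.
sim_probe() {
    [ "$1" -le "${SIM_MAX_PAYLOAD:-1418}" ]
}

# find_max_payload PROBE LOW HIGH
# Binary search between a size that passes and one that fails; prints the
# largest passing payload. Fails if even LOW does not get through.
find_max_payload() {
    fmp_probe="$1"; fmp_lo="$2"; fmp_hi="$3"
    "$fmp_probe" "$fmp_lo" || { echo "even $fmp_lo bytes fail" >&2; return 1; }
    if "$fmp_probe" "$fmp_hi"; then echo "$fmp_hi"; return 0; fi
    while [ $((fmp_hi - fmp_lo)) -gt 1 ]; do
        fmp_mid=$(( (fmp_lo + fmp_hi) / 2 ))
        if "$fmp_probe" "$fmp_mid"; then fmp_lo=$fmp_mid; else fmp_hi=$fmp_mid; fi
    done
    echo "$fmp_lo"
}

# ICMP payload + 8 bytes ICMP header + 20 bytes IPv4 header = path MTU
payload_to_mtu() { echo $(( $1 + 28 )); }
# TCP MSS = MTU - 20 bytes IPv4 header - 20 bytes TCP header
mtu_to_mss() { echo $(( $1 - 40 )); }

# report PROBE: run the search and print what to configure.
report() {
    rp_probe="${1:-sim_probe}"
    rp_payload=$(find_max_payload "$rp_probe" 1000 1500) || return 1
    rp_mtu=$(payload_to_mtu "$rp_payload")
    rp_mss=$(mtu_to_mss "$rp_mtu")
    echo "largest DF payload: $rp_payload  path MTU: $rp_mtu  TCP MSS: $rp_mss"
    echo "pppd (e.g. /etc/ppp/options.xl2tpd), at most the measured MTU:"
    echo "  mtu $rp_mtu"
    echo "  mru $rp_mtu"
    echo "or clamp the MSS on the server instead:"
    echo "  iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $rp_mss"
}

# Usage: ./pmtu.sh --probe   (real pings to TARGET)
#        ./pmtu.sh           (offline simulation)
if [ "${1:-}" = "--probe" ]; then report ping_probe; else report sim_probe; fi
```

With `--probe` the script needs ICMP echo replies and "Frag needed" messages to reach the probing host, which is the same firewall requirement Vincent points out for PMTU discovery; if the firewall drops those, every size above the bottleneck simply times out and the search still converges, only more slowly.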