[Openswan Users] xl2tpd not working without listen-address

Toby Chamberlain tjchamberlain at hotmail.com
Mon Feb 21 19:15:16 EST 2011


Hi,

I have an openswan server with a number of public IPs and am trying to set 
up xl2tpd on it. I can get it to work but *only* if I bind xl2tpd to a 
specific IP with listen-address... if I leave it listening on all IPs, xl2tpd 
sends all its replies from the internal IP and I get lots of "peer requested 
tunnel xxx twice" errors in the log (and the client cannot connect).

We would like to be able to access the LAN remotely if any particular 
interface goes down, so having xl2tpd limited to one interface is not ideal. 
Is this a limitation of xl2tpd or is it an issue with my particular setup?

With listen-address:
Feb 22 10:14:33 mitchell xl2tpd[9728]: Listening on IP address 165.x.x.x, port 1701
Feb 22 10:15:25 mitchell xl2tpd[9728]: Connection established to 60.x.x.x, 1701.  Local: 58648, Remote: 8 (ref=0/0).  LNS session is 'default'
Feb 22 10:15:25 mitchell xl2tpd[9728]: start_pppd: I'm running:
Feb 22 10:15:25 mitchell xl2tpd[9728]: "/usr/sbin/pppd"
Feb 22 10:15:25 mitchell xl2tpd[9728]: "passive"
etc.
Feb 22 10:15:25 mitchell xl2tpd[9728]: Call established with 60.x.x.x, Local: 48449, Remote: 1, Serial: 0

Without listen-address:
Feb 22 09:57:47 mitchell xl2tpd[6814]: Listening on IP address 0.0.0.0, port 1701
Feb 22 09:58:41 mitchell xl2tpd[6814]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Feb 22 09:58:42 mitchell xl2tpd[6814]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Feb 22 09:58:46 mitchell xl2tpd[6814]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Feb 22 09:58:46 mitchell xl2tpd[6814]: Maximum retries exceeded for tunnel 50454.  Closing.

A stack trace without listen-address shows the server sending (unencrypted) 
l2f packets out from the internal IP:
# tcpdump -ni eth1 port 1701
10:10:30.035964 IP 172.16.2.1.1701 > 60-x-x-x.1701: l2tp:[TLS](6/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() *FIRM_VER(1680) *HOST_NAME(mitchell) *VENDOR_NAME(xelerance.com) *ASSND_TUN_ID(19653) *RECV_WIN_SIZE(4)
10:10:31.036989 IP 172.16.2.1.1701 > 60-x-x-x.1701: l2tp:[TLS](6/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() *FIRM_VER(1680) *HOST_NAME(mitchell) *VENDOR_NAME(xelerance.com) *ASSND_TUN_ID(19653) *RECV_WIN_SIZE(4)
10:10:32.038012 IP 172.16.2.1.1701 > 60-x-x-x.1701: l2tp:[TLS](6/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() *FIRM_VER(1680) *HOST_NAME(mitchell) *VENDOR_NAME(xelerance.com) *ASSND_TUN_ID(19653) *RECV_WIN_SIZE(4)
10:10:33.039036 IP 172.16.2.1.1701 > 60-x-x-x.1701: l2tp:[TLS](6/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() *FIRM_VER(1680) *HOST_NAME(mitchell) *VENDOR_NAME(xelerance.com) *ASSND_TUN_ID(19653) *RECV_WIN_SIZE(4)
10:10:34.040052 IP 172.16.2.1.1701 > 60-x-x-x.1701: l2tp:[TLS](6/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() *FIRM_VER(1680) *HOST_NAME(mitchell) *VENDOR_NAME(xelerance.com) *ASSND_TUN_ID(19653) *RECV_WIN_SIZE(4)

I am using Debian squeeze: xl2tpd-1.2.6 and openswan 2.6.28

Toby
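As an added example (this is not from the original post, from Toby, or from xl2tpd itself), the script below turns the diagnosis in the post into repeatable checks over a `tcpdump` capture and an xl2tpd log: it pairs each peer's SCCRQ with the SCCRP sent back and flags replies whose source address is not the address the request arrived on, counts retransmitted control messages, lists replies that leave a private address for a public peer, and tallies the "Peer requested tunnel N twice" log lines. The capture and log text are constructed to mirror the post's output; the addresses 60.1.2.3 (peer) and 165.1.2.3 (public listener) are placeholders, and the AVP list is abbreviated.

```python
"""Diagnose L2TP control replies sent from the wrong local address.

Added example, not part of the original post or of xl2tpd. Sample capture and
log lines below are constructed; 60.1.2.3 and 165.1.2.3 are placeholder
addresses standing in for the post's 60.x.x.x and 165.x.x.x.
"""
import ipaddress
import re
from collections import Counter

# Constructed 'tcpdump -ni eth1 port 1701' output: the peer sends SCCRQ to the
# public listener, the server answers SCCRP from its internal address.
SAMPLE_CAPTURE = """\
10:10:29.900000 IP 60.1.2.3.1701 > 165.1.2.3.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *HOST_NAME(client) *ASSND_TUN_ID(13) *RECV_WIN_SIZE(4)
10:10:30.035964 IP 172.16.2.1.1701 > 60.1.2.3.1701: l2tp:[TLS](6/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *HOST_NAME(mitchell) *ASSND_TUN_ID(19653) *RECV_WIN_SIZE(4)
10:10:30.900000 IP 60.1.2.3.1701 > 165.1.2.3.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *HOST_NAME(client) *ASSND_TUN_ID(13) *RECV_WIN_SIZE(4)
10:10:31.036989 IP 172.16.2.1.1701 > 60.1.2.3.1701: l2tp:[TLS](6/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *HOST_NAME(mitchell) *ASSND_TUN_ID(19653) *RECV_WIN_SIZE(4)
10:10:32.038012 IP 172.16.2.1.1701 > 60.1.2.3.1701: l2tp:[TLS](6/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *HOST_NAME(mitchell) *ASSND_TUN_ID(19653) *RECV_WIN_SIZE(4)
"""

# Constructed xl2tpd syslog lines shaped like the post's "without listen-address" log.
SAMPLE_LOG = """\
Feb 22 09:58:41 mitchell xl2tpd[6814]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Feb 22 09:58:42 mitchell xl2tpd[6814]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Feb 22 09:58:46 mitchell xl2tpd[6814]: control_finish: Peer requested tunnel 13 twice, ignoring second one.
Feb 22 09:58:46 mitchell xl2tpd[6814]: Maximum retries exceeded for tunnel 50454.  Closing.
"""

# One tcpdump line: timestamp, src.port > dst.port, then the decoded l2tp control header and AVPs.
PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): l2tp:\S*?Ns=(?P<ns>\d+),Nr=(?P<nr>\d+) (?P<avps>.*)$"
)
AVP_RE = re.compile(r"\*(\w+)\(([^)]*)\)")      # *NAME(value) pairs as tcpdump prints them
TWICE_RE = re.compile(r"Peer requested tunnel (\d+) twice")


def parse_capture(text):
    """Parse tcpdump l2tp lines into dicts; lines that are not l2tp control packets are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        avps = dict(AVP_RE.findall(m["avps"]))
        pkts.append({
            "ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "ns": int(m["ns"]), "nr": int(m["nr"]),
            "msgtype": avps.get("MSGTYPE"), "tunnel": avps.get("ASSND_TUN_ID"),
        })
    return pkts


def misaddressed_replies(pkts):
    """Return (peer, expected_src, actual_src) for each SCCRP whose source address
    differs from the address that peer's SCCRQ was sent to.  A peer keys the
    control connection on the 5-tuple it used, so such a reply is never matched."""
    expected = {p["src"]: p["dst"] for p in pkts if p["msgtype"] == "SCCRQ"}
    return [
        (p["dst"], expected[p["dst"]], p["src"])
        for p in pkts
        if p["msgtype"] == "SCCRP" and p["dst"] in expected and expected[p["dst"]] != p["src"]
    ]


def retransmissions(pkts):
    """Count identical control messages (endpoints, type, Ns).  A count above 1
    means the sender never saw an acknowledgement and is retrying."""
    return Counter((p["src"], p["dst"], p["msgtype"], p["ns"]) for p in pkts)


def private_to_public(pkts):
    """Packets leaving an RFC 1918 source for a globally routable peer: the
    post's symptom of replies sourced from the internal interface address."""
    return [
        p for p in pkts
        if ipaddress.ip_address(p["src"]).is_private and ipaddress.ip_address(p["dst"]).is_global
    ]


def duplicate_tunnel_requests(log_text):
    """Tally 'Peer requested tunnel N twice' per tunnel id from an xl2tpd log."""
    return Counter(m.group(1) for m in TWICE_RE.finditer(log_text))


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for peer, want, got in misaddressed_replies(pkts):
        print(f"SCCRP to {peer} sent from {got}, but its SCCRQ arrived on {want}")
    for key, n in retransmissions(pkts).items():
        if n > 1:
            print(f"{key[2]} {key[0]} -> {key[1]} Ns={key[3]} sent {n} times")
    print(f"{len(private_to_public(pkts))} reply packets left a private address for a public peer")
    for tun, n in duplicate_tunnel_requests(SAMPLE_LOG).items():
        print(f"tunnel {tun}: peer retried its SCCRQ {n} times after the first")
```

Running it on a real capture is a matter of piping `tcpdump -ni eth1 port 1701` output into `parse_capture`; a non-empty result from `misaddressed_replies` alongside a rising `retransmissions` count is exactly the pattern of the post, and it points at source-address selection on the listening socket rather than at the peer.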

 


