[Openswan Users] XL2TP/iPhone don't work because of wrong route/ip for UDP/1701 answer packets

Wolfgang Nothdurft wolfgang at linogate.de
Tue Jan 18 11:27:00 EST 2011


Am 18.01.2011 15:52, schrieb Paul Wouters:
> On Tue, 18 Jan 2011, Wolfgang Nothdurft wrote:
> 
>> Now, for one or two weeks, it proposes that it is behind NAT (see
>> l2tp_iphone_new.txt), but sends the l2tp 1701/udp packets anyway with
>> the public IP through the IPsec tunnel. Because openswan only inserts a
>> route to the proposed local IP through the tunnel, the answer packets
>> were routed directly over the default route.
>>
>> The l2tpd gets only the repeatedly incoming request and logs:
>>
>> Jan 18 11:27:44 riab l2tpd[4229]: control_finish: Peer requested tunnel
>> 21 twice, ignoring second one.
> 
> Ohh. I did not realise that was the actual problem in these scenarios...
> 
>> Removing the rightsubnet parameter from the config lets the iPhone
>> connect, but then all other clients (Win7, etc.) who propose correctly
>> are left out.
> 
> Can you try with one conn without rightsubnet and one conn with
> rightsubnet=vhost:%priv
> (without the %no). I wonder if that's what is causing this?

OK. It worked with virtual_private set to the following:

virtual_private=%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24

leaving out 10.0.0.0/8 for the umts/iPhone subnet and 192.168.0.0/24 for
the local net.

And two connections:

conn l2tp_0-iPhone_1701_gw-gw_213.xxx.xxx.xxx-0.0.0.0_0
        also=l2tp_0-iPhone_1701
        right=%any
        auto=add
conn l2tp_0-iPhone_1701_gw-sn_xxx.xxx.xxx-0.0.0.0_0
        also=l2tp_0-iPhone_1701
        right=%any
        rightsubnet=vhost:%priv
        auto=add
conn l2tp_0-iPhone_1701
        also=l2tp_0-iPhone
        leftprotoport=17/1701
        rightprotoport=17/%any
conn l2tp_0-iPhone
        left=213.xxx.xxx.xxx
        authby=secret
        auth=esp
        pfs=no
        #forceencaps=yes
        disablearrivalcheck=no
        keyingtries=3
        rekey=no

But I need to load the connections in the correct order; if not, the
connection matches on gw-sn.

Jan 18 16:35:32 riab pluto[26871]: added connection description
"l2tp_0-iPhone_1701_gw-sn_213.xxx.xxx.xxx-0.0.0.0_0"
Jan 18 16:35:33 riab pluto[26871]: added connection description
"l2tp_0-iPhone_1701_gw-gw_213.xxx.xxx.xxx-0.0.0.0_0"

Also when I configure the 10.0.0.0/8 network in virtual_private, pluto
selects the wrong gw-sn connection.

But I need to test this setup with the Windows clients, because I think
there were also problems with pluto selecting the wrong connection when I
used a similar two-conn setup.

Wolfgang
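As an added illustration of why the virtual_private exclusions above steer the iPhone to the gw-gw conn (example code, not from Openswan or from this thread): a small Python model that parses the virtual_private value and applies the rule that a vhost:%priv match needs an address inside an allowed range and outside every excluded one. The select_conn() function is an assumption, a simplified picture of pluto's matching; the real daemon also depends on conn load order, as noted above.

```python
import ipaddress

# Constructed from the thread: the virtual_private that made the iPhone
# fall through to gw-gw, and the variant (with 10.0.0.0/8) that did not.
VP_WORKING = "%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24"
VP_BROKEN = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,"
             "%v4:192.168.0.0/16,%v4:!192.168.0.0/24")


def parse_virtual_private(value):
    """Split a virtual_private string into (allowed, excluded) IPv4 networks.

    Entries look like %v4:NET or %v4:!NET; the '!' form is an exclusion.
    Only the %v4 form used in this thread is modelled here.
    """
    allowed, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry.startswith("%v4:"):
            continue
        net = entry[len("%v4:"):]
        if net.startswith("!"):
            excluded.append(ipaddress.ip_network(net[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(net, strict=False))
    return allowed, excluded


def is_private_virtual_host(addr, value):
    """True if addr is usable as a vhost:%priv virtual address: it must lie
    in an allowed range and in none of the excluded ranges (exclusion wins)."""
    ip = ipaddress.ip_address(addr)
    allowed, excluded = parse_virtual_private(value)
    if any(ip in net for net in excluded):
        return False
    return any(ip in net for net in allowed)


def select_conn(proposed_addr, value):
    """Simplified model (assumption, not pluto's real matcher): a client whose
    proposed internal address passes vhost:%priv matches the gw-sn conn; any
    other proposal falls back to the gw-gw conn that has no rightsubnet."""
    return "gw-sn" if is_private_virtual_host(proposed_addr, value) else "gw-gw"


if __name__ == "__main__":
    # A UMTS client proposing a 10.x address behaves differently per config.
    for vp in (VP_WORKING, VP_BROKEN):
        print(vp, "->", select_conn("10.20.30.40", vp))
```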


