[Openswan Users] openswan 2.6.35rc1 and xl2tpd-1.3.0rc1 pre-releases - please test

Paul Wouters paul at xelerance.com
Sat Jul 23 10:59:28 EDT 2011


On Sat, 23 Jul 2011, Curu Wong wrote:

Thanks for the feedback Curu!

> I used to set up l2tp-ipsec tunnels using x509, and I thought that with PSK, only one connection can be up at the same time, so I used two connections xl2tp-gw1 and xl2tp-gw2 for
> test. In fact, I was wondering, if we cannot use PSK with multiple clients at the same time, how can Microsoft's vpn server accomplish that?

By having right=%any you can, except that all roadwarriors have to use the same PSK. You can work
around some of that with aggressive mode, but not when you want to use l2tp.

> But I have a suggestion, can we add the check of rp_filter to "ipsec verify" when running with klips/mast stack? Because that may help some newbies who can't/don't find a
> proper doc/guide for their initial config.

Yes, I'll add it. We used to just change it and therefore not bug the user, but I
think we might only do that for ipsecX and not mastX.

> the l2tp/ipsec gateway's internal IP 192.168.6.18 is not involved here!
> Then I change /etc/xl2tpd/xl2tpd.conf on centos, set
> listen-addr = S.S.S.S
> restart xl2tpd, then everything works fine, just like the ubuntu one.

Yeah, that's a bug in xl2tpd. It is not properly using the HAVE_UDPFROMTO code like openswan does, so it is not
using the source ip it received the packet on for reply packets when bound to ANY.

> One more thing, no matter with ubuntu or CentOS, there's always this error message whenever the ipsec service is restarted.
> I don't know if it matters:
> ====================================================
> Jul 23 11:27:34 tvpn pluto[13271]: ERROR: PF_KEY K_SADB_X_PLUMBIF response for configure_mast_device  included errno 17: File exists

We should probably suppress that error. It just means there is a mast0 interface already.

Paul
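An rp_filter check of the kind suggested above for hosts on the KLIPS/MAST stack, as an added example that is not openswan's own "ipsec verify" code. It assumes the sysctl tree under $SYSCTL_ROOT (default /proc/sys) and treats ipsecN/mastN as the KLIPS virtual interfaces; the kernel applies the larger of conf/all and conf/IFACE, so the check reports that effective value.

```shell
#!/bin/sh
# Added example, not openswan's own code: rp_filter check for KLIPS/MAST hosts.
# Assumption: the sysctl tree lives under $SYSCTL_ROOT (default /proc/sys),
# so the check can be pointed at a constructed directory for testing.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# rp_filter_value IFACE -> echoes the interface's rp_filter setting (0 if absent)
rp_filter_value() {
    f="$SYSCTL_ROOT/net/ipv4/conf/$1/rp_filter"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# effective_rp_filter IFACE -> max(conf/all, conf/IFACE), which is what the
# kernel actually uses for source validation on IFACE
effective_rp_filter() {
    a=$(rp_filter_value all); i=$(rp_filter_value "$1")
    if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi
}

# check_rp_filter -> one line per ipsecN/mastN interface. Strict mode (1)
# drops decrypted packets whose source address would route out another
# interface, so it is reported as FAIL. Returns 1 if any FAIL, else 0.
check_rp_filter() {
    rc=0
    for dir in "$SYSCTL_ROOT"/net/ipv4/conf/ipsec[0-9]* \
               "$SYSCTL_ROOT"/net/ipv4/conf/mast[0-9]*; do
        [ -d "$dir" ] || continue          # unmatched glob stays literal
        name=${dir##*/}
        v=$(effective_rp_filter "$name")
        case "$v" in
            0) echo "OK:   $name rp_filter=0" ;;
            2) echo "WARN: $name rp_filter=2 (loose mode)" ;;
            *) echo "FAIL: $name effective rp_filter=$v; set" \
                    "net.ipv4.conf.all.rp_filter and" \
                    "net.ipv4.conf.$name.rp_filter to 0"
               rc=1 ;;
        esac
    done
    return $rc
}

check_rp_filter
```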

