[Openswan Users] Openswan - xl2tpd : can resolve , ping sites but can't browse them !

Taekwondo AQR taekwondoaqr at gmail.com
Wed Mar 30 05:57:30 EDT 2011 

Hello,

I have installed xl2tpd v1.2.7 (from epel repo) and compiled OpenSwan 2.6.33
on centos 5.5 i686 with 2.6.18 kernel. ( dedicated server on datacenter )

Then configured xl2tpd and openswan. Now I can connect from windows xp / 7
to my server and also I can resolve and ping sites but can not browse them !

I think it is not related to DNS entries, as I can ping hostname and it
resolves to the IP and pings too. Nslookup also work correctly.
But when I try to browse any site using firefox it stays on "Waiting for
..." status.

Here is my ipsec.conf :
---------------------------------------
version 2.0
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        protostack=netkey

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        left=My.Server.IP.Address
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any

---------------------------------------



And here the xl2tpd.conf :
---------------------------------------
[global]
ipsec saref = yes

[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
---------------------------------------



And also here the options.xl2tpd :
---------------------------------------
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
---------------------------------------



last lines of /var/log/secure :
---------------------------------------
Mar 30 05:31:51 ea pluto[593]: "L2TP-PSK-NAT"[2] 84.241.x.y #2: transition
from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 30 05:31:51 ea pluto[593]: "L2TP-PSK-NAT"[2] 84.241.x.y #2:
STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x060e648e
<0xd0d110d3 xfrm=3DES_0-HMAC_MD$
---------------------------------------


'ipsec verify' result :
---------------------------------------
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.33/K2.6.18-194.32.1.el5 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
        [OK]
        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
---------------------------------------




It is also interesting point that when I comment "oe=off" , I can not
connect using windows xp client.
I tested this on 2 dedicated server and also 2 different clients .

Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20110330/8cde8141/attachment.html

More information about the Users mailing list