[Openswan Users] Openswan - xl2tpd : can resolve , ping sites but can't browse them !
Vincent Tamet
vincent.tamet at ilimit.net
Wed Mar 30 06:34:55 EDT 2011
Hi,
Looks like an MTU problem.
Could you probe with ping with a bigger size to confirm this?
Next step, you need to check that your firewall accepts the ICMP unreachable packets; that way PMTU will work and solve the problem.
About the solution to use, I think that is the best way; another solution could be to change the MSS size...
Best regards.
----- Original Message -----
From: "Taekwondo AQR" <taekwondoaqr at gmail.com>
To: users at openswan.org
Sent: Wednesday 30 March 2011 11:57:30
Subject: [Openswan Users] Openswan - xl2tpd : can resolve , ping sites but can't browse them !
Hello,
I have installed xl2tpd v1.2.7 (from the epel repo) and compiled OpenSwan 2.6.33 on CentOS 5.5 i686 with a 2.6.18 kernel (dedicated server in a datacenter).
Then I configured xl2tpd and openswan. Now I can connect from Windows XP / 7 to my server and I can also resolve and ping sites, but I cannot browse them!
I think it is not related to DNS entries, as I can ping a hostname and it resolves to the IP and pings too. Nslookup also works correctly.
But when I try to browse any site using Firefox it stays in the "Waiting for ..." status.
Here is my ipsec.conf:
---------------------------------------
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=My.Server.IP.Address
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
---------------------------------------
And here is the xl2tpd.conf:
---------------------------------------
[global]
ipsec saref = yes
[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
---------------------------------------
And here is the options.xl2tpd:
---------------------------------------
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
---------------------------------------
Last lines of /var/log/secure:
---------------------------------------
Mar 30 05:31:51 ea pluto[593]: "L2TP-PSK-NAT"[2] 84.241.x.y #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 30 05:31:51 ea pluto[593]: "L2TP-PSK-NAT"[2] 84.241.x.y #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x060e648e <0xd0d110d3 xfrm=3DES_0-HMAC_MD$
---------------------------------------
'ipsec verify' result:
---------------------------------------
Version check and ipsec on-path [OK]
Linux Openswan U2.6.33/K2.6.18-194.32.1.el5 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
---------------------------------------
It is also an interesting point that when I comment out "oe=off", I cannot connect using the Windows XP client.
I tested this on 2 dedicated servers and also 2 different clients.
Thank you.
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
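As an added example (not from Vincent or anyone in the thread), a small shell script for the Linux side of this setup that follows the diagnosis and the two fixes suggested in the reply: probe the path MTU with DF-bit pings, then print the iptables rules that admit ICMP "fragmentation needed" and clamp the TCP MSS. The interface name ppp0, the header-size arithmetic and the iptables rule shapes are my assumptions; run the probe from the server toward a client's tunnel address (the 10.1.2.x range in xl2tpd.conf).

```sh
#!/bin/sh
# Added example, not from the thread: MTU probe plus the two fixes Vincent
# suggests (accept ICMP fragmentation-needed so PMTU works, or clamp the MSS).
# Assumes Linux iputils ping and iptables; ppp0 is a constructed interface name.

# ICMP payload size that yields an IPv4 packet of exactly $1 bytes
# (20-byte IPv4 header + 8-byte ICMP header).
ping_payload_for_mtu() { echo $(( $1 - 28 )); }

# TCP MSS that fits in an MTU of $1 bytes (20-byte IPv4 + 20-byte TCP header).
mss_for_mtu() { echo $(( $1 - 40 )); }

# Largest MTU that passes with the DF bit set, found by bisection between
# $2 (assumed to work, default 576) and $3 (default 1500). Needs the network.
probe_pmtu() {
  target=$1; lo=${2:-576}; hi=${3:-1500}
  # Fast path: a full-size packet already gets through, no MTU problem here.
  if ping -c 1 -W 1 -M do -s "$(ping_payload_for_mtu "$hi")" "$target" >/dev/null 2>&1; then
    echo "$hi"; return 0
  fi
  while [ $((hi - lo)) -gt 1 ]; do
    mid=$(( (lo + hi) / 2 ))
    if ping -c 1 -W 1 -M do -s "$(ping_payload_for_mtu "$mid")" "$target" >/dev/null 2>&1; then
      lo=$mid            # still fits: path MTU is at least mid
    else
      hi=$mid            # too big or blackholed: path MTU is below mid
    fi
  done
  echo "$lo"
}

# Print (do not run) the iptables rules for a path MTU of $1 on interface $2:
# clamp the MSS of SYNs leaving through the tunnel, and let ICMP
# fragmentation-needed messages in so PMTU discovery can work end to end.
mss_clamp_rules() {
  mtu=$1; iface=${2:-ppp+}
  mss=$(mss_for_mtu "$mtu")
  echo "iptables -t mangle -A FORWARD -o $iface -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
  echo "iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT"
  echo "iptables -A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT"
}

# Usage: ./mtu-check.sh <client-tunnel-ip> [iface]; without arguments nothing is probed.
if [ -n "${1:-}" ]; then
  pmtu=$(probe_pmtu "$1")
  echo "path MTU to $1: $pmtu"
  mss_clamp_rules "$pmtu" "${2:-ppp0}"
fi
```

The rules are printed rather than applied so they can be reviewed against the existing firewall first; `--clamp-mss-to-pmtu` is an alternative to a fixed `--set-mss` once ICMP is no longer filtered.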