[Openswan Users] Openswan - xl2tpd : can resolve , ping sites but can't browse them !
Lance Garcia
lgarcia at mandalorian.com
Wed Mar 30 06:53:12 EDT 2011
Have you tried enabling IP forwarding on the VPN server?
On 30 March 2011 11:34, Vincent Tamet <vincent.tamet at ilimit.net> wrote:
> Hi,
> Looks like an MTU problem.
> Could you probe with a bigger ping size to confirm this?
>
> Next, you need to check that your firewall accepts the ICMP unreachable
> packets, so that PMTU discovery will work and solve the problem.
> About which solution to use, I think that is the best way; another option
> could be to change the MSS size...
>
> Best regards.
>
>
> ----- Original Message -----
> From: "Taekwondo AQR" <taekwondoaqr at gmail.com>
> To: users at openswan.org
> Sent: Wednesday 30 March 2011 11:57:30
> Subject: [Openswan Users] Openswan - xl2tpd : can resolve , ping sites
> but can't browse them !
>
> Hello,
>
> I have installed xl2tpd v1.2.7 (from the EPEL repo) and compiled Openswan
> 2.6.33 on CentOS 5.5 i686 with a 2.6.18 kernel (dedicated server in a
> datacenter).
>
> Then I configured xl2tpd and Openswan. Now I can connect from Windows XP / 7
> to my server, and I can also resolve and ping sites, but I cannot browse them!
>
> I think it is not related to DNS entries, as I can ping a hostname and it
> resolves to the IP and pings too. nslookup also works correctly.
> But when I try to browse any site using Firefox it stays in the "Waiting for
> ..." status.
>
> Here is my ipsec.conf :
> ---------------------------------------
> version 2.0
> config setup
>         nat_traversal=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>         oe=off
>         protostack=netkey
>
> conn L2TP-PSK-NAT
>         rightsubnet=vhost:%priv
>         also=L2TP-PSK-noNAT
>
> conn L2TP-PSK-noNAT
>         authby=secret
>         pfs=no
>         auto=add
>         keyingtries=3
>         rekey=no
>         ikelifetime=8h
>         keylife=1h
>         type=transport
>         left=My.Server.IP.Address
>         leftprotoport=17/1701
>         right=%any
>         rightprotoport=17/%any
>
> ---------------------------------------
>
> And here the xl2tpd.conf :
> ---------------------------------------
> [global]
> ipsec saref = yes
>
> [lns default]
> ip range = 10.1.2.2-10.1.2.255
> local ip = 10.1.2.1
> refuse chap = yes
> refuse pap = yes
> require authentication = yes
> ppp debug = yes
> pppoptfile = /etc/ppp/options.xl2tpd
> length bit = yes
> ---------------------------------------
>
> And also here the options.xl2tpd :
> ---------------------------------------
> require-mschap-v2
> ms-dns 8.8.8.8
> ms-dns 8.8.4.4
> asyncmap 0
> auth
> crtscts
> lock
> hide-password
> modem
> debug
> name l2tpd
> proxyarp
> lcp-echo-interval 30
> lcp-echo-failure 4
> ---------------------------------------
>
> last lines of /var/log/secure :
> ---------------------------------------
> Mar 30 05:31:51 ea pluto[593]: "L2TP-PSK-NAT"[2] 84.241.x.y #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Mar 30 05:31:51 ea pluto[593]: "L2TP-PSK-NAT"[2] 84.241.x.y #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x060e648e <0xd0d110d3 xfrm=3DES_0-HMAC_MD$
> ---------------------------------------
>
> 'ipsec verify' result :
> ---------------------------------------
> Version check and ipsec on-path [OK]
> Linux Openswan U2.6.33/K2.6.18-194.32.1.el5 (netkey)
> Checking for IPsec support in kernel [OK]
> SAref kernel support [N/A]
> NETKEY: Testing XFRM related proc values [OK]
> [OK]
> [OK]
> Checking that pluto is running [OK]
> Pluto listening for IKE on udp 500 [OK]
> Pluto listening for NAT-T on udp 4500 [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking NAT and MASQUERADEing
> Checking for 'ip' command [OK]
> Checking /bin/sh is not /bin/dash [OK]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support [DISABLED]
> ---------------------------------------
>
> It is also an interesting point that when I comment out "oe=off", I cannot
> connect using the Windows XP client.
> I tested this on 2 dedicated servers and also 2 different clients.
>
> Thank you.
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
--
Lance Garcia
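The MTU/MSS suggestion in the thread rests on how much each encapsulation layer adds to a packet; the calculation below is added here as an example and is not code from the thread, from Openswan or from xl2tpd. It assumes the header sizes given in its comments (transport-mode ESP inside NAT-T UDP, 3DES-CBC with HMAC-MD5-96 as in the pluto log line, the L2TP length bit set as in the posted xl2tpd.conf, and a 4-byte PPP header), and the pppd and iptables lines it prints are illustrative values derived from those assumptions, not settings taken from the post.

```python
# Encapsulation overhead for the thread's L2TP/IPsec setup: transport-mode ESP
# carried in NAT-T UDP, 3DES-CBC + HMAC-MD5-96 (as in the pluto log line), the
# L2TP length bit set ("length bit = yes") and an uncompressed PPP header.
# All sizes below are assumed values for that layout, in bytes.
OUTER_IP = 20        # IPv4 header without options
NAT_T_UDP = 8        # UDP/4500 NAT-T encapsulation header
ESP_HDR = 8          # ESP SPI + sequence number
ESP_IV = 8           # 3DES-CBC block size / IV
ESP_ICV = 12         # HMAC-MD5-96 truncated ICV
ESP_TRAILER = 2      # pad length + next header
INNER_UDP = 8        # UDP/1701 header, protected by transport-mode ESP
L2TP_HDR = 8         # L2TP data header with the L bit set
PPP_HDR = 4          # address/control + protocol, no ACFC/PFC assumed
TCP_IP_HDRS = 40     # IPv4 + TCP headers, used to derive the MSS


def esp_packet_size(inner_ip_len):
    """Wire size of the ESP/NAT-T packet carrying one tunnelled IP datagram."""
    plain = INNER_UDP + L2TP_HDR + PPP_HDR + inner_ip_len + ESP_TRAILER
    pad = (-plain) % ESP_IV                # CBC pads up to the block size
    return OUTER_IP + NAT_T_UDP + ESP_HDR + ESP_IV + plain + pad + ESP_ICV


def max_inner_mtu(link_mtu=1500):
    """Largest tunnelled datagram whose ESP packet still fits the link MTU."""
    size = link_mtu
    while esp_packet_size(size) > link_mtu:
        size -= 1
    return size


def recommended_mss(link_mtu=1500):
    """TCP MSS to clamp to so segments fit without relying on PMTU discovery."""
    return max_inner_mtu(link_mtu) - TCP_IP_HDRS


def needs_fragmentation(inner_ip_len, link_mtu=1500):
    """True when a datagram of this size would exceed the link MTU once wrapped."""
    return esp_packet_size(inner_ip_len) > link_mtu


if __name__ == "__main__":
    mtu, mss = max_inner_mtu(), recommended_mss()
    print(f"a 1500-byte datagram becomes {esp_packet_size(1500)} bytes on the wire")
    print(f"pppd options to add to options.xl2tpd: mtu {mtu} / mru {mtu}")
    print("MSS clamp rule for the tunnel interface (illustrative):")
    print(f"  iptables -t mangle -A FORWARD -o ppp+ -p tcp --tcp-flags SYN,RST SYN"
          f" -j TCPMSS --set-mss {mss}")
```

Run it to see why a full-size 1500-byte datagram cannot fit the tunnel without fragmentation, and which MTU/MSS values avoid depending on ICMP "fragmentation needed" messages that the firewall may be dropping.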