[Openswan Users] Openswan - xl2tpd : can resolve , ping sites but can't browse them !

Vincent Tamet vincent.tamet at ilimit.net
Wed Mar 30 06:54:58 EDT 2011


If ping works, thought the ip forwarding is set yet, don't you thing ?

----- Mail original -----
De: "Lance Garcia" <lgarcia at mandalorian.com>
À: "Taekwondo AQR" <taekwondoaqr at gmail.com>, users at openswan.org
Envoyé: Mercredi 30 Mars 2011 12:53:12
Objet: Re: [Openswan Users] Openswan - xl2tpd : can resolve , ping sites but can't browse them !


Have you tried enabling IP forwarding on the VPN server? 


On 30 March 2011 11:34, Vincent Tamet < vincent.tamet at ilimit.net > wrote: 


Hi, 
Look like a MTU problem. 
Could you probe with ping with a size bigger to confirm this ? 

Next step you need to check your firewall to accept the icmp unreachable packet, like that the PMTU will work and solve the problem. 
About the solution to use, thought is the best way, another solution could be change the MSS size... 

Best regards. 


----- Mail original ----- 
De: "Taekwondo AQR" < taekwondoaqr at gmail.com > 
À: users at openswan.org 
Envoyé: Mercredi 30 Mars 2011 11:57:30 
Objet: [Openswan Users] Openswan - xl2tpd : can resolve , ping sites but can't browse them ! 






Hello, 

I have installed xl2tpd v1.2.7 (from epel repo) and compiled OpenSwan 2.6.33 on centos 5.5 i686 with 2.6.18 kernel. ( dedicated server on datacenter ) 

Then configured xl2tpd and openswan. Now I can connect from windows xp / 7 to my server and also I can resolve and ping sites but can not browse them ! 

I think it is not related to DNS entries, as I can ping hostname and it resolves to the IP and pings too. Nslookup also work correctly. 
But when I try to browse any site using firefox it stays on "Waiting for ..." status. 

Here is my ipsec.conf : 
--------------------------------------- 
version 2.0 
config setup 
nat_traversal=yes 
virtual_private=%v4: 10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 
oe=off 
protostack=netkey 

conn L2TP-PSK-NAT 
rightsubnet=vhost:%priv 
also=L2TP-PSK-noNAT 

conn L2TP-PSK-noNAT 
authby=secret 
pfs=no 
auto=add 
keyingtries=3 
rekey=no 
ikelifetime=8h 
keylife=1h 
type=transport 
left=My.Server.IP.Address 
leftprotoport=17/1701 
right=%any 
rightprotoport=17/%any 

--------------------------------------- 



And here the xl2tpd.conf : 
--------------------------------------- 
[global] 
ipsec saref = yes 

[lns default] 
ip range = 10.1.2.2-10.1.2.255 
local ip = 10.1.2.1 
refuse chap = yes 
refuse pap = yes 
require authentication = yes 
ppp debug = yes 
pppoptfile = /etc/ppp/options.xl2tpd 
length bit = yes 
--------------------------------------- 



And also here the options.xl2tpd : 
--------------------------------------- 
require-mschap-v2 
ms-dns 8.8.8.8 
ms-dns 8.8.4.4 
asyncmap 0 
auth 
crtscts 
lock 
hide-password 
modem 
debug 
name l2tpd 
proxyarp 
lcp-echo-interval 30 
lcp-echo-failure 4 
--------------------------------------- 



last lines of /var/log/secure : 
--------------------------------------- 
Mar 30 05:31:51 ea pluto[593]: "L2TP-PSK-NAT"[2] 84.241.x.y #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2 
Mar 30 05:31:51 ea pluto[593]: "L2TP-PSK-NAT"[2] 84.241.x.y #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x060e648e <0xd0d110d3 xfrm=3DES_0-HMAC_MD$ 
--------------------------------------- 


'ipsec verify' result : 
--------------------------------------- 
Version check and ipsec on-path [OK] 
Linux Openswan U2.6.33/K2.6.18-194.32.1.el5 (netkey) 
Checking for IPsec support in kernel [OK] 
SAref kernel support [N/A] 
NETKEY: Testing XFRM related proc values [OK] 
[OK] 
[OK] 
Checking that pluto is running [OK] 
Pluto listening for IKE on udp 500 [OK] 
Pluto listening for NAT-T on udp 4500 [OK] 
Two or more interfaces found, checking IP forwarding [OK] 
Checking NAT and MASQUERADEing 
Checking for 'ip' command [OK] 
Checking /bin/sh is not /bin/dash [OK] 
Checking for 'iptables' command [OK] 
Opportunistic Encryption Support [DISABLED] 
--------------------------------------- 




It is also interesting point that when I comment "oe=off" , I can not connect using windows xp client. 
I tested this on 2 dedicated server and also 2 different clients . 

Thank you. 

_______________________________________________ 
Users at openswan.org 
http://lists.openswan.org/mailman/listinfo/users 
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy 
Building and Integrating Virtual Private Networks with Openswan: 
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155 
_______________________________________________ 
Users at openswan.org 
http://lists.openswan.org/mailman/listinfo/users 
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy 
Building and Integrating Virtual Private Networks with Openswan: 
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155 



-- 
-- 
Lance Garcia 


_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan: 
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155


More information about the Users mailing list