[Openswan Users] UDP over NATed IPSec and L2TP tunnel

Matt Rudge mrudge at gmail.com
Thu May 19 06:15:30 EDT 2011


Hi all,

I hope you can help me with a problem I'm having. My topology looks like this:

Windows XP IPSec and L2TP Client
   |
   |
   |
Netopia Cayman DSL Router (ports 4500, 500 and 1701 forwarded)
   |
   |
Ubuntu Server running Openswan and xl2tpd

I'm fairly new to using Openswan as a server, but the tunnel initiates
OK and I can ping both ways. I can also access SMTP and POP3, as well
as IMAP and HTTP services; however, the client has a package for
monitoring their burglar alarm, which uses UDP port 3001, and I can't
get this to work at all.

If I do a tcpdump on the server while the client is trying to connect,
then I get this output:

 192.168.1.2.3001 > 192.168.1.81.3001: [udp sum ok] UDP, length 1
 192.168.1.2.3001 > 192.168.1.81.3001: [udp sum ok] UDP, length 15
 192.168.1.2.3001 > 192.168.1.81.3001: [udp sum ok] UDP, length 15
 192.168.1.2.3001 > 192.168.1.81.3001: [udp sum ok] UDP, length 15
 192.168.1.2.3001 > 192.168.1.81.3001: [udp sum ok] UDP, length 15
 192.168.1.2.3001 > 192.168.1.81.3001: [udp sum ok] UDP, length 15

192.168.1.2 is the client, 192.168.1.81 is the alarm interface, so I
can see that the UDP packets are getting as far as the Openswan box,
but we never see any traffic back from the alarm interface, and the
connection eventually fails. In contrast, a Wireshark capture of the
communication between a client on the local network (192.168.1.9) and
the alarm interface shows the following:

 18	29.961350	192.168.1.9	192.168.1.81	UDP	Source port: 3001  Destination port: 3001 [Malformed Packet]
 19	29.966600	192.168.1.9	192.168.1.81	LAPD	I, N(R)=0, N(S)=64
 20	29.986889	192.168.1.81	192.168.1.9	UDP	Source port: solid-mux  Destination port: 3001

And the connection gets established.

I'm sure that I need to set up some rules in iptables to get it
working, but I'm not entirely conversant with iptables either. At the
moment, the Netopia Cayman router handles basic firewall services, so
I have no iptables rules (apart from basic SSH hardening).

I'm really tearing my hair out with this one, so I'd really appreciate
any guidance you could offer.

Many thanks

Matt
-- 
www.mattrudge.net - for wibble and guff
blog.mattrudge.net - for Linuxy goodness
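The key observation in the post is that the capture on the Openswan box shows packets from the client to the alarm interface but nothing coming back, whereas the LAN-side Wireshark capture shows the alarm answering from a different source port (solid-mux) to port 3001. A quick way to confirm that kind of asymmetry without reading the capture by eye is to group tcpdump's UDP lines by host pair, ignoring ports, and flag pairs where only one direction was ever seen. The script below is an added example, not code from the post or from the Openswan or xl2tpd projects; it assumes tcpdump's `host.port > host.port: ... UDP, length N` line format and uses constructed sample lines modelled on the ones quoted above (the LAN reply line is invented for contrast).

```python
"""Flag one-way UDP host pairs in tcpdump-style output (added example)."""
import re
from collections import defaultdict

# Matches "src.sport > dst.dport: [udp sum ok] UDP, length N"; tolerates an
# optional timestamp / "IP" prefix because tcpdump -v prints those before it.
UDP_LINE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+)\s*>\s*(\d+\.\d+\.\d+\.\d+)\.(\d+):"
    r".*?UDP, length (\d+)"
)

# Constructed sample: the six client->alarm packets from the post, plus an
# invented LAN exchange in which the alarm replies from port 1029 (solid-mux).
SAMPLE_CAPTURE = """\
192.168.1.2.3001 > 192.168.1.81.3001: [udp sum ok] UDP, length 1
192.168.1.2.3001 > 192.168.1.81.3001: [udp sum ok] UDP, length 15
192.168.1.2.3001 > 192.168.1.81.3001: [udp sum ok] UDP, length 15
192.168.1.2.3001 > 192.168.1.81.3001: [udp sum ok] UDP, length 15
192.168.1.2.3001 > 192.168.1.81.3001: [udp sum ok] UDP, length 15
192.168.1.2.3001 > 192.168.1.81.3001: [udp sum ok] UDP, length 15
192.168.1.9.3001 > 192.168.1.81.3001: [udp sum ok] UDP, length 15
192.168.1.81.1029 > 192.168.1.9.3001: [udp sum ok] UDP, length 20
"""


def parse_udp_lines(text):
    """Return (src, sport, dst, dport, length) tuples for each UDP line."""
    packets = []
    for line in text.splitlines():
        m = UDP_LINE.search(line)
        if not m:
            continue  # non-UDP or unrelated output, skip it
        src, sport, dst, dport, length = m.groups()
        packets.append((src, int(sport), dst, int(dport), int(length)))
    return packets


def direction_counts(packets):
    """Count packets per unordered host pair, split by direction.

    Ports are deliberately ignored: a reply may legitimately come from a
    different source port, as the alarm interface does in the post.
    Returns {(host_a, host_b): (a_to_b, b_to_a)} with host_a < host_b.
    """
    counts = defaultdict(lambda: [0, 0])
    for src, _sport, dst, _dport, _length in packets:
        pair = tuple(sorted((src, dst)))
        idx = 0 if src == pair[0] else 1
        counts[pair][idx] += 1
    return {pair: tuple(c) for pair, c in counts.items()}


def one_way_pairs(packets):
    """Host pairs where traffic was only ever seen in one direction."""
    return {pair: c for pair, c in direction_counts(packets).items() if 0 in c}


if __name__ == "__main__":
    pkts = parse_udp_lines(SAMPLE_CAPTURE)
    for (a, b), (ab, ba) in direction_counts(pkts).items():
        status = "ONE-WAY" if 0 in (ab, ba) else "ok"
        print(f"{a} <-> {b}: {ab} fwd / {ba} back  [{status}]")
```

On the sample above the client/alarm pair is reported as one-way (6 packets out, 0 back) while the LAN pair is not, which is exactly the distinction the post draws between the two captures. In practice the script would be fed the output of a `tcpdump -n udp` run on the VPN server; if a pair shows up as one-way there, the next capture point to check is the alarm interface's own LAN segment, to see whether the reply ever leaves it.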
