[Openswan Users] SAref working fine but device with public ip no

Vincent Tamet vincent.tamet at ilimit.net
Wed Apr 18 11:39:40 EDT 2012 

Hi,
We have prove the installation with:
netkey (without SAref): equips with public ip connect and works perfectly.
                        2 equips with the same ip, connect but only one have the ping working, and then one disconnect.
klips  (without SAref): equips with public ip connect and works perfectly.
                        2 equips with the same ip, connect but only one have the ping working, and then one disconnect.
klips  (with SAref):    equips with public ip establish with ipsec but we haven't any log from the xl2tpd.
                        2 equips with the same ip, connect and works perfectly.

For the SAref we use an ubuntu with the both patch from the openswan source, and make it using the openswan documentation:
  https://www.openswan.org/projects/openswan/wiki/Building_and_Installing_an_SAref_capable_KLIPS_version_for_DebianUbuntu#Optain-SAref-patches-from-Xelerance

Kernel: 2.6.32-33-pae-saref
Openswan 2.6.38
xl2tpd-1.3.1 from testing ubuntu

Do you have an idea where the problem come from ?
Any idea to diagnose this more deeper ?

Best regards.

# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan 2.6.38 (klips)
Checking for IPsec support in kernel                            [OK]
 KLIPS: checking for NAT Traversal support                      [OK]
 KLIPS: checking for OCF crypto offload support                 [N/A]
 Kernel: IPsec SAref kernel support                             [OK]
 Kernel: IPsec SAref Bind kernel support                        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

* /etc/ipsec.conf 
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16,%v4:!172.16.3.0/24
    #protostack=netkey
    protostack=auto
    interfaces="%defaultroute"
    oe=off

conn L2TP-PSK-NAT
    rightsubnet=vhost:%no,%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=IPETH0
    leftnexthop=IPGW
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    compress=no
    overlapip=yes   # for SAref + MAST
    sareftrack=yes

* /etc/xl2tpd/xl2tpd.conf
[global]                                ; Global parameters:
listen-addr = IPETH0
ipsec saref = yes
port = 1701

[lns default]                           ; Our fallthrough LNS definition
ip range = 172.16.3.2 - 172.16.3.254
local ip = 172.16.3.1
assign ip = yes
require authentication = yes
refuse pap = yes                        ; * Refuse PAP authentication
refuse chap = yes
ppp debug = yes                          ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.l2tpd     ; * ppp options file
length bit = yes


* /etc/ppp/options.l2tpd
require-mschap-v2
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
hide-password
debug
name l2tpd
noccp
nocrtscts
nodefaultroute
idle 3600
connect-delay 5000
asyncmap 0
passive
lcp-echo-interval 5
lcp-echo-failure 10
lcp-max-terminate 2
lcp-max-failure 5
lcp-max-configure 10
mtu 1400
mru 1400




Vincent Tamet

More information about the Users mailing list