[Openswan Users] Request for configuration help for non-trivial AWS VPC OpenSwan Remote User L2TP/IPsec VPN configuration

Simon Deziel simon at xelerance.com
Fri Aug 30 21:20:32 UTC 2013


Hi Michael,

On 13-08-30 04:05 PM, Michael Crawford wrote:

[snip]

> * This security group also allows in (for VPN functionality) from
> 0.0.0.0/0:
>   TCP 4500

You can leave out TCP/4500 as the encapsulation happens on UDP/4500 only.

>   UDP 4500
>   UDP 500
>   ESP (50)

This is interesting as IIRC Amazon didn't route ESP before.

[snip]

> conn L2TP-PSK-noNAT
>     authby=secret
>     pfs=no
>     auto=add
>     keyingtries=3
>     rekey=no
>     dpddelay=10
>     dpdtimeout=90
>     dpdaction=clear
>     ikelifetime=8h
>     keylife=1h
>     type=transport
>     left=10.240.0.4
>     leftsubnet=10.240.0.0/20       <== added later, still doesn't work with this.

Since you use IPsec to only "transport" the L2TP traffic, the leftsubnet
is meaningless.

[snip]

> # Configure ufw firewall to allow IPsec and L2TP traffic
> # - We can use standard statements to allow the NAT-T traffic
> # - But we must edit the before.rules to restrict L2TP to over Ipsec
> #   - The statement for this is inserted via the sed script below
> 
> ufw allow 500/udp
> ufw allow 4500
> 
> cat << EOF > /tmp/ufw_before_$$.sed
> /^-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT/a\\
> \\
> # Allow L2TP only over IPSEC\\
> -A ufw-before-input -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
> EOF

Shouldn't the above also include something for IP proto 50 (ESP)?

[snip]

> Here's what works at this point:
> * I have configured standard "L2TP over IPSec" VPN on a Mac running Mac
> OSX 10.8.4 with this VPN
>   configuration, using the Public EIP associated with the "vn01" VPN/NAT
> instance.
> * I've done the same with most recent IOS on an iPad.
> * In both cases, the VPN is connecting, and I'm showing log activity which
> indicates it's working.
> * On the Mac, I show the provided IP address as 10.240.3.200, the first
> address in the range
>   I've configured, as expected, and the IP address of the Router as
> 10.240.3.196, also as expected.
> * Here's the relevant sections of the Mac's routing table:
> 
>   Destination   Gateway       Flags  Refs  Use  Netif  My Comments
>   ------------  ------------  -----  ----  ---  -----  -----------
>   default       10.0.1.1      UGSc   262   0    en1
>   default       10.240.3.196  UGScI  1     0    ppp0
>   . . .
>   10.240.3/24   ppp0          Usc    1     0    ppp0   What configured this as a /24?
>   10.240.3.196  10.240.3.200  Uhr    2     0    ppp0
> 
> * I can ssh into all hosts which fall within this 10.240.3/24 route,
> meaning hosts on the subnets
>   10.240.3.0/25 and 10.240.3.128/26

Those are covered by the 10.240.3/24 so you connect to them directly:
not crossing interfaces on the VPN gateway.

> * I cannot ssh into any hosts outside this route, such as a host on the
> 10.240.1.0/25 subnet.

That's where I'd start debugging this issue.

First, I'd check on the VPN gateway to see what reaches it from the VPN
client and if something is transmitted to the destination IP.

Secondly, I'd check if a machine in the 10.240.1.0/25 subnet can ping
the VPN client (or if you see the packets crossing the VPN gateway).

> Summary of help needed:
> * I'm thinking this must be simple, probably missing one line to tell the
> client end that the
>   route it should use must be bigger, to use 10.240.0.0/20 instead of
> 10.240.3.0/24, but I can't

The routes are configured by the client. It seems like your OS assigns a
default route to the PPP interface, so all your packets should reach the
VPN gateway.

>   seem to find any documentation which describes how to do this. Hopefully
> an expert on this list
>   can help me get this last bit working.
> * At that point, I think this configuration may be useful to many others,
> as I've seen many 
>   references on Google from people attempting to get something similar to
> this to work.
> 
> Thanks in advance for any help!

Thanks for letting us know that Amazon now allows inbound ESP traffic.
This will probably make life simpler for many.

Have a good day,
Simon
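An added example, not from the thread and not from either Michael's or Simon's setup, showing the before.rules fragment the quoted sed script targets with the ESP rule Simon asks about placed beside the policy-matched L2TP rule; the file path, sample before.rules content and function names are constructed for illustration.

```shell
# Added example: extend the quoted ufw before.rules edit with ESP (IP proto 50)
# and keep L2TP/1701 reachable only when the packet was decapsulated from an
# IPsec SA (-m policy), so cleartext L2TP from the Internet is still dropped.

l2tp_rules() {
  # Rules to insert; -p esp resolves to protocol 50 via /etc/protocols
  cat <<'EOF'
# Allow ESP so encrypted IPsec payloads reach the kernel for decapsulation
-A ufw-before-input -p esp -j ACCEPT
# Allow L2TP only when it arrived inside an IPsec SA, never in the clear
-A ufw-before-input -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
EOF
}

sample_before_rules() {
  # Constructed minimal stand-in for /etc/ufw/before.rules, written to $1
  cat > "$1" <<'EOF'
*filter
:ufw-before-input - [0:0]
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
COMMIT
EOF
}

patch_before_rules() {
  # Insert the rules after the DHCP accept line (same anchor as the quoted sed)
  anchor='-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT'
  tmp="$1.tmp.$$"
  awk -v anchor="$anchor" -v rules="$(l2tp_rules)" '
    { print }
    index($0, anchor) == 1 && !done { print rules; done = 1 }
  ' "$1" > "$tmp" && mv "$tmp" "$1"
}

verify_before_rules() {
  # 0 only if ESP is accepted and every 1701 rule carries the IPsec policy match
  grep -q -- '^-A ufw-before-input -p esp -j ACCEPT' "$1" || return 1
  grep -q -- '--pol ipsec -p udp --dport 1701 -j ACCEPT' "$1" || return 1
  # a 1701 rule without -m policy would expose unencrypted L2TP to the Internet
  grep -- '--dport 1701' "$1" | grep -vq -- '--pol ipsec' && return 1
  return 0
}
```

Run patch_before_rules on a copy of before.rules, check it with verify_before_rules, then reload with `ufw reload` after diffing against the live file.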

