[Openswan Users] Simple L2TP/IPsec server not working (openswan, xl2tpd, Ubuntu, Windows)

Yang Zhang yanghatespam at gmail.com
Wed Feb 6 16:22:39 EST 2013


I have included the tcpdump capture (which looks identical on the
client) as well as the (sparse) iptables configuration.  iptables
logging turns up nothing.

For xl2tpd, nothing shows up in syslog on connecting (only on xl2tpd
initialization), even after adding in:

debug avp = yes
debug network = yes
debug packet = yes
debug state = yes
debug tunnel = yes

I revamped the information pasted into the question - what else should
I look at?

On Wed, Feb 6, 2013 at 9:58 AM, Bob Miller <bob at computerisms.ca> wrote:
> STATE_QUICK_R2: IPsec SA established transport mode
>
> This line here ^^ means that your ipsec tunnel is established.
>
> This (generally) means your problem could be one of two things: l2tp
> layer is rejecting you; iptables is blocking you.  I would start with
> the l2tp logs and see what you find there.  Failing that, your two best
> friends to figure out what is happening are tcpdump and "iptables
> (filters here) -j LOG"
> --
> Computerisms
> Bob Miller
> 867-334-7117 / 867-633-3760
> http://computerisms.ca
>
>
> On Tue, 2013-02-05 at 19:21 -0800, Yang Zhang wrote:
>> Hi Bob, you're right - that made progress, but I am still unable to
>> connect.  I updated my question in light of your answer.  Any idea why
>> ipsec is ignoring the connection?
>>
>> I noticed that the auth.log now mentions ESP.  At first I thought this
>> might be a problem, since (AFAICT) the EC2 firewall (which can't be
>> disabled) doesn't have any options to permit/route ESP packets.  But,
>> observing tshark output on the client, it doesn't appear any are even
>> being sent.
>>
>> (If ESP will indeed pose a problem eventually, if not now, what's the
>> easiest configuration for an alternative mode of transport?)
>>
>> Thanks for any answers.
>>
>> On Sat, Feb 2, 2013 at 12:32 AM, Bob Miller <bob at computerisms.ca> wrote:
>> > I see.
>> >
>> > then my guess would be left=MY.PUBLIC.IP.ADDRESS would be the problem,
>> > since this is looking for a connection at 10.252.194.250:500.  I would
>> > expect it should be left=ipofethx, but I have never put openswan behind
>> > nat before, so not sure how that works....
>> > --
>> > Computerisms
>> > Bob Miller
>> > 867-334-7117 / 867-633-3760
>> > http://computerisms.ca
>> >
>> >
>> > On Fri, 2013-02-01 at 23:22 -0800, Yang Zhang wrote:
>> >> Yes, if you scroll down you'll see that in the /etc/ipsec.conf.
>> >>
>> >> On Fri, Feb 1, 2013 at 9:19 PM, Bob Miller <bob at computerisms.ca> wrote:
>> >> > Feb  2 00:27:49 ip-10-252-194-250 pluto[3845]: packet from
>> >> > 64.236.139.254:8514: initial Main Mode message received on
>> >> > 10.252.194.250:500 but no connection has been authorized with policy=PSK
>> >> >
>> >> >
>> >> > do you have authby=secret in your conn?
>> >> >
>> >> >
>> >> > --
>> >> > Computerisms
>> >> > Bob Miller
>> >> > 867-334-7117 / 867-633-3760
>> >> > http://computerisms.ca
>> >> >
>> >> >
>> >> > On Fri, 2013-02-01 at 18:15 -0800, Yang Zhang wrote:
>> >> >> Hi, thought I'd try this list for help with my question:
>> >> >>
>> >> >> http://serverfault.com/questions/474742/simple-l2tp-ipsec-server-not-working-openswan-xl2tpd-ubuntu-windows
>> >> >>
>> >> >> Thanks a lot, really appreciate it!
>> >> >> _______________________________________________
>> >> >> Users at lists.openswan.org
>> >> >> https://lists.openswan.org/mailman/listinfo/users
>> >> >> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> >> >> Building and Integrating Virtual Private Networks with Openswan:
>> >> >> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155



--
Yang Zhang
http://yz.mit.edu/
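A small triage helper added here as an illustration of the reasoning in this thread (it is not code from the posters or from Openswan): it scans pluto's auth.log lines for the two messages discussed, "no connection has been authorized with policy=PSK" and "STATE_QUICK_R2: IPsec SA established", and reports which layer to look at next. The sample log is constructed from the quoted lines; the conn name "L2TP-PSK" in the second line is made up.

```python
import re

# Constructed sample of pluto lines in auth.log: the first is the line quoted
# in this thread, the second is a constructed STATE_QUICK_R2 line with a
# made-up conn name.
SAMPLE_AUTH_LOG = """\
Feb  2 00:27:49 ip-10-252-194-250 pluto[3845]: packet from 64.236.139.254:8514: initial Main Mode message received on 10.252.194.250:500 but no connection has been authorized with policy=PSK
Feb  6 09:40:12 ip-10-252-194-250 pluto[3845]: "L2TP-PSK"[1] 64.236.139.254 #2: STATE_QUICK_R2: IPsec SA established transport mode
"""

# Main Mode arrived but no conn matched the peer/policy (authby, left=, etc.).
UNAUTHORIZED_RE = re.compile(
    r"packet from (?P<peer>[\d.]+):(?P<peer_port>\d+): initial Main Mode message "
    r"received on (?P<local>[\d.]+):(?P<local_port>\d+) but no connection has been "
    r"authorized with policy=(?P<policy>\w+)"
)
# Quick Mode finished: the IPsec SA is up, so IKE/IPsec is not the problem.
ESTABLISHED_RE = re.compile(r"STATE_QUICK_R2: IPsec SA established (?P<mode>\w+) mode")


def triage(auth_log: str) -> dict:
    """Classify how far IKE got and name the layer to examine next."""
    unauthorized = []
    established = None
    for line in auth_log.splitlines():
        m = UNAUTHORIZED_RE.search(line)
        if m:
            unauthorized.append(m.groupdict())
        m = ESTABLISHED_RE.search(line)
        if m:
            established = m.group("mode")
    if established:
        # IPsec is up: the fault is above it (xl2tpd) or in the packet filter.
        return {"ipsec": "established", "mode": established,
                "next": "xl2tpd logs, tcpdump udp port 1701, iptables -j LOG"}
    if unauthorized:
        peers = sorted({u["peer"] for u in unauthorized})
        local = unauthorized[-1]["local"]
        return {"ipsec": "no conn matched", "peers": peers, "local": local,
                "next": f"check authby=secret and left= (interface IP {local}, not the public IP)"}
    return {"ipsec": "no IKE seen", "next": "confirm UDP 500/4500 reaches pluto"}
```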

