[Openswan Users] Simple L2TP/IPsec server not working (openswan, xl2tpd, Ubuntu, Windows)

Yang Zhang yanghatespam at gmail.com
Wed Feb 6 16:50:02 EST 2013


Another thing I'm wondering is: what *should* be happening at this
point, that is not happening here?  What is it that's coming in that
the server-side stack isn't responding to appropriately (and which
part of the stack)?

On Wed, Feb 6, 2013 at 1:22 PM, Yang Zhang <yanghatespam at gmail.com> wrote:
> I have included the tcpdump capture (which looks identical on the
> client) as well as the (sparse) iptables configuration.  iptables
> logging turns up nothing.
>
> For xl2tpd, nothing shows up in syslog on connecting (only on xl2tpd
> initialization), even after adding in:
>
> debug avp = yes
> debug network = yes
> debug packet = yes
> debug state = yes
> debug tunnel = yes
>
> I revamped the information pasted into the question - what else should
> I look at?
>
> On Wed, Feb 6, 2013 at 9:58 AM, Bob Miller <bob at computerisms.ca> wrote:
>> STATE_QUICK_R2: IPsec SA established transport mode
>>
>> This line here ^^ means that your ipsec tunnel is established.
>>
>> This (generally) means your problem could be one of two things: l2tp
>> layer is rejecting you; iptables is blocking you.  I would start with
>> the l2tp logs and see what you find there.  failing that, your two best
>> friends to figure out what is happening are tcpdump and "iptables
>> (filters here) -j LOG"
>> --
>> Computerisms
>> Bob Miller
>> 867-334-7117 / 867-633-3760
>> http://computerisms.ca
>>
>>
>> On Tue, 2013-02-05 at 19:21 -0800, Yang Zhang wrote:
>>> Hi Bob, you're right - that made progress, but I am still unable to
>>> connect.  I updated my question in light of your answer.  Any idea why
>>> ipsec is ignoring the connection?
>>>
>>> I noticed that the auth.log now mentions ESP.  At first I thought this
>>> might be a problem, since (AFAICT) the EC2 firewall (which can't be
>>> disabled) doesn't have any options to permit/route ESP packets.  But,
>>> observing tshark output on the client, it doesn't appear any are even
>>> being sent.
>>>
>>> (If ESP will indeed pose a problem eventually, if not now, what's the
>>> easiest configuration for an alternative mode of transport?)
>>>
>>> Thanks for any answers.
>>>
>>> On Sat, Feb 2, 2013 at 12:32 AM, Bob Miller <bob at computerisms.ca> wrote:
>>> > I see.
>>> >
>>> > then my guess would be left=MY.PUBLIC.IP.ADDRESS would be the problem,
>>> > since this is looking for a connection at 10.252.194.250:500.  I would
>>> > expect it should be left=ipofethx, but I have never put openswan behind
>>> > nat before, so not sure how that works....
>>> > --
>>> > Computerisms
>>> > Bob Miller
>>> > 867-334-7117 / 867-633-3760
>>> > http://computerisms.ca
>>> >
>>> >
>>> > On Fri, 2013-02-01 at 23:22 -0800, Yang Zhang wrote:
>>> >> Yes, if you scroll down you'll see that in the /etc/ipsec.conf.
>>> >>
>>> >> On Fri, Feb 1, 2013 at 9:19 PM, Bob Miller <bob at computerisms.ca> wrote:
>>> >> > Feb  2 00:27:49 ip-10-252-194-250 pluto[3845]: packet from
>>> >> > 64.236.139.254:8514: initial Main Mode message received on
>>> >> > 10.252.194.250:500 but no connection has been authorized with policy=PSK
>>> >> >
>>> >> >
>>> >> > do you have authby=secret in your conn?
>>> >> >
>>> >> >
>>> >> > --
>>> >> > Computerisms
>>> >> > Bob Miller
>>> >> > 867-334-7117 / 867-633-3760
>>> >> > http://computerisms.ca
>>> >> >
>>> >> >
>>> >> > On Fri, 2013-02-01 at 18:15 -0800, Yang Zhang wrote:
>>> >> >> Hi, thought I'd try this list for help with my question:
>>> >> >>
>>> >> >> http://serverfault.com/questions/474742/simple-l2tp-ipsec-server-not-working-openswan-xl2tpd-ubuntu-windows
>>> >> >>
>>> >> >> Thanks a lot, really appreciate it!
>>> >> >> _______________________________________________
>>> >> >> Users at lists.openswan.org
>>> >> >> https://lists.openswan.org/mailman/listinfo/users
>>> >> >> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>> >> >> Building and Integrating Virtual Private Networks with Openswan:
>>> >> >> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>> >> >
>>> >>
>>> >>
>>> >>
>>> >
>>>
>>>
>>>
>>
>
>
>
> --
> Yang Zhang
> http://yz.mit.edu/



--
Yang Zhang
http://yz.mit.edu/
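
Added example, not part of the thread or of Openswan: a small triage of the two pluto messages quoted above, comparing the address the IKE packet arrived on with `left=` in ipsec.conf. The conn name, the second line's timestamp, and the `left=` address 203.0.113.10 are constructed for illustration.

```python
import ipaddress
import re

NO_CONN = re.compile(
    r"initial Main Mode message received on (?P<local>[\d.]+):\d+ "
    r"but no connection has been authorized with policy=(?P<policy>\w+)")
SA_UP = re.compile(r"STATE_QUICK_R2: IPsec SA established (?P<mode>\w+) mode")
LEFT = re.compile(r"^\s*left\s*=\s*(\S+)", re.MULTILINE)

# First line is the pluto message quoted in the thread, re-joined onto one line.
# The second line's timestamp and conn name, and the left= value, are constructed.
SAMPLE_LOG = [
    "Feb  2 00:27:49 ip-10-252-194-250 pluto[3845]: packet from "
    "64.236.139.254:8514: initial Main Mode message received on "
    "10.252.194.250:500 but no connection has been authorized with policy=PSK",
    'Feb  6 09:00:00 ip-10-252-194-250 pluto[3845]: "example-conn"[1] '
    "64.236.139.254 #2: STATE_QUICK_R2: IPsec SA established transport mode",
]
SAMPLE_CONF = "conn example-conn\n    authby=secret\n    left=203.0.113.10\n"


def triage(log_lines, ipsec_conf):
    """Map recognised pluto lines to (stage, hint) pairs, in log order."""
    m = LEFT.search(ipsec_conf)
    left = m.group(1) if m else None
    findings = []
    for line in log_lines:
        if (m := NO_CONN.search(line)):
            local = ipaddress.ip_address(m.group("local"))
            # A public left= on a host whose interface is private (NAT) never matches.
            if left and left != str(local) and local.is_private:
                hint = (f"left={left} but IKE arrived on private address "
                        f"{local}: behind NAT, try left={local}")
            else:
                hint = f"no conn accepts policy={m.group('policy')}: check authby="
            findings.append(("ike_no_conn", hint))
        elif (m := SA_UP.search(line)):
            hint = (f"IPsec is up ({m.group('mode')} mode): look at xl2tpd "
                    "logs, then tcpdump and iptables -j LOG")
            findings.append(("ipsec_up", hint))
    return findings


if __name__ == "__main__":
    for stage, hint in triage(SAMPLE_LOG, SAMPLE_CONF):
        print(f"{stage}: {hint}")
```
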

