[Openswan Users] Simple L2TP/IPsec server not working (openswan, xl2tpd, Ubuntu, Windows)

Yang Zhang yanghatespam at gmail.com
Wed Feb 6 18:40:44 EST 2013


Thanks Bob.

I actually just solved this problem - turns out the problem is with
the client.  The solution still annoys me: Windows actually requires a
registry tweak, and then this magically works.  More details on the SO
page.

Now I have to figure out why OS X doesn't work.

On Wed, Feb 6, 2013 at 3:21 PM, Bob Miller <bob at computerisms.ca> wrote:
> If all that logging is on but you are getting nothing in your syslog,
> then I would say your l2tp packets aren't reaching their destination.
>
> What is supposed to happen is that after the ipsec tunnel is created,
> your windows client will connect to the l2tp server through the tunnel.
> Maybe your windows client is not sending the packets through the tunnel,
> or maybe iptables is blocking the traffic.  Maybe it's something else.
>
> Your MASQUERADE target in iptables will need to have packets destined
> for the tunnel excluded from that rule so as to not incorrectly route
> return traffic.  Not sure if that is the problem now, but it will be one
> later.
>
> I recommend using iptables-save as a good way to dump firewall rules
> instead of iptables -L - it's much more readable and complete.  In order
> to know if your packets are even reaching iptables, you will need to log
> them in mangle/prerouting (or in the raw table).
> http://l7-filter.sourceforge.net/PacketFlow.png
>
> 21:00:49.972728 IP 64.236.139.254.26724 > 10.252.60.213.4500:
> NONESP-encap: isakmp: phase 1 I ident[E]
> 21:00:49.973924 IP 10.252.60.213.4500 > 64.236.139.254.26724:
> NONESP-encap: isakmp: phase 1 R ident[E]
>
> This looks weird to me.  This dump is taken on a firewall at the client
> end?  Such a firewall should not be able to route to a 10.252.x.x
> address, not sure what you have going on there.  Also, these should be
> ESP packets encapsulated in something like UDP, this traffic appears to
> be unencrypted.
>
> Looks like packets are not being delivered into the tunnel.  Maybe wrong
> protoport in ipsec.conf, I always set right and left protoport to 17/%any.
> Or incorrect configuration on the windows client?  Go over Jacco's
> page on connecting windows clients and make sure you have everything
> according to his instructions...
> --
> Computerisms
> Bob Miller
> 867-334-7117 / 867-633-3760
> http://computerisms.ca
>
>
> On Wed, 2013-02-06 at 13:50 -0800, Yang Zhang wrote:
>> Another thing I'm wondering is: what *should* be happening at this
>> point, that is not happening here?  What is it that's coming in that
>> the server-side stack isn't responding to appropriately (and which
>> part of the stack)?
>>
>> On Wed, Feb 6, 2013 at 1:22 PM, Yang Zhang <yanghatespam at gmail.com> wrote:
>> > I have included the tcpdump capture (which looks identical on the
>> > client) as well as the (sparse) iptables configuration.  iptables
>> > logging turns up nothing.
>> >
>> > For xl2tpd, nothing shows up in syslog on connecting (only on xl2tpd
>> > initialization), even after adding in:
>> >
>> > debug avp = yes
>> > debug network = yes
>> > debug packet = yes
>> > debug state = yes
>> > debug tunnel = yes
>> >
>> > I revamped the information pasted into the question - what else should
>> > I look at?
>> >
>> > On Wed, Feb 6, 2013 at 9:58 AM, Bob Miller <bob at computerisms.ca> wrote:
>> >> STATE_QUICK_R2: IPsec SA established transport mode
>> >>
>> >> This line here ^^ means that your ipsec tunnel is established.
>> >>
>> >> This (generally) means your problem could be one of two things: l2tp
>> >> layer is rejecting you; iptables is blocking you.  I would start with
>> >> the l2tp logs and see what you find there.  Failing that, your two best
>> >> friends to figure out what is happening are tcpdump and "iptables
>> >> (filters here) -j LOG"
>> >> --
>> >> Computerisms
>> >> Bob Miller
>> >> 867-334-7117 / 867-633-3760
>> >> http://computerisms.ca
>> >>
>> >>
>> >> On Tue, 2013-02-05 at 19:21 -0800, Yang Zhang wrote:
>> >>> Hi Bob, you're right - that made progress, but I am still unable to
>> >>> connect.  I updated my question in light of your answer.  Any idea why
>> >>> ipsec is ignoring the connection?
>> >>>
>> >>> I noticed that the auth.log now mentions ESP.  At first I thought this
>> >>> might be a problem, since (AFAICT) the EC2 firewall (which can't be
>> >>> disabled) doesn't have any options to permit/route ESP packets.  But,
>> >>> observing tshark output on the client, it doesn't appear any are even
>> >>> being sent.
>> >>>
>> >>> (If ESP will indeed pose a problem eventually, if not now, what's the
>> >>> easiest configuration for an alternative mode of transport?)
>> >>>
>> >>> Thanks for any answers.
>> >>>
>> >>> On Sat, Feb 2, 2013 at 12:32 AM, Bob Miller <bob at computerisms.ca> wrote:
>> >>> > I see.
>> >>> >
>> >>> > Then my guess would be left=MY.PUBLIC.IP.ADDRESS would be the problem,
>> >>> > since this is looking for a connection at 10.252.194.250:500.  I would
>> >>> > expect it should be left=ipofethx, but I have never put openswan behind
>> >>> > NAT before, so not sure how that works....
>> >>> > --
>> >>> > Computerisms
>> >>> > Bob Miller
>> >>> > 867-334-7117 / 867-633-3760
>> >>> > http://computerisms.ca
>> >>> >
>> >>> >
>> >>> > On Fri, 2013-02-01 at 23:22 -0800, Yang Zhang wrote:
>> >>> >> Yes, if you scroll down you'll see that in the /etc/ipsec.conf.
>> >>> >>
>> >>> >> On Fri, Feb 1, 2013 at 9:19 PM, Bob Miller <bob at computerisms.ca> wrote:
>> >>> >> > Feb  2 00:27:49 ip-10-252-194-250 pluto[3845]: packet from
>> >>> >> > 64.236.139.254:8514: initial Main Mode message received on
>> >>> >> > 10.252.194.250:500 but no connection has been authorized with policy=PSK
>> >>> >> >
>> >>> >> >
>> >>> >> > Do you have authby=secret in your conn?
>> >>> >> >
>> >>> >> >
>> >>> >> > --
>> >>> >> > Computerisms
>> >>> >> > Bob Miller
>> >>> >> > 867-334-7117 / 867-633-3760
>> >>> >> > http://computerisms.ca
>> >>> >> >
>> >>> >> >
>> >>> >> > On Fri, 2013-02-01 at 18:15 -0800, Yang Zhang wrote:
>> >>> >> >> Hi, thought I'd try this list for help with my question:
>> >>> >> >>
>> >>> >> >> http://serverfault.com/questions/474742/simple-l2tp-ipsec-server-not-working-openswan-xl2tpd-ubuntu-windows
>> >>> >> >>
>> >>> >> >> Thanks a lot, really appreciate it!
>> >>> >> >> _______________________________________________
>> >>> >> >> Users at lists.openswan.org
>> >>> >> >> https://lists.openswan.org/mailman/listinfo/users
>> >>> >> >> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> >>> >> >> Building and Integrating Virtual Private Networks with Openswan:
>> >>> >> >> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>> >>> >> >
>> >>> >>
>> >>> >>
>> >>> >>
>> >>> >
>> >>>
>> >>>
>> >>>
>> >>
>> >
>> >
>> >
>> > --
>> > Yang Zhang
>> > http://yz.mit.edu/
>>
>>
>>
>> --
>> Yang Zhang
>> http://yz.mit.edu/
>



--
Yang Zhang
http://yz.mit.edu/
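The diagnosis Bob works through above (IKE phase 1 and quick mode complete, yet nothing reaches xl2tpd) can be checked mechanically against a `tcpdump -n` capture taken on either end. The script below is an added example and is not part of the thread or of openswan; it parses the timestamp/address/port prefix tcpdump prints, classifies each packet as IKE (phase 1 or 2), ESP (raw or NAT-T encapsulated on UDP 4500), or plaintext L2TP on UDP 1701, and returns a verdict following the thread's reasoning: an SA negotiated with no ESP traffic means the client is not putting L2TP into the tunnel (or ESP is being dropped), and L2TP visible in the clear confirms it is bypassing IPsec. The sample capture is constructed for this example (placeholder addresses) and only mimics the `NONESP-encap: isakmp` lines quoted in the discussion.

```python
import re
from collections import Counter

# Constructed sample capture (not from the thread). The first four lines mimic the
# NAT-T IKE exchange quoted in the discussion; the fifth is a plaintext L2TP control
# packet, which should never be visible on the wire once the tunnel carries L2TP.
# Addresses are documentation/private placeholders.
SAMPLE_CAPTURE = """\
21:00:49.972728 IP 198.51.100.7.26724 > 10.0.0.5.4500: NONESP-encap: isakmp: phase 1 I ident[E]
21:00:49.973924 IP 10.0.0.5.4500 > 198.51.100.7.26724: NONESP-encap: isakmp: phase 1 R ident[E]
21:00:50.101342 IP 198.51.100.7.26724 > 10.0.0.5.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:00:50.102010 IP 10.0.0.5.4500 > 198.51.100.7.26724: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
21:00:51.000000 IP 198.51.100.7.1701 > 10.0.0.5.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ)
"""

# "<time> IP <src>.<sport> > <dst>.<dport>: <payload description>" as printed by tcpdump -n
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)


def classify(rest: str) -> str:
    """Map tcpdump's payload description to a coarse traffic class."""
    if rest.startswith("UDP-encap: ESP") or rest.startswith("ESP("):
        return "esp"            # protected traffic, raw ESP or NAT-T encapsulated
    if "isakmp:" in rest:
        m = re.search(r"phase (\d)", rest)
        return f"ike-phase{m.group(1)}" if m else "ike"
    if rest.startswith("l2tp:"):
        return "l2tp-clear"     # L2TP visible in plaintext: it is not inside the tunnel
    return "other"


def parse_capture(text: str) -> list:
    """Parse tcpdump -n output into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["class"] = classify(rec["rest"])
        records.append(rec)
    return records


def diagnose(records: list) -> tuple:
    """Return (verdict, per-class counts) using the thread's reasoning."""
    counts = Counter(r["class"] for r in records)
    if counts["l2tp-clear"]:
        verdict = "l2tp-bypassing-ipsec"            # fix policy/protoport or the client
    elif counts["esp"]:
        verdict = "esp-present-check-l2tp-and-iptables"
    elif counts["ike-phase2"]:
        verdict = "sa-negotiated-but-no-esp"        # client not using the tunnel, or ESP filtered
    elif counts["ike-phase1"]:
        verdict = "ike-phase1-only"
    else:
        verdict = "no-ipsec-traffic"
    return verdict, dict(counts)


if __name__ == "__main__":
    verdict, counts = diagnose(parse_capture(SAMPLE_CAPTURE))
    print(verdict, counts)
```

Feed it real output from `tcpdump -n -i eth0 udp port 500 or udp port 4500 or udp port 1701` (or raw ESP via `ip proto 50`) captured on the server; if the verdict is `sa-negotiated-but-no-esp` while the client believes the VPN is up, the IKE side is fine and the problem is the client's L2TP policy or a filter between the two, which is exactly where the thread ends up.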

