[Openswan Users] Openswan establishes IPSec, won't route to l2tpd

Bob Miller bob at computerisms.ca
Mon Jul 22 18:15:47 UTC 2013


Hi,

> "L2TP-PSK-NAT"[6] 99.224.181.54 #6: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x02e99cda <0xd25bb5ee xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=99.224.181.54:4500 DPD=enabled}
> 
> 
> This last line leads me to believe that the IPSec part of things is established and working.  After the OS X client gives up because it cannot contact the L2TP server, I see the following lines:

Correct

> conn L2TP-PSK-NAT
>     rightsubnet=vhost:%priv,%no
>     also=L2TP-PSK-noNAT
>  
> conn L2TP-PSK-noNAT
>     authby=secret
>     pfs=no
>     auto=add
>     keyingtries=3
>     rekey=no
>     ikelifetime=8h
>     keylife=1h
>     type=transport
>     left=50.50.21.66
>     leftprotoport=udp/1701
>     right=%any
>     rightprotoport=udp/%any
>     dpddelay=40
>     dpdtimeout=130
>     dpdaction=clear

If you think of the conn as a description of the network, then this
description provides enough info for openswan to establish an IPSec
connection, but he doesn't know what to do about the l2tp part.  You
need to add the following so openswan can build the correct routes:

leftnexthop=gw to 50.50.21.66
rightsubnet= vhost:%no,%priv

I also make it my habit to make leftprotoport 17/%any instead of 17/1701

FYI there may be more problems further down, but I stopped reading your mail here.

On a side note, I note you are using passwords instead of certificates,
which in my experience is the only way to get mac devices working
without tech and end-user both going to extraordinary lengths.  If you
ever get your mac devices working properly with certs, I would be
interested to know how you do it...
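The following is an added example, not part of the mailing list post above. It encodes the advice in the reply as a small check over ipsec.conf conn sections: it parses the two conns as quoted, expands the also= reference (the including section's own settings take precedence over the included one, as the ipsec.conf man page describes), and reports a conn that is missing leftnexthop or a vhost:%priv rightsubnet, or whose leftprotoport does not cover UDP 1701. The gateway address 192.0.2.1 in the corrected variant is a placeholder for the real next hop in front of 50.50.21.66; the parser and the rule set are the example's own.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample: the conn sections exactly as quoted in the thread.
ORIGINAL_CONF = """\
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv,%no
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=50.50.21.66
    leftprotoport=udp/1701
    right=%any
    rightprotoport=udp/%any
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
"""

# Constructed sample: the same sections with the reply's additions applied.
# 192.0.2.1 is a placeholder for the gateway in front of 50.50.21.66.
CORRECTED_CONF = ORIGINAL_CONF.replace(
    "    left=50.50.21.66\n",
    "    left=50.50.21.66\n    leftnexthop=192.0.2.1\n",
).replace(
    "    leftprotoport=udp/1701\n",
    "    leftprotoport=17/%any\n    rightsubnet=vhost:%no,%priv\n",
)


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'conn NAME' sections into {name: {key: value}} (a subset of ipsec.conf syntax)."""
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue                               # settings outside any conn are ignored here
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip()
    return conns


def resolve(conns: Dict[str, Dict[str, str]], name: str,
            _seen: Optional[Set[str]] = None) -> Dict[str, str]:
    """Expand also= references; the including conn's own settings win over the included ones."""
    _seen = _seen if _seen is not None else set()
    if name in _seen:
        raise ValueError(f"also= loop at conn {name}")
    _seen.add(name)
    own = dict(conns[name])
    base = own.pop("also", None)
    merged = resolve(conns, base, _seen) if base else {}
    merged.update(own)
    return merged


def check_l2tp_conn(conn: Dict[str, str]) -> List[str]:
    """Return the problems the reply points out for an L2TP/IPsec transport-mode conn."""
    problems: List[str] = []
    if conn.get("type") != "transport":
        problems.append("type should be transport for L2TP/IPsec")
    lpp = conn.get("leftprotoport", "")
    if lpp not in ("udp/1701", "17/1701", "udp/%any", "17/%any"):
        problems.append(f"leftprotoport={lpp!r} does not cover UDP 1701")
    if "leftnexthop" not in conn:
        problems.append("leftnexthop missing: openswan cannot build the route for the l2tp traffic")
    rs = conn.get("rightsubnet", "")
    if "vhost:" not in rs or "%priv" not in rs:
        problems.append("rightsubnet should be vhost:%no,%priv so NATed clients are accepted")
    return problems


def lint(text: str) -> Dict[str, List[str]]:
    """Lint every conn in an ipsec.conf fragment after also= expansion."""
    conns = parse_conns(text)
    return {name: check_l2tp_conn(resolve(conns, name)) for name in conns}


if __name__ == "__main__":
    for label, conf in (("as posted", ORIGINAL_CONF), ("with the reply's additions", CORRECTED_CONF)):
        print(f"== {label} ==")
        for name, problems in lint(conf).items():
            print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
```

Run as-is, the check flags the posted L2TP-PSK-NAT conn only for the missing leftnexthop (its rightsubnet is inherited from nothing and set directly), flags L2TP-PSK-noNAT for both leftnexthop and rightsubnet, and reports both conns clean once the two lines from the reply are added.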
