[Openswan Users] Openswan establishes IPSec, won't route to l2tpd

Joe Rhodes lists at joerhodes.com
Mon Jul 22 18:45:11 UTC 2013


Bob:

Well, you're a genius.  The winning suggestion was this one:

> I also make it my habit to make leftprotoport 17/%any instead of 17/1701


The other suggestions were either there (the ghost:%no,%priv) or were not needed (the leftnexthop=GW for 50.50.21.66).

For those researching via Google, it would seem that xl2tpd is doing something fun with ports.  If you have IPSec only listen for 1701, it won't work.  Open it up to any UDP port, and it suddenly connects.

Now I have to figure out how to properly firewall this, but that's another matter.

I can't say I'm terribly interested in working the certificate angle right now.  I'm just setting things up for small businesses and simple is the order of the day.  (Especially on the client side!)  All of these installations are small enough that a PSK will work fine.

Thanks again!

-Joe Rhodes


On Jul 22, 2013, at 2:15 PM, Bob Miller <bob at computerisms.ca> wrote:

> Hi,
> 
>> "L2TP-PSK-NAT"[6] 99.224.181.54 #6: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x02e99cda <0xd25bb5ee xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=99.224.181.54:4500 DPD=enabled}
>> 
>> 
>> This last line leads me to believe that the IPSec part of things is established and working.  After the OS X client gives up because it cannot contact the L2TP server, I see the following lines:
> 
> Correct
> 
>> conn L2TP-PSK-NAT
>>    rightsubnet=vhost:%priv,%no
>>    also=L2TP-PSK-noNAT
>> 
>> conn L2TP-PSK-noNAT
>>    authby=secret
>>    pfs=no
>>    auto=add
>>    keyingtries=3
>>    rekey=no
>>    ikelifetime=8h
>>    keylife=1h
>>    type=transport
>>    left=50.50.21.66
>>    leftprotoport=udp/1701
>>    right=%any
>>    rightprotoport=udp/%any
>>    dpddelay=40
>>    dpdtimeout=130
>>    dpdaction=clear
> 
> If you think of the conn as a description of the network, then this
> description provides enough info for openswan to establish an IPSec
> connection, but he doesn't know what to do about the l2tp part.  You
> need to add the following so openswan can build the correct routes:
> 
> leftnexthop=gw to 50.50.21.66
> rightsubnet= vhost:%no,%priv
> 
> I also make it my habit to make leftprotoport 17/%any instead of 17/1701
> 
> FYI there may be more problems further down, but I stopped reading your mail here.
> 
> On a side note, I note you are using passwords instead of certificates,
> which in my experience is the only way to get mac devices working
> without tech and end-user both going to extraordinary lengths.  If you
> ever get your mac devices working properly with certs, I would be
> interested to know how you do it...
> 
> 
> 
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
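Added example, not code from this thread or from the Openswan project: the conn as it ended up working (leftprotoport opened to 17/%any, rightsubnet=vhost:%priv,%no for NAT'd clients), the "before" line left in as a comment, plus the firewall part Joe said he still had to work out. Since the IPsec policy no longer pins the server side to port 1701, the iptables rules below accept UDP/1701 only when the kernel has already decapsulated the packet from an ESP SA (xt_policy match) and drop it otherwise. The server address 50.50.21.66 is from the thread; the output path, leftnexthop=%defaultroute and the use of iptables' policy match are assumptions, and the script assumes the config setup section already has nat_traversal=yes and a virtual_private range covering the clients' private networks (needed for vhost:%priv).

```shell
#!/bin/sh
# Added example for the L2TP/IPsec transport-mode setup discussed in this
# thread. Writes the working conn definitions to a file and emits the
# iptables rules that gate UDP/1701 on an established ESP SA.

SERVER_IP=${SERVER_IP:-50.50.21.66}   # from the thread
IPT=${IPT:-iptables}                  # set IPT=echo to dry-run the rules

# Write the two conns. The commented-out leftprotoport line is the one that
# brought the IPsec SA up but left xl2tpd unreachable; the line after it is
# the working one. Comment lines sit at column 0 so ipsec.conf parses them.
write_l2tp_conn() {
    out=$1
    cat >"$out" <<EOF
# Clients behind NAT present a private inner address; %priv matches the
# virtual_private range, %no lets a non-NAT'd client through as well
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv,%no
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=$SERVER_IP
    leftnexthop=%defaultroute
# leftprotoport=17/1701    <- SA established, L2TP never connected
    leftprotoport=17/%any
    right=%any
    rightprotoport=udp/%any
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
EOF
}

# IKE (500), NAT-T (4500) and ESP are open to anyone; UDP/1701 is accepted
# only for packets that arrived inside an ESP SA, so plaintext L2TP from the
# Internet is dropped even though the IPsec policy itself no longer pins
# the port. NAT-T traffic is decapsulated by the kernel before INPUT sees
# the inner packet, so the policy match covers both cases.
l2tp_firewall_rules() {
    $IPT -A INPUT -p udp --dport 500  -j ACCEPT
    $IPT -A INPUT -p udp --dport 4500 -j ACCEPT
    $IPT -A INPUT -p esp -j ACCEPT
    $IPT -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    $IPT -A INPUT -p udp --dport 1701 -j DROP
}

# Lint an existing ipsec.conf: succeed only if no conn still pins the
# server side to port 1701 (the setting that failed in this thread).
check_no_pinned_1701() {
    ! grep -Eq '^[[:space:]]*leftprotoport=(17|udp)/1701' "$1"
}

# Usage when run directly (assumed path; PSK goes in ipsec.secrets as
#   50.50.21.66 %any : PSK "..."  and is not handled here):
#   write_l2tp_conn /etc/ipsec.d/l2tp-psk.conf && ipsec auto --rereadall
#   l2tp_firewall_rules
```

Run with IPT=echo first to see the rules without applying them; the lint function is there so the 17/1701 setting does not quietly come back after a copy-paste from an older how-to.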


