[Openswan Users] xl2tpd never receiving or replying to packets
Rob Emanuele
rje at shoreis.com
Fri Jun 7 22:26:29 UTC 2013
Greetings,
I'm trying to set up a new ipsec/l2tp vpn server on Ubuntu 13.04. They
have an FC5 system that they want to upgrade since it has a NAT-T bug
where two clients behind the same NAT address cannot connect
simultaneously. We never see any log messages that log data into xl2tpd.
We do see an ipsec SA established. We do see ESP data coming into the box
with tcpdump.
I'm wondering if my kernel isn't passing the data to xl2tpd correctly or
at all. Would you guys have any suggestions for debugging it further? Do
we need any particular sysctl settings other than ipv4 forwarding?
Notes on our setup below.
Thank you,
Rob
Versions:
Linux vpnserver2 3.8.0-23-generic #34-Ubuntu SMP Wed May 29 20:24:54 UTC 2013 i686 i686 i686 GNU/Linux
xl2tpd 1.3.1+dfsg-1
openswan 1:2.6.38-1
ipsec.conf ===========
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    # contains the networks that are allowed as subnet= for the remote
    # client. In other words, the address ranges that may live behind a NAT
    # router through which a client connects.
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    # Set ikelifetime and keylife to same defaults windows has
    ikelifetime=8h
    keylife=1h
    type=transport
    # Replace IP address with your local IP (private, behind NAT IP is
    # okay as well)
    left=<OUR EXTERNAL IP>
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    # force all to be nat'ed. because of iOS
    forceencaps=yes
xl2tpd.conf ===========
[lns default]
ip range = 192.168.113.176-192.168.113.200
local ip = 192.168.113.252
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver2
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
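A diagnostic helper for the question above, added here and not part of Rob's post or of the xl2tpd/Openswan projects: with the netkey stack, a packet the kernel decrypts is seen a second time on the same interface as plaintext, so a capture of the public interface shows whether L2TP (UDP 1701) ever emerges from the ESP that tcpdump already confirms is arriving. The script classifies tcpdump lines (default `-n` format, assumed) and names the next layer to inspect; the interface name and the sample capture lines are constructed.

```shell
#!/bin/bash
# Added diagnostic helper, not from the original post or from xl2tpd/Openswan.
# Classifies a tcpdump capture of the VPN host's public interface to tell whether
# the kernel ever hands plaintext L2TP (UDP 1701) up to xl2tpd. Sample is constructed.

# One tcpdump line -> esp | l2tp | other. Raw ESP and NAT-T encapsulated ESP
# ("UDP-encap: ESP(spi=") both count as esp; decapsulated L2TP is UDP 1701 -> 1701.
classify_line() {
    case "$1" in
        *"ESP(spi="*)           echo esp ;;
        *".1701 > "*".1701: "*) echo l2tp ;;
        *)                      echo other ;;
    esac
}

# Capture lines on stdin -> "esp=N l2tp=N other=N".
summarize_capture() {
    local esp=0 l2tp=0 other=0 line
    while IFS= read -r line; do
        case "$(classify_line "$line")" in
            esp)  esp=$((esp + 1)) ;;
            l2tp) l2tp=$((l2tp + 1)) ;;
            *)    other=$((other + 1)) ;;
        esac
    done
    printf 'esp=%d l2tp=%d other=%d\n' "$esp" "$l2tp" "$other"
}

# Summary string -> which layer to inspect next.
diagnose() {
    local esp l2tp
    esp=${1#esp=};    esp=${esp%% *}
    l2tp=${1#*l2tp=}; l2tp=${l2tp%% *}
    if [ "$l2tp" -gt 0 ]; then
        echo "kernel delivers plaintext L2TP: confirm xl2tpd is bound to UDP 1701 (ss -ulnp) and read its log"
    elif [ "$esp" -gt 0 ]; then
        echo "ESP arrives but nothing is decapsulated: compare 'ip xfrm state' and 'ip xfrm policy' with the 17/1701 transport conn, then check INPUT firewall rules"
    else
        echo "no ESP seen: the SA may be up while the client never sends; check 'ipsec auto --status'"
    fi
}

# Constructed sample: two NAT-T ESP packets plus a NAT keepalive, no L2TP.
SAMPLE='IP 203.0.113.5.4500 > 198.51.100.7.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
IP 203.0.113.5.4500 > 198.51.100.7.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x2), length 132
IP 203.0.113.5.4500 > 198.51.100.7.4500: isakmp-nat-keep-alive'
if [ "${1:-}" = "--live" ]; then   # usage: ./l2tp-diag.sh --live eth0 (interface is an assumption)
    summary=$(tcpdump -l -n -i "$2" -c 50 'esp or udp port 4500 or udp port 1701' | summarize_capture)
else
    summary=$(printf '%s\n' "$SAMPLE" | summarize_capture)
fi
echo "$summary"; diagnose "$summary"
```

Run it with `--live <iface>` while a client attempts to connect; without arguments it evaluates the constructed sample, which reproduces the post's symptom (ESP in, no L2TP out).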