[Openswan Users] xl2tpd never receiving or replying to packets

Thomas York straterra at fuhell.com
Sat Jun 8 00:17:49 UTC 2013


Try running a strace on xl2tpd while connecting. If it's the same issue
I've seen, you should see errors with every packet. I've only seen this
with Debian and Ubuntu with SARef. However, it works perfectly for me on
RHEL.

Unfortunately, I haven't been able to find a fix. I was told to ask the
mailing list, but haven't gotten around to it.

-Thomas York
On Jun 7, 2013 6:36 PM, "Rob Emanuele" <rje at shoreis.com> wrote:

> Greetings,
>
> I'm trying to set up a new ipsec/l2tp vpn server on Ubuntu 13.04.  They
> have an FC5 system that they want to upgrade since it has a NAT-T bug
> where two clients behind the same NAT address cannot connect
> simultaneously.  We never see any log messages that log data into xl2tpd.
> We do see an ipsec SA established.  We do see ESP data coming into the box
> with tcpdump.
>
> I'm wondering if my kernel isn't passing the data to xl2tpd correctly or
> at all.  Would you guys have any suggestions for debugging it further?  Do
> we need any particular sysctl settings other than ipv4 forwarding?
>
> Notes on our set up below.
>
> Thank you,
>
> Rob
>
> Versions:
>
> Linux vpnserver2 3.8.0-23-generic #34-Ubuntu SMP Wed May 29 20:24:54 UTC 2013 i686 i686 i686 GNU/Linux
>
> xl2tpd  1.3.1+dfsg-1
>
> openswan 1:2.6.38-1
>
> ipsec.conf ===========
>
> config setup
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>     # contains the networks that are allowed as subnet= for the remote
>     # client. In other words, the address ranges that may live behind a NAT
>     # router through which a client connects.
>     oe=off
>     protostack=netkey
>
> conn L2TP-PSK-NAT
>     rightsubnet=vhost:%priv
>     also=L2TP-PSK-noNAT
>
> conn L2TP-PSK-noNAT
>     authby=secret
>     pfs=no
>     auto=add
>     keyingtries=3
>     rekey=no
>     # Apple iOS doesn't send delete notify so we need dead peer detection
>     # to detect vanishing clients
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=clear
>     # Set ikelifetime and keylife to same defaults windows has
>     ikelifetime=8h
>     keylife=1h
>     type=transport
>     # Replace IP address with your local IP (private, behind NAT IP is
>     # okay as well)
>     left=<OUR EXTERNAL IP>
>     # For updated Windows 2000/XP clients,
>     # to support old clients as well, use leftprotoport=17/%any
>     leftprotoport=17/1701
>     right=%any
>     rightprotoport=17/%any
>     #force all to be nat'ed. because of iOS
>     forceencaps=yes
>
> xl2tpd.conf ===========
>
> [lns default]
> ip range = 192.168.113.176-192.168.113.200
> local ip = 192.168.113.252
> require chap = yes
> refuse pap = yes
> require authentication = yes
> name = LinuxVPNserver2
> ppp debug = yes
> pppoptfile = /etc/ppp/options.xl2tpd
> length bit = yes
>
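
One way to check an strace capture of xl2tpd for the per-packet errors mentioned in the reply above. This is an added example, not code from the thread or from either project; the function names, the capture path and the sample trace lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Capture while a client connects
# (assumption: run as root, xl2tpd already running):
#   strace -f -tt -e trace=network -o /tmp/xl2tpd.strace -p "$(pidof xl2tpd)"

# summarize_failures [FILE...]: count failing syscalls per (syscall, errno),
# most frequent first. Reads stdin when no file is given.
summarize_failures() {
    awk '
    / = -1 E[A-Z0-9]+/ {
        match($0, / = -1 E[A-Z0-9]+/)
        err = substr($0, RSTART + 6, RLENGTH - 6)
        # Normal on non-blocking sockets and interrupted calls, not a fault.
        if (err == "EAGAIN" || err == "EINTR") next
        # With -f a call can be split; the result is on the "resumed" line.
        if (match($0, /<\.\.\. [a-z_0-9]+ resumed>/))
            call = substr($0, RSTART + 5, RLENGTH - 14)
        else if (match($0, /[a-z_0-9]+\(/))
            call = substr($0, RSTART, RLENGTH - 1)
        else
            next
        n[call " " err]++
    }
    END { for (k in n) print n[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Constructed sample trace (address from the documentation range; the errno
# values are illustrative, the thread does not name the actual error).
sample_trace() {
    cat <<'EOF'
1201 00:17:49.100001 recvmsg(3, {msg_name={sa_family=AF_INET, sin_port=htons(4500), sin_addr=inet_addr("203.0.113.7")}, msg_iovlen=1}, 0) = 69
1201 00:17:49.100350 sendmsg(3, {msg_name={sa_family=AF_INET, sin_port=htons(4500), sin_addr=inet_addr("203.0.113.7")}, msg_iovlen=1}, 0) = -1 EINVAL (Invalid argument)
1201 00:17:50.100410 recvmsg(3, {msg_namelen=16}, 0) = -1 EAGAIN (Resource temporarily unavailable)
1201 00:17:51.100002 recvmsg(3, {msg_name={sa_family=AF_INET, sin_port=htons(4500), sin_addr=inet_addr("203.0.113.7")}, msg_iovlen=1}, 0) = 69
1201 00:17:51.100377 sendmsg(3, {msg_name={sa_family=AF_INET, sin_port=htons(4500), sin_addr=inet_addr("203.0.113.7")}, msg_iovlen=1}, 0) = -1 EINVAL (Invalid argument)
1201 00:17:52.100100 sendmsg(3, {msg_name={sa_family=AF_INET, sin_port=htons(4500)} <unfinished ...>
1201 00:17:52.100900 <... sendmsg resumed>, 0) = -1 EINVAL (Invalid argument)
1201 00:17:53.200000 recvmsg(3, {msg_namelen=16}, 0) = -1 ECONNREFUSED (Connection refused)
EOF
}
```

Run `summarize_failures /tmp/xl2tpd.strace` on a real capture; a failure count that tracks the number of packets exchanged matches the "errors with every packet" symptom, while no recvmsg lines at all points at the kernel not delivering decrypted traffic to the daemon.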