[Openswan Users] Filtered UDP ports, How to open them?

Paul Wouters paul at nohats.ca
Sat Nov 23 04:17:49 UTC 2013

On Sat, 23 Nov 2013, Mohsen B.Sarmadi wrote:

> Subject: [Openswan Users] Filtered UDP ports, How to open them?
> Dear All,
> I am using a EC2 Ubuntu 12.04 LTS instance in AWS. Openswan is listening to UDP ports but the ports have been filtered, can you help me
> to open them?

Who is filtering these? Your machine itself or AWS? If AWS is still
filtering port 4500, you need to open that up via their management

> $ sudo nmap -sU localhost
> Starting Nmap 5.21 ( http://nmap.org ) at 2013-11-23 03:26 UTC
> Nmap scan report for localhost (
> Host is up (0.000018s latency).
> Hostname localhost resolves to 2 IPs. Only scanned
> Not shown: 996 closed ports
> PORT     STATE         SERVICE
> 68/udp   open|filtered dhcpc
> 500/udp  open          isakmp
> 1701/udp open|filtered L2TP
> 4500/udp open|filtered nat-t-ike

If you're nmapping localhost, than it appears you are filtering it. You
can confirm this by manually issuing:

iptables -I INPUT -p udp --dport 4500 -j ACCEPT

1701 should be filtered, but no need to do it on an AWS host. Just have
AWS filter 1701, and you open up 1701. Than after decryption the 1701
traffic can properly find its way.

>     dpdtimeout=120
>     dpdaction=clear
>     # Set ikelifetime and keylife to same defaults windows has
>     ikelifetime=8h
>     keylife=1h
>     type=transport
>     # Replace IP address with your local IP (private, behind NAT IP is okay as well)
>     left=

This should be your real address, not localhost! You can try
left=%defaultroute, but I'm not entirely sure if that will work
in combination with your right=%any on that version of openswan.
You probably also need to add leftid=yourelasticip

> $ cat  /etc/xl2tpd/xl2tpd.conf
>  [global] ; Global parameters:
> ipsec saref = no

> Nov 23 03:29:10 ip-10-185-160-186 xl2tpd[2320]: Listening on IP address, port 1701

You must specify the l2tp IP here. xl2tpd is broken when not specifying
listen-addr: specifically. It should be a real ip, not 127.0.01 and not
the elastic ip.

Alternatively, you can try using XAUTH/Modeconfig instead of L2TP using
libreswan or strongswan.


More information about the Users mailing list