[Openswan Users] Troubleshooting ipsec/l2tp
klas
openswan at k.flum.net
Tue Oct 22 18:24:55 UTC 2013
Found out some more about this.
Working machine:

ip xfrm state
src 111.222.333.444 dst 192.168.0.4
    proto esp spi 0xd2ed5f31 reqid 16385 mode transport
    replay-window 32
    auth hmac(sha1) 0x...
    enc cbc(des3_ede) 0x...
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src 192.168.0.4 dst 111.222.333.444
    proto esp spi 0xf825cca2 reqid 16385 mode transport
    replay-window 32
    auth hmac(sha1) 0x...
    enc cbc(des3_ede) 0x...
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    sel src 0.0.0.0/0 dst 0.0.0.0/0

Non working machine:

src 111.222.333.444 dst 192.168.0.140
    proto esp spi 0x472e4b37 reqid 16385 mode transport
    replay-window 32
    auth-trunc hmac(sha1) 0x... 96
    enc cbc(des3_ede) 0x...
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    sel src 10.200.101.15/32 dst 192.168.0.140/32 proto udp dport 1701
src 192.168.0.140 dst 111.222.333.444
    proto esp spi 0x9b45d2f8 reqid 16385 mode transport
    replay-window 32
    auth-trunc hmac(sha1) 0x... 96
    enc cbc(des3_ede) 0x...
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    sel src 192.168.0.140/32 dst 10.200.101.15/32 proto udp sport 1701

Observe the selectors. 10.200.101.15 is the server's local IP. xl2tp
tries to communicate with the public IP (111.222.333.444).
What's causing this?
Thanks
Klas
On Mon, 21 Oct 2013 20:18:54 +0200
klas <openswan at k.flum.net> wrote:
> I've got two machines in the same LAN. Both have (as far as I can
> tell) identical configurations for ipsec and xl2tpd. One machine can
> connect as client to the server, the other one can't.
> The clients and the server are both behind NAT.
>
> ipsec seems to come up fine for both machines, but machine 2 is not
> able to set up l2tp. It's sending one packet and gets no answer.
>
> Any pointers about how to troubleshoot this?
>
> Thanks
> Klas
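
The selector comparison described in the message above, as an added example that is not part of the original post or of Openswan: it parses `ip xfrm state` output and reports every SA whose non-wildcard selector names an address different from the SA's own outer src/dst. The function names and the trimmed sample are assumptions made for the example; the addresses and SPIs are the ones posted.

```python
# Constructed sample: `ip xfrm state` output in the shape posted above
# (keys elided, addresses exactly as they appear in the message).
SAMPLE = """\
src 111.222.333.444 dst 192.168.0.4
    proto esp spi 0xd2ed5f31 reqid 16385 mode transport
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src 111.222.333.444 dst 192.168.0.140
    proto esp spi 0x472e4b37 reqid 16385 mode transport
    sel src 10.200.101.15/32 dst 192.168.0.140/32 proto udp dport 1701
src 192.168.0.140 dst 111.222.333.444
    proto esp spi 0x9b45d2f8 reqid 16385 mode transport
    sel src 192.168.0.140/32 dst 10.200.101.15/32 proto udp sport
    1701
"""


def parse_sas(text):
    """Split `ip xfrm state` output into one dict per SA (indentation optional)."""
    sas = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 4 and tok[0] == "src" and tok[2] == "dst":
            sas.append({"src": tok[1], "dst": tok[3], "spi": None, "sel": None})
        elif sas and tok[:1] == ["proto"] and "spi" in tok[:-1]:
            sas[-1]["spi"] = tok[tok.index("spi") + 1]
        elif sas and tok[:2] == ["sel", "src"] and len(tok) >= 5 and tok[3] == "dst":
            sas[-1]["sel"] = {"src": tok[2], "dst": tok[4]}
    return sas


def selector_mismatches(sas):
    """List (spi, side, outer_addr, selector_addr) for every non-wildcard
    selector address that differs from the SA's own outer src/dst."""
    found = []
    for sa in sas:
        for side, sel in (sa["sel"] or {}).items():
            addr, _, plen = sel.partition("/")
            if plen == "0":          # 0.0.0.0/0 matches any address
                continue
            if addr != sa[side]:
                found.append((sa["spi"], side, sa[side], addr))
    return found


if __name__ == "__main__":
    for spi, side, outer, sel in selector_mismatches(parse_sas(SAMPLE)):
        print(f"SA {spi}: selector {side} {sel} != SA {side} {outer}")
```

Feeding it the real output of `ip xfrm state` from each client makes the difference between the two machines visible without reading the SAs by eye.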