LinuxQuestions.org

Linux - Networking: l2tp and openswan tunnel problem? (http://www.linuxquestions.org/questions/linux-networking-3/l2tp-and-openswan-tunnel-problem-4175448178/)

shams 02-01-2013 10:56 AM

l2tp and openswan tunnel problem?
 
For weeks I have been trying to set up my Debian Wheezy box as an L2TP client to connect to my VPN server with xl2tpd and Openswan. The external interface of my Linux system is ppp0 with a dynamic IP address, and the internal interface is eth0, whose IP address is 192.168.1.1.

This is my ipsec.conf:
Quote:

version 2.0
config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.1.0/24,%v4:172.16.0.0/12
    oe=off
    protostack=netkey
    plutostderrlog=/var/log/pluto.log
    interfaces="%defaultroute"

conn L2tp-Client
    authby=secret
    pfs=no
    auto=add
    rekey=no
    # L2TP/IPsec is a host-to-host transport-mode SA that protects only UDP/1701.
    # leftsubnet= and leftsourceip= do not belong in a transport conn; the
    # leftsourceip=192.168.1.1 setting is what produced the peer route with
    # "src 192.168.1.1" on ppp0, so both are removed here.
    type=transport
    left=%defaultroute
    leftnexthop=%defaultroute
    # no leftid= needed: it defaults to the address chosen for left
    leftprotoport=17/1701
    right=46.165.221.230
    rightid=46.165.221.230
    rightnexthop=46.165.221.230
    rightprotoport=17/1701
The "ipsec auto --up L2tp-Client" command shows the connection established:
Quote:

listening for IKE messages
adding interface ppp0/ppp0 118.104.230.5:500
adding interface ppp0/ppp0 118.104.230.5:4500
adding interface eth0/eth0 192.168.1.1:500
adding interface eth0/eth0 192.168.1.1:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500
loading secrets from "/etc/ipsec.secrets"
"L2tp-Client" #1: initiating Main Mode
"L2tp-Client" #1: ignoring unknown Vendor ID payload [882fe56d6fd20dbc2251613b2ebe5beb]

"L2tp-Client" #1: received Vendor ID payload [Dead Peer Detection]
"L2tp-Client" #1: received Vendor ID payload [RFC 3947] method set to=109
"L2tp-Client" #1: enabling possible NAT-traversal with method 4
"L2tp-Client" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
"L2tp-Client" #1: STATE_MAIN_I2: sent MI2, expecting MR2
"L2tp-Client" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
"L2tp-Client" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
"L2tp-Client" #1: STATE_MAIN_I3: sent MI3, expecting MR3
"L2tp-Client" #1: Main mode peer ID is ID_IPV4_ADDR: '46.165.221.230'
"L2tp-Client" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
"L2tp-Client" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
"L2tp-Client" #2: initiating Quick Mode PSK+ENCRYPT+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:817a4a6b proposal=defaults pfsgroup=no-pfs}
"L2tp-Client" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
"L2tp-Client" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xc27caac2 <0x03c95196 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
And this is the routing table:
Quote:

# ip route show
default dev ppp0 scope link
46.165.221.230 via 118.104.228.4 dev ppp0 src 192.168.1.1
118.104.228.4 dev ppp0 proto kernel scope link src 118.104.230.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
46.165.221.230 is my VPN server IP address and 118.104.228.4 is my ISP IP address, but I think the traffic doesn't go through this tunnel. This is the tcpdump output:
Quote:

#tcpdump -i ppp0

19:50:03.628622 IP mypc.50912 > 217.212.238.33.http: Flags [.], ack 135116, win 259, length 0
19:50:03.654674 IP 78-60-68-191.static.zebra.lt.63619 > mypc.51413: UDP, length 103
19:50:03.655292 IP mypc.3419 > resolver1-fs.opendns.com.domain: 31095+ PTR? 191.68.60.78.in-addr.arpa. (43)
19:50:03.956620 IP 217.212.238.33.http > mypc.50914: Flags [.], seq 144460:145846, ack 1635, win 65535, length 1386
19:50:04.208670 IP mypc.50914 > 217.212.238.33.http: Flags [.], ack 145846, win 259, length 0
19:50:04.232589 IP 217.212.238.33.http > mypc.50914: Flags [.], seq 145846:147232, ack 1635, win 65535, length 1386
19:50:04.446509 IP 217.212.238.33.http > mypc.50914: Flags [.], seq 147232:148246, ack 1635, win 65535, length 1014
19:50:04.446895 IP mypc.50914 > 217.212.238.33.http: Flags [.], ack 148246, win 259, length 0
19:50:04.735465 IP 217.212.238.33.http > mypc.50914: Flags [.], seq 148246:149632, ack 1635, win 65535, length 1386
19:50:04.814437 IP 217.212.238.33.http > mypc.50914: Flags [.], seq 149632:150014, ack 1635, win 65535, length 382
19:50:04.815738 IP mypc.50914 > 217.212.238.33.http: Flags [.], ack 150014, win 259, length 0
19:50:06.131215 IP resolver1-fs.opendns.com.domain > mypc.19745: 20394 0/0/0 (25)
19:50:06.278986 IP mypc.30523 > resolver1-fs.opendns.com.domain: 63097+ AAAA? shamsme. (25)
19:50:06.423183 IP 217.212.238.33.http > mypc.50912: Flags [.], seq 135116:136502, ack 2730, win 65535, length 1386
19:50:06.637187 IP 217.212.238.33.http > mypc.50912: Flags [.], seq 136502:137562, ack 2730, win 65535, length 1060
19:50:06.637717 IP mypc.50912 > 217.212.238.33.http: Flags [.], ack 137562, win 259, length 0
19:50:06.659136 IP loft2278.serverloft.eu.openvpn > mypc.42546: Flags [R.], seq 0, ack 1347820094, win 0, length 0
19:50:06.949136 IP 217.212.238.33.http > mypc.50912: Flags [.], seq 137562:138948, ack 2730, win 65535, length 1386
19:50:07.089100 IP 217.212.238.33.http > mypc.50912: Flags [.], seq 138948:139651, ack 2730, win 65535, length 703
19:50:08.273203 IP mypc.44279 > resolver1-fs.opendns.com.domain: 41557+ PTR? 88.179.170.86.in-addr.arpa. (44)
19:50:08.302491 IP CPE-121-218-160-31.lnse4
Please help me, where am I wrong?

shams 02-01-2013 08:04 PM

Please help to solve the problem. To my knowledge, what I noticed is that the problem is my dynamic IP, because when I use "%defaultroute" for the left there is no IP assigned to the default route (as shown above in the route it is "0.0.0.0"), so ipsec fails and complains there is no valid IP for the default route. But when I use my eth0 interface IP address 192.168.1.1, ipsec establishes the tunnel between "46.165.221.230 via 118.104.228.4 dev ppp0 src 192.168.1.1", but the internet traffic goes through my external interface, which is ppp0, not eth0, so the traffic doesn't use the L2TP tunnel.
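The posts above stop once Openswan reports the IPsec SA. That SA is a transport-mode policy covering only UDP/1701 between the client and the server; user traffic only enters the VPN after xl2tpd has started the L2TP session, pppd has created a new PPP interface, and the default route has been moved onto it, with the server itself pinned to the ISP link so the encrypted packets are not routed back into the tunnel. The script below is an added example, not from the thread or from the Openswan/xl2tpd projects: it performs that bring-up and then checks the kernel routing table and xfrm policy. It assumes (hypothetically) that the conn is named "L2tp-Client", that xl2tpd.conf has a "[lac vpn]" section pointing at the server, that the ISP link is ppp0 and the L2TP session comes up as ppp1; 46.165.221.230 and 118.104.228.4 are the server and ISP gateway addresses shown in the thread, and the 10.8.0.x PPP addresses in the sample data are made up.

```shell
#!/bin/sh
# Added example (not from the thread): L2TP/IPsec client bring-up with
# Openswan + xl2tpd, plus post-checks on the routing table and xfrm policy.
# Hypothetical names: conn "L2tp-Client", xl2tpd lac "vpn", ISP link ppp0,
# L2TP PPP interface ppp1. Server/gateway addresses are those in the thread.

VPN_SERVER=46.165.221.230
UNDERLAY_IF=ppp0
L2TP_IF=ppp1

# route_check SERVER UNDERLAY_IF L2TP_IF  < "ip route show" output
# Succeeds only when the default route leaves through the L2TP PPP interface
# AND a host route pins the VPN server to the underlay (ISP) interface.
route_check() {
    server=$1 underlay=$2 tunnel=$3
    routes=$(cat)
    esc=$(printf '%s' "$server" | sed 's/\./\\./g')
    printf '%s\n' "$routes" | grep -Eq "^default .*dev $tunnel( |$)" || return 1
    printf '%s\n' "$routes" | grep -Eq "^$esc .*dev $underlay( |$)" || return 1
}

# xfrm_check SERVER  < "ip xfrm policy" output
# Succeeds when an outbound transport-mode ESP policy covers UDP/1701 to the
# server, i.e. the SA Openswan negotiated is really installed in the kernel.
xfrm_check() {
    awk -v server="$1" '
        /^src / {                                 # start of a policy entry
            dst = ""; out = 0
            for (i = 1; i <= NF; i++) if ($i == "dst") dst = $(i + 1)
            l2tp = ($0 ~ /proto udp/ && $0 ~ /dport 1701/)
        }
        /dir out/        { out = 1 }
        /mode transport/ { if (out && l2tp && dst == (server "/32")) found = 1 }
        END { exit found ? 0 : 1 }'
}

# bring_up: the step the thread is missing (run as root).
bring_up() {
    ipsec auto --up L2tp-Client || return 1
    # Pin the server to the ISP link BEFORE the default route changes.
    gw=$(ip route get "$VPN_SERVER" |
         awk '{ for (i = 1; i <= NF; i++) if ($i == "via") print $(i + 1) }')
    if [ -n "$gw" ]; then
        ip route replace "$VPN_SERVER" via "$gw" dev "$UNDERLAY_IF"
    else
        ip route replace "$VPN_SERVER" dev "$UNDERLAY_IF"   # point-to-point, no gateway
    fi
    # Ask xl2tpd to dial the "vpn" lac; it spawns pppd, which creates $L2TP_IF.
    echo "c vpn" > /var/run/xl2tpd/l2tp-control
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        ip link show "$L2TP_IF" >/dev/null 2>&1 && break
        sleep 1
    done
    ip route replace default dev "$L2TP_IF"
    ip route show | route_check "$VPN_SERVER" "$UNDERLAY_IF" "$L2TP_IF" \
        && ip xfrm policy | xfrm_check "$VPN_SERVER"
}

# Constructed sample data for offline checking: the thread's own routing table
# (default still via ppp0) and a corrected one (10.8.0.x addresses are assumed).
BROKEN_ROUTES='default dev ppp0 scope link
46.165.221.230 via 118.104.228.4 dev ppp0 src 192.168.1.1
118.104.228.4 dev ppp0 proto kernel scope link src 118.104.230.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1'

FIXED_ROUTES='default dev ppp1 scope link
10.8.0.1 dev ppp1 proto kernel scope link src 10.8.0.10
46.165.221.230 via 118.104.228.4 dev ppp0
118.104.228.4 dev ppp0 proto kernel scope link src 118.104.230.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1'

# Constructed "ip xfrm policy" output in the shape netkey shows for leftprotoport=17/1701.
SAMPLE_XFRM='src 118.104.230.5/32 dst 46.165.221.230/32 proto udp sport 1701 dport 1701
        dir out priority 2080 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16385 mode transport
src 46.165.221.230/32 dst 118.104.230.5/32 proto udp sport 1701 dport 1701
        dir in priority 2080 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16385 mode transport'

case "${1:-}" in
    up)   bring_up ;;
    demo)
        printf '%s\n' "$BROKEN_ROUTES" | route_check "$VPN_SERVER" "$UNDERLAY_IF" "$L2TP_IF" \
            || echo "thread's table: default route still leaves via $UNDERLAY_IF"
        printf '%s\n' "$FIXED_ROUTES" | route_check "$VPN_SERVER" "$UNDERLAY_IF" "$L2TP_IF" \
            && echo "corrected table: default via $L2TP_IF, server pinned to $UNDERLAY_IF"
        printf '%s\n' "$SAMPLE_XFRM" | xfrm_check "$VPN_SERVER" \
            && echo "kernel has the transport-mode ESP policy for UDP/1701"
        ;;
esac
```

Run it as `sh l2tp-up.sh demo` to exercise the checks against the embedded sample data, and as root with `up` to bring the tunnel up. Because the script moves the default route itself, the PPP options file referenced by the "[lac vpn]" section (assumed here to be /etc/ppp/options.l2tpd.client) should not also request `defaultroute`; the host route for the server is installed first so that the L2TP/ESP packets keep leaving via the ISP link after the default route changes.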

amirn 06-26-2013 08:26 AM

I have a step-by-step L2TP + Openswan example (it's for EC2, but with very little modification you can make this work anywhere).
Here is the link: "L2TP OpenSwan How To"

