LinuxQuestions.org, Linux - Networking forum
#1  02-01-2013, 09:56 AM  shams (Member, registered Jan 2004)
l2tp and openswan tunnel problem?


For weeks I have been trying to set up my Debian wheezy box as an L2TP client to connect to my VPN server with xl2tpd and openswan. The external interface of my Linux system is ppp0 with a dynamic IP address, and the internal interface is eth0, whose IP address is 192.168.1.1.

This is my ipsec.conf:
Quote:
version 2.0
config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.1.0/24,%v4:172.16.0.0/12
    oe=off
    protostack=netkey
    plutostderrlog=/var/log/pluto.log
    interfaces="%defaultroute"

conn L2tp-Client
    authby=secret
    pfs=no
    auto=add
    rekey=no
    type=transport
    left=%defaultroute
    leftnexthop=%defaultroute
    leftid=%defaultroute
    leftprotoport=17/1701
    leftsourceip=192.168.1.1
    leftsubnet=192.168.1.0/24
    right=46.165.221.230
    rightid=46.165.221.230
    rightnexthop=46.165.221.230
    rightprotoport=17/1701
The "ipsec auto --up L2tp-Client" command shows the connection established:
Quote:
listening for IKE messages
adding interface ppp0/ppp0 118.104.230.5:500
adding interface ppp0/ppp0 118.104.230.5:4500
adding interface eth0/eth0 192.168.1.1:500
adding interface eth0/eth0 192.168.1.1:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500
loading secrets from "/etc/ipsec.secrets"
"L2tp-Client" #1: initiating Main Mode
"L2tp-Client" #1: ignoring unknown Vendor ID payload [882fe56d6fd20dbc2251613b2ebe5beb]
"L2tp-Client" #1: received Vendor ID payload [Dead Peer Detection]
"L2tp-Client" #1: received Vendor ID payload [RFC 3947] method set to=109
"L2tp-Client" #1: enabling possible NAT-traversal with method 4
"L2tp-Client" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
"L2tp-Client" #1: STATE_MAIN_I2: sent MI2, expecting MR2
"L2tp-Client" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
"L2tp-Client" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
"L2tp-Client" #1: STATE_MAIN_I3: sent MI3, expecting MR3
"L2tp-Client" #1: Main mode peer ID is ID_IPV4_ADDR: '46.165.221.230'
"L2tp-Client" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
"L2tp-Client" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
"L2tp-Client" #2: initiating Quick Mode PSK+ENCRYPT+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:817a4a6b proposal=defaults pfsgroup=no-pfs}
"L2tp-Client" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
"L2tp-Client" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xc27caac2 <0x03c95196 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
And this is the routing table:
Quote:
# ip route show
default dev ppp0 scope link
46.165.221.230 via 118.104.228.4 dev ppp0 src 192.168.1.1
118.104.228.4 dev ppp0 proto kernel scope link src 118.104.230.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
46.165.221.230 is my VPN server IP address and 118.104.228.4 is my ISP IP address, but I think the traffic doesn't go through this tunnel. This is the tcpdump output:
Quote:
#tcpdump -i ppp0

19:50:03.628622 IP mypc.50912 > 217.212.238.33.http: Flags [.], ack 135116, win 259, length 0
19:50:03.654674 IP 78-60-68-191.static.zebra.lt.63619 > mypc.51413: UDP, length 103
19:50:03.655292 IP mypc.3419 > resolver1-fs.opendns.com.domain: 31095+ PTR? 191.68.60.78.in-addr.arpa. (43)
19:50:03.956620 IP 217.212.238.33.http > mypc.50914: Flags [.], seq 144460:145846, ack 1635, win 65535, length 1386
19:50:04.208670 IP mypc.50914 > 217.212.238.33.http: Flags [.], ack 145846, win 259, length 0
19:50:04.232589 IP 217.212.238.33.http > mypc.50914: Flags [.], seq 145846:147232, ack 1635, win 65535, length 1386
19:50:04.446509 IP 217.212.238.33.http > mypc.50914: Flags [.], seq 147232:148246, ack 1635, win 65535, length 1014
19:50:04.446895 IP mypc.50914 > 217.212.238.33.http: Flags [.], ack 148246, win 259, length 0
19:50:04.735465 IP 217.212.238.33.http > mypc.50914: Flags [.], seq 148246:149632, ack 1635, win 65535, length 1386
19:50:04.814437 IP 217.212.238.33.http > mypc.50914: Flags [.], seq 149632:150014, ack 1635, win 65535, length 382
19:50:04.815738 IP mypc.50914 > 217.212.238.33.http: Flags [.], ack 150014, win 259, length 0
19:50:06.131215 IP resolver1-fs.opendns.com.domain > mypc.19745: 20394 0/0/0 (25)
19:50:06.278986 IP mypc.30523 > resolver1-fs.opendns.com.domain: 63097+ AAAA? shamsme. (25)
19:50:06.423183 IP 217.212.238.33.http > mypc.50912: Flags [.], seq 135116:136502, ack 2730, win 65535, length 1386
19:50:06.637187 IP 217.212.238.33.http > mypc.50912: Flags [.], seq 136502:137562, ack 2730, win 65535, length 1060
19:50:06.637717 IP mypc.50912 > 217.212.238.33.http: Flags [.], ack 137562, win 259, length 0
19:50:06.659136 IP loft2278.serverloft.eu.openvpn > mypc.42546: Flags [R.], seq 0, ack 1347820094, win 0, length 0
19:50:06.949136 IP 217.212.238.33.http > mypc.50912: Flags [.], seq 137562:138948, ack 2730, win 65535, length 1386
19:50:07.089100 IP 217.212.238.33.http > mypc.50912: Flags [.], seq 138948:139651, ack 2730, win 65535, length 703
19:50:08.273203 IP mypc.44279 > resolver1-fs.opendns.com.domain: 41557+ PTR? 88.179.170.86.in-addr.arpa. (44)
19:50:08.302491 IP CPE-121-218-160-31.lnse4
Please help me: where am I wrong?
#2  02-01-2013, 07:04 PM  shams (Member, registered Jan 2004, original poster)
Please help to solve the problem. To my knowledge, what I noticed is that the problem is my dynamic IP: when I use "%defaultroute" for the left side there is no IP assigned to the default route (as shown above in the routing table it is "0.0.0.0"), so ipsec fails and complains that there is no valid IP for the default route. But when I use my eth0 interface IP address 192.168.1.1, ipsec establishes the tunnel between "46.165.221.230 via 118.104.228.4 dev ppp0 src 192.168.1.1", yet the Internet traffic goes through my external interface, which is ppp0, not eth0, so the traffic doesn't use the L2TP tunnel.
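An added example, not from the thread or from either poster, covering what posts #1 and #2 are circling: with type=transport, the IPsec SA that pluto reported only protects UDP/1701 between the two hosts. Nothing else is encrypted until xl2tpd and pppd bring up a second ppp link over that protected L2TP session and the default route is moved onto it, while the VPN peer itself stays routed out the WAN so the ESP/UDP-1701 packets do not get sent into the tunnel they carry. The script below prints (or, as a hook, applies) those route changes and checks the kernel's actual xfrm policy instead of trusting the "IPsec SA established" log line. Assumptions: Debian's /etc/ppp/ip-up exports PPP_IFACE to scripts in /etc/ppp/ip-up.d/, the PPPoE uplink is ppp0 and the L2TP link comes up as a different pppN, xl2tpd is already configured to dial the peer, and the sample `ip xfrm policy` output is constructed, not captured. The addresses are the ones posted in the thread.

```shell
#!/bin/sh
# l2tp-route-up.sh: added example for finishing an xl2tpd + Openswan client
# setup. Move the default route onto the L2TP ppp link once it is up, keep
# the IPsec peer pinned to the WAN path, and verify the transport-mode xfrm
# policy first. Assumes Debian's ip-up.d hook convention (PPP_IFACE env var).

VPN_SERVER="${VPN_SERVER:-46.165.221.230}"   # peer address from the thread
ISP_GW="${ISP_GW:-118.104.228.4}"            # PPPoE gateway from the posted route table
WAN_IF="${WAN_IF:-ppp0}"                     # external link with the dynamic address

# Print the route changes for when the L2TP link ($1) comes up. The host
# route for the peer must be installed before the default route moves, or
# the ESP/UDP-1701 packets carrying the tunnel would be sent into the tunnel.
plan_routes() {
  printf 'ip route replace %s via %s dev %s\n' "$VPN_SERVER" "$ISP_GW" "$WAN_IF"
  printf 'ip route replace default dev %s\n' "$1"
}

# Print the changes that undo plan_routes (for an ip-down.d hook).
plan_routes_down() {
  printf 'ip route replace default dev %s\n' "$WAN_IF"
  printf 'ip route del %s via %s dev %s\n' "$VPN_SERVER" "$ISP_GW" "$WAN_IF"
}

# Read `ip xfrm policy` output on stdin; succeed only if an outbound
# transport-mode policy for UDP/1701 to peer $1 is installed. Without it
# nothing leaves the box under IPsec, whatever pluto logged.
has_transport_policy() {
  awk -v peer="$1" '
    function ok(r) {
      return index(r, "dst " peer "/32") && index(r, "proto udp") &&
             index(r, "dport 1701") && index(r, "dir out") &&
             index(r, "mode transport")
    }
    /^src / { if (ok(rec)) found = 1; rec = $0; next }
    { rec = rec " " $0 }
    END { if (ok(rec)) found = 1; exit(found ? 0 : 1) }'
}

# Constructed sample of `ip xfrm policy` output for a working transport-mode
# SA pair (one outbound, one inbound policy); not captured from a real box.
SAMPLE_XFRM_POLICY='src 118.104.230.5/32 dst 46.165.221.230/32 proto udp sport 1701 dport 1701
        dir out priority 2080 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16385 mode transport
src 46.165.221.230/32 dst 118.104.230.5/32 proto udp sport 1701 dport 1701
        dir in priority 2080 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16385 mode transport'

# Hook entry point: act only on the L2TP link, never on the uplink itself.
# With DRY_RUN set, the route commands are printed instead of executed.
main() {
  iface="$1"
  [ -n "$iface" ] || { echo "usage: main <ppp-interface>" >&2; return 2; }
  if [ "$iface" = "$WAN_IF" ]; then return 0; fi
  if ! ip xfrm policy | has_transport_policy "$VPN_SERVER"; then
    echo "no outbound transport policy for udp/1701 to $VPN_SERVER; not rerouting" >&2
    return 1
  fi
  plan_routes "$iface" | while read -r cmd; do
    if [ -n "${DRY_RUN:-}" ]; then echo "$cmd"; else $cmd; fi
  done
}

# Debian's ip-up sets PPP_IFACE for ip-up.d scripts; when the file is
# sourced for testing it is unset and nothing runs.
if [ -n "${PPP_IFACE:-}" ]; then main "$PPP_IFACE"; fi
```

To see what would happen without touching the routing table, run `DRY_RUN=1 PPP_IFACE=ppp1 sh l2tp-route-up.sh` after xl2tpd has brought the link up; a quick confirmation that traffic now rides the tunnel is that `tcpdump -ni ppp0` shows only ESP (or UDP 4500) to the peer instead of the plaintext HTTP and DNS seen in post #1.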
#3  06-26-2013, 07:26 AM  amirn (LQ Newbie, registered Mar 2011, distribution: Fedora, Ubuntu)
I have a step-by-step L2TP + OpenSwan example (it's for EC2, but with very little modification you can make this work anywhere).
Here is the link: "L2TP OpenSwan How To"