[SOLVED] L2TP/IPSec road warrior setup; but packets aren't being encrypted.
However, when checking that the data is being encrypted, I'm seeing the packets being encapsulated in l2tp, but the payload is clear; no encryption at all.
I've checked and double-checked the config and it matches, but still no success.
The VPN server is Debian using ipsec and xl2tpd. The process list shows:
Code:
23051 ? S 0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack netkey --force_keepalive
23053 ? S 0:00 \_ /bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack netkey --force_keepa
23058 ? S 0:00 | \_ /usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey --uniqueids --nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:192.168
23085 ? S 0:00 | \_ _pluto_adns
23054 ? S 0:00 \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
23052 ? S 0:00 logger -s -p daemon.error -t ipsec__plutorun
23102 ? Ss 0:01 /usr/sbin/xl2tpd
When testing the connection from the VPN client, I can see that I'm properly tunneling to the server and getting internet through it, but all as clear packets.
How can I ensure the payloads are being encrypted?
Below is the ipsec.conf I'm running on; does anything stand out in here? I was following a tutorial (link posted in first post) which was supposed to enable IPsec on the link.
Thanks
Anubis
Code:
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    nhelpers=0
    protostack=netkey
    oe=off

# Add connections here
conn L2TP-PSK-CLIENTS
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    type=transport
    #left=%defaultroute
    #leftnexthop=%defaultroute
    #leftprotoport=17/1701
    left=XXX.XXX.XXX.XXX          # <<< vpn server's wan address
    leftnexthop=XXX.XXX.XXX.XXX   # <<< vpn server's default gateway
    leftprotoport=17/1701
    right=%any
    rightsubnet=vhost:%priv,%no
    rightprotoport=17/%any
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear
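A direct way to answer the question in the post above ("how can I ensure the payloads are being encrypted?") is to capture on the WAN interface and look at what is actually on the wire: when IPsec is protecting the tunnel, UDP 1701 should never appear by itself, only ESP (IP protocol 50) or, for a client behind NAT, ESP inside UDP 4500. The script below is an added example written for this thread, not code from the original post; it classifies the text lines `tcpdump -ni <wan-if>` prints into IKE, ESP and clear-text L2TP buckets, using constructed capture lines with placeholder addresses.

```python
from typing import Dict, Optional, Tuple

# Constructed sample of `tcpdump -ni <wan-if>` output (placeholder addresses, not from
# the thread). tcpdump labels UDP 1701 as l2tp and ESP-in-UDP as "UDP-encap: ESP".
SAMPLE_CAPTURE = """\
IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: phase 1 I ident
IP 198.51.100.5.500 > 203.0.113.10.500: isakmp: phase 1 R ident
IP 203.0.113.10.4500 > 198.51.100.5.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
IP 198.51.100.5 > 203.0.113.10: ESP(spi=0x1234abcd,seq=0x1), length 116
IP 198.51.100.5.1701 > 203.0.113.10.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRP)
"""

def split_addr(token: str) -> Tuple[str, Optional[int]]:
    """'a.b.c.d.port' -> ('a.b.c.d', port); 'a.b.c.d' -> ('a.b.c.d', None)."""
    parts = token.split(".")
    if len(parts) == 5 and parts[4].isdigit():
        return ".".join(parts[:4]), int(parts[4])
    return token, None

def classify(line: str) -> str:
    """Bucket one tcpdump line: ike, esp, esp-nat-t, l2tp-clear or other."""
    if not line.startswith("IP "):
        return "other"
    head, _, rest = line[3:].partition(": ")
    src_tok, _, dst_tok = head.partition(" > ")
    _, sport = split_addr(src_tok)
    _, dport = split_addr(dst_tok)
    if rest.startswith("isakmp"):
        return "ike"                      # IKE negotiation on UDP 500/4500
    if "UDP-encap: ESP" in rest:
        return "esp-nat-t"                # ESP wrapped in UDP 4500 (NAT-T)
    if rest.startswith("ESP("):
        return "esp"                      # raw ESP, IP protocol 50
    if 1701 in (sport, dport) or rest.startswith("l2tp"):
        return "l2tp-clear"               # L2TP visible on the wire: not protected
    return "other"

def audit(capture: str) -> Dict[str, int]:
    """Count each bucket over a capture's text lines."""
    counts = {k: 0 for k in ("ike", "esp", "esp-nat-t", "l2tp-clear", "other")}
    for line in capture.splitlines():
        if line.strip():
            counts[classify(line)] += 1
    return counts

def tunnel_is_encrypted(counts: Dict[str, int]) -> bool:
    """True only when ESP was seen and no L2TP ever appeared unprotected."""
    return counts["l2tp-clear"] == 0 and counts["esp"] + counts["esp-nat-t"] > 0
```

One caveat when capturing on the server itself: with the netkey stack, tcpdump shows inbound packets twice (once as ESP, once already decrypted), so only outbound L2TP in the clear, or a capture taken on the client side, is conclusive.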
The problem's been resolved. The issue was some old VPN software that was installed on the client PC which was somehow overriding the built-in Windows VPN settings/control. Removing this software returned Windows to normal and the VPN connection now works as expected.