OpenWrt Forum Archive

Topic: L2TP over IPsec with PSK using racoon/xl2tpd

The content of this topic has been archived between 26 Mar 2018 and 19 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Sorry to bring up this thread.

Any idea what does this error means?

xl2tpd[6049]: control_finish: Peer requested tunnel 15 twice, ignoring second one.
xl2tpd[6049]: control_finish: Peer requested tunnel 15 twice, ignoring second one.
xl2tpd[6049]: Maximum retries exceeded for tunnel 17563.  Closing.
xl2tpd[6049]: Connection 15 closed to x.x.x.x, port 61760 (Timeout)
xl2tpd[6049]: control_finish: Peer requested tunnel 15 twice, ignoring second one.
xl2tpd[6049]: Unable to deliver closing message for tunnel 17563. Destroying anyway.
xl2tpd[6049]: control_finish: Peer requested tunnel 15 twice, ignoring second one.
xl2tpd[6049]: Maximum retries exceeded for tunnel 14753.  Closing.
xl2tpd[6049]: Connection 15 closed to x.x.x.x, port 61760 (Timeout)
xl2tpd[6049]: Unable to deliver closing message for tunnel 14753. Destroying anyway.

where x.x.x.x is my public ip address

Sorry, anyone can help ?

You could insert a rule before the drop in zone_wan to log every package so you can see if the firewall is blocking something.

arokh wrote:

You could insert a rule before the drop in zone_wan to log every package so you can see if the firewall is blocking something.

Sorry, how to do that?

Is it possible at al to connect with the default IPSec client from Windows XP SP3? I configured my WNDR3700v1 with Arokhs "alternate" build with racoon/xl2tpd, and tried the default config:

First, I tried to connect from within my local lan (behind the router), which gave the indication that AES was not supported in XP. This was confirmed here: http://technet.microsoft.com/en-us/netw … 87611.aspx so I changed /etc/racoon.conf from:

(...)
sainfo anonymous {
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

to

(...)
sainfo anonymous {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

After that, I could make IPSec connections from my LAN to the router. Not useful, I know, but just to proof my config was correct wink After that, I tried to connect from the internet. After some testing and failing, I found that this log was the cause of the problem:

Jan  6 11:03:39 router daemon.info racoon: INFO: respond new phase 1 negotiation: 83.86.x.x[500]<=>217.149.x.x[220]
Jan  6 11:03:39 router daemon.info racoon: INFO: begin Identity Protection mode.
Jan  6 11:03:39 router daemon.info racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Jan  6 11:03:39 router daemon.info racoon: INFO: received Vendor ID: FRAGMENTATION
Jan  6 11:03:39 router daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jan  6 11:03:39 router daemon.info racoon: [217.149.x.x] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Jan  6 11:03:39 router daemon.info racoon: [83.86.x.x] INFO: Hashing 83.86.x.x[500] with algo #2
Jan  6 11:03:39 router daemon.info racoon: INFO: NAT-D payload #0 verified
Jan  6 11:03:39 router daemon.info racoon: [217.149.x.x] INFO: Hashing 217.149.x.x[220] with algo #2
Jan  6 11:03:39 router daemon.info racoon: INFO: NAT-D payload #1 doesn't match
Jan  6 11:03:39 router daemon.info racoon: INFO: NAT detected: PEER
Jan  6 11:03:39 router daemon.info racoon: [217.149.x.x] INFO: Hashing 217.149.x.x[220] with algo #2
Jan  6 11:03:39 router daemon.info racoon: [83.86.x.x] INFO: Hashing 83.86.x.x[500] with algo #2
Jan  6 11:03:39 router daemon.info racoon: INFO: Adding remote and local NAT-D payloads.
Jan  6 11:03:39 router daemon.info racoon: [217.149.x.x] ERROR: couldn't find the pskey for 217.149.x.x.
Jan  6 11:03:39 router daemon.info racoon: [217.149.x.x] NOTIFY: Using default PSK.
Jan  6 11:03:39 router daemon.info racoon: INFO: NAT-T: ports changed to: 217.149.x.x[11630]<->83.86.x.x[4500]
Jan  6 11:03:39 router daemon.info racoon: INFO: KA list add: 83.86.x.x[4500]->217.149.x.x[11630]
Jan  6 11:03:39 router daemon.info racoon: WARNING: Expecting IP address type in main mode (RFC2409) , but FQDN.
Jan  6 11:03:39 router daemon.info racoon: [217.149.x.x] ERROR: invalid ID payload.
Jan  6 11:03:40 router daemon.info racoon: WARNING: Expecting IP address type in main mode (RFC2409) , but FQDN.
Jan  6 11:03:40 router daemon.info racoon: [217.149.x.x] ERROR: invalid ID payload.
Jan  6 11:03:42 router daemon.info racoon: WARNING: Expecting IP address type in main mode (RFC2409) , but FQDN.
Jan  6 11:03:42 router daemon.info racoon: [217.149.x.x] ERROR: invalid ID payload.
Jan  6 11:03:46 router daemon.info racoon: WARNING: Expecting IP address type in main mode (RFC2409) , but FQDN.
Jan  6 11:03:46 router daemon.info racoon: [217.149.x.x] ERROR: invalid ID payload.
Jan  6 11:03:54 router daemon.info racoon: WARNING: Expecting IP address type in main mode (RFC2409) , but FQDN.
Jan  6 11:03:54 router daemon.info racoon: [217.149.x.x] ERROR: invalid ID payload.
Jan  6 11:04:10 router daemon.info racoon: WARNING: Expecting IP address type in main mode (RFC2409) , but FQDN.
Jan  6 11:04:10 router daemon.info racoon: [217.149.x.x] ERROR: invalid ID payload.
Jan  6 11:04:29 router daemon.info racoon: ERROR: phase1 negotiation failed due to time up. ab10c64f0eb7134d:3b9f2c1ae081a89e
Jan  6 11:04:29 router daemon.info racoon: INFO: KA remove: 83.86.x.x[4500]->217.149.x.x[11630]
Jan  6 11:04:42 router daemon.info racoon: [217.149.x.x] ERROR: unknown Informational exchange received.

I found the following about this error (even though they do not name racoon specifically, it seems the same): http://forum.mikrotik.com/viewtopic.php?f=2&t=49849 From that, I conclude that it is not possible at all to use the XP IPSec client from behind another NAT'ed connection, which is almost everywhere... bummer.

Maybe there is some configuration option I can use? Has anyone succeeded in establishing an IPSec connection from Windows XP to OpenWRT/racoon? If not, I think there are three options for me...
- Upgrade to Windows 7 (not likely since its my company laptop)
- Use some other VPN client (any suggestions?)
- Ask for a patch for racoon (any chance? or does XP violate some RFCs?)

birnenschnitzel wrote:

Maybe you should follow the advise from issue 2 in this document http://www.juniperforum.com/index.php?topic=5628.0

Markus

Interesting solution, but the hack in oakley.dll did not work. Racoon still complained about getting an fqdn instead of an ip-address. I also tried the Shrewsoft VPN client. It did succeed in connecting, but then stopped somewhere before the user authentication process should kick in, so the network connection failed to come up. So, still no luck on the XP front... I'm open for suggestions smile

Are you sure that the patch survived the reboot and was not replaced by the dllcache folder backup file?

Markus

Yes, I checked with a hex editor that after the reboot the bit was still changed. I changed both c:\windows\system32\oakley.dll and c:\windows\system32\dllcache\oakley.dll. I also got errors from Windows File Protection, and told him to sh#t up and keep the changed file. So yes, the dll is definately changed.

(Last edited by avbohemen on 11 Jan 2012, 12:17)

So we have to toggle racoon to accept FQDN.

Please try to set

remote anonymous {
  peers_identifier fqdn;
  verify_identifier off;
  ...
}

in your racoon.conf

Markus

peers_identifier needed to have another parameter after 'fqdn', but somehow it was not the fqdn of my client. That just wasn't accepted and racoon fails to start. Finally I found that simply "peers_identifier fqdn a;" would start the daemon, but the error I get when connecting with my xp client is still the same: "invalid ID payload". So still no-go sad

arokh wrote:

/etc/xl2tpd/xl2tpd.conf:

...
ip range = 192.168.1.81-192.168.1.89
local ip = 192.168.1.80
...

Could you clarify the ip's in this portion?

My br-lan interface is configured with 192.168.1.1 with a /24 mask.  I've configured it out so that dhcp assigns clients 192.168.1.100-250. 

Does this mean I should change the above config to 'local ip = 192.168.1.1' or do I need to plumb 192.168.1.80 as an alias on br-lan?

--
Andy

aharrison wrote:
arokh wrote:

/etc/xl2tpd/xl2tpd.conf:

...
ip range = 192.168.1.81-192.168.1.89
local ip = 192.168.1.80
...

Could you clarify the ip's in this portion?

My br-lan interface is configured with 192.168.1.1 with a /24 mask.  I've configured it out so that dhcp assigns clients 192.168.1.100-250. 

Does this mean I should change the above config to 'local ip = 192.168.1.1' or do I need to plumb 192.168.1.80 as an alias on br-lan?

--
Andy

@Andy: set your local ip to your br-lan address. Then set "ip range" to something outside your dhcp range, ie. 192.168.1.50-99. Xl2tpd will assign addresses to vpn clients, not the builtin dhcp server. Also make sure to set "ms-dns" in /etc/ppp/options.xl2tpd to your br-lan address (assuming you are using your router as your dns server/forwarder). That should do the trick.

@everyone:
I get xl2tpd/racoon to work fine if I use arokh's alternate build. However, I just compiled my own build (which works great btw), and with that one I get the same error as alfredlim:

Feb 21 16:31:23 router daemon.info racoon: INFO: respond new phase 1 negotiation: <router-wan-ip>[500]<=><vpn-client-ip>[67]
Feb 21 16:31:23 router daemon.info racoon: INFO: begin Identity Protection mode.
Feb 21 16:31:23 router daemon.info racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Feb 21 16:31:23 router daemon.info racoon: INFO: received Vendor ID: RFC 3947
Feb 21 16:31:23 router daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 21 16:31:23 router daemon.info racoon: INFO: received Vendor ID: FRAGMENTATION
Feb 21 16:31:23 router daemon.info racoon: [<vpn-client-ip>] INFO: Selected NAT-T version: RFC 3947
Feb 21 16:31:23 router daemon.info racoon: ERROR: invalid DH group 20.
Feb 21 16:31:23 router daemon.info racoon: ERROR: invalid DH group 19.
Feb 21 16:31:23 router daemon.info racoon: [<router-wan-ip>] INFO: Hashing <router-wan-ip>[500] with algo #2
Feb 21 16:31:23 router daemon.info racoon: INFO: NAT-D payload #0 verified
Feb 21 16:31:23 router daemon.info racoon: [<vpn-client-ip>] INFO: Hashing <vpn-client-ip>[67] with algo #2
Feb 21 16:31:23 router daemon.info racoon: INFO: NAT-D payload #1 doesn't match
Feb 21 16:31:23 router daemon.info racoon: INFO: NAT detected: PEER
Feb 21 16:31:23 router daemon.info racoon: [<vpn-client-ip>] INFO: Hashing <vpn-client-ip>[67] with algo #2
Feb 21 16:31:23 router daemon.info racoon: [<router-wan-ip>] INFO: Hashing <router-wan-ip>[500] with algo #2
Feb 21 16:31:23 router daemon.info racoon: INFO: Adding remote and local NAT-D payloads.
Feb 21 16:31:23 router daemon.info racoon: [<vpn-client-ip>] ERROR: couldn't find the pskey for <vpn-client-ip>.
Feb 21 16:31:23 router daemon.info racoon: [<vpn-client-ip>] NOTIFY: Using default PSK.
Feb 21 16:31:23 router daemon.info racoon: INFO: NAT-T: ports changed to: <vpn-client-ip>[36992]<-><router-wan-ip>[4500]
Feb 21 16:31:23 router daemon.info racoon: INFO: KA list add: <router-wan-ip>[4500]-><vpn-client-ip>[36992]
Feb 21 16:31:23 router daemon.info racoon: INFO: ISAKMP-SA established <router-wan-ip>[4500]-<vpn-client-ip>[36992] spi:fc96f56628fd7041:ac130c26fcef6da8
Feb 21 16:31:23 router daemon.info racoon: INFO: respond new phase 2 negotiation: <router-wan-ip>[4500]<=><vpn-client-ip>[36992]
Feb 21 16:31:23 router daemon.info racoon: INFO: no policy found, try to generate the policy : 10.15.78.225/32[1701] <router-wan-ip>/32[1701] proto=udp dir=in
Feb 21 16:31:23 router daemon.info racoon: INFO: Adjusting my encmode UDP-Transport->Transport
Feb 21 16:31:23 router daemon.info racoon: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
Feb 21 16:31:23 router daemon.info racoon: INFO: IPsec-SA established: ESP/Transport <router-wan-ip>[4500]-><vpn-client-ip>[36992] spi=204024557(0xc292aed)
Feb 21 16:31:23 router daemon.info racoon: INFO: IPsec-SA established: ESP/Transport <router-wan-ip>[4500]-><vpn-client-ip>[36992] spi=1981853477(0x7620af25)
Feb 21 16:31:25 router daemon.debug xl2tpd[18804]: control_finish: Peer requested tunnel 12 twice, ignoring second one.
Feb 21 16:31:26 router daemon.debug xl2tpd[18804]: control_finish: Peer requested tunnel 12 twice, ignoring second one.
Feb 21 16:31:30 router daemon.notice xl2tpd[18804]: Maximum retries exceeded for tunnel 33378.  Closing.
Feb 21 16:31:30 router daemon.info xl2tpd[18804]: Connection 12 closed to <vpn-client-ip>, port 1701 (Timeout)
Feb 21 16:31:30 router daemon.debug xl2tpd[18804]: control_finish: Peer requested tunnel 12 twice, ignoring second one.
Feb 21 16:31:31 router daemon.info racoon: INFO: deleting a generated policy.
Feb 21 16:31:31 router daemon.info racoon: INFO: purged IPsec-SA proto_id=ESP spi=1981853477.
Feb 21 16:31:31 router daemon.info racoon: INFO: ISAKMP-SA expired <router-wan-ip>[4500]-<vpn-client-ip>[36992] spi:fc96f56628fd7041:ac130c26fcef6da8
Feb 21 16:31:31 router daemon.info racoon: INFO: ISAKMP-SA deleted <router-wan-ip>[4500]-<vpn-client-ip>[36992] spi:fc96f56628fd7041:ac130c26fcef6da8
Feb 21 16:31:31 router daemon.info racoon: INFO: KA remove: <router-wan-ip>[4500]-><vpn-client-ip>[36992]
Feb 21 16:31:35 router daemon.debug xl2tpd[18804]: Unable to deliver closing message for tunnel 33378. Destroying anyway.

By the way, I believe I got the same error when I used a regular trunk build (not arokh's) and then install the xl2tpd/racoon packages using this howto. The configuration I applied in both setups is a backup from arokh's build, and I cannot find any differences from this howto.

The error I get ("Peer requested tunnel 12 twice, ignoring second one.") is pretty hard to find in combination with racoon. Most google results are using openswan or something else. I'm wondering whether it is a configuration error on my side or something else. And I am able to connect to the vpn server from the LAN side of my router, no problems there. Any ideas?

I am getting this error

* opkg_install_cmd: Cannot install package kmod-crypto-cbc.
* opkg_install_cmd: Cannot install package kmod-crypto-deflate.
* opkg_install_cmd: Cannot install package kmod-crypto-iv.
* opkg_install_cmd: Cannot install package kmod-crypto-rng.
* opkg_install_cmd: Cannot install package kmod-crypto-wq.
* opkg_install_cmd: Cannot install package kmod-zlib.

how do i fix the source of them or patch the hole?

arokh wrote:

Note that I use my own init script that runs setkey.conf. I also include a hotplug script to restart racoon on WAN ifup, this is needed so that setkey.conf runs with the new IP address.

Ok, I missed this one. That's probably why my own compile does not connect my vpn. So the next question is: how do I compile arokh's version into my own custom firmware? Or should I just replace the init scripts (/etc/init.d/racoon; /etc/setkey.conf; /etc/hotplug.d/iface/93-racoon)? Thanks for any answer.

My tunnel is working well with this tutorial but I have a performance problem.
when I am connected to my WNDR3700 via L2TP over IPsec with my android smartphone, up and download speed is max. 700kb/sec.
any tipps here?

Did you check cpu usage with top at the same time? Does sound a little low though... What kind of connection do you have?

i checked top, cpu and so on. i have 16Mbit DSL line.
this strange thing also happens when I use openvpn.

So what was the results when you checked? Any idle usage? There's surely some limit to how much encrypted throughput this hardware can handle, you can see that by using scp.

(Last edited by arokh on 22 Mar 2012, 14:07)

WNDR3700:

Mem: 60124K used, 1720K free, 0K shrd, 30172K buff, 10728K cached
CPU:   0% usr   0% sys   0% nic  99% idle   0% io   0% irq   0% sirq
Load average: 0.00 0.01 0.05 2/60 25753
  PID  PPID USER     STAT   VSZ %VSZ %CPU COMMAND
22518     1 root     S     1604   3%   0% /usr/sbin/pppd plugin rp-pppoe.so mtu
25738 25730 root     R     1496   2%   0% top
31943     1 root     S     5792   9%   0% /usr/sbin/collectd
27957     1 root     S     2952   5%   0% /usr/sbin/racoon
23702     1 root     S     1632   3%   0% {dynamic_dns_upd} /bin/sh /usr/lib/dd
23322     1 root     S     1604   3%   0% hostapd -P /var/run/wifi-phy1.pid -B
23225     1 root     S     1596   3%   0% hostapd -P /var/run/wifi-phy0.pid -B
25735  3138 root     S     1516   2%   0% /usr/sbin/pppd passive nodetach 192.1
 5250     1 root     S     1512   2%   0% /usr/sbin/crond -c /etc/crontabs -l 5
  787     1 root     S     1504   2%   0% /sbin/syslogd -l 8 -C16
25730 25729 root     S     1504   2%   0% -ash
    1     0 root     S     1500   2%   0% init
  525     1 root     S     1500   2%   0% init
 3681     1 root     S     1488   2%   0% syslogd -O /opt/log/messages -s 2000
  789     1 root     S     1488   2%   0% /sbin/klogd
25722 23702 root     S     1484   2%   0% sleep 600
 2559     1 root     S     1240   2%   0% pure-ftpd (SERVER)
25729  2543 root     S     1196   2%   0% /usr/sbin/dropbear -P /var/run/dropbe
 2543     1 root     S     1140   2%   0% /usr/sbin/dropbear -P /var/run/dropbe
23101     1 root     S     1084   2%   0% /usr/sbin/ntpclient -i 600 -s -l -D -

Android Smartphone (SGS2)

CPU: 31.4% usr  9.7% sys  0.2% nic 56.6% idle  1.0% io  0.0% irq  0.7% sirq
Load average: 1.55 1.65 0.91 2/987 5924
?[7m  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND?[0m
 5739  2662 10138    R     242m 30.1   0 28.0 {droid.speedtest} org.zwanoo.andro
 2815  2662 1000     S     374m 46.5   0  8.3 system_server
 2944  2662 1000     S     226m 28.1   1  1.3 {ndroid.systemui} com.android.syst
 2671     1 1021     S    17396  2.1   1  0.7 /system/bin/gpsd -c /system/etc/gp
    9     2 0        SW       0  0.0   0  0.5 [events/0]
 1477     2 0        SW       0  0.0   1  0.4 [mmcqd]
 4144  2662 10010    S     227m 28.2   1  0.3 {.client.samsung} com.vlingo.clien
 1387     2 0        SW       0  0.0   0  0.3 [mali-pmm-wq]
 3910  2662 10072    S     230m 28.6   1  0.2 {LocationService} com.google.andro
 5876  5871 0        R     1064  0.1   1  0.2 /system/xbin/busybox /sbin/top
 2670     1 1000     S    14276  1.7   0  0.1 /system/bin/tvoutserver
  539     2 0        SW       0  0.0   0  0.1 [kondemand/0]
 1273     2 0        SW       0  0.0   1  0.1 [svnet_txq]
 2984  2662 1001     S     234m 29.1   0  0.1 {m.android.phone} com.android.phon
 4759  2662 10178    S     230m 28.6   1  0.1 com.ebay.mobile
 5223  2662 1000     S     211m 26.2   0  0.1 {rver.vpn:remote} com.android.serv
 5918     2 0        SW       0  0.0   1  0.1 [events/1]
 3031  2662 10213    S     455m 56.5   0  0.0 com.spb.shell3d
 3054  2662 10060    S     328m 40.8   1  0.0 {e.process.gapps} com.google.proce
 4380  2662 10014    S     277m 34.5   0  0.0 {android.vending} com.android.vend

i tested scp.
2.9MB/s was the maximum

Ok, then I guess it's reasonable to assume that encryption handled by the kernel should be equally fast so 700kb sounds a little low...

i am using your build ;-)

Hi, someone can help me with strongswan+xl2tp? I can't use racoon because there aren't some package (like zlib, kmod-cbc and other) for my openwrt version (10.03.1 final on tplink wr1043nd).

When i tray to connect from my iphone to my openwrt router (ip 192.168.1.254) popup says that isn't possible to connect to server.
This is my config files:



<ipsec.conf>
config setup
    # plutodebug=all
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    nat_traversal=yes
    charonstart=no
    plutostart=yes
    virtual_private=%v4:0.0.0.0/0,%v4:!192.168.1.0/24 #192.168.1.0/24 is my lan
conn L2TP-PSK
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    type=transport
    left=%defaultroute
    leftnexthop=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightsubnet=vhost:%no,%priv
    rightprotoport=17/%any
    auto=add




<ipsec.secret>
%any %any : PSK "superpassword"




<xl2tpd.conf>
[global]
port = 1701
;auth file = /etc/xl2tpd/xl2tp-secrets
access control = no
ipsec saref = yes
[lns default]
exclusive = yes
ip range = 192.168.1.202-192.168.1.210  (out of the dhcp range, right? )
local ip = 192.168.1.254  (openwrt himself ip)
;lac = 10.0.1.2
;hidden bit = no
length bit = yes
name = some-name
;refuse authentication = yes
ppp debug = yes
require authentication = yes
unix authentication = no
require chap = yes
refuse pap = yes
pppoptfile = /etc/ppp/options.xl2tpd



<options.xl2tp>
lock
auth
debug
dump
noccp
novj
novjccomp
nopcomp
noaccomp
require-mschap
require-mschap-v2
ms-dns 192.168.1.254  (my openwrt ip)
lcp-echo-interval 120
lcp-echo-failure 10
idle 1800
connect-delay 5000
nodefaultroute
noipdefault
proxyarp
mtu 1400
mru 1400


<chap-secrets>
#USERNAME   PROVIDER   PASSWORD    IPADDRESS
user      *          "password"   192.168.1.202   #ip out the dhcp range
*           password     "password"   192.168.1.202  #ip out the dhcp range



<firewall.conf>
config 'rule'
    option 'target' 'ACCEPT'
    option '_name' 'IPSec IKE'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'dest_port' '500'

config 'rule'
    option 'target' 'ACCEPT'
    option '_name' 'IPSec ESP'
    option 'src' 'wan'
    option 'proto' 'esp'

config 'rule'
    option 'target' 'ACCEPT'
    option '_name' 'IPsec NAT-T'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'dest_port' '4500'
   
config 'rule'
    option 'target' 'ACCEPT'
    option '_name' 'L2TP ESP'   
    option 'src' 'wan'     
    option 'proto' 'udp'
    option 'dest_port' '1701'
    option 'extra' '-m policy --strict --dir in --pol ipsec --proto esp'



<firewall.user>
iptables -A forwarding_rule -o ppp0 -j ACCEPT
iptables -A forwarding_rule -i ppp0 -j ACCEPT



what's wrong? seems that xl2tp doesn't answer to strongswan call sad

In the firewall rules in the opening post, does the ESP rule need to reference protocol ESP (vs. UDP)?

In other words, change:

# IPsec/ESP
config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'IPsec ESP'
        option 'src' 'wan'
        option 'proto' 'udp'

to:

# IPsec/ESP
config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'IPsec ESP'
        option 'src' 'wan'
        option 'proto' 'esp'

(Last edited by languagegame on 22 Jun 2012, 06:59)