OK, just added another NIC.

New routing table is:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
localnet        *               255.255.255.192 U     0      0        0 eth0
localnet        *               255.255.255.192 U     0      0        0 eth1
localnet        *               255.255.255.192 U     0      0        0 ipsec0
loopback        *               255.0.0.0       U     0      0        0 lo
default         real-gateway-here 0.0.0.0         UG    1      0        0 eth0

I have verified that it still works when the client is on the same subnet (i.e.,
it does). Still no joy with clients on different subnets though.

The tcpdump of ipsec0, I have noticed, is a lot more populated when the client
is connecting from the same subnet.

Here's a capture from the ipsec0 interface when the client on the same subnet 
connects:

11:10:07.413679 client.1701 > server.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
11:10:08.413361 client.1701 > server.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
11:10:10.413700 client.1701 > server.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
11:10:10.415706 server.1701 > client.1701:  l2tp:[TLS](5/0)Ns=0,Nr=1 ZLB (DF)
11:10:10.425646 server.1701 > client.1701:  l2tp:[TLS](5/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |... (DF)
11:10:10.426751 client.1701 > server.1701:  l2tp:[TLS](7278/0)Ns=1,Nr=1 *MSGTYPE(SCCCN)
11:10:10.426871 client.1701 > server.1701:  l2tp:[TLS](7278/0)Ns=2,Nr=1 *MSGTYPE(ICRQ) *ASSND_SESS_ID(1) *CALL_SER_NUM(0) *BEARER_TYPE(A)
11:10:10.427175 client.1701 > server.1701:  l2tp:[TLS](7278/0)Ns=3,Nr=1 ZLB
11:10:10.428974 server.1701 > client.1701:  l2tp:[TLS](5/0)Ns=1,Nr=2 ZLB (DF)
11:10:10.432184 server.1701 > client.1701:  l2tp:[TLS](5/1)Ns=1,Nr=3 *MSGTYPE(ICRP) *ASSND_SESS_ID(11609) (DF)
11:10:10.432469 server.1701 > client.1701:  l2tp:[TLS](5/0)Ns=2,Nr=3 ZLB (DF)
11:10:10.433090 client.1701 > server.1701:  l2tp:[TLS](7278/11609)Ns=3,Nr=2 *MSGTYPE(ICCN) *TX_CONN_SPEED(10000000) *FRAMING_TYPE(S) PROXY_AUTH_TYPE(No Auth)
11:10:10.433198 client.1701 > server.1701:  l2tp:[TLS](7278/0)Ns=4,Nr=2 ZLB
11:10:10.443158 client.1701 > server.1701:  l2tp:[L](7278/11609) {Conf-Req(0), MRU=1400, Magic-Num=6d831485, PFC, ACFC, Call-Back CBCP}
11:10:10.445649 server.1701 > client.1701:  l2tp:[TLS](5/1)Ns=2,Nr=4 ZLB (DF)
11:10:10.452715 server.1701 > client.1701:  l2tp:[L](5/1) {Conf-Req(1), MRU=898, ACCM=00000000, Auth-Prot CHAP/MD5, Magic-Num=000fa56c, PFC, ACFC} (DF)
11:10:10.453890 client.1701 > server.1701:  l2tp:[L](7278/11609) {Conf-Ack(1), MRU=898, ACCM=00000000, Auth-Prot CHAP/MD5, Magic-Num=000fa56c, PFC, ACFC}
11:10:12.444217 client.1701 > server.1701:  l2tp:[L](7278/11609) {Conf-Req(1), MRU=1400, Magic-Num=6d831485, PFC, ACFC, Call-Back CBCP}
11:10:12.445582 server.1701 > client.1701:  l2tp:[L](5/1) {Conf-Rej(1), Call-Back CBCP} (DF)
11:10:13.455692 server.1701 > client.1701:  l2tp:[L](5/1) {Conf-Req(1), MRU=898, ACCM=00000000, Auth-Prot CHAP/MD5, Magic-Num=000fa56c, PFC, ACFC} (DF)
(...and it keeps going...)

tcpdump -i ipsec0 when the client on a different subnet connects yields only
the following lines:

11:25:22.338430 202-52-55-001.veridas.net.1701 > aeolus.veridas.net.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
11:25:23.335845 202-52-55-001.veridas.net.1701 > aeolus.veridas.net.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...

In other words, no difference at all =|

Arya

On Friday 02 July 2004 09:13, Arya wrote:
> Hi,
>
> When I read your reply, I almost wet myself. I added the printf statements
> to the source, as you said, however when the client on a different subnet
> connects it would appear that it continues past that select() statement
> (i.e., select ok is seen). Therefore the cause can't be this =|
>
> Also, Jacco, rightsubnet=vhost:%no,%priv seems to break IPSec (says no
> authorized connection). That's OK, this one I can work out myself :-)
>
> I'm going to try to add another nic to the PC. I'll let you know what
> happens :)
>
> Arya
>
> On Thursday 01 July 2004 22:26, Yannick Lecaillez wrote:
> > To be precise about my previous post: this
> > is what I added to network.c to see
> > the problem:
> >
> > (l2tpd: network.c / around line 327)
> >
> > printf("select\n");
> > select (max + 1, &readfds, NULL, NULL, NULL);
> > printf("select ok\n");
> >
> > Sure, it's really simple ... But it permits
> > discovering the problem: "select" is displayed but "select ok"
> > is not ...
> >
> > Moreover, when I send UDP packets on the public interface (not through
> > IPsec), l2tpd receives these without problem.
> > Finally, I think it's not a routing problem since the IPsec SA
> > was established (but I'm not an IPsec specialist :)).
> >
> > Again, hope this can help ...


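As an added example (not code from this thread or from l2tpd), here is a small Python script that reads the tcpdump "l2tp:" line format shown in the two captures above and reports, per client/server pair, how far the RFC 2661 control-connection sequence got (SCCRQ -> SCCRP -> SCCCN, then ICRQ -> ICRP -> ICCN, then PPP data frames). The sample captures are the post's own lines with the e-mail line wraps rejoined; the regular expression, the flow bookkeeping and the verdict wording are this example's own assumptions about the format.

```python
"""Track how far an L2TP control connection got, from tcpdump text output.

Added example for this thread, not code from the original post or from l2tpd.
It parses the 2004-era tcpdump "l2tp:" line format and reports which RFC 2661
steps were seen on the captured interface.  Sample captures are the post's own
lines with the e-mail wraps rejoined; field names and verdicts are assumptions.
"""
import re

# timestamp  src.1701 > dst.1701:  l2tp:[flags](tid/sid)[Ns=..,Nr=..] rest
# T in flags = control message; L = length present; S = Ns/Nr present.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.1701\s+>\s+(?P<dst>\S+)\.1701:\s+"
    r"l2tp:\[(?P<flags>[A-Z]*)\]\((?P<tid>\d+)/(?P<sid>\d+)\)"
    r"(?:Ns=(?P<ns>\d+),Nr=(?P<nr>\d+))?\s*(?P<rest>.*)$"
)
MSGTYPE_RE = re.compile(r"\*MSGTYPE\(([A-Z]+)\)")

# Order in which a tunnel and its first session come up (RFC 2661 section 6).
CONTROL_STEPS = ["SCCRQ", "SCCRP", "SCCCN", "ICRQ", "ICRP", "ICCN"]


def parse_line(line):
    """Return one packet as a dict, or None for a line that is not l2tp."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["tid"], rec["sid"] = int(rec["tid"]), int(rec["sid"])
    rec["control"] = "T" in rec["flags"]
    mt = MSGTYPE_RE.search(rec["rest"])
    rec["msgtype"] = mt.group(1) if mt else None   # None for ZLB and data
    return rec


def verdict(flow):
    """One line saying where in the RFC 2661 sequence the capture stops."""
    seen = flow["seen"]
    if "SCCRQ" not in seen:
        return "no SCCRQ seen: no tunnel was opened on this interface"
    if "SCCRP" not in seen:
        return ("%d SCCRQ from %s (%d retransmits), no SCCRP seen on this "
                "interface" % (seen["SCCRQ"], flow["client"], seen["SCCRQ"] - 1))
    for prev, step in zip(CONTROL_STEPS, CONTROL_STEPS[1:]):
        if step not in seen:
            return "stalled after %s: no %s seen" % (prev, step)
    if flow["data_frames"] == 0:
        return "tunnel and session up, but no PPP data frames seen"
    return "session up, %d PPP data frames seen" % flow["data_frames"]


def analyze(capture):
    """Summarise every host pair in a tcpdump text capture, keyed by sorted pair."""
    flows = {}
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = tuple(sorted((rec["src"], rec["dst"])))
        flow = flows.setdefault(key, {
            "client": None, "server": None,
            "seen": {},          # control message type -> count (retransmits included)
            "tunnel_ids": {},    # role -> tunnel ID that role assigned to itself
            "data_frames": 0,    # L2TP data messages (the PPP/LCP frames above)
        })
        if rec["msgtype"] == "SCCRQ":        # whoever opens the tunnel is the client
            flow["client"], flow["server"] = rec["src"], rec["dst"]
        if not rec["control"]:
            flow["data_frames"] += 1
            continue
        if rec["msgtype"]:
            flow["seen"][rec["msgtype"]] = flow["seen"].get(rec["msgtype"], 0) + 1
        # The header's Tunnel ID names the *receiver's* tunnel (RFC 2661 section
        # 3.1): a non-zero ID on a client->server packet is the server's tunnel
        # ID, so "(5/0)" sent by the server means the client is tunnel 5.
        if rec["tid"] and flow["client"]:
            owner = "server" if rec["src"] == flow["client"] else "client"
            flow["tunnel_ids"][owner] = rec["tid"]
    for flow in flows.values():
        flow["verdict"] = verdict(flow)
    return flows


# Constructed from the post's captures (line wraps rejoined, ZLBs trimmed).
SAME_SUBNET = """\
11:10:07.413679 client.1701 > server.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
11:10:08.413361 client.1701 > server.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
11:10:10.413700 client.1701 > server.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
11:10:10.415706 server.1701 > client.1701:  l2tp:[TLS](5/0)Ns=0,Nr=1 ZLB (DF)
11:10:10.425646 server.1701 > client.1701:  l2tp:[TLS](5/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |... (DF)
11:10:10.426751 client.1701 > server.1701:  l2tp:[TLS](7278/0)Ns=1,Nr=1 *MSGTYPE(SCCCN)
11:10:10.426871 client.1701 > server.1701:  l2tp:[TLS](7278/0)Ns=2,Nr=1 *MSGTYPE(ICRQ) *ASSND_SESS_ID(1) *CALL_SER_NUM(0) *BEARER_TYPE(A)
11:10:10.432184 server.1701 > client.1701:  l2tp:[TLS](5/1)Ns=1,Nr=3 *MSGTYPE(ICRP) *ASSND_SESS_ID(11609) (DF)
11:10:10.433090 client.1701 > server.1701:  l2tp:[TLS](7278/11609)Ns=3,Nr=2 *MSGTYPE(ICCN) *TX_CONN_SPEED(10000000) *FRAMING_TYPE(S) PROXY_AUTH_TYPE(No Auth)
11:10:10.443158 client.1701 > server.1701:  l2tp:[L](7278/11609) {Conf-Req(0), MRU=1400, Magic-Num=6d831485, PFC, ACFC, Call-Back CBCP}
11:10:10.452715 server.1701 > client.1701:  l2tp:[L](5/1) {Conf-Req(1), MRU=898, ACCM=00000000, Auth-Prot CHAP/MD5, Magic-Num=000fa56c, PFC, ACFC} (DF)
"""
DIFFERENT_SUBNET = """\
11:25:22.338430 202-52-55-001.veridas.net.1701 > aeolus.veridas.net.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
11:25:23.335845 202-52-55-001.veridas.net.1701 > aeolus.veridas.net.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
"""

if __name__ == "__main__":
    for name, cap in (("same subnet", SAME_SUBNET), ("different subnet", DIFFERENT_SUBNET)):
        for pair, flow in analyze(cap).items():
            print("%-16s %s <-> %s: %s" % (name, pair[0], pair[1], flow["verdict"]))
```

Run as-is it reports "session up, 2 PPP data frames seen" for the same-subnet client and "2 SCCRQ from 202-52-55-001.veridas.net (1 retransmits), no SCCRP seen on this interface" for the remote one, which is the difference the two raw listings show. The script only knows what crossed one interface: SCCRQs with no SCCRP on ipsec0 cannot by themselves say whether l2tpd never saw the request or answered through a different interface, so running it over a parallel `tcpdump -i eth0 udp port 1701` would show whether the server's replies to a remote subnet are leaving by the default route on eth0 instead of ipsec0; the routing table above lists ipsec0 only for localnet.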