New development:

YEEHAW!

It would appear that the problem was indeed the internal routing table. 

route add -net 0.0.0.0 netmask 0.0.0.0 dev ipsec0

That fixed it :D
*celebrates*

Arya



On Friday 02 July 2004 11:21, Arya wrote:
> OK, just added another NIC.
>
> new routing table is:
>
> Kernel IP routing table
> Destination     Gateway           Genmask         Flags Metric Ref    Use Iface
> localnet        *                 255.255.255.192 U     0      0        0 eth0
> localnet        *                 255.255.255.192 U     0      0        0 eth1
> localnet        *                 255.255.255.192 U     0      0        0 ipsec0
> loopback        *                 255.0.0.0       U     0      0        0 lo
> default         real-gateway-here 0.0.0.0         UG    1      0        0 eth0
>
> I have verified that it still works when the client is on the same subnet
> (ie, it does). Still no joy with clients on different subnets though.
>
> The tcpdump of ipsec0 I have noticed, is a lot more populated when the
> client is connecting from the same subnet.
>
> Here's a capture from the ipsec0 interface when the client on the same
> subnet connects:
>
> 11:10:07.413679 client.1701 > server.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
> 11:10:08.413361 client.1701 > server.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
> 11:10:10.413700 client.1701 > server.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
> 11:10:10.415706 server.1701 > client.1701:  l2tp:[TLS](5/0)Ns=0,Nr=1 ZLB (DF)
> 11:10:10.425646 server.1701 > client.1701:  l2tp:[TLS](5/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |... (DF)
> 11:10:10.426751 client.1701 > server.1701:  l2tp:[TLS](7278/0)Ns=1,Nr=1 *MSGTYPE(SCCCN)
> 11:10:10.426871 client.1701 > server.1701:  l2tp:[TLS](7278/0)Ns=2,Nr=1 *MSGTYPE(ICRQ) *ASSND_SESS_ID(1) *CALL_SER_NUM(0) *BEARER_TYPE(A)
> 11:10:10.427175 client.1701 > server.1701:  l2tp:[TLS](7278/0)Ns=3,Nr=1 ZLB
> 11:10:10.428974 server.1701 > client.1701:  l2tp:[TLS](5/0)Ns=1,Nr=2 ZLB (DF)
> 11:10:10.432184 server.1701 > client.1701:  l2tp:[TLS](5/1)Ns=1,Nr=3 *MSGTYPE(ICRP) *ASSND_SESS_ID(11609) (DF)
> 11:10:10.432469 server.1701 > client.1701:  l2tp:[TLS](5/0)Ns=2,Nr=3 ZLB (DF)
> 11:10:10.433090 client.1701 > server.1701:  l2tp:[TLS](7278/11609)Ns=3,Nr=2 *MSGTYPE(ICCN) *TX_CONN_SPEED(10000000) *FRAMING_TYPE(S) PROXY_AUTH_TYPE(No Auth)
> 11:10:10.433198 client.1701 > server.1701:  l2tp:[TLS](7278/0)Ns=4,Nr=2 ZLB
> 11:10:10.443158 client.1701 > server.1701:  l2tp:[L](7278/11609) {Conf-Req(0), MRU=1400, Magic-Num=6d831485, PFC, ACFC, Call-Back CBCP}
> 11:10:10.445649 server.1701 > client.1701:  l2tp:[TLS](5/1)Ns=2,Nr=4 ZLB (DF)
> 11:10:10.452715 server.1701 > client.1701:  l2tp:[L](5/1) {Conf-Req(1), MRU=898, ACCM=00000000, Auth-Prot CHAP/MD5, Magic-Num=000fa56c, PFC, ACFC} (DF)
> 11:10:10.453890 client.1701 > server.1701:  l2tp:[L](7278/11609) {Conf-Ack(1), MRU=898, ACCM=00000000, Auth-Prot CHAP/MD5, Magic-Num=000fa56c, PFC, ACFC}
> 11:10:12.444217 client.1701 > server.1701:  l2tp:[L](7278/11609) {Conf-Req(1), MRU=1400, Magic-Num=6d831485, PFC, ACFC, Call-Back CBCP}
> 11:10:12.445582 server.1701 > client.1701:  l2tp:[L](5/1) {Conf-Rej(1), Call-Back CBCP} (DF)
> 11:10:13.455692 server.1701 > client.1701:  l2tp:[L](5/1) {Conf-Req(1), MRU=898, ACCM=00000000, Auth-Prot CHAP/MD5, Magic-Num=000fa56c, PFC, ACFC} (DF)
> (...and it keeps going...)
>
> tcpdump -i ipsec0 when the client on a different subnet connects yields
> only the following lines:
> 11:25:22.338430 202-52-55-001.veridas.net.1701 > aeolus.veridas.net.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
> 11:25:23.335845 202-52-55-001.veridas.net.1701 > aeolus.veridas.net.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S) *BEARER_CAP() |...
>
> In other words, no difference at all =|
>
> Arya
>
> On Friday 02 July 2004 09:13, Arya wrote:
> > Hi,
> >
> > When I read your reply, I almost wet myself. I added the printf
> > statements to the source, as you said, however when the client on a
> > different subnet connects it would appear that it continues past that
> > select() statement (ie, "select ok" is seen). Therefore the cause can't be
> > this =|
> >
> > Also, Jacco, rightsubnet=vhost:%no,%priv seems to break IPSec (says no
> > authorized connection). That's OK, this one I can work out myself :-)
> >
> > I'm going to try to add another nic to the PC. I'll let you know what
> > happens :)
> >
> > Arya
> >
> > On Thursday 01 July 2004 22:26, Yannick Lecaillez wrote:
> > > To be more precise about my previous post: this
> > > is what I added to network.c to see
> > > the problem:
> > >
> > > (l2tpd: network.c / around line 327)
> > >
> > > printf("select\n");
> > > select (max + 1, &readfds, NULL, NULL, NULL);
> > > printf("select ok\n");
> > >
> > > Sure, it's really simple ... But it permits
> > > discovering the problem: "select" is displayed but "select ok"
> > > is not ...
> > >
> > > Moreover, when I send a UDP packet on the public interface (not through
> > > IPsec) l2tpd receives it without problem.
> > > Finally, I think it's not a routing problem since the IPsec SA
> > > was established (but I'm not an IPsec specialist :)).
> > >
> > > Again, hope this can help ...
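
The fix at the top of this thread (a 0.0.0.0/0 route via ipsec0) can be reproduced offline with a small route lookup over the table Arya posted. The following is an added example and not code from the thread or from l2tpd; it parses `route -n`-style output and does the kernel's longest-prefix / lowest-metric selection so you can see why replies to an off-subnet client left via eth0 before the fix and via ipsec0 after it. The numeric addresses (192.0.2.0/26 standing in for "localnet", 192.0.2.1 for "real-gateway-here", 198.51.100.7 for the remote client) are constructed placeholders, since the posted table shows only symbolic names.

```python
"""Route lookup over a Linux `route -n` table: why the L2TP replies in the
thread only entered the IPsec interface after a default route via ipsec0
was added. Added example; addresses below are constructed placeholders."""
import ipaddress
from typing import List, NamedTuple, Optional

# Constructed equivalent of the posted table, before `route add -net 0.0.0.0 ...`.
# `route -n` prints 0.0.0.0 for directly connected routes' gateway.
BEFORE_TABLE = """
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.2.0       0.0.0.0         255.255.255.192 U     0      0        0 eth0
192.0.2.0       0.0.0.0         255.255.255.192 U     0      0        0 eth1
192.0.2.0       0.0.0.0         255.255.255.192 U     0      0        0 ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.0.2.1       0.0.0.0         UG    1      0        0 eth0
"""

# Same table after `route add -net 0.0.0.0 netmask 0.0.0.0 dev ipsec0`
# (metric 0, the default for a route added without -metric).
AFTER_TABLE = BEFORE_TABLE + (
    "0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ipsec0\n"
)


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]
    metric: int
    iface: str


def parse_route_table(text: str) -> List[Route]:
    """Parse the text form of `route -n`; header and title lines are skipped."""
    routes: List[Route] = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, _flags, metric, _ref, _use, iface = fields[:8]
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw)
        routes.append(Route(network, gateway, int(metric), iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the lowest metric wins;
    among equal prefix and metric the first listed entry is kept."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for r in routes:
        if addr not in r.network:
            continue
        if best is None or (r.network.prefixlen, -r.metric) > (best.network.prefixlen, -best.metric):
            best = r
    return best


def egress_iface(table_text: str, dst: str) -> Optional[str]:
    """Interface the kernel would send a packet for `dst` out of."""
    r = lookup(parse_route_table(table_text), dst)
    return r.iface if r else None


def has_default_via(table_text: str, iface: str) -> bool:
    """Check for a 0.0.0.0/0 entry on `iface`, the condition the fix created."""
    return any(r.network.prefixlen == 0 and r.iface == iface
               for r in parse_route_table(table_text))


if __name__ == "__main__":
    remote_client = "198.51.100.7"   # constructed: client on a different subnet
    local_client = "192.0.2.5"       # constructed: client on the same /26
    for name, table in (("before", BEFORE_TABLE), ("after", AFTER_TABLE)):
        print(f"{name}: remote client -> {egress_iface(table, remote_client)}, "
              f"local client -> {egress_iface(table, local_client)}, "
              f"default via ipsec0: {has_default_via(table, 'ipsec0')}")
```

Running it shows the asymmetry the thread observed: a same-subnet client always matches the /26 entries, but an off-subnet client matches only the default route, which before the fix pointed at eth0 (the real gateway) rather than at the IPsec interface. The added 0.0.0.0/0 entry on ipsec0 wins the tie on metric (0 versus 1), so L2TP replies to remote clients are now handed to the IPsec device. When checking a box like this, `has_default_via` is the quick test: a host that terminates L2TP/IPsec on a FreeS/WAN-style ipsec0 device but has no route back into it will answer off-subnet peers outside the tunnel, or not at all.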

