[Swan] xl2tpd does not respond
bob at computerisms.ca
Tue Feb 16 06:29:56 UTC 2016
I know, l2tp is dead. I have read it before and I acknowledge that, but
I have a bit of an older system configured to use ntlm_auth and xl2tpd
and now is (I hope) not the time to change it. I have been spinning my
wheels all evening and I am hoping maybe somebody has an idea for me...
I had a working firewall, 2 net-to-net tunnels and a handful of road
warriors. Now the customer needs a segregated lan with a couple of
forwards to it from the main network, and they want it to run over a
dedicated internet connection.
So I rsync'd the OS over to a bigger better machine with 4 NICs, got a
new connection from the (only) ISP, and plugged it all in. The ISP gave
me an IP address in the same subnet as the original connection, so both
internet connections have the same gateway, but I added a routing table,
configured it, modified iptables, and everything worked as expected.
net-to-net tunnels came up, but next day I got a report that the
road-warriors are not working.
Tracing the problem down, I find that xl2tpd is not receiving anything.
The ipsec gets all the way to the end with the SA established, but
xl2tpd is a lump on the log. I run it in the foreground, it claims to
be listening on the correct internet connection and correct port, and ss
-apnu shows that it is listening as well. I can use netcat to send a
text file, and I can see output, so I know he is listening...
It seems protoport in the ipsec.conf is the most likely thing to be
looking at, both right and left are set to 17/%any, but I tried a bunch
of variations. I also tried down'ing the ports for the new internet
connection and the new lan, mangled my ipsec.conf in all sorts of ways
and recompiling/reinstalling xl2tpd. xl2tpd is completely
non-responsive, almost as if there is an iptables rule blocking it, but
none seems to exist, unless there is some policy rule I need to add maybe?
Of this whole situation, the only thing that is new to me is the
multiple internet connections on a single firewall, this can't cause the
xl2tpd daemon to go non-responsive, can it? In particular I am
wondering about an additional routing table, but I think this could only
affect outbound traffic, and xl2tpd should at least acknowledge a
connection is made to it. Maybe this requires something to change in my
Does anyone have any ideas about what is (not) happening here?
867-334-7117 / 867-633-3760