[Swan] xl2tpd does not respond

Bob Miller bob at computerisms.ca
Tue Feb 16 06:29:56 UTC 2016

Hi List,

I know, l2tp is dead.  I have read it before and I acknowledge that, but 
I have a bit of an older system configured to use ntlm_auth and xl2tpd 
and now is (I hope) not the time to change it.  I have been spinning my 
wheels all evening and I am hoping maybe somebody has an idea for me...

I had a working firewall, 2 net-to-net tunnels and a handful of road 
warriors.  Now the customer needs a segregated lan with a couple of 
forwards to it from the main network, and they want it to run over a 
dedicated internet connection.

So I rsync'd the OS over to a bigger better machine with 4 NICs, got a 
new connection from the (only) ISP, and plugged it all in.  The ISP gave 
me an IP address in the same subnet as the original connection, so both 
internet connections have the same gateway, but I added a routing table, 
configured it, modified iptables, and everything worked as expected. 
net-to-net tunnels came up, but next day I got report that the 
road-warriors are not working.

Tracing the problem down, I find that xl2tpd is not receiving anything. 
The ipsec gets all the way to the end with the SA established, but 
xl2tpd is a lump on the log.  I run it in the foreground, it claims to 
be listening on the correct internet connection and correct port, and ss 
-apnu shows that it is listening as well.  I can use netcat to send a 
text file, and I can see output, so I know he is listening...

It seems protoport in the ipsec.conf is the most likely thing to be 
looking at, both right and left are set to 17/%any, but I tried a bunch 
of variations.  I also tried down'ing the ports for the new internet 
connection and the new lan, mangled my ipsec.conf in all sorts of ways 
and recompiling/reinstalling xl2tpd.  xl2tpd is completely 
non-responsive, almost as if there is an iptables rule blocking it, but 
none seems to exist, unless there is some policy rule I need to add maybe?

Of this whole situation, the only thing that is new to me is the 
multiple internet connections on a single firewall; this can't cause the 
xl2tpd daemon to go non-responsive, can it?  In particular I am 
wondering about an additional routing table, but I think this could only 
affect outbound traffic, and xl2tpd should at least acknowledge a 
connection is made to it.  Maybe this requires something to change in my 

Does anyone have any ideas about what is (not) happening here?
Bob Miller
867-334-7117 / 867-633-3760
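Editor's added example, not part of Bob's post and not a diagnosis of his setup: the shape of a Libreswan L2TP/IPsec transport-mode conn plus the matching xl2tpd listener, written for a host that has two uplink addresses in the same subnet. The public address 203.0.113.10, the pool 192.0.2.0/24 and the conn name are placeholders. Two things differ from a single-uplink setup: left= is pinned to the specific public address the road warriors dial rather than %defaultroute (which resolves to whichever address the default route uses), and the local selector is 17/1701 as in the libreswan L2TP documentation, so the installed policy matches only UDP 1701 on that address; xl2tpd's listen-addr is set to the same address.

```ini
# /etc/ipsec.conf  (added example; 203.0.113.10 is a placeholder for the
# public address that the road warriors connect to)
conn l2tp-psk
    type=transport
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    # Pin the conn to one uplink address; with two uplinks on one subnet
    # %defaultroute would follow the default route instead.
    left=203.0.113.10
    # Local selector: UDP 1701 (L2TP) only; remote side may use any port
    # because NATed clients arrive on arbitrary source ports.
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

# /etc/xl2tpd/xl2tpd.conf  (added example; same placeholder address)
[global]
# Listen only on the uplink address the IPsec conn above is bound to.
listen-addr = 203.0.113.10
port = 1701
ipsec saref = no

[lns default]
# Placeholder address pool handed to road warriors.
ip range = 192.0.2.100-192.0.2.200
local ip = 192.0.2.1
require chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
```

Two checks that go with this: after a client's SA is up, `ip xfrm policy` should show an in/out transport policy whose selector is the pinned address with UDP port 1701, and `tcpdump -ni <uplink-iface> udp port 1701` should show the decrypted L2TP packets arriving on that interface. If the policy is there but tcpdump on the uplink shows nothing on port 1701, the packets are being dropped before the socket; if tcpdump shows them and xl2tpd still logs nothing, compare the destination address against listen-addr.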
