Hello!

I would like to run the l2tpd daemon on my firewall to enable road-warrior connection of Windows XP SP2 users to my local network. My firewall is built on:

Fedora Core 4
kernel 2.6.16
iptables 1.3.5
shorewall 3.0.6
l2tpd v. 0.69 from http://www.jacco2.dds.nl/networking/freeswan-l2tp.html

The command shorewall show capabilities shows policy match support enabled. I issued certificates using the CA script for both the firewall and the remote user. Racoon seems to be OK, it creates both SA and SP. For the shorewall settings I used the example for the road warrior scenario at http://www.shorewall.net/IPSEC-2.6.html#id2509591

Even when I allow communication from vpn zone to fw and vice versa, I don't see any messages when running l2tpd in debug mode (l2tpd -D) and Shorewall logs blocking udp port 1701.

Is there anybody running the L2TP daemon on a Shorewall firewall who would be so kind to send me some configuration examples? Do I need separate zones for ipsec and l2tpd?

Any help would be appreciated.

Best regards
Michal

-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
On Friday 21 April 2006 01:45, Michal Sladek wrote:

> Hello!
>
> Even when I allow communication from vpn zone to fw and vice versa, I don't
> see any messages when running l2tpd in debug mode (l2tpd -D) and Shorewall
> logs blocking udp port 1701.

With L2TP, you need to allow UDP 1701 from fw->net and net->fw; you can do that with rules in /etc/shorewall/rules or you can use a 'generic' UDP 1701 entry in /etc/shorewall/tunnels.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
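An added example of the two options Tom describes, written in Shorewall 3.0 file syntax; it is not from the thread or from Shorewall's own documentation. It assumes the zone names net and fw from Michal's setup ($FW is Shorewall's variable for the firewall zone) and uses 0.0.0.0/0 as the gateway because road-warrior clients connect from addresses that are not known in advance.

```text
# Option 1: /etc/shorewall/rules
# Allow L2TP (UDP 1701) in both directions between the firewall and
# the Internet zone, as Tom advises (net->fw and fw->net).
#ACTION  SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT   net     $FW     udp     1701
ACCEPT   $FW     net     udp     1701

# Option 2: /etc/shorewall/tunnels (use instead of the two rules above)
# A "generic" tunnel entry opens the given protocol/port between the
# firewall and the gateway address in the named zone. The gateway is
# 0.0.0.0/0 (assumed) because road-warrior addresses vary; keep the
# ipsec entry you already have for racoon's own traffic alongside it.
#TYPE              ZONE   GATEWAY      GATEWAY ZONE
generic:udp:1701   net    0.0.0.0/0
```

Run shorewall check after editing so the syntax is validated before shorewall restart; if UDP 1701 is still logged as blocked, the log line's zone names tell you which pair of zones the rule actually has to name.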
Hello!

It doesn't seem to work anyway. There is a how-to published at http://www.funknet.org/doc/tunnel/l2tp.xml which says that UDP 1701 should be enabled only for traffic coming from the IPsec tunnel. Unfortunately, when I display security policies with setkey -D -P, they are created, but never used.

Michal

< ------------ Original message ------------
< From: Tom Eastep <teastep@shorewall.net>
< Subject: Re: [Shorewall-users] ask for help with L2TP
< Date: 21.4.2006 15:43:07
< ----------------------------------------
< On Friday 21 April 2006 01:45, Michal Sladek wrote:
< > Hello!
< >
< > Even when I allow communication from vpn zone to fw and vice versa, I don't
< > see any messages when running l2tpd in debug mode (l2tpd -D) and Shorewall
< > logs blocking udp port 1701.
< >
< With L2TP, you need to allow UDP 1701 from fw->net and net->fw; you can do
< that with rules in /etc/shorewall/rules or you can use a 'generic' UDP 1701
< entry in /etc/shorewall/tunnels.
<
< -Tom
< --
< Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
< Shoreline, \ http://shorewall.net
< Washington USA \ teastep@shorewall.net
< PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Friday 21 April 2006 10:29, Michal wrote:

> Hello!
>
> It doesn't seem to work anyway. There is a how-to published at
> http://www.funknet.org/doc/tunnel/l2tp.xml which says that UDP 1701 should
> be enabled only for traffic coming from the IPsec tunnel.

The iptables rules in that article enable UDP 1701 fw->all

> Unfortunately, when I
> display security policies with setkey -D -P, they are created, but never
> used.

If you want our help, you are going to have to give us details. See http://www.shorewall.net/support.htm

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key