On Thu, 27 Feb 2014 13:51:10 -0800 "Paul B. Henson" <hen...@acm.org> wrote:
>> From: YASUOKA Masahiko
>> Sent: Wednesday, February 26, 2014 8:46 PM
>> sysctl net.pipex.enable=1
>
> Hmm, yeah, that... I had updated my /etc/sysctl.conf with that change, but
> the system had not been rebooted since I did that; and it does appear I
> forgot to run it by hand 8-/. I could have sworn I manually tweaked it when
> I updated the config, but when I double checked, it was not set, so clearly
> I did not <sigh>. After enabling that setting, I can ping the client from
> the server and vice versa, yay! It looks like ospfd isn't propagating the
> route for the VPN addresses, so I can't talk to anything past the router,
> presumably I need to update that config next.
I'm glad to hear that.

>> In L2TP/IPsec, "transport mode" IPsec is used instead of tunnel mode.
>> This means enc(4) is not used. And de-capsulated L2TP packets are
>> received on the same interface which receives the IPsec packet.
>
> Hmm, that's not what I'm seeing. On the regular WAN interface (em1), when a
> connection is established, I see some initial isakmp packets, and after
> that, the only packets on that interface are the esp protocol:

You're right. I was confused, sorry.

> For the purpose of writing pf rules, I'd like to understand exactly what
> interfaces the packets are traversing. It looks like initially there are
> isakmp packets from the remote client to the server on the external WAN
> interface, followed by encapsulated esp packets. At that point, it looks
> like the packets are flowing through the enc0 interface, from the remote
> client to the l2tp server. Once that tunnel is established, it looks like
> the tunneled packets flow through the pppx0 interface.

Exactly.

> Thanks much for helping point out my obvious mistake with pipex :). I wish I
> would have thought to double check that yesterday when I was beating my head
> against the wall trying to figure out why it wasn't working...

Not at all. I'll fix npppd to warn in the log when the pipex sysctl is not set.

--yasuoka
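The interface sequence confirmed above (isakmp and esp on em1, decrypted L2TP on enc0, PPP traffic on pppx0) maps directly onto pf rules. The following pf.conf fragment is an added example written for this thread, not part of the original exchange or of npppd; it assumes em1 is the external interface, enc0 is the IPsec decapsulation interface, and the per-session pppx(4) interfaces belong to the "pppx" interface group.

```pf
# Constructed example (not from the thread): pf.conf fragment for an
# L2TP/IPsec server running npppd. Assumes em1 is the external interface
# (as in the thread), enc0 carries the decrypted IPsec traffic, and the
# per-session pppx(4) interfaces (pppx0, ...) belong to the "pppx" group.
# net.pipex.enable=1 must still be set in sysctl; pf cannot substitute for it.
ext_if = "em1"

# Phase 1: IKE (isakmp, UDP 500) and NAT-T (UDP 4500) arrive in the clear
# on the WAN interface.
pass in on $ext_if proto udp from any to ($ext_if) port { 500 4500 }

# Phase 2: after IKE completes, only ESP is seen on em1.
pass in on $ext_if proto esp from any to ($ext_if)

# The decrypted L2TP payload (UDP 1701) shows up on enc0, so the rule is
# written against enc0, not em1. if-bound keeps the state tied to enc0 so
# an unencrypted L2TP packet arriving on em1 does not match this state.
pass in on enc0 proto udp from any to ($ext_if) port 1701 keep state (if-bound)

# Once the tunnel is up, the PPP traffic flows over the pppx interfaces;
# this is where per-client filtering policy belongs.
pass on pppx
```

Run `pfctl -nf /etc/pf.conf` to syntax-check the rules before loading them, and `tcpdump -ni enc0` / `tcpdump -ni pppx0` to confirm traffic appears on the interface each rule targets.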