> From: YASUOKA Masahiko
> Sent: Thursday, February 27, 2014 5:44 PM
> >> In L2TP/IPsec, "transport mode" IPsec is used instead of tunnel mode.
> >> This means enc(4) is not used.  And de-capsulated L2TP packets are
> >> received on the same interface which receives IPsec packet.
> >
> > Hmm, that's not what I'm seeing. On the regular WAN interface (em1),
> > when a connection is established, I see some initial isakmp packets,
> > and after that, the only packets on that interface are the esp protocol:
> 
> You're right.  I was confused, sorry.

When I shut down the VPN client, it does look like there are some
non-encapsulated packets coming from the client to the l2tp port on the WAN
interface:

17:52:50.434908 esp bart.pbhware.com > host-134-71-203-251.allocated.csupomona.edu spi 0x0d875c54 seq 23 len 68
17:52:50.512023 host-134-71-203-251.allocated.csupomona.edu.isakmp > bart.pbhware.com.isakmp: isakmp v1.0 exchange INFO encrypted
        cookie: 5eaec242bc98f28f->83a0e65155bcbcf8 msgid: c52320cb len: 76
17:52:50.512028 host-134-71-203-251.allocated.csupomona.edu.isakmp > bart.pbhware.com.isakmp: isakmp v1.0 exchange INFO encrypted
        cookie: 5eaec242bc98f28f->83a0e65155bcbcf8 msgid: c52320cb len: 76
17:52:50.512030 host-134-71-203-251.allocated.csupomona.edu.isakmp > bart.pbhware.com.isakmp: isakmp v1.0 exchange INFO encrypted
        cookie: 5eaec242bc98f28f->83a0e65155bcbcf8 msgid: 64cf721d len: 92
17:52:50.512032 host-134-71-203-251.allocated.csupomona.edu.isakmp > bart.pbhware.com.isakmp: isakmp v1.0 exchange INFO encrypted
        cookie: 5eaec242bc98f28f->83a0e65155bcbcf8 msgid: 64cf721d len: 92
17:52:50.961996 host-134-71-203-251.allocated.csupomona.edu.62139 > bart.pbhware.com.l2tp: l2tp:[TLS](6/24262)Ns=4,Nr=2 *MSGTYPE(CDN) *ASSND_SESS_ID(4330) *RESULT_CODE(768/0 ) [|l2tp]
17:52:50.962000 host-134-71-203-251.allocated.csupomona.edu.62139 > bart.pbhware.com.l2tp: l2tp:[TLS](6/24262)Ns=4,Nr=2 *MSGTYPE(CDN) *ASSND_SESS_ID(4330) *RESULT_CODE(768/0 ) [|l2

They result in warnings from npppd though:

2014-02-27 17:52:50:INFO: l2tpd Received from=134.71.203.251:62139: bad control message: tunnelId=6 is not found.  mestype=CDN
2014-02-27 17:52:52:INFO: l2tpd Received from=134.71.203.251:62139: bad control message: tunnelId=6 is not found.  mestype=CDN

So they're clearly not important. The client I'm testing right now is an
iPhone, maybe it's a bug on that side.

> Not at all.  I'll fix npppd to warn in the log when the pipex sysctl
> is not set.

Yeah, that's a great idea. I was running in debug mode, and it logged:

2014-02-27 17:37:44:NOTICE: ppp id=0 layer=base Using pipex=yes

If there had been a warning right next to it that pipex was disabled,
that would've been quite helpful in pointing out the forgotten step.
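As an added illustration (not code from the thread, from npppd or from tcpdump), here is a small Python checker that parses the tcpdump and npppd lines quoted above, re-joined onto one line per packet, and pairs each L2TP control message seen in the clear on the WAN interface with npppd's "tunnelId ... is not found" warning. It assumes the output formats are exactly as printed in the quoted lines.

```python
import re

# Constructed sample: the capture and npppd lines quoted in the thread (tcpdump output re-joined per packet).
TCPDUMP_SAMPLE = """\
17:52:50.434908 esp bart.pbhware.com > host-134-71-203-251.allocated.csupomona.edu spi 0x0d875c54 seq 23 len 68
17:52:50.512023 host-134-71-203-251.allocated.csupomona.edu.isakmp > bart.pbhware.com.isakmp: isakmp v1.0 exchange INFO encrypted
17:52:50.961996 host-134-71-203-251.allocated.csupomona.edu.62139 > bart.pbhware.com.l2tp: l2tp:[TLS](6/24262)Ns=4,Nr=2 *MSGTYPE(CDN) *ASSND_SESS_ID(4330) *RESULT_CODE(768/0 ) [|l2tp]
"""
NPPPD_SAMPLE = """\
2014-02-27 17:52:50:INFO: l2tpd Received from=134.71.203.251:62139: bad control message: tunnelId=6 is not found.  mestype=CDN
2014-02-27 17:37:44:NOTICE: ppp id=0 layer=base Using pipex=yes
"""

# tcpdump renders an L2TP control message as l2tp:[flags](tunnel/session) ... *MSGTYPE(name)
L2TP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+?)\.(?P<sport>\d+) > \S+\.l2tp: "
    r"l2tp:\[(?P<flags>[^\]]*)\]\((?P<tid>\d+)/(?P<sid>\d+)\).*?\*MSGTYPE\((?P<msg>\w+)\)"
)
# npppd's warning for a control message addressed to a tunnel id it does not know
NPPPD_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d:\w+: l2tpd Received from=(?P<ip>[\d.]+):(?P<sport>\d+): "
    r"bad control message: tunnelId=(?P<tid>\d+) is not found\.\s+mestype=(?P<msg>\w+)"
)

def plaintext_l2tp_controls(tcpdump_text):
    """L2TP control messages visible in the clear on the WAN capture.  Traffic inside
    the IPsec SA shows up there only as esp, so anything decoding as l2tp bypassed it."""
    return [
        {"ts": m["ts"], "sport": int(m["sport"]), "tid": int(m["tid"]),
         "sid": int(m["sid"]), "msg": m["msg"]}
        for m in map(L2TP_RE.match, tcpdump_text.splitlines()) if m
    ]

def npppd_rejections(npppd_text):
    """Control messages npppd refused because the tunnel id was already gone."""
    return [
        {"sport": int(m["sport"]), "tid": int(m["tid"]), "msg": m["msg"]}
        for m in map(NPPPD_RE.match, npppd_text.splitlines()) if m
    ]

def classify(tcpdump_text, npppd_text):
    """Pair each cleartext control message with npppd's reaction, keyed on (UDP source
    port, tunnel id).  A CDN for a tunnel npppd no longer has is a stale tear-down sent
    after the SA was deleted; a cleartext message with no matching rejection is the one
    to look into, since npppd may have acted on it without IPsec protection."""
    rejected = {(r["sport"], r["tid"]) for r in npppd_rejections(npppd_text)}
    return [
        dict(c, verdict="stale" if (c["sport"], c["tid"]) in rejected else "unprotected")
        for c in plaintext_l2tp_controls(tcpdump_text)
    ]
```

With the quoted lines as input, the only cleartext control message is the CDN for tunnel 6, and it is classified as stale because npppd logged that the tunnel no longer existed.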