> From: YASUOKA Masahiko
> Sent: Thursday, February 27, 2014 5:44 PM
>
> >> In L2TP/IPsec, "transport mode" IPsec is used instead of tunnel mode.
> >> This means enc(4) is not used. And de-capsulated L2TP packets are
> >> received on the same interface which receives the IPsec packets.
> >
> > Hmm, that's not what I'm seeing. On the regular WAN interface (em1),
> > when a connection is established, I see some initial isakmp packets,
> > and after that, the only packets on that interface are the esp protocol:
>
> You're right. I was confused, sorry.
When I shut down the VPN client, it does look like there are some
non-encapsulated packets coming from the client to the l2tp port on the
WAN interface:

17:52:50.434908 esp bart.pbhware.com > host-134-71-203-251.allocated.csupomona.edu spi 0x0d875c54 seq 23 len 68
17:52:50.512023 host-134-71-203-251.allocated.csupomona.edu.isakmp > bart.pbhware.com.isakmp: isakmp v1.0 exchange INFO encrypted cookie: 5eaec242bc98f28f->83a0e65155bcbcf8 msgid: c52320cb len: 76
17:52:50.512028 host-134-71-203-251.allocated.csupomona.edu.isakmp > bart.pbhware.com.isakmp: isakmp v1.0 exchange INFO encrypted cookie: 5eaec242bc98f28f->83a0e65155bcbcf8 msgid: c52320cb len: 76
17:52:50.512030 host-134-71-203-251.allocated.csupomona.edu.isakmp > bart.pbhware.com.isakmp: isakmp v1.0 exchange INFO encrypted cookie: 5eaec242bc98f28f->83a0e65155bcbcf8 msgid: 64cf721d len: 92
17:52:50.512032 host-134-71-203-251.allocated.csupomona.edu.isakmp > bart.pbhware.com.isakmp: isakmp v1.0 exchange INFO encrypted cookie: 5eaec242bc98f28f->83a0e65155bcbcf8 msgid: 64cf721d len: 92
17:52:50.961996 host-134-71-203-251.allocated.csupomona.edu.62139 > bart.pbhware.com.l2tp: l2tp:[TLS](6/24262)Ns=4,Nr=2 *MSGTYPE(CDN) *ASSND_SESS_ID(4330) *RESULT_CODE(768/0) [|l2tp]
17:52:50.962000 host-134-71-203-251.allocated.csupomona.edu.62139 > bart.pbhware.com.l2tp: l2tp:[TLS](6/24262)Ns=4,Nr=2 *MSGTYPE(CDN) *ASSND_SESS_ID(4330) *RESULT_CODE(768/0) [|l2

They result in warnings from npppd though:

2014-02-27 17:52:50:INFO: l2tpd Received from=134.71.203.251:62139: bad control message: tunnelId=6 is not found. mestype=CDN
2014-02-27 17:52:52:INFO: l2tpd Received from=134.71.203.251:62139: bad control message: tunnelId=6 is not found. mestype=CDN

So they're clearly not important. The client I'm testing right now is an
iPhone, maybe it's a bug on that side.

> Not at all. I'll fix npppd to warn in the log when the pipex sysctl
> is not set.

Yeah, that's a great idea.
I was running in debug mode, and it logged:

2014-02-27 17:37:44:NOTICE: ppp id=0 layer=base Using pipex=yes

If there would have been a warning right next to it that pipex was
disabled, that would've been quite helpful in pointing out the forgotten
step.
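As an added example, not part of this thread and not npppd's own code, here is a Python check that applies the observation above to a WAN-side tcpdump capture: during a transport-mode L2TP/IPsec session only ESP is expected on that interface, so a cleartext L2TP control message on the l2tp port is treated as a benign post-teardown retransmit (the CDN messages above, which npppd reports as an unknown tunnelId) only when it closely follows the same peer's ISAKMP INFO exchange, and is flagged otherwise. The capture lines are constructed from the thread's output with shortened host names, the last line is invented, and the 5-second window and reading any INFO exchange as the SA delete are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed tcpdump lines modelled on the thread's capture (host names
# shortened; the last line is invented to show the non-benign case).
SAMPLE_CAPTURE = """\
17:52:50.434908 esp client.example > gw.example spi 0x0d875c54 seq 23 len 68
17:52:50.512023 client.example.isakmp > gw.example.isakmp: isakmp v1.0 exchange INFO encrypted cookie: 5eaec242bc98f28f->83a0e65155bcbcf8 msgid: c52320cb len: 76
17:52:50.961996 client.example.62139 > gw.example.l2tp: l2tp:[TLS](6/24262)Ns=4,Nr=2 *MSGTYPE(CDN) *ASSND_SESS_ID(4330) *RESULT_CODE(768/0) [|l2tp]
17:53:40.000000 other.example.50000 > gw.example.l2tp: l2tp:[TLS](9/100)Ns=1,Nr=1 *MSGTYPE(SCCRQ) [|l2tp]
"""

TS = r"(?P<ts>\d\d:\d\d:\d\d\.\d+)"
ESP_RE = re.compile(TS + r" esp (?P<peer>\S+) > \S+ spi ")
ISAKMP_INFO_RE = re.compile(TS + r" (?P<peer>\S+)\.isakmp > \S+\.isakmp: isakmp .*exchange INFO")
L2TP_CTRL_RE = re.compile(TS + r" (?P<peer>\S+)\.\d+ > \S+\.l2tp: l2tp:\[\w*\]"
                          r"\((?P<tid>\d+)/(?P<sid>\d+)\).*\*MSGTYPE\((?P<msg>\w+)\)")

def _t(ts):
    return datetime.strptime(ts, "%H:%M:%S.%f")

def classify_cleartext_l2tp(capture, window=timedelta(seconds=5)):
    """Return (peer, tunnel_id, msgtype, verdict) for each L2TP control
    message seen in the clear on the WAN interface.

    Only ESP should be visible there while a transport-mode session is up.
    Cleartext L2TP is expected just after the peer's ISAKMP INFO exchange
    (assumed here to be the SA delete); the CDN retransmits are that case."""
    active = set()   # peers whose ESP traffic was seen and not torn down since
    last_info = {}   # peer -> time of its most recent ISAKMP INFO exchange
    findings = []
    for line in capture.splitlines():
        if m := ESP_RE.match(line):
            active.add(m["peer"])
        elif m := ISAKMP_INFO_RE.match(line):
            active.discard(m["peer"])
            last_info[m["peer"]] = _t(m["ts"])
        elif m := L2TP_CTRL_RE.match(line):
            peer, when = m["peer"], _t(m["ts"])
            t_info = last_info.get(peer)
            if peer in active:
                verdict = "l2tp-outside-ipsec"  # SA is up, yet L2TP bypassed it
            elif t_info is not None and timedelta(0) <= when - t_info <= window:
                verdict = "post-teardown"       # benign: npppd logs tunnelId not found
            else:
                verdict = "no-ipsec"            # L2TP with no IPsec session at all
            findings.append((peer, int(m["tid"]), m["msg"], verdict))
    return findings
```

Running it on the sample yields one post-teardown CDN for tunnel 6 (matching the npppd warnings) and one unprotected SCCRQ from the invented peer.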