I have been struggling with a problem with an ipsec/l2tp vpn server on my firewall for a long time. The user will tell windows to connect, and they connect to the ipsec just fine, connect to l2tpd just fine, get an ip from pppd just fine. However once the ppp interface comes up on the server ipsec starts to spit this message out:

    Mar 3 21:59:26 firewall pluto[5135]: ERROR: asynchronous network error report on br0 (sport=4500) for message to 155.97.239.238 port 4500, complainant ***.***.103.174: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]

I see that twice and the tunnel comes down. Another thing I have noticed is that I can ping 155.97.239.238 before the connection attempt and after the tunnel is torn down. However when the connection has been established, I can't ping that IP; I see the same message the ipsec server spits out, "No route to host". So I did the logical thing and checked the routing table before, during and after a connection and this is what I saw.

before and after:

    default          ***-***-103-161.  255.255.255.240  UG  0 0 0 br0
    localnet         *                 255.255.255.240  U   0 0 0 br0
    192.168.2.0      *                 255.255.255.0    U   0 0 0 bond0.101
    192.168.1.0      *                 255.255.255.0    U   0 0 0 bond0.103
    192.168.0.0      *                 255.255.255.0    U   0 0 0 bond0.100
    default          ***-***-103-161.  0.0.0.0          UG  0 0 0 br0

during:

    re-east-2-238.   *                 255.255.255.255  UH  0 0 0 br0
    192.168.0.248    *                 255.255.255.255  UH  0 0 0 ppp0
    default          ***-***-103-161.  255.255.255.240  UG  0 0 0 br0
    localnet         *                 255.255.255.240  U   0 0 0 br0
    192.168.2.0      *                 255.255.255.0    U   0 0 0 bond0.101
    192.168.1.0      *                 255.255.255.0    U   0 0 0 bond0.103
    192.168.0.0      *                 255.255.255.0    U   0 0 0 bond0.100
    default          ***-***-103-161.  0.0.0.0          UG  0 0 0 br0

re-east-2-238 is the rdns for the client. So the only thing that I can come up with is that the first route that gets added (by ppp or by the firewall?) is breaking everything. But I have no idea where it's coming from. Can anyone help?

Here are my configs for the firewall for vpn.

hosts

    vpn     br0:0.0.0.0/0

interfaces

    loc     ppp+    detect      <-- is this right?

tunnels

    ipsec      net    0.0.0.0/0    vpn
    ipsecnat   net    0.0.0.0/0    vpn

zones

    vpn    ipsec
    loc    ipv4

rules

    ACCEPT    $FW    vpn    udp    1701
    ACCEPT    vpn    $FW    udp    1701
    ACCEPT    net    $FW    udp    4500

Oh, and one more odd thing about this vpn: when I'm on the ***-***-103-161.
255.255.255.240 subnet (so outside the firewall but still on our own public ip space), the vpn works like a charm, no problems at all (which is also why this problem is so confusing).

Thanks for your time

Andrew T.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
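Added example (not from the post or from Shorewall): a POSIX sh/awk check over `route -n` output that flags gateway-less /32 routes on a broadcast interface whose destination lies outside that interface's connected subnets, the shape of the `re-east-2-238 * 255.255.255.255 UH br0` entry that appears while the tunnel is up and leaves the kernel to resolve the client's public address by ARP on br0 instead of sending it via the default gateway (ARP fails, so local senders get EHOSTUNREACH, "No route to host"). The sample table and all addresses in it are constructed placeholders modelled on the tables above.

```shell
#!/bin/sh
# Added example: find host routes that cannot work on a broadcast interface.
# A /32 with no gateway on br0/eth0 makes the kernel ARP for the destination
# on that segment; if the host is not there, neighbour resolution fails and
# the sender gets EHOSTUNREACH ("No route to host"). Interfaces with no
# connected network route (e.g. ppp0) are assumed point-to-point and skipped.

# Constructed "route -n" style input. Placeholders: 203.0.113.160/28 is the
# firewall's public subnet, 203.0.113.161 its default gateway and
# 203.0.113.238 the remote VPN client.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.238   0.0.0.0         255.255.255.255 UH    0      0        0 br0
192.168.0.248   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
203.0.113.160   0.0.0.0         255.255.255.240 U     0      0        0 br0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 bond0.101
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 bond0.100
0.0.0.0         203.0.113.161   0.0.0.0         UG    0      0        0 br0'

# Reads a routing table on stdin; prints "<destination> <iface>" for every
# gateway-less host route whose destination is outside all connected
# networks on that interface. Plain POSIX awk, no gawk bitwise functions.
find_stray_host_routes() {
    awk '
    function ip2n(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    $3 !~ /^[0-9]/ { next }                                  # title/header lines
    $4 ~ /H/ && ($2 == "0.0.0.0" || $2 == "*") {             # on-link host route
        nhost++; hdst[nhost] = $1; hif[nhost] = $NF; next
    }
    $4 !~ /H/ && $4 !~ /G/ {                                 # connected network
        nnet++; ndst[nnet] = ip2n($1); nif[nnet] = $NF
        nsz[nnet] = 4294967296 - ip2n($3)                    # size of host part
        broadcast[$NF] = 1
    }
    END {
        for (h = 1; h <= nhost; h++) {
            if (!broadcast[hif[h]]) continue                 # point-to-point link
            d = ip2n(hdst[h]); inside = 0
            for (n = 1; n <= nnet; n++)
                if (nif[n] == hif[h] && int(d / nsz[n]) * nsz[n] == ndst[n]) inside = 1
            if (!inside) print hdst[h], hif[h]
        }
    }'
}

printf "%s\n" "$SAMPLE_ROUTES" | find_stray_host_routes   # prints: 203.0.113.238 br0
```

On a live box, `route -n | find_stray_host_routes` run while the tunnel is up shows whether the client's /32 is the entry at fault.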
