Openswan/strongSwan + openl2tpd

Author:  FrankL [ Mon Nov 22, 2010 11:07 am ]
Post subject:  Openswan/strongSwan + openl2tpd

In non-ephemeral ports setup, the following issue pops up:

When trying to run openl2tpd as LNS with either Openswan (confirmed) or strongSwan, connection issues arise (confirmed with Microsoft Windows Vista as LAC). These issues are caused by the automatic configuration of the Security Policy Database by Openswan/strongSwan, and the way openl2tpd opens connections. To my best understanding, the creation of the outgoing policy in the SPD happens after openl2tpd tries to create an outgoing connection. Because openl2tpd's connection is already open, it won't match the rule newly created by openswan/strongswan.

The best documentation I've found on why these issues arise is here: ... 00200.html

However, I lack the technical knowledge to say whether the proposed solution is acceptable, and/or whether openl2tpd should be changed to work around these issues. The fact that this patch did not get accepted into upstream is not a good sign though.

A working 'hack' for this problem is to use the plugin + setkey to let openl2tpd duplicate the SPD modifications that openswan/strongswan make. However, these would not be needed if the creation of SPD rules by openswan/strongswan matched the needs of openl2tpd. Furthermore, the af_key interface used by setkey/ seems to be old, and solving this issue is a step in switching over to the xfrm interface (and doing away with dependencies like ipsec-tools).

Mr. Chapman, would you mind looking into the issue described in the link I posted above, and see if either openswan/strongswan or openl2tp is the most logical target for changes to fix this issue? I'm sure the maintainers of these software packages would listen to you if they are the ones that need to be fixed.

Author:  FrankL [ Tue Nov 23, 2010 10:32 am ]
Post subject:  Re: Openswan/strongSwan + openl2tpd

I've filed a bug report at

Author:  FrankL [ Sat Dec 17, 2011 10:35 pm ]
Post subject:  Re: Openswan/strongSwan + openl2tpd

After more than a year, there is still no activity on Openswan's end to fix this issue (regardless of having recognized the issue and assigned someone to fix it). The strongSwan and Racoon IKE daemons also suffer from this issue.

It is not completely clear to me whether this behaviour is due to the way the IPSEC RFCs are worded or to the implementations in the IKE daemons.

While the plugin + racoon's setkey are a hack to work around this issue, it is not desired as it requires installation of extra packages (when racoon is not the IKE daemon), and does not work with IPSEC implementations other than NETKEY (i.e. KLIPS).

Is it possible to add a switch in openl2tp that specifies a delay before responding to requests by a connecting LAC? This might allow the IPSEC IKE time to set up an outgoing SPD before openl2tp responds.

In this scenario openl2tp still does not know whether the outgoing SPD has been established, but the chances will probably increase a lot. I can't immediately think of a better way to work around this issue...
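The last post notes that a fixed delay leaves openl2tp guessing whether the outbound SPD entry exists yet. Added here as an example (not code from the thread or from the openl2tp project): a small POSIX shell check that parses the Linux `ip xfrm policy` dump and reports whether both the inbound and the outbound policy for UDP port 1701 with a given peer are present, so a hook could wait on the real SPD state instead of a timer. The peer address, the sample dump text and the polling wrapper are constructed assumptions; the dump format is iproute2's on the NETKEY/XFRM stack.

```shell
#!/bin/sh
# Added example: is the kernel SPD already holding both directions of the
# L2TP (UDP 1701) IPsec policy for a peer? Assumes iproute2 `ip xfrm policy`
# output on Linux NETKEY/XFRM. Peer address and dumps below are constructed.

# l2tp_spd_dirs PEER  (policy dump on stdin)
# Prints "in"/"out", one per line, for every policy whose selector is UDP
# port 1701 and whose src or dst is PEER/32.
l2tp_spd_dirs() {
    awk -v peer="$1" '
        /^src / { sel = $0; next }      # selector line opens an entry
        /^[ \t]*dir / {                 # direction line follows it
            if ((index(sel, "src " peer "/32") || index(sel, "dst " peer "/32")) &&
                index(sel, "proto udp") &&
                (index(sel, "sport 1701") || index(sel, "dport 1701")))
                print $2
        }'
}

# l2tp_spd_ready PEER  (policy dump on stdin)
# Succeeds only when both directions exist, i.e. the outbound policy the
# thread describes as arriving late has been installed.
l2tp_spd_ready() {
    dirs=$(l2tp_spd_dirs "$1")
    printf '%s\n' "$dirs" | grep -qx in && printf '%s\n' "$dirs" | grep -qx out
}

# wait_l2tp_spd PEER [TRIES]: poll the live SPD instead of sleeping blindly.
wait_l2tp_spd() {
    n=${2:-20}
    while [ "$n" -gt 0 ]; do
        ip xfrm policy | l2tp_spd_ready "$1" && return 0
        n=$((n - 1)); sleep 1
    done
    return 1
}

# Constructed sample dumps (not captured from a real host).
SPD_BOTH='src 10.0.0.1/32 dst 192.0.2.5/32 proto udp sport 1701
	dir out priority 0 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
src 192.0.2.5/32 dst 10.0.0.1/32 proto udp dport 1701
	dir in priority 0 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport'
# The racy state: only the inbound policy has been installed so far.
SPD_IN_ONLY=$(printf '%s\n' "$SPD_BOTH" | awk 'NR > 4')
```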
