Can IP Masquerading Handle L2TP Connections?

carrier lost asks: "I have to connect to my company's VPN using L2TP. I am masquerading my company-provided Windows boxes behind Linux 2.2.16. I have successfully configured the combination to provide PPTP, but now I have to figure out how to enable L2TP. Has anyone done this? Can you point me to a step-by-step tutorial?"

L2TP Through IP Masquerading?

  • by Leknor ( 224175 ) on Thursday October 05, 2000 @12:21AM (#730238)

    I've never heard of L2TP before your post but here is the vpn I've recently setup.

    I got vpnd [sunsite.auc.dk] and put it on two boxes on the internet. Each box was on the edge of a company network providing ip_masq and basic firewalling. The biggest problem I had was a conceptual problem with VPN'ing, and it was that you are effectively creating one big network, not two networks connected together. Maybe this is obvious to others, but it wasn't on any web site I've read, and networking isn't common enough for me to pay for a class or something.

    Before I go any further, the vpnd setup has been semi-reliable. This doesn't bother me because we have taken two average connections to the internet and created a convenient, non-critical link for dirt cheap. If you need a reliable link, put the money into it until it is as reliable as you need it. Open source and GNU/Linux are good but not the answer to everything ... yet. :-)

    Here is the info that would have saved me a few hours. I'm assuming you've read the readme and FAQ from vpnd [sunsite.auc.dk]. You have two private networks; we'll call them 192.168.0.0/24 and 192.168.127.0/24. Choose one to be the client and one the server. In our case one had a changing IP addr, so we made that one the client. Then set up all the config options in vpnd.conf like it should be. Here's what got me: when you set up the route1 option, the netmask needs to be a netmask that includes both sub-networks. In my case I used 255.255.0.0.

    If you need more help feel free to email me.

    Leknor

  • by d4emon ( 28603 ) on Thursday October 05, 2000 @05:53AM (#730239) Homepage
    In order to provide encryption and authentication with L2TP, IPSec is used. Unlike PPTP, which encrypts the packet and then encapsulates the PPP payload inside another layer of TCP/IP headers, L2TP relies on IPSec to encrypt the layer 2 payload and wraps it in TCP/IP headers. The problem is that the WHOLE packet is checksummed (including both TCP and IP headers). What that means is that if you NAT the packet, the packet will be rewritten, the checksum will fail, and the packet will be dropped on the other side of the tunnel.
  • I suggest, to avoid problems with your Linux box masquerading packets which have already been checksummed, that you set up the VPN service on your Linux box. L2TP is essentially IPsec. If you follow the VPN HOWTO, available at most Linux HOWTO sites, or visit the www.freeswan.org?? site, you should be able to get it up and running in no time.

    Malice95
  • L2TP (Layer 2 Tunneling Protocol) is typically used with IPSec the same way PPP (Point-to-Point Protocol) is used with PPTP (L2TP/IPSec is the default VPN config for Win2K). L2TP encapsulates IP, IPX or whatever, and is encapsulated inside IPSec. From the RFC Draft: "The Layer Two Tunneling Protocol (L2TP) ... permits the tunneling of the link layer (i.e., HDLC, async HDLC) of PPP." In essence it's a pared-down PPP specifically for use in tunneling multiple protocols over IP.

    You can actually masquerade IPSec connections under the right circumstances, although I'd recommend patching your Linux firewall with the FreeS/WAN stuff and doing it from there unless you absolutely HAVE to.

    From John Hardin's website:
    "The IPsec AH protocol (51/ip) incorporates a cryptographic checksum including the IP addresses in the IP header. Since masquerading changes those IP addresses and since the cryptographic checksum cannot be recalculated by the masquerading firewall, the masqueraded packets will fail the checksum test and will be discarded by the remote IPsec gateway. Therefore, IPsec implementations that use the AH protocol cannot be successfully masqueraded. Sorry. (ESP with authentication can be masqueraded.)"

    Some links you might find helpful:
    Linux L2TP Daemon (rather old) [marko.net]
    The Draft RFC mentioned above (from the same site) [marko.net]
    John Hardin's VPN Masquerading Website [rubyriver.com]
    FreeS/WAN home page (IPSec for Linux) [xs4all.nl]
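    To make the AH-versus-ESP point in the two comments above concrete, here is an added Python sketch; it is not from this thread or from any real IPsec stack. It models the two integrity checks with HMAC-SHA256 truncated to 96 bits, reduces the masquerading box to a source-address rewrite, and uses constructed addresses (192.168.0.50, 203.0.113.10, 198.51.100.1) and a constructed key.

```python
import hashlib
import hmac
import ipaddress
import struct

AH, ESP = 51, 50                   # IP protocol numbers of the two IPsec protocols
KEY = b"constructed-demo-sa-key"   # constructed: authentication key shared by the two gateways

def ip_header(src, dst, proto):
    """Minimal 20-byte IPv4 header (constructed; checksum left zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def ah_icv(iph, payload):
    """AH ICV: HMAC over the IP header (mutable fields zeroed, addresses kept) plus payload."""
    h = bytearray(iph)
    h[1] = 0                # TOS
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha256).digest()[:12]

def esp_icv(esp_payload):
    """ESP ICV: HMAC over SPI, sequence number and ciphertext only; the outer IP header is not covered."""
    return hmac.new(KEY, esp_payload, hashlib.sha256).digest()[:12]

def masquerade(iph, new_src):
    """What the masquerading gateway does: rewrite the source address in place."""
    return iph[:12] + ipaddress.IPv4Address(new_src).packed + iph[16:]

def gateway_accepts(wire_iph, payload, icv):
    """Remote IPsec gateway recomputes the ICV from the packet exactly as it arrived."""
    expected = ah_icv(wire_iph, payload) if wire_iph[9] == AH else esp_icv(payload)
    return hmac.compare_digest(expected, icv)

def send_through_masq(proto, masq_src=None, src="192.168.0.50", dst="203.0.113.10"):
    """Sender signs with its private address; if masq_src is set, a masq box rewrites it en route."""
    iph = ip_header(src, dst, proto)
    if proto == AH:
        payload = b"constructed PPP frame carried inside L2TP"
        icv = ah_icv(iph, payload)
    else:
        payload = struct.pack("!II", 0x1000, 1) + bytes(32)  # SPI, seq, 32 bytes of constructed ciphertext
        icv = esp_icv(payload)
    if masq_src:
        iph = masquerade(iph, masq_src)
    return gateway_accepts(iph, payload, icv)
```

    AH fails after the rewrite because the addresses are inside the MAC, while ESP passes because only the ESP header and ciphertext are authenticated. ESP still carries no port numbers, so a masquerading box cannot demultiplex several inside hosts by port the way it does for TCP, which is why the kernel needed a dedicated ESP patch.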
  • Just not all that practical: read on.

    L2TP Router INT: 192.168.200.1
    L2TP Router EXT: 192.168.0.50
    |
    |
    MASQ BOX INT: 192.168.0.1
    MASQ BOX EXT: 172.32.1.1 (or any GLOBAL IP)

    MASQ BOX EXT: 172.32.1.2 (or any GLOBAL IP)
    MASQ BOX INT: 192.168.0.50
    |
    |
    L2TP Router EXT: 192.168.0.1
    L2TP Router INT: 192.168.201.1

    ================================================
    Notice that the IP of each MASQ box is identical to the opposing L2TP Router.

    Each MASQ box must have PORT FORWARDING enabled with the GRE/ESP patch to the Linux Kernel to enable IPCHAINS passthrough and proper forwarding.

    Each MASQ box must have either 2-way MASQerading running or a combination of global IPs (headache time) that allow the packets to change origin at destination.

    L2TP1 initiates a connection to 192.168.0.1, which is then forwarded by MASQ1 to MASQ2 on port 500, utilizing GRE/ESP packet encoding. MASQ2 is set to forward these packets internally to L2TP2 on its internal network, with the "originating" system appearing to be the local MASQ2 system, which, by design, has the same IP as the original L2TP system.

    Now, this is an incredible waste of time, since you completely wreck the ability of L2TP to support multiple connections .... but it is POSSIBLE!

    Cheers (and I apologize for the headaches if you try to make this work)

  • Ok, I'm going to make a correction.

    Layer 2 Tunneling Protocol is basically a revamped version of PPTP w/o Microsoft extensions, by Cisco.

    It is NOT IPSec. Nor is it typically used with IPSec. It is one of the two options to create a tunnel between two Windows boxes talking using IPSec in Windows 2000.

    The ip_masq_pptp patch (which I believe is integrated into the kernel now) basically allows for the masquerading of GRE tunnel traffic.

    FreeS/WAN will not help you with this, unless you can convince the admins to let you connect using PPTP w/o MS encryption and authentication, hidden inside IPSec encryption. Believe it or not, I'm setting it up now so some remote offices of the company I work for can just power up PGPnet (a free Windows IPsec implementation) and then just create a PPTP tunnel.

    Hope this clears up a few things.
    -LW
