Slashdot Mirror


Can IP Masquerading Handle L2TP Connections?

carrier lost asks: "I have to connect to my company's VPN using L2TP. I am masquerading my company-provided Windows boxes behind Linux 2.2.16. I have successfully configured the combination to provide PPTP, but now I have to figure out how to enable L2TP. Has anyone done this? Can you point me to a step-by-step tutorial?"


  1. My vpn experiences... by Leknor · · Score: 3

    I've never heard of L2TP before your post but here is the vpn I've recently setup.

    I got vpnd and put it on two boxes on the internet. Each box was on the edge of a company network providing ip_masq and basic firewalling. The biggest problem I had was a conceptual problem with vpn'ing, and it was that you are effectively creating one big network, not two networks connected together. Maybe this is obvious to others but it wasn't on any web site I've read, and networking isn't common enough for me to pay for a class or something.

    Before I go any further, the vpnd setup has been semi-reliable. This doesn't bother me because we have taken two average connections to the internet and created a convenient, non-critical link for dirt cheap. If you need a reliable link, put the money into it until it is as reliable as you need it. Open source and GNU/Linux are good but not the answer to everything ... yet. :-)

    Here is the info that would have saved me a few hours. I'm assuming you've read the readme and faq from vpnd. You have two private networks, we'll call them 192.168.0.0/24 and 192.168.127.0/24. Choose one to be the client and one the server. In our case one had a changing IP addr, so we made that one the client. Then set up all the config options in vpnd.conf like it should be. Here's what got me: when you set up the route1 option, the netmask needs to be a netmask that includes both sub-networks. In my case I used 255.255.0.0.

    If you need more help feel free to email me.

    Leknor

  2. You will choke on IPSec by d4emon · · Score: 3

    In order to provide encryption and authentication with L2TP, IPSec is used. Unlike PPTP which encrypts the packet and then encapsulates the ppp payload inside another layer of tcp/ip headers, L2TP relies on IPSec to encrypt the layer 2 payload and wraps it in TCP/IP headers. The problem is that the WHOLE packet is checksummed (including both TCP and IP headers.) What that means is that if you NAT the packet, the packet will be rewritten, the checksum will fail, and the packet will be dropped on the other side of the tunnel.

    --
    _____________ Blah, blah, this is my sig, yackyty shmakity

  3. Setup L2TP on your linux box by malice95 · · Score: 2

    I suggest, to avoid problems with your linux box masquerading packets which have already been checksummed, that you set up the vpn service on your linux box. L2TP is essentially ipsec. If you follow the VPN howto, available at most Linux howto sites, or visit the www.freeswan.org?? site, you should be able to get it up and running in no time.

    Malice95

  4. This is how it works... by VeniDormi · · Score: 2

    L2TP (Layer 2 Tunneling Protocol) is typically used with IPSec the same way PPP (Point-to-Point Protocol) is used with PPTP (L2TP/IPSec is the default VPN config for Win2K). L2TP encapsulates IP, IPX or whatever, and is encapsulated inside IPSec. From the RFC Draft: "The Layer Two Tunneling Protocol (L2TP) ... permits the tunneling of the link layer (i.e., HDLC, async HDLC) of PPP." In essence it's a pared-down PPP specifically for use in tunneling multiple protocols over IP.

    You can actually masquerade IPSec connections under the right circumstances, although I'd recommend patching your Linux firewall with the FreeS/WAN stuff and doing it from there unless you absolutely HAVE to.

    From John Hardin's website:
    "The IPsec AH protocol (51/ip) incorporates a cryptographic checksum including the IP addresses in the IP header. Since masquerading changes those IP addresses and since the cryptographic checksum cannot be recalculated by the masquerading firewall, the masqueraded packets will fail the checksum test and will be discarded by the remote IPsec gateway. Therefore, IPsec implementations that use the AH protocol cannot be successfully masqueraded. Sorry. (ESP with authentication can be masqueraded.)"

    Some links you might find helpful:
    Linux L2TP Daemon (rather old)
    The Draft RFC mentioned above (from the same site)
    John Hardin's VPN Masquerading Website
    FreeS/WAN home page (IPSec for Linux)
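The checksum argument made in comments 2 and 4 (AH authenticates the IP addresses, so masquerading breaks it; ESP authentication excludes the outer IP header, so it survives), as an added illustration that is not part of the original thread. It models only the authentication scope of the two protocols with an HMAC over a constructed 20-byte IPv4 header; the key, addresses and payload are constructed demo values, not real SA parameters.

```python
import hmac, hashlib, struct
from ipaddress import IPv4Address

KEY = b"constructed-demo-key"  # constructed shared key, not a real SA key
AH, ESP = 51, 50                # IP protocol numbers

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (header checksum left at zero; constructed)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def ah_auth_scope(header):
    """AH covers the IP header with mutable fields (TTL, header checksum) zeroed;
    the source and destination addresses remain inside the authenticated scope."""
    return header[:8] + b"\x00" + header[9:10] + b"\x00\x00" + header[12:]

def icv(data):
    # Truncated HMAC, in the style of IPsec's HMAC-based integrity check values
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]

def build(mode, src, dst, payload):
    """Sender side: header + payload + ICV. ESP's ICV covers only the payload."""
    hdr = ipv4_header(src, dst, mode, len(payload) + 12)
    scope = ah_auth_scope(hdr) + payload if mode == AH else payload
    return hdr + payload + icv(scope)

def verify(mode, packet):
    """Remote gateway side: recompute the ICV over the same scope and compare."""
    hdr, body, tag = packet[:20], packet[20:-12], packet[-12:]
    scope = ah_auth_scope(hdr) + body if mode == AH else body
    return hmac.compare_digest(icv(scope), tag)

def forward(packet):
    """A plain router hop: only the (mutable) TTL changes."""
    return packet[:8] + bytes([packet[8] - 1]) + packet[9:]

def masquerade(packet, public_src):
    """What ip_masq does: decrement TTL and rewrite the source address."""
    pkt = forward(packet)
    return pkt[:12] + IPv4Address(public_src).packed + pkt[16:]
```

Run verify() on the AH packet after forward() and after masquerade() to see that routing alone is tolerated but address rewriting is not, while the ESP packet verifies in both cases.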