Re: [L2tpd-devel] [PATCH] various patches
From: Eric S. <er...@tr...> - 2002-01-15 21:21:29
On Tue, 15 Jan 2002, Jeff Mcadams wrote:
> Also sprach Eric Sorenson
> [FreeS/WAN with l2tpd]
>
> >It works pretty well with freeswan, I got it working in "Win2K
> >Emulation Mode" last month.
>
> Wow...how did I miss that message on the list?

Amazing. It was sort of buried.. I was surprised that nobody commented though :-)

> Anyway...that's good to know that it works. Have you run across anyone
> that has this type of setup interoperating with w2k itself? That'd be
> nice to confirm. :)

From groveling through both this list and freeswan-users archives, I don't think anybody else has gotten that far.

> Kinda my thinking as well...but I really didn't know enough about IPSec
> to comment intelligently on it. I didn't know if there were FreeS/WAN
> libs or something that we could build into l2tpd to leverage their work
> in ours.
>
> Something like that would be cool, but I fear that its not terribly
> practical given the nature of the things that we're dealing with here.

It's also not necessary. Luckily Unix is pretty reasonable and makes this sort of stuff easy by following its own rules. The routing table gets consulted at each stage of the encapsulation and it's OK if the destination is another pseudo-device on the same machine.

packet destined through tunnel
  -> 'ip ro add 10/8 dev ppp0'
  -> l2tpd
  -> l2tpd encap. to other endpoint
  -> 'ip ro add end.poi.n.t/32 dev ipsec0'
  -> freeswan SA match for end.poi.n.t/32 proto0/port0
  -> crypto via klips
  -> ipsec encap. to other endpoint
  -> 'ip ro add default via gat.ew.a.y dev eth0'

> It may ultimately just be best to have good documentation on the
> integration of the two components, work with distro vendors so that
> their tools can support configuration of FreeS/WAN and l2tpd better, and
> maybe working with the two packages to make the integration easier to
> begin with. I'm all ears for suggestions on the latter for the l2tpd
> side of things.

It's pretty far from being "productized" at this point.
I'm working on making it a little easier to set up though, because there are more people who want to use it internally here, and it's kind of painful to set a new person up now. No particular order, but here are some todos/q's:

l2tpd/pppd:
- explore making the username/password entry 'interactive'
- make configurable the route that gets added; the only option I found in pppd now is the defaultgateway / nodefaultgateway, which isn't quite right.

freeswan:
- had to patch freeswan to use x.509 certs from www.strongsec.com
- had to patch freeswan not to crap out on last QM phase2 message (this is xedia-specific strangeness I think); changed FALSE to TRUE in freeswan-1.94/pluto/ipsec_doi.c:1835 check_net_id() routine
- fix _updown shell script to add the proper route for transport mode connections (should be to 'right's IP through /dev/ipsec0, not to 'rightsubnet' through 'right')

I'll work on pulling the requisite changes together in a patch/RPM as I set up more systems, to make this easier on others.

Dunno about using it against a W2K server, but I suspect the IPSEC transport-mode negotiation wouldn't succeed; w2k expects a more specific SA than freeswan can currently negotiate (transport mode, any protocol, port 1701). I will try to set a w2k server up to test this.

-=Eric