I'm setting up a VPN gateway with strongSwan + l2tpns on Debian. It
works perfectly so far except with Mac OSX clients, as has been
previously reported by Wolfgang Hennerbichler on this same list, and I
found that if I do like he suggests in his page at
http://www.wogri.at/RoadWarrior-VPN.249.0.html and comment out the
code that sends the Hello packets, Mac clients now work.
That is not an option for the production environment, so I looked a
bit more into the issue. I captured the L2TP traffic on Wireshark with
a Debian client (with xl2tpd as L2TP client) and I saw the same
effect: as soon as the server receives the SCCN packet and opens the
tunnel, the regular cleanup process sends a Hello packet immediately,
not paying attention to the 60s timeout. The only difference being
that xl2tpd simply ignores the packet while OSX chokes on it and
terminates the connection.
The really strange thing however is that I did the same with a Windows
XP client (turning off the IPsec part of the VPN client via the
registry) and in that capture the extraneous Hello packet was not
sent! And the only differences I could find between both connections
were that: a) the Framing capabilities AVP (Microsoft announced Async
= False, xl2tpd announced Async=True), which I think l2tpns doesn't
pay attention to, and b) the Receive Window size (8 in Microsoft, 4 in
xl2tpd). But changing the window size only delays the sending of the
ZLBs, but the server still sends the extraneous Hello packets to
What can be happening here???
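
The check described in the post, as an added example that is not part of the original message and not l2tpns code: it parses L2TPv2 control headers (RFC 2661) from a capture of one client/server conversation and reports every server Hello sent before the 60 s idle interval has elapsed. The function names, the `(timestamp, direction, payload)` tuple layout and the sample packets are assumptions constructed for illustration.

```python
import struct

SCCRQ, SCCRP, SCCN, HELLO = 1, 2, 3, 6   # RFC 2661 control message types
HELLO_INTERVAL = 60.0                     # the 60s timeout mentioned in the post

def parse_control(payload):
    """Return (tunnel_id, ns, nr, msg_type) for an L2TPv2 control packet,
    or None for data/malformed packets. msg_type is None for a ZLB."""
    if len(payload) < 12:
        return None
    flags, length, tid, _sid, ns, nr = struct.unpack("!6H", payload[:12])
    # Control packets carry the T, L and S bits and protocol version 2.
    if flags & 0xC800 != 0xC800 or flags & 0x000F != 2 or length > len(payload):
        return None
    if length == 12:
        return tid, ns, nr, None          # zero-length body: plain ack
    if length < 20:
        return None
    avp, vendor, attr, value = struct.unpack("!4H", payload[12:20])
    # The first AVP must be Message Type: vendor 0, attribute 0, length 8.
    if vendor != 0 or attr != 0 or avp & 0x03FF != 8:
        return None
    return tid, ns, nr, value

def early_hellos(packets, interval=HELLO_INTERVAL):
    """packets: (timestamp, 'c2s' or 's2c', udp_payload) for one conversation.
    Returns (timestamp, idle_seconds) for each premature server Hello."""
    established, last_rx, findings = False, None, []
    for ts, direction, payload in packets:
        msg = parse_control(payload)
        if direction == "c2s":
            last_rx = ts                  # any packet from the peer resets the timer
            established = established or bool(msg and msg[3] == SCCN)
        elif established and msg and msg[3] == HELLO and ts - last_rx < interval:
            findings.append((ts, ts - last_rx))
    return findings

def build(tid, ns, nr, msg_type=None):
    """Construct a control packet for the sample below (test helper)."""
    avp = b"" if msg_type is None else struct.pack("!4H", 0x8008, 0, 0, msg_type)
    return struct.pack("!6H", 0xC802, 12 + len(avp), tid, 0, ns, nr) + avp

SAMPLE = [  # constructed capture, not taken from the post
    (0.0, "c2s", build(0, 0, 0, SCCRQ)),
    (0.25, "s2c", build(7, 0, 1, SCCRP)),
    (0.5, "c2s", build(9, 1, 1, SCCN)),    # tunnel opens
    (0.75, "s2c", build(7, 1, 2, HELLO)),  # Hello right after SCCN: flagged
    (1.0, "c2s", build(9, 2, 2)),          # ZLB ack from the client
    (61.5, "s2c", build(7, 2, 2, HELLO)),  # Hello after >60 s of silence: normal
]

if __name__ == "__main__":
    print(early_hellos(SAMPLE))
```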