Bug 11273

Summary: Unable to port forward L2TP traffic.
Product: IPFire Reporter: Tom Rymes <tomvend>
Component: ---Assignee: Alexander Marx <alexander.marx>
Status: CLOSED WONTFIX QA Contact:
Severity: Minor Usability    
Priority: Will only affect a few users CC: michael.tremer, peter.mueller
Version: 2   
Hardware: all   
OS: All   
Bug Depends on:    
Bug Blocks: 11618    

Description Tom Rymes 2016-12-17 04:41:52 UTC 
As discussed in the forum: http://forum.ipfire.org/viewtopic.php?f=27&t=17438&p=103016&hilit=l2TP#p103016

We are trying to enable the use of a Windows RRAC VPN Host on our network by port forwarding L2TP and IPSec from Red to the server on green. Even after we have disabled IPSec and confirmed that StrongSwan is not running, we are still unable to establish a connection to the Windows server. I see no traffic being dropped while attempting a connection.

If we remove IPFire and plug the Windows server directly into the external circuit, it works just fine.
Comment 1 Tom Rymes 2017-06-02 21:24:41 UTC 
I am wondering if one of these two options in /etc/strongswan.d/charon.conf is the solution to this problem, namely to tell Charon to only listen to one of the aliases on the red interface:

   "# A comma-separated list of network interfaces that should be ignored, if
    # interfaces_use is specified this option has no effect.
    # interfaces_ignore =

    # A comma-separated list of network interfaces that should be used by
    # charon. All other interfaces are ignored.
    # interfaces_use ="

In other words, we currently have three addresses on the red interface, the main static IP and two aliases: red0, red0:0, and red0:1.

If we wished to point the L2TP traffic to the IP associated with red0:1, and all normal IPSec traffic is pointed at red0, then either of these should work?

interfaces_ignore = red0:1

or

interfaces_use = red0

Thoughts?

Tom
Comment 2 Michael Tremer 2018-02-12 00:05:11 UTC 
No if strongswan isn't running this shoudn't make any difference at all.

Is this still an issue for you we should be spending time on or is this not relevant any more? If so, since you are the only user who ran into this, please close.
Comment 3 Tom Rymes 2018-02-12 00:52:37 UTC 
As you have pointed out elsewhere, IKEv2 is the new standard, so this is superfluous.
Comment 4 Michael Tremer 2018-02-12 14:10:21 UTC 
Perfect. Thanks.