xl2tpd woes

I’ve been trying to get an IPsec/L2TP VPN server going on spade. This kind of VPN involves several layers (ipsec, l2tp and ppp) which all seem to fail independently and differently depending on how I test a configuration. So far it’s been a 4-day epic.

I figured I should establish that L2TP worked in a trivial case before trying to glue it together with ipsec. So I installed xl2tpd on scuff and tried to connect over the local network.

Here are some lessons learnt:

  • Bringing LACs up is a bit convoluted (you write “c lacname” to the control file).
  • The xl2tpd.conf file sets PPP and L2TP parameters. These shouldn’t be confused: auth file, hostname and challenge are L2TP things.
  • As a consequence, always use /etc/ppp/chap-secrets, not the l2tp secrets file.
  • xl2tpd has a bug that makes refuse authentication in a LAC section do the opposite of what you would expect.

When you write refuse authentication = no in a LAC section, xl2tpd adds refuse-chap and refuse-pap to the PPP options unconditionally. This results in a lot of “peer refused to authenticate” PPP errors. The bug is present in version 1.2.0 and Debian’s dfsg-1 release. I made some noise on their list and a bug report.

I guess hardly anybody manually creates L2TP client connections, because otherwise this would have been really obvious (at least that something was wrong; pinning down the actual problem took me a day of tcpdumps, source perusal and log file reading).

Update: patch accepted in xl2tpd 1.2.2
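As an added example (not the author's own configuration), here is the minimal LAC setup the post describes, assuming a LAC named testlac, an LNS at the placeholder address 192.0.2.10 and a PPP user testuser; in the affected versions (1.2.0 and Debian's dfsg-1) even this refuse authentication = no section made xl2tpd hand refuse-chap and refuse-pap to pppd, which is the behaviour fixed in 1.2.2.

```ini
; /etc/xl2tpd/xl2tpd.conf (added example; addresses and names are placeholders)
[global]
port = 1701
; L2TP-level tunnel settings ("auth file", "hostname", "challenge") belong
; here or in the [lac]/[lns] sections; they are not PPP settings.

[lac testlac]
lns = 192.0.2.10                 ; placeholder LNS address
; PPP-level settings. In xl2tpd 1.2.0 / Debian dfsg-1 the line below still
; produced "refuse-chap refuse-pap" on the pppd command line, giving
; "peer refused to authenticate" errors; fixed in 1.2.2.
refuse authentication = no
require chap = yes
refuse pap = yes
name = testuser                  ; PPP peer name, looked up in chap-secrets
pppoptfile = /etc/ppp/options.l2tpd.client
ppp debug = yes                  ; log pppd negotiation while testing

; /etc/ppp/chap-secrets -- PPP credentials go here, not in the l2tp secrets file
# client     server   secret                 IP addresses
# testuser   *        "example-secret"       *

; bring the LAC up by writing to xl2tpd's control file
; (path is the Debian default; check where your build puts it):
;   echo "c testlac" > /var/run/xl2tpd/l2tp-control
```

With ppp debug enabled, the pppd options xl2tpd actually passed (including any refuse-chap/refuse-pap) show up in the system log, which is the quickest way to tell whether a given build carries the bug.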

launch for Mac OS X

I’m in the habit of keeping multiple profiles under firefox. It means I can have a profile for FF2 (with old plugins that haven’t been ported to FF3), a profile for development with FF3, and one for general browsing with FF3.

Despite their usefulness, profiles seem to be discouraged. The profile manager isn’t shown by default. You have to start the firefox binary with -P to get it up.

Having multiple profiles is great, but under Mac OS X it’s not easy to use them simultaneously. Trying to re-launch an application just activates the currently open instance. Aside from the (wasteful) hack of duplicating the .app directory, how do you open the same application twice under Mac OS X?

The answer is launch. It’s in fink too.

launch -m -a Firefox

Apparently Quicksilver had a “Launch a copy” action that did something similar, but I can’t find it in the current version.

google SPF bounces

Google’s gmail MX is doing the right thing by enforcing SPF rules, but the wrong thing by sending bounces (backscatter) to the address that those SPF rules indicate is forged.

I got the following message from the google mailer daemon (addresses obscured, of course, but xxx@xxxxxxxx.com does list google’s mail domains in its MX DNS records):