<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7654.12">
<TITLE>Re: [Openswan Users] L2TP/IPSEC response unencrypted(wasopenswan-2.6.24rc1 NATed MacOS Kernel crash)</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<BR>
<P><FONT SIZE=2>> So my current concern with the last patch is that it may break netkey.<BR>
<BR>
In fact it did. By setting protostack=netkey, I was unable to connect using NAT-T and openswan-2.6.24rc1 + your latest patch:<BR>
<BR>
01:27:20.985552 IP 10.1.1.10.4500 > 10.1.1.9.4500: NONESP-encap: isakmp: phase 1 I ident[E]<BR>
01:27:20.989607 IP 10.1.1.9.4500 > 10.1.1.10.4500: NONESP-encap: isakmp: phase 1 R ident[E]<BR>
01:27:20.993305 IP 10.1.1.10.4500 > 10.1.1.9.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]<BR>
01:27:21.028567 IP 10.1.1.9.4500 > 10.1.1.10.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]<BR>
01:27:21.051405 IP 10.1.1.10.4500 > 10.1.1.9.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]<BR>
01:27:21.053492 IP 10.1.1.10.4500 > 10.1.1.9.4500: UDP-encap: ESP(spi=0x71442200,seq=0x1), length 156<BR>
01:27:22.050637 IP 10.1.1.10.4500 > 10.1.1.9.4500: UDP-encap: ESP(spi=0x71442200,seq=0x2), length 156<BR>
01:27:23.079834 IP 10.1.1.9.1701 > 10.1.1.10.1701: l2tp:[TLS](42/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...<BR>
01:27:23.080538 IP 10.1.1.9.1701 > 10.1.1.10.1701: l2tp:[TLS](42/0)Ns=0,Nr=1 ZLB<BR>
01:27:23.080806 IP 10.1.1.10 > 10.1.1.9: ICMP 10.1.1.10 udp port 1701 unreachable, length 139<BR>
01:27:23.080827 IP 10.1.1.10 > 10.1.1.9: ICMP 10.1.1.10 udp port 1701 unreachable, length 48<BR>
01:27:24.049890 IP 10.1.1.10.4500 > 10.1.1.9.4500: UDP-encap: ESP(spi=0x71442200,seq=0x3), length 156<BR>
01:27:24.051864 IP 10.1.1.9.1701 > 10.1.1.10.1701: l2tp:[TLS](42/0)Ns=0,Nr=1 ZLB<BR>
01:27:24.052402 IP 10.1.1.10 > 10.1.1.9: ICMP 10.1.1.10 udp port 1701 unreachable, length 48<BR>
01:27:24.081143 IP 10.1.1.9.1701 > 10.1.1.10.1701: l2tp:[TLS](42/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...<BR>
01:27:24.081888 IP 10.1.1.10 > 10.1.1.9: ICMP 10.1.1.10 udp port 1701 unreachable, length 139<BR>
01:27:25.081161 IP 10.1.1.9.1701 > 10.1.1.10.1701: l2tp:[TLS](42/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...<BR>
01:27:25.082610 IP 10.1.1.10 > 10.1.1.9: ICMP 10.1.1.10 udp port 1701 unreachable, length 139<BR>
01:27:25.191517 IP 10.1.1.10.4500 > 10.1.1.9.4500: isakmp-nat-keep-alive<BR>
01:27:26.081784 IP 10.1.1.9.1701 > 10.1.1.10.1701: l2tp:[TLS](42/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...<BR>
01:27:26.082560 IP 10.1.1.10 > 10.1.1.9: ICMP 10.1.1.10 udp port 1701 unreachable, length 139<BR>
01:27:27.085507 IP 10.1.1.9.1701 > 10.1.1.10.1701: l2tp:[TLS](42/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() |...<BR>
01:27:27.086378 IP 10.1.1.10 > 10.1.1.9: ICMP 10.1.1.10 udp port 1701 unreachable, length 139<BR>
01:27:28.056206 IP 10.1.1.10.4500 > 10.1.1.9.4500: UDP-encap: ESP(spi=0x71442200,seq=0x4), length 156<BR>
01:27:28.058190 IP 10.1.1.9.1701 > 10.1.1.10.1701: l2tp:[TLS](42/0)Ns=0,Nr=1 ZLB<BR>
01:27:28.058767 IP 10.1.1.10 > 10.1.1.9: ICMP 10.1.1.10 udp port 1701 unreachable, length 48<BR>
<BR>
So I unapplied the patch (only the last one), recompiled, and I was able to connect using netkey again. This was tested on Ubuntu 8.04.<BR>
<BR>
<BR>
> I would also like to see multiple OSX behind a single NAT working, but<BR>
> that's another discussion ;-)<BR>
<BR>
Now, that's just not for me. No OSX over here. Anyone with the time and resources to do it?<BR>
<BR>
> Hmm, do you get an oops ? If so it can't hurt to post them, might help<BR>
> figure it out. Which kernel version is CentOS ?<BR>
<BR>
Every time. I'm attaching a few of them. I've only tested on kernels 2.6.18.7.1-128.centos.plus and 2.6.18-164.el5, and both of them crashed. I recompiled 2.6.18.7.1-128.centos.plus with old-style NAT-T, since the new style won't work with kernels below 2.6.23, and on the few times I could get the ipsec module running without oopsing, openswan-2.6.24rc1 + your patches got KLIPS and NAT-T working on CentOS. I had previously tested with openswan-2.6.24rc1, netkey and NAT-T and it did work (thanks Paul), but as soon as I loaded ipsec.ko, the oopses were all over the place. They happened while connecting an XP client using NAT-T and also while injecting/removing the ipsec module. With your patch, it's now down to the problem while injecting/removing the ipsec module. At least, no more oopses with NAT-T and KLIPS! :-)<BR>
<BR>
Oh, and your patch broke netkey on CentOS too, so it's safe to assume that it needs to be called specifically when using KLIPS.<BR>
<BR>
> I tend to run Linus kernels, beats me what could cause problems with Ubuntu<BR>
> and NAT-T, but again, an oops may help,<BR>
<BR>
I'm attaching it also. Your latest patch did not help with this particular Oops. The only way to get the information I'm attaching was to use kdump. Netconsole was unable to send the Oops to the remote machine.<BR>
<BR>
Hope this helps,<BR>
<BR>
Giovani</FONT>
</P>
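<P><FONT SIZE=2>Added example, not part of the original thread: a small Python checker, run over lines lifted from the tcpdump capture above, that flags L2TP control traffic leaving in the clear between two hosts that already carry a UDP-encapsulated ESP SA, and counts the ICMP port-unreachable replies the peer sends back. Only the tcpdump line shapes shown in this message are assumed.</FONT></P>

```python
import re

# Constructed sample: lines taken from the capture in the message above (abridged).
SAMPLE = """\
01:27:20.985552 IP 10.1.1.10.4500 > 10.1.1.9.4500: NONESP-encap: isakmp: phase 1 I ident[E]
01:27:21.053492 IP 10.1.1.10.4500 > 10.1.1.9.4500: UDP-encap: ESP(spi=0x71442200,seq=0x1), length 156
01:27:23.079834 IP 10.1.1.9.1701 > 10.1.1.10.1701: l2tp:[TLS](42/0)Ns=0,Nr=1 *MSGTYPE(SCCRP) *PROTO_VER(1.0)
01:27:23.080806 IP 10.1.1.10 > 10.1.1.9: ICMP 10.1.1.10 udp port 1701 unreachable, length 139
01:27:24.049890 IP 10.1.1.10.4500 > 10.1.1.9.4500: UDP-encap: ESP(spi=0x71442200,seq=0x3), length 156
01:27:24.051864 IP 10.1.1.9.1701 > 10.1.1.10.1701: l2tp:[TLS](42/0)Ns=0,Nr=1 ZLB
"""

LINE = re.compile(r"^(\S+) IP (\S+) > (\S+): (.*)$")
MSGTYPE = re.compile(r"MSGTYPE\((\w+)\)")

def split_addr(addr):
    """'10.1.1.10.4500' -> ('10.1.1.10', 4500); '10.1.1.10' -> ('10.1.1.10', None)."""
    parts = addr.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return addr, None

def check_capture(text):
    """Return cleartext L2TP findings plus the count of ICMP 'udp port 1701 unreachable'.

    A finding is (timestamp, sender, receiver, L2TP message type). L2TP that tcpdump
    can decode on the wire was never wrapped in ESP; if an ESP SA already exists
    between the two hosts (either direction), that is the unencrypted response the
    thread is about, and the peer's ICMP unreachable is the expected side effect.
    """
    esp_pairs = set()          # (src_host, dst_host) seen carrying UDP-encap ESP
    findings, unreachable = [], 0
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, src, dst, payload = m.groups()
        shost, sport = split_addr(src)
        dhost, dport = split_addr(dst)
        if payload.startswith("UDP-encap: ESP("):
            esp_pairs.add((shost, dhost))
        elif payload.startswith("l2tp:") and 1701 in (sport, dport):
            if (shost, dhost) in esp_pairs or (dhost, shost) in esp_pairs:
                mt = MSGTYPE.search(payload)
                kind = mt.group(1) if mt else payload.rsplit(" ", 1)[-1]
                findings.append((ts, shost, dhost, kind))
        elif payload.startswith("ICMP") and "udp port 1701 unreachable" in payload:
            unreachable += 1
    return {"cleartext_l2tp": findings, "icmp_unreachable_1701": unreachable}

if __name__ == "__main__":
    for f in check_capture(SAMPLE)["cleartext_l2tp"]:
        print("cleartext L2TP %s from %s to %s at %s" % (f[3], f[1], f[2], f[0]))
```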
</BODY>
</HTML>