[Openswan dev] IPComp

Paul Wouters paul at xelerance.com
Fri Jul 2 14:36:03 CEST 2004

On Thu, 1 Jul 2004, Dominique Blas wrote:

> Indeed, when using IPComp it works, when not using the compress it doesn't not work any more (no packet comes back through the tunnel).
> With IPComp it works but only packets that size less than 348 bytes (ping -s 319 works) can come back through the tunnel (they go through but don't come back; however the echo reply
> has exactly the same size as the echo request packet) and there is no error in the syslog.
> I confirm that the scenario is the same with packets of 1500 bytes : they go through but don't come back.
> Of course, when I try to send packet from the SFreeswan, only packets with an overall size of less that 348 (ping -s 320) can go through.

I can't advise on this bit. I will leave this to people who know more about
the internals then I do, but.

> WITHOUT compression big packets (> 1000 bytes) can go through the interface (and come back) BUT many memory allocations from pluto failed (lack of memory) and,
> finally, the tunnel hangs.

There have been a few fixes to pluto memory leaks from Hugh Redelmeier. I
recommend you upgrade the SFS machines to Openswan-1, which is a continuation
of that SFS tree. If you still experience problems, can you edit pluto's
Makefile and enable -DLEAK_DETECTIVE ?
Then run it for a while, but before completely exhausting the memory,
shutdown the ipsec service and check the logs for messages from pluto. It
is important to shut it down, since the leaks are only logged when shutting


<Reverend> IRC is just multiplayer notepad.

More information about the Dev mailing list