[Openswan dev] Openswan 2.3.1/2.4.0rc1 instability with L2TP
Norbert Wegener
nw at sbs.de
Tue Aug 23 12:59:07 CEST 2005
Michael Richardson wrote:
> Norbert> Further analysis showed, that when using a netkey kernel
> Norbert> instead of KLIPS and openswan-2.4.0rc1, everything worked
> Norbert> as expected. So the problem seems to be only partially
> Norbert> caused by the fragment_size miscalculation. The main reason
> Norbert> seems to be related to KLIPS. Norbert Wegener
>
> tcpdump -i ipsec0 -w /tmp/ipsec0.pcap -s 1600
> tcpdump -i eth1 -w /tmp/eth0.pcap -s 1600
>
> on the server end of things. (assuming eth1 is your external
> interface)
>
> I have been told that there are issues with fragmentation of
> transport-mode packets.
>
I do not have any problems with l2tp and fragmentation using the NETKEY
kernels and userland 2.4.0rc1.
> Don't ask me what I think of L2TP.
>
>
You can find the tcpdumps at:
http://www.wegener-net.de/openswan/eth1.pcap
http://www.wegener-net.de/openswan/ipsec0.pcap
tcpdump captured 100 packets on ipsec0 in contrast to 163 packets on eth1.
Additionally, there is the messages file with plutodebug=all and klipsdebug=all:
http://www.wegener-net.de/openswan/messages
Norbert
>- --
>] Michael Richardson Xelerance Corporation, Ottawa, ON | firewalls [
>] mcr @ xelerance.com Now doing IPsec training, see |net architect[
>] http://www.sandelman.ca/mcr/ www.xelerance.com/training/ |device driver[
>] I'm a dad: http://www.sandelman.ca/lrmr/ [