[Openswan dev] Openswan 2.3.1/2.4.0rc1 instability with L2TP

Norbert Wegener nw at sbs.de
Tue Aug 23 12:59:07 CEST 2005


Michael Richardson wrote:

>    Norbert> Further analysis showed that when using a netkey kernel
>    Norbert> instead of KLIPS and openswan-2.4.0rc1, everything worked
>    Norbert> as expected.  So the problem seems to be only partially
>    Norbert> caused by the fragment_size miscalculation. The main reason
>    Norbert> seems to be related to KLIPS.  Norbert Wegener
>
>  tcpdump -i ipsec0 -w /tmp/ipsec0.pcap -s 1600 
>  tcpdump -i eth1 -w /tmp/eth0.pcap -s 1600
>
>  on the server end of things. (assuming eth1 is your external
>interface)
>
>  I have been told that there are issues with fragmentation of
>transport-mode packets. 
>
I do not have any problems with l2tp and fragmentation using the NETKEY 
kernels and userland 2.4.0rc1.

> Don't ask me what I think of L2TP.
>  
>

You find the tcpdumps at:
http://www.wegener-net.de/openswan/eth1.pcap
http://www.wegener-net.de/openswan/ipsec0.pcap
tcpdump captured 100 packets on ipsec0 in contrast to 163 packets on eth1.

Additionally there is the messagefile with plutodebug=all and klipsdebug=all
http://www.wegener-net.de/openswan/messages

Norbert


>- -- 
>] Michael Richardson          Xelerance Corporation, Ottawa, ON |  firewalls  [
>] mcr @ xelerance.com           Now doing IPsec training, see   |net architect[
>] http://www.sandelman.ca/mcr/    www.xelerance.com/training/   |device driver[
>]                    I'm a dad: http://www.sandelman.ca/lrmr/                 [


