[Openswan dev] Openswan 2.3.1/2.4.0rc1 instability with L2TP
Dirk Nehring
dnehring at marcant.net
Wed Aug 24 01:20:43 CEST 2005
On Mon, Aug 22, 2005 at 05:44:53PM -0400, Michael Richardson wrote:
>
> >>>>> "Norbert" == Norbert Wegener <nw at sbs.de> writes:
> Norbert> Further analysis showed that when using a netkey kernel
> Norbert> instead of KLIPS and openswan-2.4.0rc1, everything worked
> Norbert> as expected. So the problem seems to be only partially
> Norbert> caused by the fragment_size miscalculation. The main reason
> Norbert> seems to be related to KLIPS. Norbert Wegener
>
> tcpdump -i ipsec0 -w /tmp/ipsec0.pcap -s 1600
> tcpdump -i eth1 -w /tmp/eth0.pcap -s 1600
>
> on the server end of things. (assuming eth1 is your external
> interface)
>
> I have been told that there are issues with fragmentation of
> transport-mode packets. Don't ask me what I think of L2TP.
I have found the problem: there is something between 2.3.1 and 2.4.0dr8
which breaks IPsec/L2TP with NETKEY. There is a useless additional route
and the tunnel collapses at the first encrypted packet. Tomorrow I'll
give you further information.
For now:
openswan 2.3.1/l2tp NETKEY: works
strongswan 2.5.2/l2tp NETKEY: works
openswan 2.4.0dr8 and up/NETKEY: tunnel collapses
Authentication: IPsec via PSK, PPP via CHAP (no RADIUS).
I'm using exactly the same config for all 3 setups.
Dirk
--
Dirk Nehring           | MarcanT Internet-Services GmbH
Technical Director     | Ravensberger Str. 10G
                       | D-33602 Bielefeld
dnehring at marcant.net | <http://www.marcant.net/>
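The thread twice points at fragmentation of transport-mode L2TP/IPsec packets (the fragment_size miscalculation Norbert mentions and Michael's remark about transport-mode fragmentation). The following is an added example, not code from the thread or from Openswan: it works out how much ESP transport mode adds to a UDP/L2TP/PPP frame and the largest PPP MTU that keeps the encrypted packet within a 1500-byte link, so an operator can lower the PPP MTU instead of letting the outer IP layer fragment. The L2TP and PPP header sizes and the ESP algorithm parameters (AES-CBC-128 with a 16-byte IV, HMAC-SHA1-96 with a 12-byte ICV, 3DES as the alternative) are assumptions chosen for illustration.

```python
# Added example (not from the thread): estimate whether an L2TP/PPP frame
# still fits the link MTU after ESP transport-mode encapsulation, so the
# PPP MTU can be lowered instead of relying on outer IP fragmentation.
# Header sizes and ESP parameters below are assumptions for illustration.

IP_HDR = 20          # IPv4 header without options
UDP_HDR = 8
L2TP_HDR = 6         # assumed: L2TPv2 data header with no optional fields
PPP_HDR = 4          # assumed: address/control (2) + protocol (2)
ESP_HDR = 8          # SPI + sequence number
NAT_T_UDP = 8        # extra UDP header when ESP is UDP-encapsulated (NAT-T)


def esp_transport_len(payload_len, block=16, iv=16, icv=12, nat_t=False):
    """On-wire length of an ESP transport-mode packet protecting payload_len
    bytes of transport-layer data (UDP header onwards), including the outer
    IPv4 header. Defaults model AES-CBC-128 with HMAC-SHA1-96."""
    # ESP trailer = pad length (1) + next header (1); the encrypted region
    # (payload + padding + trailer) must be a multiple of the cipher block.
    pad = (-(payload_len + 2)) % block
    esp = ESP_HDR + iv + payload_len + pad + 2 + icv
    return IP_HDR + (NAT_T_UDP if nat_t else 0) + esp


def l2tp_payload_len(inner_ip_len):
    """Transport-layer bytes ESP has to protect for one PPP frame carrying
    an inner IP packet of inner_ip_len bytes."""
    return UDP_HDR + L2TP_HDR + PPP_HDR + inner_ip_len


def fragments_on_link(inner_ip_len, link_mtu=1500, **esp_params):
    """True when the encrypted packet exceeds the link MTU and the outer
    IP layer would have to fragment it."""
    return esp_transport_len(l2tp_payload_len(inner_ip_len), **esp_params) > link_mtu


def max_inner_mtu(link_mtu=1500, **esp_params):
    """Largest inner IP packet (i.e. PPP MTU) that never needs outer
    fragmentation on a link of link_mtu bytes."""
    size = link_mtu
    while size > 0 and fragments_on_link(size, link_mtu, **esp_params):
        size -= 1
    return size


if __name__ == "__main__":
    for label, params in (("AES-CBC/HMAC-SHA1", {}),
                          ("3DES-CBC/HMAC-SHA1", {"block": 8, "iv": 8}),
                          ("AES-CBC + NAT-T", {"nat_t": True})):
        wire = esp_transport_len(l2tp_payload_len(1500), **params)
        print(f"{label}: PPP MTU <= {max_inner_mtu(1500, **params)} avoids "
              f"fragmentation; a 1500-byte inner packet goes out as {wire} bytes")
```

With the default AES parameters a full 1500-byte inner packet leaves the box as a 1576-byte ESP packet, which a 1500-byte Ethernet link must fragment; keeping the PPP MTU at or below the value `max_inner_mtu` returns for the negotiated cipher removes that fragmentation, and a tcpdump on the external interface is the quickest way to confirm it no longer happens.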