[Openswan dev] Openswan 2.3.1/2.4.0rc1 instability with L2TP

Dirk Nehring dnehring at marcant.net
Wed Aug 24 01:20:43 CEST 2005

On Mon, Aug 22, 2005 at 05:44:53PM -0400, Michael Richardson wrote:
> >>>>> "Norbert" == Norbert Wegener <nw at sbs.de> writes:
>     Norbert> Further analysis showed, that when using a netkey kernel
>     Norbert> instead of KLIPS and openswan-2.4.0rc1 , everything worked
>     Norbert> as expected.  So the problem seems to be only partially
>     Norbert> causes by the fragment_size miscalculation. The main reason
>     Norbert> seems to be related to KLIPS.  Norbert Wegener
>   tcpdump -i ipsec0 -w /tmp/ipsec0.pcap -s 1600
>   tcpdump -i eth1 -w /tmp/eth0.pcap -s 1600
>   on the server end of things. (assuming eth1 is your external
> interface)
>   I have been told that there are issues with fragmentation of
> transport-mode packets.  Don't ask me what I think of L2TP.

I have found the problem: there is something between 2.3.1 and 2.4.0dr8
which breaks IPSec/L2TP with NETKEY. There is an useless addition route
and the tunnel collapses at the first encrypted packet. Tomorrow I'll
give you further information.

For now:
openswan 2.3.1/l2tp NETKEY: works
strongswan 2.5.2/l2tp NETKEY: works
openswan 2.4.0dr8 and up/NETKEY: tunnel collapes

Authentification: IPSEc via PSK, PPP via CHAP (no RADIUS).

I'm using exactly the same config for all 3 setups.


Dirk Nehring         | MarcanT Internet-Services GmbH
Technischer Leiter   | Ravensberger Str. 10G
                     | D-33602 Bielefeld
dnehring at marcant.net | <http://www.marcant.net/>

More information about the Dev mailing list