[Openswan dev] Openswan 2.3.1/2.4.0rc1 instability with L2TP
Dirk Nehring
dnehring at marcant.net
Wed Aug 24 23:24:01 CEST 2005
On Wed, Aug 24, 2005 at 12:20:43AM +0200, Dirk Nehring wrote:
> On Mon, Aug 22, 2005 at 05:44:53PM -0400, Michael Richardson wrote:
> >
> > >>>>> "Norbert" == Norbert Wegener <nw at sbs.de> writes:
> > Norbert> Further analysis showed, that when using a netkey kernel
> > Norbert> instead of KLIPS and openswan-2.4.0rc1 , everything worked
> > Norbert> as expected. So the problem seems to be only partially
> > Norbert> caused by the fragment_size miscalculation. The main reason
> > Norbert> seems to be related to KLIPS. Norbert Wegener
> >
> > tcpdump -i ipsec0 -w /tmp/ipsec0.pcap -s 1600
> > tcpdump -i eth1 -w /tmp/eth0.pcap -s 1600
> >
> > on the server end of things. (assuming eth1 is your external
> > interface)
> >
> > I have been told that there are issues with fragmentation of
> > transport-mode packets. Don't ask me what I think of L2TP.
>
> I have found the problem: there is something between 2.3.1 and 2.4.0dr8
> which breaks IPSec/L2TP with NETKEY. There is a useless additional route
> and the tunnel collapses at the first encrypted packet. Tomorrow I'll
> give you further information.
>
> For now:
> openswan 2.3.1/l2tp NETKEY: works
> strongswan 2.5.2/l2tp NETKEY: works
> openswan 2.4.0dr8 and up/NETKEY: tunnel collapses
>
> Authentication: IPsec via PSK, PPP via CHAP (no RADIUS).
Further information: I tracked it down to a NAT-T problem: openswan
2.4.0dr8 and up also works with IPSec/L2TP, but without NAT-T. With
NAT-T, 2.3.1 is the last working version for me (can't compile dr2
btw.).
Dirk
--
Dirk Nehring | MarcanT Internet-Services GmbH
Technischer Leiter | Ravensberger Str. 10G
| D-33602 Bielefeld
dnehring at marcant.net | <http://www.marcant.net/>