[Openswan dev] KLIPS and 802.1q

Tino Keitel tino.keitel at innominate.com
Mon May 21 10:30:04 EDT 2007

Hi folks,

I read the FAQ entry about VLAN with OpenS/WAN [1] and thought that it
should work. My impression was that ESP over VLAN is a supported

However, outgoing traffic (simple ICMP echo requests) gets stuck, the
TX error counter of the ipsec0 interface will increase with each
packet. I use Linux 2.6.19 and OpenS/WAN 2.4.7.

Debugging revealed that the ESP packets seem to be dropped in
linux/net/ipv4/route.c:ip_route_output_slow(). More specific, the
__in_dev_get_rtnl() call in this function returns NULL. In the
consequence, ipsec_tunnel_send() fails at the ip_route_output_key()

My ipsec0 interface is tied to the VLAN interface of eth0:

$ whack --status | head -1
000 interface ipsec0/eth0.0004

However, in ip_route_output_slow(), dev_out points to eth0 instead of
eth0.0004. As eth0 has no IP configured, the __in_dev_get_rtnl() call
fails. If I force dev_out to point to eth0.0004, the ESP packets are
transmitted and the VPN works.

Is this a bug? Or is this scenario not supported at all?

Thanks in advance and regards,

[1] http://wiki.openswan.org/index.php/Openswan/FAQ#a28

Tino Keitel
Software Engineer
Innominate Security Technologies AG
/protecting industrial networks/
Tel: +49.30.6392-3309
Fax: +49.30.6392-3307
Albert-Einstein-Str. 14
D-12489 Berlin

Register Court: AG Charlottenburg, HR B 81603
Management Board: Joachim Fietz, Dirk Seewald
Chairman of the Supervisory Board: Edward M. Stadum

More information about the Dev mailing list