[Openswan dev] KLIPS and 802.1q
Tino Keitel
tino.keitel at innominate.com
Mon May 21 10:30:04 EDT 2007
Hi folks,
I read the FAQ entry about VLAN with OpenS/WAN [1] and thought that it
should work. My impression was that ESP over VLAN is a supported
scenario.
However, outgoing traffic (simple ICMP echo requests) gets stuck, the
TX error counter of the ipsec0 interface will increase with each
packet. I use Linux 2.6.19 and OpenS/WAN 2.4.7.
Debugging revealed that the ESP packets seem to be dropped in
linux/net/ipv4/route.c:ip_route_output_slow(). More specifically, the
__in_dev_get_rtnl() call in this function returns NULL. As a
consequence, ipsec_tunnel_send() fails at the ip_route_output_key()
call.
My ipsec0 interface is tied to the VLAN interface of eth0:
$ whack --status | head -1
000 interface ipsec0/eth0.0004 192.168.151.1
However, in ip_route_output_slow(), dev_out points to eth0 instead of
eth0.0004. As eth0 has no IP configured, the __in_dev_get_rtnl() call
fails. If I force dev_out to point to eth0.0004, the ESP packets are
transmitted and the VPN works.
Is this a bug? Or is this scenario not supported at all?
Thanks in advance and regards,
Tino
[1] http://wiki.openswan.org/index.php/Openswan/FAQ#a28
--
Tino Keitel
Software Engineer
Innominate Security Technologies AG
/protecting industrial networks/
Tel: +49.30.6392-3309
Fax: +49.30.6392-3307
Albert-Einstein-Str. 14
D-12489 Berlin
http://www.innominate.com/
Register Court: AG Charlottenburg, HR B 81603
Management Board: Joachim Fietz, Dirk Seewald
Chairman of the Supervisory Board: Edward M. Stadum
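
Added example, not part of the original post or of Openswan: a Python check for the configuration the post describes, a KLIPS interface bound to a VLAN device whose parent device has no IPv4 address. The sample inputs are constructed, the `ip -o -4 addr show` style of the second input and the `name.VID` VLAN naming are assumptions, and the function names are hypothetical.

```python
import re

# Constructed sample input (not captured from a real host).
WHACK_STATUS = """\
000 interface ipsec0/eth0.0004 192.168.151.1
000 interface ipsec1/eth1 10.0.0.1
"""
# Constructed sample in the style of `ip -o -4 addr show` (assumed format).
IP_ADDR = """\
3: eth1    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth1
4: eth0.0004    inet 192.168.151.1/24 brd 192.168.151.255 scope global eth0.0004
"""

# Matches the interface line format quoted in the post.
IFACE_RE = re.compile(r"^\d{3} interface (ipsec\d+)/(\S+) (\S+)$")


def klips_bindings(status_text):
    """Return [(ipsec_dev, physical_dev, address)] from `whack --status` text."""
    matches = (IFACE_RE.match(line.strip()) for line in status_text.splitlines())
    return [m.groups() for m in matches if m]


def devices_with_ipv4(ip_addr_text):
    """Return the set of device names that carry at least one IPv4 address."""
    devs = set()
    for line in ip_addr_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "inet":
            # Drop a trailing ':' and any '@parent' suffix from the name.
            devs.add(fields[1].rstrip(":").split("@")[0])
    return devs


def at_risk_bindings(status_text, ip_addr_text):
    """Bindings on a VLAN device (name.VID) whose parent has no IPv4 address."""
    have_ip = devices_with_ipv4(ip_addr_text)
    flagged = []
    for ipsec_dev, phys, _addr in klips_bindings(status_text):
        parent, dot, vid = phys.rpartition(".")
        if dot and vid.isdigit() and parent not in have_ip:
            flagged.append((ipsec_dev, phys, parent))
    return flagged


if __name__ == "__main__":
    for ipsec_dev, phys, parent in at_risk_bindings(WHACK_STATUS, IP_ADDR):
        print(f"{ipsec_dev}: bound to {phys}, parent {parent} has no IPv4 address")
```
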