[Openswan dev] KLIPS and 802.1q

Mikhail Pustovit pustovit at gmail.com
Tue May 29 10:57:09 EDT 2007


> I read the FAQ entry about VLAN with OpenS/WAN [1] and thought that it
> should work. My impression was that ESP over VLAN is a supported
> scenario.

> However, outgoing traffic (simple ICMP echo requests) gets stuck, the
> TX error counter of the ipsec0 interface will increase with each
> packet. I use Linux 2.6.19 and OpenS/WAN 2.4.7.

> Debugging revealed that the ESP packets seem to be dropped in
> linux/net/ipv4/route.c:ip_route_output_slow(). More specifically, the
> __in_dev_get_rtnl() call in this function returns NULL. As a
> consequence, ipsec_tunnel_send() fails at the ip_route_output_key()
> call.

> My ipsec0 interface is tied to the VLAN interface of eth0:

> $ whack --status | head -1
> 000 interface ipsec0/eth0.0004 192.168.151.1

> However, in ip_route_output_slow(), dev_out points to eth0 instead of
> eth0.0004. As eth0 has no IP configured, the __in_dev_get_rtnl() call
> fails. If I force dev_out to point to eth0.0004, the ESP packets are
> transmitted and the VPN works.

> Is this a bug? Or is this scenario not supported at all?

Hi!

I have the same problem on a 2.6.18 kernel with Openswan 2.4.7.
When using KLIPS with ipsec0 pointed to a VLAN interface
(interfaces="ipsec0=vlan0010"), the tunnel establishes a connection
but can't transmit any data. The TX error counter on ipsec0 increases
with each packet transmitted.

When using NETKEY, everything works fine, but without ipsecX devices... :(((

Any ideas?....

Thanks!
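
A diagnostic check for the condition reported in this thread, added here as an example; it is not part of the original messages and not Openswan code. It flags an ipsecN device bound to a VLAN interface whose parent device has no IPv4 address, which the first report gives as the point where __in_dev_get_rtnl() returns NULL. The function names are hypothetical and the sample inputs are constructed.

```shell
#!/bin/sh
# Added diagnostic sketch (not Openswan code): flag ipsecN bound to a VLAN
# device whose parent has no IPv4 address, the condition reported above.

# Constructed sample inputs modelled on the report (eth0 unnumbered, VLAN 4 on top).
SAMPLE_STATUS='000 interface ipsec0/eth0.0004 192.168.151.1'
SAMPLE_VLANS='VLAN Dev name	 | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID
eth0.0004      | 4  | eth0'
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
3: eth0.0004    inet 192.168.151.1/24 brd 192.168.151.255 scope global eth0.0004'

# bound_dev STATUS -> device behind the first "000 interface ipsecN/<dev> <ip>" line
bound_dev() {
  printf '%s\n' "$1" | awk '$2 == "interface" { split($3, p, "/"); print p[2]; exit }'
}

# vlan_parent DEV VLAN_CONFIG -> parent device, empty if DEV is not a VLAN.
# VLAN_CONFIG uses the /proc/net/vlan/config layout: "name | vid | parent".
vlan_parent() {
  printf '%s\n' "$2" | awk -F'|' -v d="$1" '
    NF == 3 { n = $1; p = $3; gsub(/[ \t]/, "", n); gsub(/[ \t]/, "", p); if (n == d) { print p; exit } }'
}

# has_ipv4 DEV ADDRS -> exit 0 if DEV carries an inet address in `ip -o -4 addr show` output
has_ipv4() {
  printf '%s\n' "$2" | awk -v d="$1" '
    { n = $2; sub(/@.*/, "", n); if (n == d && $3 == "inet") found = 1 }
    END { exit !found }'
}

# check_klips_vlan STATUS VLAN_CONFIG ADDRS -> prints a verdict; returns 1 if affected
check_klips_vlan() {
  kv_dev=$(bound_dev "$1")
  [ -n "$kv_dev" ] || { echo "no ipsec interface line found"; return 2; }
  kv_parent=$(vlan_parent "$kv_dev" "$2")
  [ -n "$kv_parent" ] || { echo "ok: $kv_dev is not a VLAN device"; return 0; }
  if has_ipv4 "$kv_parent" "$3"; then
    echo "ok: $kv_dev parent $kv_parent has an IPv4 address"; return 0
  fi
  echo "affected: $kv_dev parent $kv_parent has no IPv4 address"; return 1
}

# Live use: check_klips_vlan "$(ipsec whack --status)" \
#             "$(cat /proc/net/vlan/config)" "$(ip -o -4 addr show)"
check_klips_vlan "$SAMPLE_STATUS" "$SAMPLE_VLANS" "$SAMPLE_ADDRS" || true
```

Because the parent is read from the VLAN configuration rather than from the interface name, the same check covers the vlan0010 naming used in the second report.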

