[Openswan dev] WinXP L2TP disconnects as small UDP packets can not pass the tunnel
hiren joshi
joshihirenn at gmail.com
Wed Nov 19 10:12:23 EST 2008
Hello,
Problem:
NATed L2TP connection with Windows XP (SP2) terminates after 1 minute.
Environment:
Linux Openswan 2.4.9 (klips)
Configuration:
l2tpd + openswan ---<ppp link> --- Router-1 --- I-Net --- Router-2 --- WinXP
I am attaching the klipsdebug and l2tpd debug logs and a packet capture (with
the public IPs replaced by the names from the configuration diagram above)
captured during the L2TP connection life-cycle.
Please let me know how I can solve the problem.
Thanks for your time.
Regards,
-hiren
-------------------------------------------
My observation:
- Win XP sends L2TP control packets that are 52 bytes in length after
ESP+UDP encapsulation.
- These packets are dropped (ipsec klipsdebug --all) by the following code:
linux/net/ipsec/ipsec_esp.c::ipsec_rcv_esp_checks

    /* runt check: the packet must at least hold the link-layer header,
     * the IP header and the ESP header */
    if(skb->len < (irs->hard_header_len + sizeof(struct iphdr) +
                   sizeof(struct esphdr))) {
        KLIPS_PRINT(debug_rcv & DB_RX_INAU,
                    "klips_debug:ipsec_rcv: "
                    "runt esp packet of skb->len=%d received from %s, dropped.\n",
                    skb->len,
                    irs->ipsaddr_txt);
        if(irs->stats) {
            irs->stats->rx_errors++;
        }
        return IPSEC_RCV_BADLEN;
    }
Allowing these packets (removing "return IPSEC_RCV_BADLEN;") solves the problem.
Pinging with -s 0 shows that skb->len = Payload (0) + ICMP (8) + IP (20) + ESP (16) + UDP (16) = 60.
I think for NATed packets, the check should be:
if(skb->len < (sizeof(struct udphdr) + sizeof(struct esphdr))) {
Other information:
This happens only when ipsec0 is attached to ppp0.
It doesn't happen when ipsec0 -> ethX and ipsec1 -> ppp0.
Perhaps due to the fudging of ipsec0 (ipsec_rcv.c::klips26_rcv_encap),
hard_header_len is calculated as 14 (ethernet) instead of 22 (ppp).
It also does not happen with the xl2tpd client :).
Related Links:
http://lists.openswan.org/pipermail/dev/2007-April/001555.html
http://lists.openswan.org/pipermail/dev/2008-September/001931.html
I am not familiar with the code.
Is changing the condition a right thing to do?
How can I put it only for NATed packets?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: l2tpd.log
Type: text/x-log
Size: 13737 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/dev/attachments/20081119/1ce47683/attachment-0001.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: messages
Type: application/octet-stream
Size: 551521 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/dev/attachments/20081119/1ce47683/attachment-0001.obj
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: l2tp.cap.txt
Url: http://lists.openswan.org/pipermail/dev/attachments/20081119/1ce47683/attachment-0001.txt
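As an added example (not code from hiren's post, nor from Openswan or KLIPS), the following C program models the runt check quoted in the post for ESP-in-UDP (NAT-T, UDP port 4500) packets: it parses a constructed IPv4/UDP/ESP datagram, classifies the UDP payload by the RFC 3948 framing (NAT-keepalive, non-ESP marker, or ESP), and applies both the original condition and the one proposed in the post. The header sizes (20-byte iphdr, 8-byte udphdr, 16-byte KLIPS esphdr), the hard_header_len values 14 and 22 taken from the post, and the assumption that skb->len equals the IP datagram length at that point are assumptions made for this example; the sample datagrams are constructed here, not taken from the attached capture.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Header sizes assumed for the example: sizeof(struct iphdr) == 20,
 * sizeof(struct udphdr) == 8, KLIPS struct esphdr == 16 (SPI, seq, 8-byte IV). */
#define IP_HDR_LEN  20u
#define UDP_HDR_LEN 8u
#define ESP_HDR_LEN 16u
#define HHL_ETHER   14u   /* hard_header_len the post reports for ethernet */
#define HHL_PPP     22u   /* hard_header_len the post reports for ppp */

/* The runt check as quoted from ipsec_rcv_esp_checks: returns 1 if dropped. */
static int orig_check_drops(size_t skb_len, size_t hard_header_len)
{
    return skb_len < hard_header_len + IP_HDR_LEN + ESP_HDR_LEN;
}

/* The condition the post proposes for NATed packets: returns 1 if dropped. */
static int proposed_natt_check_drops(size_t skb_len)
{
    return skb_len < UDP_HDR_LEN + ESP_HDR_LEN;
}

/* RFC 3948 framing of a UDP/4500 payload. */
enum natt_kind { NATT_TOO_SHORT, NATT_KEEPALIVE, NATT_IKE, NATT_ESP };

static enum natt_kind classify_natt_payload(const uint8_t *p, size_t len)
{
    if (len == 1 && p[0] == 0xff)
        return NATT_KEEPALIVE;                 /* NAT-keepalive: single 0xff byte */
    if (len < 4)
        return NATT_TOO_SHORT;
    if (p[0] == 0 && p[1] == 0 && p[2] == 0 && p[3] == 0)
        return NATT_IKE;                       /* non-ESP marker: IKE follows */
    return NATT_ESP;                           /* first four bytes are the SPI */
}

struct verdict {
    enum natt_kind kind;
    size_t skb_len;       /* assumption: skb->len == IP total length here */
    int orig_drops;
    int proposed_drops;
};

/* Parse IPv4/UDP, require dst port 4500, apply both checks. -1 = not NAT-T. */
static int inspect_natt_packet(const uint8_t *pkt, size_t len,
                               size_t hard_header_len, struct verdict *v)
{
    memset(v, 0, sizeof *v);
    if (len < IP_HDR_LEN + UDP_HDR_LEN || pkt[0] != 0x45 || pkt[9] != 17)
        return -1;                             /* need IPv4, IHL 5, protocol UDP */
    size_t ip_total = (size_t)pkt[2] << 8 | pkt[3];
    size_t udp_len  = (size_t)pkt[24] << 8 | pkt[25];
    uint16_t dport  = (uint16_t)(pkt[22] << 8 | pkt[23]);
    if (dport != 4500 || ip_total > len || udp_len < UDP_HDR_LEN ||
        IP_HDR_LEN + udp_len > ip_total)
        return -1;
    v->kind = classify_natt_payload(pkt + IP_HDR_LEN + UDP_HDR_LEN,
                                    udp_len - UDP_HDR_LEN);
    v->skb_len = ip_total;
    v->orig_drops = orig_check_drops(ip_total, hard_header_len);
    v->proposed_drops = proposed_natt_check_drops(ip_total);
    return 0;
}

/* Constructed sample: IPv4 + UDP(4500->4500) + ESP datagram of total_len bytes
 * with a non-zero SPI; all other bytes zero. total_len must be >= 32. */
static int build_sample_natt_esp(uint8_t *buf, size_t cap, size_t total_len)
{
    if (total_len < IP_HDR_LEN + UDP_HDR_LEN + 4 || total_len > cap)
        return -1;
    memset(buf, 0, cap);
    buf[0] = 0x45;                                               /* IPv4, IHL 5 */
    buf[2] = (uint8_t)(total_len >> 8); buf[3] = (uint8_t)total_len;
    buf[9] = 17;                                                 /* UDP */
    buf[20] = 0x11; buf[21] = 0x94;                              /* src port 4500 */
    buf[22] = 0x11; buf[23] = 0x94;                              /* dst port 4500 */
    size_t udp_len = total_len - IP_HDR_LEN;
    buf[24] = (uint8_t)(udp_len >> 8); buf[25] = (uint8_t)udp_len;
    buf[28] = 0x12; buf[29] = 0x34; buf[30] = 0x56; buf[31] = 0x78; /* SPI */
    return 0;
}

/* Verdicts for a constructed datagram of total_len bytes (-1 on parse failure). */
static int sample_orig_drops(size_t total_len, size_t hard_header_len)
{
    uint8_t buf[128]; struct verdict v;
    if (build_sample_natt_esp(buf, sizeof buf, total_len) < 0) return -1;
    if (inspect_natt_packet(buf, total_len, hard_header_len, &v) < 0) return -1;
    return v.orig_drops;
}

static int sample_proposed_drops(size_t total_len)
{
    uint8_t buf[128]; struct verdict v;
    if (build_sample_natt_esp(buf, sizeof buf, total_len) < 0) return -1;
    if (inspect_natt_packet(buf, total_len, HHL_PPP, &v) < 0) return -1;
    return v.proposed_drops;
}

int main(void)
{
    size_t lens[] = { 52, 60 };   /* WinXP L2TP control packet, ping -s 0 */
    for (size_t i = 0; i < 2; i++)
        printf("%zu bytes: orig(hhl=22) drops=%d  orig(hhl=14) drops=%d  proposed drops=%d\n",
               lens[i], sample_orig_drops(lens[i], HHL_PPP),
               sample_orig_drops(lens[i], HHL_ETHER), sample_proposed_drops(lens[i]));
    return 0;
}
```

With the post's numbers the model reproduces the observation: the 52-byte datagram is below the 58-byte threshold that a 22-byte hard_header_len produces, but above the 50-byte threshold for a 14-byte one, while the 60-byte ping clears both, which is why the ping did not trigger the drop. The proposed condition counts only the UDP and ESP headers, so it ignores the link-layer header entirely; whether that is the right lower bound for the NAT-T path is the question the post leaves open.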