[Openswan Users] Openswan + RHES 2.6 IPSEC strange problem

[Matt Dainty]

On Fri, Mar 26, 2004 at 05:11:38PM +0000, Matt Dainty wrote:
> 
> I can start up Openswan and the tunnel gets created, and I can ping
> boxen back and forth from each side, but if I try and launch say an HTTP
> request from a client on the Openswan side to a webserver in the
> FreeS/WAN-protected network, the tunnel just freezes part-way through
> the client receiving the content from the webserver.
> 
> I thought it was just Openswan until I realised all traffic on the same
> NIC freezes too. It appears to take a random amount of time and other
> non-IPSEC traffic and things unfreeze again. At no time is there any log
> messages from the kernel or anywhere else. There are two other NICs in
> the machine which are bridged together and these continue working
> throughout.

I've fixed this, rather obscure and unrelated. The ADSL router supplying
the Openswan box's net connection was playing up, I couldn't even get
the whole web status page from it via a locally-connected machine
without it being truncated, so it looks like it was randomly
dropping/chopping traffic, which I never managed to trigger with
'normal' net traffic. Power-cycled it and everything appears to be
working correctly. Odd.

I've hit on the tunnel now with some traffic and it's holding up nicely.

> Sniffing traffic on each endpoint from each other yields packets
> occasionally from the FreeS/WAN end to the Openswan end:
> 
> Y.Y.Y.Y > X.X.X.X: ESP(spi=...,seq=...)
> truncated-ip - 16 bytes missing! Y.Y.Y.Y > <some weird IP> bad-hlen 12
> (ipip-proto-4)
> X.X.X.X > Y.Y.Y.Y: ESP(spi=...,seq=...)

This still happens, but AFAICT it's harmless. Right?

Cheers

Matt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20040329/bc483db7/attachment.bin