[Openswan Users] L2TP/IPsec problem

Paul Wouters paul at xelerance.com
Mon Aug 29 20:36:03 CEST 2005


On Mon, 29 Aug 2005, Nico Schmoigl wrote:

> L2tpd can't help here. That stuff is still at the phase of ipsec 
> negotiations. Therefore l2tpd isn't involved here.

It is. By telling l2tp to make smaller packets, the ESP packets will also
be smaller and the espinudp will also be smaller.

> As already mentioned on the list, I now got it working. I decreased the size 
> of the certificates (both of the CA and the used key itself) to the absolute 
> minimum (I formerly used phpki from http://phpki.sf.net which adds additional 
> x509v3 values like CRT, NSComments and all that stuff - look at my patch, 
> which is available at the project's website!).

This seems a different problem of IKE packets not surviving fragmentation.

> If it helps you, I can send you a bunch of keys and certificates with which 
> it works and another bunch with which it doesn't work. If the logfiles are 
> also interesting for you, I can send them, too. Just drop me a short mail...

I think this is a known problem, but needs to be documented better. And fixed.

Paul

