[Openswan Users] L2TP/IPsec problem

Paul Wouters paul at xelerance.com
Tue Aug 30 00:42:11 CEST 2005


On Mon, 29 Aug 2005, Nico Schmoigl wrote:

> From my observations the certificates only come "on stage" during the very 
> first phase where an authenticated connection is being established via the 
> IPSEC protocol family. At this point, there even is no tunnel for a 
> communication between the client and the L2TP process. You can even put it 
> harder: IPSEC doesn't care, if L2TP or whatever will be used later on. I also 
> could authenticate two IPSEC linux boxes with certificates (via a NAT-T 
> connection) and then send raw IP via the interfaces. Shouldn't I then have 
> the same problem? Or am I misinterpreting something?

IPsec has two modes. Transport mode and Tunnel mode. Almost all types of
IPsec connections are Tunnel mode. Microsoft's L2TP implementation uses
IPsec in Transport mode.

You can try to set up a simple 'standard' tunnel, which implies type=tunnel,
and see if the problem is there or not. Then change it to type=transport and
see if the problem reappears. I think it will.

> And there another point drops in, what I do not understand in this scenario: 
> If I decrease the MTU, then I decrease the size of the packets I can accept. 
> Thus, fragmentation will occur "earlier". Why could it then happen, that IKE 
> packets suddenly get accepted? From my point of view, the certificates must 
> even be smaller than that to be accepted. I could understand the system, if I 
> had to *increase* the MTU size which would allow bigger certificates to send 
> (doesn't get fragmented then).

ppp packets only flow after the IPsec tunnel is up. There are two different
layers of fragmentation happening here. Or perhaps even three or four, 
depending on the packet sizes. (ppp, l2tp, esp, udpinesp)

> I am not that far into the code, that I could fix it, but I am willing to 
> help you with documentation.
> Is there any existing documentation on that besides the bug notes #401? Does 
> it make sense to also add my data to this bug report?

I think the key issue is to see how all these bug reports on similar errors
fit together or not. Are they the same bug?

If you can do the testing I described above with tunnel and transport mode,
and give us the results of that, it might be very useful to understand this
issue.

Paul
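The tunnel-vs-transport A/B test Paul asks for, written out as an Openswan ipsec.conf fragment. This is an added example, not configuration from the thread or from the Openswan project: the certificate file name, the `conn` names and the use of `%default` for the shared certificate settings are assumptions, and the L2TP `conn` carries the transport-mode and port settings that a Windows L2TP/IPsec client behind NAT needs. The two `conn` sections are identical except for `type=` (and the L2TP port selectors), so a failure that only shows up with the second one points at transport mode rather than at the certificate exchange.

```ini
# /etc/ipsec.conf fragment (added example, not from the original thread)
#
# Shared settings: certificate (RSA signature) authentication against any
# peer whose certificate chains to the same CA as our own.
config setup
        nat_traversal=yes
        # assumption: private ranges the NAT-T peers may sit behind
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16

conn %default
        authby=rsasig
        left=%defaultroute
        leftcert=gatewayCert.pem          # assumption: lives in /etc/ipsec.d/certs/
        leftrsasigkey=%cert
        right=%any
        rightrsasigkey=%cert
        rightca=%same                     # peer cert must be signed by our CA
        keyingtries=3

# Test 1: a 'standard' host-to-host tunnel. Nothing but type= and the
# missing port selectors distinguishes it from the L2TP conn below.
conn plain-tunnel
        type=tunnel
        auto=add

# Test 2: what Microsoft's L2TP/IPsec client actually negotiates.
conn l2tp-transport
        type=transport
        leftprotoport=17/1701             # UDP/1701 on the gateway
        rightprotoport=17/%any            # NATed Windows clients use a random source port
        pfs=no                            # Windows L2TP client does not do PFS
        rekey=no                          # let the client drive rekeying
        auto=add
```

Load both with `ipsec auto --replace plain-tunnel` and `ipsec auto --replace l2tp-transport`, then bring each up from the client side in turn and compare the Pluto log (`ipsec barf` collects it along with the SA state). If the certificate-based Phase 1 completes for `plain-tunnel` but the same client fails on `l2tp-transport`, the certificates can be ruled out and the difference lies in the transport-mode handling, which is what the tests in the reply above are meant to separate.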

