[Openswan Users] L2TP/IPsec problem
Nico Schmoigl
mailinglisten at schmoigl-online.de
Tue Aug 30 22:23:04 CEST 2005
Hi Paul,
hi rest of the list members,
> IPsec has two modes. Transport mode and Tunnel mode. Almost all type of
> IPsec connections are Tunnel mode. Microsoft's L2TP implementation uses
> IPsec in Transport mode.
>
> You can try to setup a simple 'standard' tunnel, which implies type=tunnel
> and see if the problem is there or not. Then change it to type=transport
> and see if the problem reappears. I think it will.
Here's the interesting part of it: my current tests (further results
below) show that the sequence
transport (1), tunnel (2), transport (3)
(1) does not work
(2) works
(3) works (!)
But please: Don't ask me why!
>> And there another point drops in, what I do not understand in this
>> scenario: If I decrease the MTU, then I decrease the size of the
>> packets I can accept. Thus, fragementation will occur "earlier". Why
>> could it then happen, that IKE packets suddenly get accepted? From my
>> point of view, the certificates must even be smaller than that to be
>> accepted. I could understand the system, if I had to *increase* the
>> MTU size which would allow bigger certificates to send (doesn't get
>> fragemented then).
> ppp packets only flow after the IPsec tunnel is up. There are two different
> layers of fragmentation happening here. Or perhaps even three or four,
> depending on the packet sizes. (ppp, l2tp, esp, udpinesp)
mmhm... my current tests don't really show the impact of MTU/MRU values
on this issue. I think, that I observered another, more overlaying
issue. If using "big certificates", rebooting of the Windows client does
matter!
>> I am not that far into the code, that I could fix it, but I am willing
>> to help you with documentation.
>> Is there any existing documentation on that besides the bug notes
>> #401? Does it make sense to also add my data to this bug report?
> I think the key issue is to see hwo all these bug reports on similar errors
> fit together or not. Are they the same bug.
>
> If you can do the testing I described above with tunnel and transport mode,
> and give us the results of that, it might be very useful to understand this
> issue.
At http://www.schmoigl-online.de/ipsec/debugging.tar.bz2 you'll find a
documentation package of my latest testings on this issue. Here's the
environment in which these tests happend:
* Linux box, Kernel v2.4.31 with openswan 2.3.1, NAT-T patch applied to
the kernel
* Road Warrior with Windows 2000 SP4, patch #818043 applied and
activated, IPCOMP_DEFLATE not activated
* Connection of the Linux Box is done through eth1; direct Internet
connection (no NAT involved)
* Road Warrior is connected via GPRS mobile celluar phone provider which
only sends intranet IPs (namely 10.x.x.x) which are then NATed on
leaving the cellular network.
* setup files on the linux box are within the documentation package
* private keys and used certificates are in an extra file (downloadable
from http://www.schmoigl-online.de/ipsec/keys.tar.bz2). If applying, the
password is '1234' (please note: my system does not accept these keys
anymore!)
* with every setup, there is a corresponding subdir in the documentation
package. There you'll find the used setup files (ipsec.conf,
options.l2tpd, ...) and the generated debug messages both from the VPN
server (/var/log/message excerpt) and from the OAKLEY of the client
(%SYSTEMROOT%\debug\oakley.log).
* ipsec on the VPN server will be restarted via the command 'ipsec setup
--restart' between each setup
* restarts of the client (and therefor restarts of the OAKLEY) are
written expicitly in the description of the setup
Here's what I did:
setup 1:
* Client with big certificate (just reinstalled; no reboot so far)
* Server with big certificate (just reinstalled; no reboot so far)
* ipsec in transport mode
* mtu of PPPD is 1500
* mru of PPPD is standard
result: connection established
setup 2:
* same as setup 1
* but after a restart of the client (same key/certificates)
result: connection timed out
setup 3:
* same as setup 2
* but with "type=tunnel" instead
result: connection established
setup 4:
* same as setup 2
* but with mru and mtu set to 800 in options.l2tpd
result: connection established
setup 5:
* same as setup 2 for verification
result: connection established (!)
setup 6:
* same as setup 5
* just again after a normal rebooting of the client (nothing else changed)
result: connection timed out
setup 7:
* same as setup 6
* deleting the old Client's Certificate and its key
* adding the new small certificate to the client's repository
* deleting the old Server's Certificate and its key
* adding the new small certificate to the server's repository
result: connection established
setup 8:
* same as setup 7
* but client just rebooted
result: connection established
In short: If you have a big certificate installed and you reboot your
client, chances are good, that you may not connect anymore. However,
with small certificates, it doesn't matter to reboot the client.
So far, this sounds to be a Windowsish problem, not purely ipsec related.
Oh, just a short note: I just read in the bug database, that someone
said that a very silimar issue could be solved by using strongswan
instead of openswan (compare bug issue #401). I must confess, that this
is not true for the issue I am just observing: I already had strongswan
running on my box, however experiencing the same problems as described
here. That is also why I am not adding my findings to this bug report.
I hope that my work helps you a bit with debugging this issue...
73
Nico
More information about the Users
mailing list