[Openswan Users]
Dirk Nehring
dnehring at marcant.net
Sun Dec 25 23:01:53 CET 2005
On Sun, Dec 25, 2005 at 10:39:16PM +0100, Dirk Nehring wrote:
> On Tue, Dec 20, 2005 at 04:38:03PM +0100, Paul Wouters wrote:
> > On Mon, 19 Dec 2005, Dirk Nehring wrote:
> >
> > > > Well, I'm not sure if the combination PSK, NAT-T and transport mode is
> > > > officially supported by Openswan. So you might have to ditch that PSK.
> > > > I have moved the thread to the users mailinglist because I am not yet
> > > > convinced this is a developers issue.
> > >
> > > something gets broken between 2.3.1 and 2.4.0. For me it's a dev-issue,
> > > __if__ transport mode is supported.
> >
> > Correct, a few things broke. Most of those are fixed in 2.4.5rc3.
> >
> > > Works with 2.3.1 without problems, but since 2.4.0dr??? it doesn't work
> > > anymore. Currently I'm using kernel version 2.6.14.3. I can give you a
> > > test account if you like to check it by yourself.
> >
> > Are you using klips or netkey? klips incorrectly didn't set the mtu on
> > the interface, causing a lot of really small packets to be sent. The
> > following fix (from cvs) needs to be applied to 2.4.5dr3 in ipsec_xmit.c
> > around line 400:
> >
> > ixs->physmtu = ixs->physdev->mtu;
> > + ixs->cur_mtu = ixs->dev->mtu;
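Review bot: the added line takes cur_mtu from the virtual ipsec device (ixs->dev) while the line above takes physmtu from the physical device (ixs->physdev), and nothing in the hunk says why the two differ; since the bug being fixed is precisely that the interface MTU was never applied, a one-line comment such as "/* MTU of the ipsecN interface, not of the underlying physdev */" would stop a later cleanup from "harmonizing" both to physdev. The fragment also carries no @@ header or surrounding context beyond "ipsec_xmit.c around line 400", so anyone applying it by hand should anchor on the physmtu assignment rather than on a line number, which will not match other 2.4.x revisions.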
> >
> > Or check out the 2_4_x branch using cvs.
>
> Hello Paul,
>
> sorry for the late reply. I try to figure out the problem. I am using
> NETKEY with 2.6.14.4. ppp is 2.4.3. In my test setup, I am using EAP-TLS
> authentication and CHAP (without RADIUS). Here is my config:
>
> ipsec.conf:
> -----------------------------------------------------------------
> version 2.0
>
> config setup
>     plutodebug="control"
>     plutostderrlog=/var/log/pluto.log
>     # NAT-T and the private ranges a NAT'ed client may claim behind vhost:%priv
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
>
> conn %default
>     left=1.2.3.4
>
> include /etc/ipsec.d/examples/no_oe.conf
>
> conn L2TP
>     right=%any
>     rightsubnet=vhost:%no,%priv
>     # restrict the SA to L2TP (UDP 1701) on both ends
>     rightprotoport=17/1701
>     leftprotoport=17/1701
>     pfs=no
>     keyingtries=3
>     authby=secret
>     ike=3des-md5
>     esp=3des-sha1,3des-md5
>     auto=add
> -----------------------------------------------------------------
>
> l2tp.conf:
> -----------------------------------------------------------------
> global
>     load-handler "sync-pppd.so"
>     load-handler "cmd.so"
>
> section sync-pppd
>     lns-pppd-opts "file /etc/ppp/options.l2tpd"
>
> section peer
>     # accept L2TP from any address on UDP 1701
>     peer 0.0.0.0
>     mask 0
>     port 1701
>     lns-handler sync-pppd
>     hide-avps no
>
> section cmd
> -----------------------------------------------------------------
>
> options.l2tpd:
> -----------------------------------------------------------------
> name l2tpd
> #plugin /usr/lib/pppd/2.4.3/radius.so
> #plugin /usr/lib/pppd/2.4.3/radattr.so
> debug
> lock
> ipcp-accept-local
> ipcp-accept-remote
> ms-dns 2.3.4.5
> mtu 1376
> #require-eap
> require-chap
> lcp-echo-failure 3
> lcp-echo-interval 10
> #avpair Framed-MTU=1362
> -----------------------------------------------------------------
>
> It's a relatively easy setup for bug hunting. With openswan 2.3.1, I
> have no problem. Now I tested 2.4.5dr3 with the MTU-patch. ppp
> authentication after successful IPSec authentication doesn't work.
Small addition: my client is using NAT-T. If I add "type=transport",
authentication is successful, but I cannot send any packet through the
tunnel and it collapses after some seconds.
Dirk
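The follow-up above turns on a single missing line (type=transport) in a conn that otherwise looks complete. As an added example, not code from this thread or from the Openswan project, here is a small Python linter that parses an ipsec.conf in the layout ipsec.conf(5) describes (unindented section headers, indented key=value lines, "conn %default" inherited by every conn) and reports the settings that matter for an L2TP/IPsec road-warrior conn behind NAT: transport mode, NAT-T with a vhost:%priv rightsubnet, the 17/1701 protoports, and the weaker choices (pfs=no, a group PSK with right=%any, 3DES/MD5). The sample input is the config posted above, embedded as a constructed string; the finding codes and messages are this example's own.

```python
# Added example (not from the thread or from Openswan): lint an ipsec.conf
# for the settings an L2TP/IPsec conn behind NAT depends on.
import re

# Constructed sample: the ipsec.conf posted in the thread, kept whole so the
# parser has to skip top-level directives such as 'version' and 'include'.
SAMPLE_IPSEC_CONF = """\
version 2.0

config setup
    plutodebug="control"
    plutostderrlog=/var/log/pluto.log
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
    left=1.2.3.4

include /etc/ipsec.d/examples/no_oe.conf

conn L2TP
    right=%any
    rightsubnet=vhost:%no,%priv
    rightprotoport=17/1701
    leftprotoport=17/1701
    pfs=no
    keyingtries=3
    authby=secret
    ike=3des-md5
    esp=3des-sha1,3des-md5
    auto=add
"""

# Algorithm tokens treated as weak by this example (3DES, MD5, single DES).
WEAK_ALG = re.compile(r'3des|md5|\bdes\b', re.IGNORECASE)


def parse_ipsec_conf(text):
    """Return (setup, conns): setup holds the 'config setup' keys; conns maps
    each conn name to its keys with 'conn %default' values filled in."""
    setup, conns, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented: header or directive
            parts = line.split()
            if parts[:2] == ['config', 'setup']:
                current = setup
            elif parts[0] == 'conn' and len(parts) == 2:
                current = conns.setdefault(parts[1], {})
            else:
                current = None                    # version, include, ...
            continue
        if current is not None and '=' in line:
            key, _, value = line.strip().partition('=')
            current[key.strip()] = value.strip().strip('"')
    default = conns.pop('%default', {})
    return setup, {name: {**default, **params} for name, params in conns.items()}


def lint_l2tp_conn(setup, conn):
    """Return findings as 'code: message' strings for a conn meant to carry L2TP."""
    findings = []
    if not (conn.get('leftprotoport') == conn.get('rightprotoport') == '17/1701'):
        findings.append('protoport: pin both ends to 17/1701 so only L2TP rides the SA')
    if conn.get('type', 'tunnel') != 'transport':   # Openswan's default type is tunnel
        findings.append('type: L2TP/IPsec (RFC 3193) uses transport mode; add type=transport')
    if setup.get('nat_traversal') != 'yes':
        findings.append('nat_traversal: must be yes or clients behind NAT cannot connect')
    elif 'vhost:' not in conn.get('rightsubnet', '') or '%priv' not in conn.get('rightsubnet', ''):
        findings.append('rightsubnet: NAT-T road warriors need rightsubnet=vhost:%priv (or %no,%priv)')
    if conn.get('pfs', 'yes') == 'no':
        findings.append('pfs: with pfs=no the ESP keys derive from the IKE SA secret alone')
    if conn.get('authby') == 'secret' and conn.get('right') == '%any':
        findings.append('authby: a PSK with right=%any is one group secret shared by every client')
    for key in ('ike', 'esp'):
        value = conn.get(key, '')
        if WEAK_ALG.search(value):
            findings.append(f'{key}: weak algorithm in "{value}"; prefer AES')
    return findings


def lint_conf(text, conn_name='L2TP'):
    """Parse text and lint the named conn; a missing conn is itself a finding."""
    setup, conns = parse_ipsec_conf(text)
    if conn_name not in conns:
        return [f'conn: no "conn {conn_name}" section found']
    return lint_l2tp_conn(setup, conns[conn_name])


if __name__ == '__main__':
    for finding in lint_conf(SAMPLE_IPSEC_CONF):
        print(finding)
```

Run against the posted config it reports the missing type=transport together with pfs=no, the shared PSK and the 3DES/MD5 proposals, and nothing about NAT-T or the protoports, which are set correctly; inserting "type=transport" under "conn L2TP" clears the first finding. Which of the remaining findings you act on is a policy decision for the deployment; the linter only makes them visible.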