[Openswan Users]

Dirk Nehring dnehring at marcant.net
Sun Dec 25 23:37:25 CET 2005


On Sun, Dec 25, 2005 at 11:01:53PM +0100, Dirk Nehring wrote:
> On Sun, Dec 25, 2005 at 10:39:16PM +0100, Dirk Nehring wrote:
> > On Tue, Dec 20, 2005 at 04:38:03PM +0100, Paul Wouters wrote:
> > > On Mon, 19 Dec 2005, Dirk Nehring wrote:
> > >
> > > > > Well, I'm not sure if the combination PSK, NAT-T and transport mode is
> > > > > officially supported by Openswan. So you might have to ditch that PSK.
> > > > > I have moved the thread to the users mailing list because I am not yet
> > > > > convinced this is a developers issue.
> > > >
> > > > Something got broken between 2.3.1 and 2.4.0. For me it's a dev issue,
> > > > __if__ transport mode is supported.
> > >
> > > Correct, a few things broke. Most of those are fixed in 2.4.5rc3.
> > >
> > > > Works with 2.3.1 without problems, but since 2.4.0dr??? it doesn't work
> > > > anymore. Currently I'm using kernel version 2.6.14.3. I can give you a
> > > > test account if you'd like to check it yourself.
> > >
> > > Are you using klips or netkey? klips incorrectly didn't set the MTU on
> > > the interface, causing a lot of really small packets to be sent. The
> > > following fix (from cvs) needs to be applied to 2.4.5dr3 in ipsec_xmit.c
> > > around line 400:
> > >
> > >         ixs->physmtu = ixs->physdev->mtu;
> > > +       ixs->cur_mtu = ixs->dev->mtu;
> > >
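Review bot: this fragment cannot be applied with patch(1): it has no file header, no `@@` hunk header and only one context line, so "around line 400" is the only locator and a reader has to find the spot in ipsec_xmit.c by hand. Suggest posting the full unified hunk from CVS with its surrounding context, and, since the added `ixs->cur_mtu = ixs->dev->mtu;` sits right next to the existing `ixs->physmtu = ixs->physdev->mtu;`, saying which device each field refers to so the two MTU values are not confused when the line is placed.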
> > > Or check out the 2_4_x branch using cvs.
> >
> > Hello Paul,
> >
> > sorry for the late reply. I am trying to figure out the problem. I am using
> > NETKEY with 2.6.14.4. ppp is 2.4.3. In my test setup, I am using EAP-TLS
> > authentication and CHAP (without RADIUS). Here is my config:
> >
> > ipsec.conf:
> > -----------------------------------------------------------------
> > version 2.0
> >
> > config setup
> >         plutodebug="control"
> >         plutostderrlog=/var/log/pluto.log
> >         nat_traversal=yes
> >         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
> >
> > conn %default
> >         left=1.2.3.4
> >
> > include /etc/ipsec.d/examples/no_oe.conf
> >
> > conn L2TP
> >         right=%any
> >         rightsubnet=vhost:%no,%priv
> >         rightprotoport=17/1701
> >         leftprotoport=17/1701
> >         pfs=no
> >         keyingtries=3
> >         authby=secret
> >         ike=3des-md5
> >         esp=3des-sha1,3des-md5
> >         auto=add
> > -----------------------------------------------------------------
> >
> > l2tp.conf:
> > -----------------------------------------------------------------
> > global
> > load-handler "sync-pppd.so"
> > load-handler "cmd.so"
> >
> > section sync-pppd
> > lns-pppd-opts "file /etc/ppp/options.l2tpd"
> >
> > section peer
> > peer 0.0.0.0
> > mask 0
> > port 1701
> > lns-handler sync-pppd
> > hide-avps no
> >
> > section cmd
> > -----------------------------------------------------------------
> >
> > options.l2tpd:
> > -----------------------------------------------------------------
> > name l2tpd
> > #plugin /usr/lib/pppd/2.4.3/radius.so
> > #plugin /usr/lib/pppd/2.4.3/radattr.so
> > debug
> > lock
> > ipcp-accept-local
> > ipcp-accept-remote
> > ms-dns 2.3.4.5
> > mtu 1376
> > #require-eap
> > require-chap
> > lcp-echo-failure 3
> > lcp-echo-interval 10
> > #avpair Framed-MTU=1362
> > -----------------------------------------------------------------
> >
> > It's a relatively simple setup, for bug hunting. With openswan 2.3.1, I
> > have no problem. Now I tested 2.4.5dr3 with the MTU patch. ppp
> > authentication after successful IPSec authentication doesn't work.
>
> Small addition: my client is using NAT-T. If I add "type=transport",
> authentication is successful, but I cannot send any packet through the
> tunnel and it collapses after some seconds.

Interesting: if I use "type=transport", I cannot see the defined
connection at all under 2.3.1. I never tested this. Could it be possible
that you have corrected the transport mode and disabled the old (broken,
but working) way of using it? Strange...

Dirk
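As an added example, not part of this thread or of Openswan, here is a small parser for the ipsec.conf layout quoted above plus a lint pass that reports the settings the thread turns on: the missing type=transport on the udp/1701 conn, a group PSK shared by every %any client, the PSK + NAT-T + transport combination Paul says may be unsupported, and legacy 3des/md5 algorithms. The sample conf is a constructed, trimmed copy of Dirk's L2TP conn; the finding texts are my own.

```python
# Constructed sample, trimmed from the L2TP conn quoted in this thread.
SAMPLE_CONF = """\
config setup
        nat_traversal=yes
conn %default
        left=1.2.3.4
include /etc/ipsec.d/examples/no_oe.conf
conn L2TP
        right=%any
        rightprotoport=17/1701
        leftprotoport=17/1701
        authby=secret
        ike=3des-md5
        esp=3des-sha1,3des-md5
"""

def parse_ipsec_conf(text):
    """Return (setup, conns). Column-0 lines open a section, indented key=value
    lines fill it; 'conn %default' is folded into every other conn, explicit keys winning."""
    setup, conns, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip(): continue
        if not line[0].isspace():                     # section header line
            kind, _, name = line.partition(" ")
            if kind == "config" and name.strip() == "setup":
                current = setup
            elif kind == "conn":
                current = conns.setdefault(name.strip(), {})
            else:                                     # version / include lines
                current = None
            continue
        if current is not None:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    default = conns.pop("%default", {})
    return setup, {n: {**default, **c} for n, c in conns.items()}

def lint_l2tp_conn(setup, conn):
    """Findings worth flagging on a conn that carries L2TP (udp/1701)."""
    findings, mode = [], conn.get("type", "tunnel")
    if conn.get("leftprotoport") == "17/1701" and mode != "transport":
        findings.append("L2TP clients expect type=transport; conn defaults to tunnel mode")
    if conn.get("authby") == "secret" and conn.get("right") == "%any":
        findings.append("authby=secret with right=%any: one group PSK shared by every client")
    if setup.get("nat_traversal") == "yes" and conn.get("authby") == "secret" and mode == "transport":
        findings.append("PSK + NAT-T + transport mode: combination the thread notes may be unsupported")
    for key in ("ike", "esp"):
        weak = {"3des", "md5"} & set(conn.get(key, "").replace(",", "-").split("-"))
        if weak:
            findings.append(f"{key}={conn[key]} relies on legacy algorithms {sorted(weak)}")
    return findings
```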

