[Openswan Users] ipsec over tcp?

Paul Wouters paul at xelerance.com
Fri Jan 7 16:43:53 CET 2005


On Fri, 7 Jan 2005, Tomasz Grzelak wrote:

> I've got problems in overloaded networks, where ipsec connections tear down
> often (after several minutes), probably because of keepalive packets being
> lost.
>
> Is it possible to set up a vpn (a windows ipsec/l2tp/ppp client to the
> openswan 2.2.0) over tcp, not udp encapsulation?

You can't build a tcp state on top of ipsec. The ipsec protocol has no
three way handshake or acks. Apart from tcp being trivial to kill with an
RST packet.

> And maybe there's another way to reach the goal?

Fix your network. VLAN it, subnet it, kill the traffic on it, QoS it.

Paul

