[Openswan Users] Probelm with host reachability whenipsectunnelis
operational
Gömöri Zoltán
suf at freemail.hu
Sat Jul 23 12:34:00 CEST 2005
Hi,
It seems to me that it is either:
1. A bug in the 2.6 kernel's NETKEY implementation or
2. A bug in the OpenS/WAN's NETKEY handling or
3. An additional configuration is needed for the OpenS/WAN if somebody want
to use it together with NETKEY in a hub/spoke config like this.
I would realy like to see if somebody who has enough knowledge investigate
this issue
Zoltan
> -----Original Message-----
> From: users-bounces at openswan.org
> [mailto:users-bounces at openswan.org] On Behalf Of Greg McGuire
> Sent: Friday, July 22, 2005 9:04 PM
> To: users at openswan.org
> Subject: Re: [Openswan Users] Probelm with host reachability
> whenipsectunnelis operational
>
> An update:
>
> I was able to get everything working properly by backing off to
> kernel 2.4.27 and using KLIPS instead. On Debian you need to
> apt-get
> and compile the openswan-module-source (as I'm sure you all know).
> This works quite well. I guess this is one reason to choose KLIPS
> over NETKEY at the moment, if you happen to have a hub/spoke routing
> configuration like this.
>
> Regards,
> Greg
>
>
> On Jul 21, 2005, at 3:05 PM, Gömöri Zoltán wrote:
>
> > Hi Greg,
> >
> >
> >> Yes, I believe you are right; I've determined essentially the same
> >> thing: the ipsec tunnel is not ignoring the local subnet when it
> >> grabs packets to send down the tunnel: everything in
> >> 10.0.0.0/8 gets
> >> caught, instead of 10.0.0.0/8 minus 10.x.0.0/16 (the local subnet).
> >> I know there must be a way around this that doesn't
> involve patching
> >> netfilter, although I'll give that a try if nobody else has a
> >> suggestion for a simpler fix in openswan.
> >>
> >
> > If you want I can give you a simpler fix, but I was not satisfied
> > with it.
> > Lower the MTU size on all of the machines on the remote site to
> > 1444 bytes.
> > The result of the behaviour sending packets originated on
> the local
> > ip of
> > the remote gateway is breaking the PMTU discovery procedure.
> > I discovered this in the following setup:
> > I have an XP machine on the remote site. I was connecting
> this machine
> > from the central site with RDP. I was geting an empty blue screen
> > on the
> > RDP client and after a few minutes it disconnected.
> > I checked the logs and found that the connection went
> correctly until
> > the XP on the remote site started to send 1500byte packets with DF
> > bit set.
> > The remote gateway responded to the packets with ICMP type
> 3 code 4
> > packet
> > indicating to lower the packet size or switch of the DF bit.
> > This ICMP packet NEVER arrive to the XP machine because the packet
> > sent into
> > the tunnel and not to the local subnet.
> >
> > The MTU size setting is an other workaround and not the solution.
> > I continously waiting for the solution. :-(
> >
> > Zoltan
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at openswan.org
> > http://lists.openswan.org/mailman/listinfo/users
> >
>
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>
More information about the Users
mailing list