[Openswan Users] [OpenswanUsers]2.6.13+Klips problems
Paul Wouters
paul at xelerance.com
Fri Nov 4 02:14:09 CET 2005
On Fri, 4 Nov 2005, Andrew Congdon wrote:
> I'm using several 2.3.1/2.6.12.6 FC4 talking to 2.3.1/2.6.11.6 FC3 and
> freeswan 2.03/2.4.22 FC1. I'm getting regular:
>
> klips_error:ipsec_xmit_send: ip_send() failed, err=-1
You did not have a changing IP address? Is your interface being down'ed
briefly?
I've also seen a report that reloading the iptables rules fixed this problem.
Maybe it has something to do with ip_conntrack when NAT/MASQ is used?
> failed in ISAKMP notify. Errno 105: No buffer space available
What does 'ipsec auto --status' say? Do you have many instances of non
established IPsec connections?
> The configuration is a point to point openswan IPSEC rsasigkey'd connection
> with a GRE tunnel on top using OSPF to share routes. I use the KLIPS code to
> simplify the firewalling via the ipsec[n] interface. This is a long standing
> configuration (~5 years).
So I am confused as to where the errors are from. The old freeswan or the
new openswan?
> I had to move to 2.4.0 (or 2.4.2dr5) to build with 2.6.13. This creates a
> curious problem where I can ping remote hosts but can't ssh or http to them
> whilst I _can_ ftp to them?! Similarly if I try to use 2.4.0 on 2.6.12.6.
Could be mtu issues?
Did you disable OE in your ipsec.conf? There should be a line saying:
include /etc/ipsec.d/examples/no_oe.conf
> I tried to bypass the problem by moving to 2.6.14 but I can't build 2.4.2rc1:
2.6.13 and 2.6.14 are mostly untested and untried, and we expect major issues,
since the networking code in the latest few kernel releases is undergoing
major surgery.
Paul
--
"Happiness is never grand"
--- Mustapha Mond, World Controller (Brave New World)