[Openswan Users] Re: [Openswan Users] 2.6.13 + Klips problems

Andrew Congdon andrew.congdon at iplatinum.com.au
Thu Nov 24 18:07:14 CET 2005


Paul Wouters (paul at xelerance.com) wrote:
>
> On Fri, 4 Nov 2005, Andrew Congdon wrote:
>
> > I'm using several 2.3.1/2.6.12.6 FC4 talking to 2.3.1/2.6.11.6 FC3 and
> > freeswan 2.03/2.4.22 FC1. I'm getting regular:
> >
> > klips_error:ipsec_xmit_send: ip_send() failed, err=-1
>
> You did not have a changing IP address?

Dynamic address but not changing very often at my end, static at the other.

> Is your interface being down'ed
> briefly?

No it's just the ipsec0 connectivity which is being lost. Can still talk
to the public target address just not through the tunnel.

> I've also seen a report that reloading the iptables rules fixed this problem.

Hmmm.. this seems to have some effect with 2.6.11 but not otherwise?!

> Maybe it has something to do with ip_conntrack when NAT/MASQ is used?

I'm MASQing on these machines and conntracking at my end but not the
destination.

> > failed in ISAKMP notify. Errno 105: No buffer space available

This is only when the interface is very busy with both a lot of
traffic and a lot of new connection requests.

> Do you have many instances of non
> established IPsec connections ?

None.

> > The configuration is a point to point openswan IPSEC rsasigkey'd connection
> > with a GRE tunnel on top using OSPF to share routes. I use the KLIPS code to
> > simplify the firewalling via the ipsec[n] interface. This is a long standing
> > configuration (~5 years).
>
> So I am confused as to where the errors are from. The old freeswan or the
> new openswan?

New machines with recent openswan/kernel have problems talking to the older
machines/code both talking to freeswan and openswan.

> > I had to move to 2.4.0 (or 2.4.2dr5) to build with 2.6.13. This creates a
> > curious problem where I can ping remote hosts but can't ssh or http to them
> > whilst I _can_ ftp to them?! Similarly if I try to use 2.4.0 on 2.6.12.6.
>
> Could be mtu issues?

I've tried varying this but it seems to have no effect.

> Did you disable OE in your ipsec.conf? There should be a line saying:
>
> include /etc/ipsec.d/examples/no_oe.conf

Yes that's there.

> > I tried to bypass the problem by moving to 2.6.14 but I can't build 2.4.2rc1:
>
> 2.6.13 and 2.6.14 are mostly untested and untried, and we expect major issues,
> since the networking code in the latest few kernel releases is undergoing
> major surgery.

I've moved on to 2.4.4 and now CVS (v2_4_X branch) with 2.6.13 but no changes.

I've now tried the "fragicmp=no" mentioned elsewhere and that's fixed a lot of
things! I wasn't sure where the original poster had put this so I just hacked
it into startklips to try it. I now have a nearly reliable connection again..
with only 3 of these in the last hour:

klips_error:ipsec_xmit_send: ip_send() failed, err=-1

The "fragicmp" has certainly fixed the routing holes where ftp would traverse
the tunnel but ssh would not! Now if I saturate the tunnel after a couple of
minutes I get:

klips_error:ipsec_xmit_send: ip_send() failed, err=-1
last message repeated 11 times

And the tunnel must be recreated.

> Paul

thanks for the help,
--
Andrew
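An added example that is not part of the thread: a small Python checker for the kernel messages quoted above. It expands syslog's "last message repeated N times" lines onto the preceding klips_error line and counts ip_send() failures per hour, so a burst like the one that forces the tunnel to be recreated can be alerted on. The hostname, timestamps and log excerpt are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed syslog excerpt modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Nov 24 17:02:11 gw kernel: klips_error:ipsec_xmit_send: ip_send() failed, err=-1
Nov 24 17:40:03 gw kernel: klips_error:ipsec_xmit_send: ip_send() failed, err=-1
Nov 24 17:41:15 gw pluto[1234]: "tun" #3: STATE_MAIN_I4: ISAKMP SA established
Nov 24 18:05:09 gw kernel: klips_error:ipsec_xmit_send: ip_send() failed, err=-1
Nov 24 18:05:10 gw last message repeated 11 times
"""

# Classic BSD syslog layout: "Mon dd HH:MM:SS host message"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")
KLIPS_ERR = "klips_error:ipsec_xmit_send: ip_send() failed"


def count_klips_errors(log_text, year=2005):
    """Return {"YYYY-MM-DD HH:00": count} of ip_send() failures.

    syslog collapses identical consecutive lines into "last message repeated
    N times"; those N are credited to the hour of the repeat line only when
    the preceding message was the klips_error we are looking for."""
    counts = Counter()
    last_was_klips = False
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a syslog line we understand
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hour = ts.strftime("%Y-%m-%d %H:00")
        rep = REPEAT_RE.match(m["msg"])
        if rep:
            if last_was_klips:
                counts[hour] += int(rep["n"])
            continue  # a repeat line does not change what "last message" was
        last_was_klips = KLIPS_ERR in m["msg"]
        if last_was_klips:
            counts[hour] += 1
    return dict(counts)


def hours_over_threshold(counts, threshold=10):
    """Hours whose failure count suggests the tunnel has stalled and needs restarting."""
    return sorted(h for h, c in counts.items() if c >= threshold)
```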