[Openswan Users] Re: [Openswan Users] 2.6.13 + Klips problems

Paul Wouters paul at xelerance.com
Thu Nov 24 09:07:33 CET 2005


On Thu, 24 Nov 2005, Andrew Congdon wrote:

> >
> > You did not have a changing IP address?
>
> Dynamic address but not changing very often at my end, static at the other.
>
> > Is your interface being down'ed
> > briefly?
>
> No it's just the ipsec0 connectivity which is being lost. Can still talk
> to the public target address just not through the tunnel.

Is it the roadwarrior that was gone briefly?

> New machines with recent openswan/kernel have problems talking to the older
> machines/code both talking to freeswan and openswan.
>
> > > I had to move to 2.4.0 (or 2.4.2dr5) to build with 2.6.13. This creates a
> > > curious problem where I can ping remote hosts but can't ssh or http to them
> > > whilst I _can_ ftp to them?! Similarly if I try to use 2.4.0 on 2.6.12.6.
> >
> > Could be mtu issues?
>
> I've tried varying this but it seems to have no effect.

> I've now tried the "fragicmp=no" mentioned elsewhere and that's fixed a lot of
> things! I wasn't sure where the original poster had put this so I just hacked
> it into startklips to try it. I now have a nearly reliable connection again..
> with only 3 of these in the last hour:

You can just add it to the config setup section.

> The "fragicmp" has certainly fixed the routing holes where ftp would traverse
> the tunnel but ssh would not! Now if I saturate the tunnel after a couple of
> minutes I get:
>
> klips_error:ipsec_xmit_send: ip_send() failed, err=-1
> last message repeated 11 times
>
> And the tunnel must be recreated.

Hmm, that's a bug that is hard to trace....

This is NETKEY right? You could try KLIPS.

Paul

