[Openswan Users] Problems with multiple VPN tunnels and RoadWarrios

Wed Sep 7 08:21:57 CEST 2005

On Wed, 2005-09-07 at 10:53 +0200, Andrej Trobentar wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> John A. Sullivan III wrote:
> >
> > A little more information would be helpful. Have you done a packet trace to see where the connectivity is
> > breaking? 
> 
> Here's another session log from ipsec0 interface :
> 
> 1) Without the static tunnel up
> - - doing a "ls -alRh /" on internal host (server.rikom)
> 
> 10:42:19.557694 195.246.28.67.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](58959/38422) {IP 93: 192.168.3.2.1122 > 192.168.15.50.ssh: P
> 9308:9360(52) ack 28861 win 9220 (DF)}
> 10:42:19.558008 193.2.211.10.l2tp > 195.246.28.67.l2tp:  l2tp:[L](10/1)
> {IP 41: 192.168.15.50.ssh > 192.168.3.2.1122: . ack 9360 win 10720 (DF)
> [tos 0x10] } (DF)
> 10:42:19.558349 193.2.211.10.l2tp > 195.246.28.67.l2tp:  l2tp:[L](10/1)
> {IP 93: 192.168.15.50.ssh > 192.168.3.2.1122: P 28861:28913(52) ack 9360
> win 10720 (DF) [tos 0x10] } (DF)
> 10:42:19.562001 193.2.211.10.l2tp > 195.246.28.67.l2tp:  l2tp:[L](10/1)
> {IP 109: 192.168.15.50.ssh > 192.168.3.2.1122: P 28913:28981(68) ack
> 9360 win 10720 (DF) [tos 0x10] } (DF)
> 10:42:19.562956 193.2.211.10.l2tp > 195.246.28.67.l2tp:  l2tp:[L](10/1)
> {IP 157: 192.168.15.50.ssh > 192.168.3.2.1122: P 28981:29097(116) ack
> 9360 win 10720 (DF) [tos 0x10] } (DF)
> 10:42:19.837536 195.246.28.67.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](58959/38422) {IP 93: 192.168.3.2.1122 > 192.168.15.50.ssh: P
> 9360:9412(52) ack 28913 win 9168 (DF)}
> 10:42:19.838123 193.2.211.10.l2tp > 195.246.28.67.l2tp:  l2tp:[L](10/1)
> {IP 1401: 192.168.15.50.ssh > 192.168.3.2.1122: . 29097:30457(1360) ack
> 9412 win 10720 (DF) [tos 0x10] } (DF)
> 10:42:19.838271 193.2.211.10.l2tp > 195.246.28.67.l2tp:  l2tp:[L](10/1)
> {IP 1401: 192.168.15.50.ssh > 192.168.3.2.1122: . 30457:31817(1360) ack
> 9412 win 10720 (DF) [tos 0x10] } (DF)
> 10:42:19.907251 195.246.28.67.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](58959/38422) {IP 93: 192.168.3.2.1122 > 192.168.15.50.ssh: P
> 9412:9464(52) ack 28981 win 9100 (DF)}
> 10:42:19.907715 193.2.211.10.l2tp > 195.246.28.67.l2tp:  l2tp:[L](10/1)
> {IP 1401: 192.168.15.50.ssh > 192.168.3.2.1122: . 31817:33177(1360) ack
> 9464 win 10720 (DF) [tos 0x10] } (DF)
> 10:42:19.907850 193.2.211.10.l2tp > 195.246.28.67.l2tp:  l2tp:[L](10/1)
> {IP 1401: 192.168.15.50.ssh > 192.168.3.2.1122: . 33177:34537(1360) ack
> 9464 win 10720 (DF) [tos 0x10] } (DF)
> 10:42:20.007133 195.246.28.67.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](58959/38422) {IP 93: 192.168.3.2.1122 > 192.168.15.50.ssh: P
> 9464:9516(52) ack 29097 win 8984 (DF)}
> 10:42:20.007603 193.2.211.10.l2tp > 195.246.28.67.l2tp:  l2tp:[L](10/1)
> {IP 1401: 192.168.15.50.ssh > 192.168.3.2.1122: . 34537:35897(1360) ack
> 9516 win 10720 (DF) [tos 0x10] } (DF)
> 10:42:20.007739 193.2.211.10.l2tp > 195.246.28.67.l2tp:  l2tp:[L](10/1)
> {IP 1401: 192.168.15.50.ssh > 192.168.3.2.1122: . 35897:37257(1360) ack
> 9516 win 10720 (DF) [tos 0x10] } (DF)
> 10:42:20.387556 195.246.28.67.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](58959/38422) {IP 93: 192.168.3.2.1122 > 192.168.15.50.ssh: P
> 9516:9568(52) ack 30457 win 9520 (DF)}
> 10:42:20.388049 193.2.211.10.l2tp > 195.246.28.67.l2tp:  l2tp:[L](10/1)
> {IP 1401: 192.168.15.50.ssh > 192.168.3.2.1122: . 37257:38617(1360) ack
> 9568 win 10720 (DF) [tos 0x10] } (DF)
> 10:42:20.388188 193.2.211.10.l2tp > 195.246.28.67.l2tp:  l2tp:[L](10/1)
> {IP 1401: 192.168.15.50.ssh > 192.168.3.2.1122: . 38617:39977(1360) ack
> 9568 win 10720 (DF) [tos 0x10] } (DF)
> 
> 
> As soon as I put the static tunnel up (and ping a host on the other end)
> the log gets like this :
> 
> 2) Wit the static tunnel up
> - - doing a "ls -alRh /" on internal host (server.rikom)
> 
> 10:46:05.727869 195.246.28.67.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](58959/38422) {IP 93: 192.168.3.2.1123 > 192.168.15.50.ssh: P
> 21088:21140(52) ack 66107 win 9520 (DF)}
> 10:46:05.787735 195.246.28.67.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](58959/38422) {IP 93: 192.168.3.2.1123 > 192.168.15.50.ssh: P
> 21140:21192(52) ack 66107 win 9520 (DF)}
> 10:46:05.788046 193.2.211.10.l2tp > 195.246.28.67.l2tp:  l2tp:[L](10/1)
> {IP 41: 192.168.15.50.ssh > 192.168.3.2.1123: . ack 21192 win 10720 (DF)
> [tos 0x10] } (DF)
> 10:46:05.838172 195.246.28.67.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](58959/38422) {IP 93: 192.168.3.2.1123 > 192.168.15.50.ssh: P
> 21192:21244(52) ack 66107 win 9520 (DF)}
> 10:46:05.886957 195.246.28.67.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](58959/38422) {IP 93: 192.168.3.2.1123 > 192.168.15.50.ssh: P
> 21244:21296(52) ack 66107 win 9520 (DF)}
> 10:46:05.927659 195.246.28.67.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](58959/38422) {IP 93: 192.168.3.2.1123 > 192.168.15.50.ssh: P
> 21296:21348(52) ack 66107 win 9520 (DF)}
> 10:46:05.928105 193.2.211.10.l2tp > 195.246.28.67.l2tp:  l2tp:[L](10/1)
> {IP 41: 192.168.15.50.ssh > 192.168.3.2.1123: . ack 21348 win 10720 (DF)
> [tos 0x10] } (DF)
> 10:46:05.977842 195.246.28.67.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](58959/38422) {IP 93: 192.168.3.2.1123 > 192.168.15.50.ssh: P
> 21348:21400(52) ack 66107 win 9520 (DF)}
> 10:46:06.057516 195.246.28.67.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](58959/38422) {IP 93: 192.168.3.2.1123 > 192.168.15.50.ssh: P
> 21400:21452(52) ack 66107 win 9520 (DF)}
> 10:46:06.057892 193.2.211.10.l2tp > 195.246.28.67.l2tp:  l2tp:[L](10/1)
> {IP 41: 192.168.15.50.ssh > 192.168.3.2.1123: . ack 21452 win 10720 (DF)
> [tos 0x10] } (DF)
> 10:46:11.949561 193.2.211.10.l2tp > 195.246.28.67.l2tp:  l2tp:[L](10/1)
> {IP 1384: truncated-ip - 17 bytes missing!192.168.15.50.ssh >
> 192.168.3.2.1123: . 66107:67467(1360) ack 21452 win 10720 (DF) [tos
> 0x10] } (frag 35299:1400 at 0+)
> 10:46:11.949664 193.2.211.10 > 195.246.28.67: (frag 35299:17 at 1400)
> 10:46:24.690026 193.2.211.10.l2tp > 195.246.28.67.l2tp:  l2tp:[L](10/1)
> {IP 1384: truncated-ip - 17 bytes missing!192.168.15.50.ssh >
> 192.168.3.2.1123: . 66107:67467(1360) ack 21452 win 10720 (DF) [tos
> 0x10] } (frag 35300:1400 at 0+)
> 10:46:24.690129 193.2.211.10 > 195.246.28.67: (frag 35300:17 at 1400)
> 
> 
> Notice the "... truncated-ip - 17 bytes missing!..." errors. Any ideas?
<snip>
Ah, interesting.  So I wonder if the problem is large file transfers or
large packets.  You said that you could successfully ping.  What happens
if you ping with a large packet size (ping -s or -l depending on your
OS)? Do you break immediately? - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net