[Openswan Users] Problems with multiple VPN tunnels and RoadWarriors

John A. Sullivan III jsullivan at opensourcedevel.com
Thu Sep 8 09:18:33 CEST 2005


On Thu, 2005-09-08 at 11:35 +0200, Andrej Trobentar wrote:
> John A. Sullivan III wrote:
> >>
> >>Here's my test :
> >>
> >>1) Only roadwarrior active
> >>- - "ping <internal server>" OK
> >>- - "ping -l 10240 <internal server>" OK
> >>
> >>Here's the trace :
> >>13:39:02.049680 192.168.3.2 > 192.168.15.50: icmp: echo request
> >>13:39:02.050144 192.168.15.50 > 192.168.3.2: icmp: echo reply
> >>13:39:03.049816 192.168.3.2 > 192.168.15.50: icmp: echo request
> >>13:39:03.050275 192.168.15.50 > 192.168.3.2: icmp: echo reply
> >>13:39:04.054154 192.168.3.2 > 192.168.15.50: icmp: echo request
> >>13:39:04.054622 192.168.15.50 > 192.168.3.2: icmp: echo reply
> >>13:39:05.047823 192.168.3.2 > 192.168.15.50: icmp: echo request
> >>13:39:05.048300 192.168.15.50 > 192.168.3.2: icmp: echo reply
> 
> Sorry, I posted the wrong trace. Here is the right one :
> 
> 1) Only roadwarrior active (static tunnel down)
> 
> - - "ping -n 3 -w 10000 -l 10240 <internal server>" OK
> 
> Trace on ppp0 interface :
> 
> 10:58:04.756663 192.168.3.2 > 192.168.15.50: icmp: echo request (frag
> 2381:1376 at 0+)
> 10:58:05.210018 192.168.3.2 > 192.168.15.50: (frag 2381:1376 at 1376+)
> 10:58:05.664597 192.168.3.2 > 192.168.15.50: (frag 2381:1376 at 2752+)
> 10:58:06.118750 192.168.3.2 > 192.168.15.50: (frag 2381:1376 at 4128+)
> 10:58:06.601797 192.168.3.2 > 192.168.15.50: (frag 2381:1376 at 5504+)
> 10:58:07.019152 192.168.3.2 > 192.168.15.50: (frag 2381:1376 at 6880+)
> 10:58:07.471866 192.168.3.2 > 192.168.15.50: (frag 2381:1376 at 8256+)
> 10:58:07.655055 192.168.3.2 > 192.168.15.50: (frag 2381:616 at 9632)
> 10:58:07.657233 192.168.15.50 > 192.168.3.2: icmp: echo reply (frag
> 13018:1376 at 0+)
> 10:58:07.657248 192.168.15.50 > 192.168.3.2: (frag 13018:1376 at 1376+)
> 10:58:07.657260 192.168.15.50 > 192.168.3.2: (frag 13018:1376 at 2752+)
> 10:58:07.657271 192.168.15.50 > 192.168.3.2: (frag 13018:1376 at 4128+)
> 10:58:07.657273 192.168.15.50 > 192.168.3.2: (frag 13018:1376 at 5504+)
> 10:58:07.657330 192.168.15.50 > 192.168.3.2: (frag 13018:1376 at 6880+)
> 10:58:07.657354 192.168.15.50 > 192.168.3.2: (frag 13018:1376 at 8256+)
> 10:58:07.657620 192.168.15.50 > 192.168.3.2: (frag 13018:616 at 9632)
> 10:58:13.549765 192.168.3.2 > 192.168.15.50: icmp: echo request (frag
> 2392:1376 at 0+)
> 10:58:14.004687 192.168.3.2 > 192.168.15.50: (frag 2392:1376 at 1376+)
> 10:58:14.465837 192.168.3.2 > 192.168.15.50: (frag 2392:1376 at 2752+)
> 10:58:14.933238 192.168.3.2 > 192.168.15.50: (frag 2392:1376 at 4128+)
> 10:58:15.379927 192.168.3.2 > 192.168.15.50: (frag 2392:1376 at 5504+)
> 10:58:15.831569 192.168.3.2 > 192.168.15.50: (frag 2392:1376 at 6880+)
> 10:58:16.250586 192.168.3.2 > 192.168.15.50: (frag 2392:1376 at 8256+)
> 10:58:16.456438 192.168.3.2 > 192.168.15.50: (frag 2392:616 at 9632)
> 10:58:16.458610 192.168.15.50 > 192.168.3.2: icmp: echo reply (frag
> 13019:1376 at 0+)
> 10:58:16.458626 192.168.15.50 > 192.168.3.2: (frag 13019:1376 at 1376+)
> 10:58:16.458653 192.168.15.50 > 192.168.3.2: (frag 13019:1376 at 2752+)
> 10:58:16.458664 192.168.15.50 > 192.168.3.2: (frag 13019:1376 at 4128+)
> 10:58:16.458666 192.168.15.50 > 192.168.3.2: (frag 13019:1376 at 5504+)
> 10:58:16.458727 192.168.15.50 > 192.168.3.2: (frag 13019:1376 at 6880+)
> 10:58:16.458738 192.168.15.50 > 192.168.3.2: (frag 13019:1376 at 8256+)
> 10:58:16.458979 192.168.15.50 > 192.168.3.2: (frag 13019:616 at 9632)
> 
> 
> Trace on ipsec0 interface :
> 
> 11:08:10.527335 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 59: 192.168.3.2.1029 > 192.168.15.1.domain:
> 10729+[|domain]}
> 11:08:10.527620 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 134: 192.168.15.1.domain > 192.168.3.2.1029:  10729
> NXDomain[|domain] (DF)} (DF)
> 11:08:10.761411 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 72: 192.168.3.2.1029 > 192.168.15.1.domain:
> 51691+[|domain]}
> 11:08:10.761940 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 161: 192.168.15.1.domain > 192.168.3.2.1029:  51691*[|domain] (DF)} (DF)
> 11:08:11.454528 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: icmp: echo
> request (frag 2895:1376 at 0+)}
> 11:08:11.907202 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 2895:1376 at 1376+)}
> 11:08:12.361858 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 2895:1376 at 2752+)}
> 11:08:12.815708 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 2895:1376 at 4128+)}
> 11:08:13.299623 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 2895:1376 at 5504+)}
> 11:08:13.715742 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 2895:1376 at 6880+)}
> 11:08:14.168075 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 2895:1376 at 8256+)}
> 11:08:14.352820 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 637: 192.168.3.2 > 192.168.15.50: (frag
> 2895:616 at 9632)}
> 11:08:14.355266 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1397: 192.168.15.50 > 192.168.3.2: icmp: echo reply (frag
> 13035:1376 at 0+)} (DF)
> 11:08:14.355373 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1397: 192.168.15.50 > 192.168.3.2: (frag 13035:1376 at 1376+)} (DF)
> 11:08:14.355524 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1397: 192.168.15.50 > 192.168.3.2: (frag 13035:1376 at 2752+)} (DF)
> 11:08:14.355630 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1397: 192.168.15.50 > 192.168.3.2: (frag 13035:1376 at 4128+)} (DF)
> 11:08:14.355753 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1397: 192.168.15.50 > 192.168.3.2: (frag 13035:1376 at 5504+)} (DF)
> 11:08:14.355858 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1397: 192.168.15.50 > 192.168.3.2: (frag 13035:1376 at 6880+)} (DF)
> 11:08:14.355961 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1397: 192.168.15.50 > 192.168.3.2: (frag 13035:1376 at 8256+)} (DF)
> 11:08:14.356060 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 637: 192.168.15.50 > 192.168.3.2: (frag 13035:616 at 9632)} (DF)
> 11:08:17.638776 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: icmp: echo
> request (frag 2906:1376 at 0+)}
> 11:08:18.092453 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 2906:1376 at 1376+)}
> 11:08:18.545142 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 2906:1376 at 2752+)}
> 11:08:18.999619 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 2906:1376 at 4128+)}
> 11:08:19.465229 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 2906:1376 at 5504+)}
> 11:08:19.917615 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 2906:1376 at 6880+)}
> 11:08:20.336312 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 2906:1376 at 8256+)}
> 11:08:20.537547 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 637: 192.168.3.2 > 192.168.15.50: (frag
> 2906:616 at 9632)}
> 11:08:20.542779 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1397: 192.168.15.50 > 192.168.3.2: icmp: echo reply (frag
> 13036:1376 at 0+)} (DF)
> 11:08:20.542911 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1397: 192.168.15.50 > 192.168.3.2: (frag 13036:1376 at 1376+)} (DF)
> 11:08:20.543084 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1397: 192.168.15.50 > 192.168.3.2: (frag 13036:1376 at 2752+)} (DF)
> 11:08:20.543211 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1397: 192.168.15.50 > 192.168.3.2: (frag 13036:1376 at 4128+)} (DF)
> 11:08:20.543353 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1397: 192.168.15.50 > 192.168.3.2: (frag 13036:1376 at 5504+)} (DF)
> 11:08:20.543545 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1397: 192.168.15.50 > 192.168.3.2: (frag 13036:1376 at 6880+)} (DF)
> 11:08:20.543693 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1397: 192.168.15.50 > 192.168.3.2: (frag 13036:1376 at 8256+)} (DF)
> 11:08:20.543818 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 637: 192.168.15.50 > 192.168.3.2: (frag 13036:616 at 9632)} (DF)
> 
> 
> Everything looks OK.
> Here comes the funny part now (test 2).
> 
> 
> 2) The roadwarrior tunnel up and the static tunnel up
> 
> - - "ping -n 3 -w 10000 -l 10240 <internal server>"  FAILED ("Request
> timed out" on Windows XP notebook)
> 
> 
> Trace on ppp0 interface :
> 
> 11:00:35.787590 192.168.3.2 > 192.168.15.50: icmp: echo request (frag
> 2585:1376 at 0+)
> 11:00:36.243428 192.168.3.2 > 192.168.15.50: (frag 2585:1376 at 1376+)
> 11:00:36.695949 192.168.3.2 > 192.168.15.50: (frag 2585:1376 at 2752+)
> 11:00:37.148897 192.168.3.2 > 192.168.15.50: (frag 2585:1376 at 4128+)
> 11:00:37.612016 192.168.3.2 > 192.168.15.50: (frag 2585:1376 at 5504+)
> 11:00:38.065546 192.168.3.2 > 192.168.15.50: (frag 2585:1376 at 6880+)
> 11:00:38.484157 192.168.3.2 > 192.168.15.50: (frag 2585:1376 at 8256+)
> 11:00:38.707614 192.168.3.2 > 192.168.15.50: (frag 2585:616 at 9632)
> 11:00:38.709779 192.168.15.50 > 192.168.3.2: icmp: echo reply (frag
> 13022:1376 at 0+)
> 11:00:38.709795 192.168.15.50 > 192.168.3.2: (frag 13022:1376 at 1376+)
> 11:00:38.709806 192.168.15.50 > 192.168.3.2: (frag 13022:1376 at 2752+)
> 11:00:38.709818 192.168.15.50 > 192.168.3.2: (frag 13022:1376 at 4128+)
> 11:00:38.709820 192.168.15.50 > 192.168.3.2: (frag 13022:1376 at 5504+)
> 11:00:38.710255 192.168.15.50 > 192.168.3.2: (frag 13022:1376 at 6880+)
> 11:00:38.710266 192.168.15.50 > 192.168.3.2: (frag 13022:1376 at 8256+)
> 11:00:38.710620 192.168.15.50 > 192.168.3.2: (frag 13022:616 at 9632)
> 11:00:47.195041 192.168.3.2 > 192.168.15.50: icmp: echo request (frag
> 2623:1376 at 0+)
> 11:00:47.647732 192.168.3.2 > 192.168.15.50: (frag 2623:1376 at 1376+)
> 11:00:48.102083 192.168.3.2 > 192.168.15.50: (frag 2623:1376 at 2752+)
> 11:00:48.557165 192.168.3.2 > 192.168.15.50: (frag 2623:1376 at 4128+)
> 11:00:49.019963 192.168.3.2 > 192.168.15.50: (frag 2623:1376 at 5504+)
> 11:00:49.474121 192.168.3.2 > 192.168.15.50: (frag 2623:1376 at 6880+)
> 11:00:49.894528 192.168.3.2 > 192.168.15.50: (frag 2623:1376 at 8256+)
> 11:00:50.086320 192.168.3.2 > 192.168.15.50: (frag 2623:616 at 9632)
> 11:00:50.089540 192.168.15.50 > 192.168.3.2: icmp: echo reply (frag
> 13023:1376 at 0+)
> 11:00:50.089557 192.168.15.50 > 192.168.3.2: (frag 13023:1376 at 1376+)
> 11:00:50.089586 192.168.15.50 > 192.168.3.2: (frag 13023:1376 at 2752+)
> 11:00:50.089618 192.168.15.50 > 192.168.3.2: (frag 13023:1376 at 4128+)
> 11:00:50.089620 192.168.15.50 > 192.168.3.2: (frag 13023:1376 at 5504+)
> 11:00:50.090261 192.168.15.50 > 192.168.3.2: (frag 13023:1376 at 6880+)
> 11:00:50.090272 192.168.15.50 > 192.168.3.2: (frag 13023:1376 at 8256+)
> 11:00:50.090727 192.168.15.50 > 192.168.3.2: (frag 13023:616 at 9632)
> 
> This looks OK to me, but I don't understand why the roadwarrior client
> gets a "Request timed out". On the ipsec0 interface there's again the
> "... 13 bytes missing! ..." error.
> 
> 
> Trace on ipsec0 interface :
> 
> 11:13:54.057019 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: icmp: echo
> request (frag 3043:1376 at 0+)}
> 11:13:54.511383 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 3043:1376 at 1376+)}
> 11:13:54.965166 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 3043:1376 at 2752+)}
> 11:13:55.419800 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 3043:1376 at 4128+)}
> 11:13:55.904027 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 3043:1376 at 5504+)}
> 11:13:56.337434 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 3043:1376 at 6880+)}
> 11:13:56.774118 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 3043:1376 at 8256+)}
> 11:13:56.959407 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 637: 192.168.3.2 > 192.168.15.50: (frag
> 3043:616 at 9632)}
> 11:13:56.961839 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1384: truncated-ip - 13 bytes missing!192.168.15.50 > 192.168.3.2:
> icmp: echo reply (frag 13045:1376 at 0+)} (frag 18662:1400 at 0+)
> 11:13:56.961950 193.2.211.10 > 195.246.29.79: (frag 18662:13 at 1400)
> 11:13:56.961971 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1384: truncated-ip - 13 bytes missing!192.168.15.50 > 192.168.3.2:
> (frag 13045:1376 at 1376+)} (frag 18663:1400 at 0+)
> 11:13:56.962050 193.2.211.10 > 195.246.29.79: (frag 18663:13 at 1400)
> 11:13:56.962094 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1384: truncated-ip - 13 bytes missing!192.168.15.50 > 192.168.3.2:
> (frag 13045:1376 at 2752+)} (frag 18664:1400 at 0+)
> 11:13:56.962171 193.2.211.10 > 195.246.29.79: (frag 18664:13 at 1400)
> 11:13:56.962189 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1384: truncated-ip - 13 bytes missing!192.168.15.50 > 192.168.3.2:
> (frag 13045:1376 at 4128+)} (frag 18665:1400 at 0+)
> 11:13:56.962266 193.2.211.10 > 195.246.29.79: (frag 18665:13 at 1400)
> 11:13:56.962283 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1384: truncated-ip - 13 bytes missing!192.168.15.50 > 192.168.3.2:
> (frag 13045:1376 at 5504+)} (frag 18666:1400 at 0+)
> 11:13:56.962360 193.2.211.10 > 195.246.29.79: (frag 18666:13 at 1400)
> 11:13:56.962380 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1384: truncated-ip - 13 bytes missing!192.168.15.50 > 192.168.3.2:
> (frag 13045:1376 at 6880+)} (frag 18667:1400 at 0+)
> 11:13:56.962459 193.2.211.10 > 195.246.29.79: (frag 18667:13 at 1400)
> 11:13:56.962476 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1384: truncated-ip - 13 bytes missing!192.168.15.50 > 192.168.3.2:
> (frag 13045:1376 at 8256+)} (frag 18668:1400 at 0+)
> 11:13:56.962555 193.2.211.10 > 195.246.29.79: (frag 18668:13 at 1400)
> 11:13:56.962565 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 637: 192.168.15.50 > 192.168.3.2: (frag 13045:616 at 9632)} (DF)
> 11:14:05.253993 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: icmp: echo
> request (frag 3054:1376 at 0+)}
> 11:14:05.748867 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 3054:1376 at 1376+)}
> 11:14:06.163696 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 3054:1376 at 2752+)}
> 11:14:06.617696 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 3054:1376 at 4128+)}
> 11:14:07.098576 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 3054:1376 at 5504+)}
> 11:14:07.515669 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 3054:1376 at 6880+)}
> 11:14:07.966943 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 3054:1376 at 8256+)}
> 11:14:08.156455 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 637: 192.168.3.2 > 192.168.15.50: (frag
> 3054:616 at 9632)}
> 11:14:08.159507 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1397: 192.168.15.50 > 192.168.3.2: icmp: echo reply (frag
> 13046:1376 at 0+)} (DF)
> 11:14:08.159640 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1384: truncated-ip - 13 bytes missing!192.168.15.50 > 192.168.3.2:
> (frag 13046:1376 at 1376+)} (frag 18669:1400 at 0+)
> 11:14:08.159731 193.2.211.10 > 195.246.29.79: (frag 18669:13 at 1400)
> 11:14:08.159778 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1384: truncated-ip - 13 bytes missing!192.168.15.50 > 192.168.3.2:
> (frag 13046:1376 at 2752+)} (frag 18670:1400 at 0+)
> 11:14:08.159856 193.2.211.10 > 195.246.29.79: (frag 18670:13 at 1400)
> 11:14:08.159874 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1384: truncated-ip - 13 bytes missing!192.168.15.50 > 192.168.3.2:
> (frag 13046:1376 at 4128+)} (frag 18671:1400 at 0+)
> 11:14:08.159967 193.2.211.10 > 195.246.29.79: (frag 18671:13 at 1400)
> 11:14:08.159990 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1384: truncated-ip - 13 bytes missing!192.168.15.50 > 192.168.3.2:
> (frag 13046:1376 at 5504+)} (frag 18672:1400 at 0+)
> 11:14:08.160068 193.2.211.10 > 195.246.29.79: (frag 18672:13 at 1400)
> 11:14:08.160108 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1384: truncated-ip - 13 bytes missing!192.168.15.50 > 192.168.3.2:
> (frag 13046:1376 at 6880+)} (frag 18673:1400 at 0+)
> 11:14:08.160186 193.2.211.10 > 195.246.29.79: (frag 18673:13 at 1400)
> 11:14:08.160203 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1384: truncated-ip - 13 bytes missing!192.168.15.50 > 192.168.3.2:
> (frag 13046:1376 at 8256+)} (frag 18674:1400 at 0+)
> 11:14:08.160280 193.2.211.10 > 195.246.29.79: (frag 18674:13 at 1400)
> 11:14:08.160290 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 637: 192.168.15.50 > 192.168.3.2: (frag 13046:616 at 9632)} (DF)
> 11:14:16.266443 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: icmp: echo
> request (frag 3065:1376 at 0+)}
> 11:14:16.721605 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 3065:1376 at 1376+)}
> 11:14:17.176082 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 3065:1376 at 2752+)}
> 11:14:17.629216 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 3065:1376 at 4128+)}
> 11:14:18.097138 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 3065:1376 at 5504+)}
> 11:14:18.548073 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 3065:1376 at 6880+)}
> 11:14:18.967415 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 1397: 192.168.3.2 > 192.168.15.50: (frag
> 3065:1376 at 8256+)}
> 11:14:19.167092 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[L](60426/54288) {IP 637: 192.168.3.2 > 192.168.15.50: (frag
> 3065:616 at 9632)}
> 11:14:19.169500 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1384: truncated-ip - 13 bytes missing!192.168.15.50 > 192.168.3.2:
> icmp: echo reply (frag 13047:1376 at 0+)} (frag 18675:1400 at 0+)
> 11:14:19.169591 193.2.211.10 > 195.246.29.79: (frag 18675:13 at 1400)
> 11:14:19.169612 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1384: truncated-ip - 13 bytes missing!192.168.15.50 > 192.168.3.2:
> (frag 13047:1376 at 1376+)} (frag 18676:1400 at 0+)
> 11:14:19.169691 193.2.211.10 > 195.246.29.79: (frag 18676:13 at 1400)
> 11:14:19.169735 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1384: truncated-ip - 13 bytes missing!192.168.15.50 > 192.168.3.2:
> (frag 13047:1376 at 2752+)} (frag 18677:1400 at 0+)
> 11:14:19.169812 193.2.211.10 > 195.246.29.79: (frag 18677:13 at 1400)
> 11:14:19.169830 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1384: truncated-ip - 13 bytes missing!192.168.15.50 > 192.168.3.2:
> (frag 13047:1376 at 4128+)} (frag 18678:1400 at 0+)
> 11:14:19.169909 193.2.211.10 > 195.246.29.79: (frag 18678:13 at 1400)
> 11:14:19.169926 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1384: truncated-ip - 13 bytes missing!192.168.15.50 > 192.168.3.2:
> (frag 13047:1376 at 5504+)} (frag 18679:1400 at 0+)
> 11:14:19.170004 193.2.211.10 > 195.246.29.79: (frag 18679:13 at 1400)
> 11:14:19.170023 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1384: truncated-ip - 13 bytes missing!192.168.15.50 > 192.168.3.2:
> (frag 13047:1376 at 6880+)} (frag 18680:1400 at 0+)
> 11:14:19.170102 193.2.211.10 > 195.246.29.79: (frag 18680:13 at 1400)
> 11:14:19.170120 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 1384: truncated-ip - 13 bytes missing!192.168.15.50 > 192.168.3.2:
> (frag 13047:1376 at 8256+)} (frag 18681:1400 at 0+)
> 11:14:19.170198 193.2.211.10 > 195.246.29.79: (frag 18681:13 at 1400)
> 11:14:19.170208 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1)
> {IP 637: 192.168.15.50 > 192.168.3.2: (frag 13047:616 at 9632)} (DF)
> 11:14:39.127128 193.2.211.10.l2tp > 195.246.29.79.l2tp:
> l2tp:[TLS](6/0)Ns=8,Nr=4 *MSGTYPE(HELLO)  (DF)
> 11:14:39.295596 195.246.29.79.l2tp > 193.2.211.10.l2tp:
> l2tp:[TLS](60426/0)Ns=4,Nr=9 ZLB
> 
> 
> > <snip>
> > Bizarre! At least we're getting closer. So we know it is a fragmentation
> > problem.  However, what changes when the LAN-to-LAN tunnel is activated?
> > Does it run any special updown script that manipulates fragments?
> 
> As seen from the ipsec.conf there are no other scripts run when the
> tunnel goes up.
> 
> > Let me see if I understand this trace correctly.  It mystifies me that
> > the change appears to be on the client side.  So you first do a large
> > ping without the LAN-to-LAN tunnel up.  Why does your trace not show the
> > fragments? 
> 
> I made a mistake in my previous post and posted the wrong trace, sorry.
> Any other ideas maybe?
> 
<snip>
Hmmm . . . I really don't know for sure, don't know a whole lot about
L2TP and PPP and I'm afraid I don't have the time right now to work
through it.

This may be a false lead but I find it interesting that the gateway side
is setting the do not fragment bit on the L2TP packets which contain the
ping fragments.  They appear to be missing in the failed transmission.

I do not know what that means.  First, I do not know what openswan does
when it encounters the need to encapsulate a packet with DF that will
not fit in the encapsulated packet.  I would assume it drops it rather
than truncates it.  I suppose if one really wanted to have fun, one
could increase the packet size from 1362 upwards and see when the DF bit
disappears from the L2TP packet, match the offset from 1362 with the
offset from the beginning of the IP header and see if openswan truncates
from the front of the packet!

Second, I have no idea why activating the LAN-to-LAN tunnel provokes the
problem.

Is it possible to tell the L2TP server to not set the DF bit or to use a
smaller MTU? Of course, this still doesn't explain why the L2L tunnel
causes the problem.

Does anyone else on the list know more about the internals of L2TP to
help here? Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
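As an added illustration of the fragment accounting discussed in this thread (not code from the thread, from Openswan or from the L2TP daemon), the following Python parses tcpdump's "(frag ID:LEN at OFF+)" notation from the ipsec0 traces, checks per fragment ID whether the capture accounts for every byte of both the outer IPsec-side packet and the L2TP-carried inner packet, and reports whether the outer packet carried the DF bit John points at. The sample lines are taken from the traces above and re-joined onto single lines.

```python
"""Added example (not from the original thread): check whether the fragments
tcpdump printed as "(frag ID:LEN at OFF[+])" in the ipsec0 traces above
reassemble, for both the outer IPsec-side packet and the L2TP-carried inner
IP packet shown inside the braces."""
import re
from collections import defaultdict

# LEN payload bytes at byte offset OFF; "+" is the More-Fragments bit.
FRAG_RE = re.compile(r"\(frag (\d+):(\d+) at (\d+)(\+?)\)")
ADDR_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)(?:\.\w+)? > (\d+\.\d+\.\d+\.\d+)")


def parse_line(line):
    """One fragment record per layer: "inner" is the {...} part, "outer" the rest."""
    inner = re.search(r"\{(.*)\}", line)
    layers = [("outer", re.sub(r"\{.*\}", "", line))]
    if inner:
        layers.append(("inner", inner.group(1)))
    records = []
    for layer, text in layers:
        addr, frag = ADDR_RE.search(text), FRAG_RE.search(text)
        if addr and frag:
            fid, length, off, more = frag.groups()
            records.append({"layer": layer, "src": addr.group(1),
                            "dst": addr.group(2), "id": int(fid),
                            "len": int(length), "off": int(off),
                            "more": more == "+"})
    return records


def outer_df(line):
    """True when the outer packet (outside the braces) carries the DF bit."""
    return "(DF)" in re.sub(r"\{.*\}", "", line)


def check_reassembly(lines):
    """Group fragments by (layer, src, dst, id); offsets must run contiguously
    from 0 and the last fragment must clear More-Fragments. Returns {key: (status, bytes)}."""
    groups = defaultdict(list)
    for line in lines:
        for r in parse_line(line):
            groups[(r["layer"], r["src"], r["dst"], r["id"])].append(r)
    result = {}
    for key, frags in groups.items():
        frags.sort(key=lambda r: r["off"])
        expected, status = 0, "complete"
        for f in frags:
            if f["off"] != expected:
                status = "gap at byte %d" % expected
                break
            expected = f["off"] + f["len"]
        else:
            if frags[-1]["more"]:
                status = "tail missing after byte %d" % expected
        result[key] = (status, expected)
    return result


# Constructed sample: three lines of the failing (test 2) ipsec0 trace above,
# re-joined onto single lines. Outer ID 18662 was split into 1400 + 13 bytes;
# only the first and last inner fragments of ID 13045 are included, so the
# inner check reports a gap exactly as it would for genuinely lost fragments.
FAILING = [
    "11:13:56.961839 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1) "
    "{IP 1384: truncated-ip - 13 bytes missing!192.168.15.50 > 192.168.3.2: "
    "icmp: echo reply (frag 13045:1376 at 0+)} (frag 18662:1400 at 0+)",
    "11:13:56.961950 193.2.211.10 > 195.246.29.79: (frag 18662:13 at 1400)",
    "11:13:56.962565 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1) "
    "{IP 637: 192.168.15.50 > 192.168.3.2: (frag 13045:616 at 9632)} (DF)",
]
# One line of the working (test 1) trace: outer packet sent whole, DF set.
WORKING = ("11:08:14.355266 193.2.211.10.l2tp > 195.246.29.79.l2tp:  l2tp:[L](6/1) "
           "{IP 1397: 192.168.15.50 > 192.168.3.2: icmp: echo reply "
           "(frag 13035:1376 at 0+)} (DF)")
```

Outer ID 18662 reassembles to 1413 bytes, 16 bytes of encapsulation headers more than the 1397-byte inner packet it carries, which is why the first 1400-byte outer fragment holds only 1384 inner bytes and tcpdump flags 13 as missing; the inner packet is only whole once the 13-byte outer tail fragment is also accounted for.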
