[Openswan Users] Routing problem with NETKEY

Andy Gay andy at andynet.net
Fri Aug 4 06:55:44 EDT 2006


On Fri, 2006-08-04 at 11:32 -0400, Andy Gay wrote:
> On Fri, 2006-08-04 at 17:25 +0200, Paul Wouters wrote:
> > On Fri, 4 Aug 2006, Andy Gay wrote:
> > 
> > > > I did some tcpdumping, and I can
> > > >
> > > >  - see the esp packets coming in from eth2
> > > >
> > > > 19:43:46.402321 IP 27.127.49.158 > 22.236.122.253: ESP(spi=0x8b5ff54d,seq=0x76), length 468
> > > >
> > > >  - I can see the decrypted packets appear in eth2, with the correct
> > > >    origin and destination addresses
> > > >
> > > > 19:43:46.402321 IP 10.10.1.1.netinfo-local > 22.236.122.1.syslog: SYSLOG daemon.notice, length: 409
> > > >
> > > >    - Still, these never appear in the forward chain
> > > >  - and thus, I don't see them in the internal interface
> > > >
> > > > Except for icmp packets. They appear everywhere just like they should.
> > >
> > > That's why I'd suspect your iptables rules. That's really the only place
> > > where packets get treated differently depending on their type.
> > 
> > Or it could be MTU issues.
> Maybe. But that 1 example packet dump he gives us is only 468 bytes even
> for the encapsulated packet. No real world MTU is that low, is it :)
> MTU problems tend to show up as connections getting set up OK but later
> packets getting lost.

Of course there could be other big packets getting lost here, I'm sure
that's what you meant. But this packet certainly made it OK and shows up
decrypted, but we're told it's not being forwarded. Why could that be?
The decrypted packet looks OK. So we're looking at a routing or firewall
problem, aren't we. And if ICMP gets through OK, routing must be good.

So I'd really like to see those iptables rules...

> 
> >  Try lowering the mtu, either on both sides, or the
> > remote side (eg not this end), or try disabling path MTU discovery on both
> > ends using: echo "0" > /proc/sys/net/ipv4/ip_no_pmtu_disc
> > 
> > Paul
> > -- 
> > Building and integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> > 