[Openswan Users] Problem with CISCO 1841 IOS12.3 eating packets??

Carsten Schlote c.schlote at konzeptpark.de
Fri Dec 1 04:11:05 EST 2006



I've set up a VPN connection between two servers using X509 certificates.
One server is located in the Inet and the other behind a CISCO 1841
router running firmware 12.3 within the DMZ. So both servers have valid
public IPs and the CISCO router is assumed to simply pass on all IPSec
packets between those hosts.


The connection is started as expected and the ISAKMP and IPSec SAs are
created. It's possible to ping and connect via ssh from both sides.


The problem is now as follows: 

* Ping packets of specific sizes, e.g. 1363 to 1400 bytes, are not
passed on by the cisco router. I tried packets with up to 64k, which
work as expected. But there are specific sizes of packets, which do not
work. It's like having 'gaps' or blackholes in the connection.
* SSH connections work well, as long as the created packet
lengths do not fall inside the 'gaps' described above. Obviously this
will happen within a few seconds for things like 'find /' or 'mc', which
output large amounts of data. The connection itself is never terminated
or shut down. Packets get simply lost in the router. I checked packets
received and sent on both sides with tcpdump - everything looks fine.


Both servers use Linux kernel 2.6.17 and openswan (Version 2.4.6
Vendor ID OElLO]RdWNRD) / Linux Openswan U2.4.6/K2.6.17-2-686 (netkey)
from the Debian etch (testing) archive.


So before I start running nuts, I'd like to ask the following questions:

* Has anybody heard about such problems before?
* Is this a CISCO bug?
* Are there workarounds known for this?




Carsten Schlote


