[Openswan Users] L2TP / IPSEC (certificate) with Cisco Systems, Inc./VPN 3000 Concentrator

Dick dm at chello.nl
Sat Dec 9 08:46:09 EST 2006


Hi All,

I've had some communication with Jacco de Leeuw about my Cisco 3000 Concentrator
troubles. I've learned a lot: "ignoring unknown Vendor ID payload
[4048b7d56ebce88525e7de7f00d6c2d3c0000000]" is about fragmentation (echo -n
'FRAGMENTATION' | md5sum gives: 4048b7d56ebce88525e7de7f00d6c2d3), and I have
fixed most of the ipsec barf warnings.

I think my problem is related to the fragmentation; the Concentrator is crying
(by ICMP) about timed-out fragments.

On wiki.openswan.org
(http://wiki.openswan.org/index.php/Openswan/DebuggingTcpdump) I've found the
following statement: "Note that Linux sends the fragments *BEFORE* the initial
fragment." which could explain why my connection is working from Windows but
isn't working from Linux (there could be a crappy router in between). But my
tests didn't confirm this behaviour (or is Openswan playing a fragmentation
trick?).

Fragmented ping seems to reply fine, maybe it is UDP related...

I hope someone knows what I might be doing wrong.

Thanks in advance,
Dick
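
The Vendor ID check described in the message above, as an added example that is not part of the original post and is not Openswan code: it pulls Vendor ID payloads out of log lines and tests whether the first 16 bytes are the MD5 of a candidate string, reporting any trailing bytes without interpreting them. The candidate list beyond 'FRAGMENTATION', the connection name "l2tp-cert" and the sample log lines are assumptions constructed for illustration.

```python
import hashlib
import re

# Candidate strings to hash. 'FRAGMENTATION' comes from the post; the
# others are assumed candidates added for illustration.
CANDIDATES = [b"FRAGMENTATION", b"RFC 3947", b"draft-ietf-ipsec-nat-t-ike-03"]

# Matches the bracketed hex in "... Vendor ID payload [hex]" log messages.
VID_RE = re.compile(r"Vendor ID payload \[([0-9a-fA-F]+)\]")


def identify_vid(vid_hex, candidates=CANDIDATES):
    """Return (string, trailing_hex) if the VID starts with MD5(string), else None."""
    try:
        vid = bytes.fromhex(vid_hex)
    except ValueError:  # odd-length or otherwise malformed hex
        return None
    for text in candidates:
        if vid[:16] == hashlib.md5(text).digest():
            # Bytes after the 16-byte hash are returned as-is, uninterpreted.
            return text.decode(), vid[16:].hex()
    return None


def scan_log(lines, candidates=CANDIDATES):
    """Return [(vid_hex, match_or_None)] for every Vendor ID found in lines."""
    results = []
    for line in lines:
        m = VID_RE.search(line)
        if m:
            vid_hex = m.group(1).lower()
            results.append((vid_hex, identify_vid(vid_hex, candidates)))
    return results


# Constructed sample input: the first VID is the one quoted in the post,
# the second is a made-up value that matches no candidate.
SAMPLE_LOG = [
    '"l2tp-cert" #1: ignoring unknown Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]',
    '"l2tp-cert" #1: ignoring unknown Vendor ID payload [00112233445566778899aabbccddeeff]',
    '"l2tp-cert" #1: some unrelated log line',
]

if __name__ == "__main__":
    for vid_hex, match in scan_log(SAMPLE_LOG):
        print(vid_hex, "->", match if match else "no candidate matched")
```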


