[Openswan Users] not enough room in input packet for ISAKMP

Paul Wouters paul at xelerance.com
Thu Oct 19 13:18:20 EDT 2006


On Thu, 19 Oct 2006, Pompon wrote:

> I am trying to resolve a problem with phase2 establishment with a
> cisco-Pix515 peer. My server is a debian stable with kernel 2.6.8 and the
> latest stable version of klips (2.4.6) and openswan.
>
> I already have VPNs working with some linux box running racoon or openswan
> but it doesn't work with cisco.

> Oct 19 16:23:36 localhost pluto[8227]: Starting Pluto (Openswan Version
> 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)

Your userland is openswan-2.2.0. Upgrade.

> subnet behind the VPN) was still seen and decrypted by 26sec but never
> forwarded to radius just as if they were simply dropped by an invisible
> kernel part.

2.6.8 is WAY too buggy for NETKEY, so to use netkey you should upgrade your
kernel to at least 2.6.11. Also, various /proc entries to disable various
kinds of receiving/sending redirect packets need to be disabled for NETKEY.
See 'ipsec verify' on new enough openswan userland.

> So here are my questions :
>
> Did you hear about such a problem?
> Do you know how to implement specific security policy with openswan related
> to a tunnel?
> Do you know how/if security policies declared on cisco could influence
> the phase2 negotiation?

Tell us how the cisco is configured.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
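The redirect-related /proc entries mentioned in the reply above, as an added example that is not from the original thread or from the Openswan project: a small POSIX sh script modelled on the check that 'ipsec verify' performs for NETKEY/26sec, reporting every `net.ipv4.conf.<iface>.send_redirects` / `accept_redirects` that is still enabled and optionally setting them all to 0. The base directory is a parameter (an assumption for testability, defaulting to the live `/proc/sys/net/ipv4/conf` tree).

```shell
#!/bin/sh
# Added example, not code from the original post or from Openswan.
# With NETKEY the kernel can emit ICMP redirects for packets it is about to
# encrypt, and a host that honours redirects can be steered around the tunnel,
# so 'ipsec verify' wants send_redirects and accept_redirects set to 0 on
# every interface.  The directory is a parameter so the functions can be run
# against a constructed tree without root (assumption for this example).

REDIRECT_KEYS="send_redirects accept_redirects"

# Print every <iface>.<key> under $1 (default: live /proc tree) that is not 0.
# Returns 0 when all entries are disabled, 1 when at least one is enabled.
check_redirects() {
    conf_base="${1:-/proc/sys/net/ipv4/conf}"
    found=0
    for dir in "$conf_base"/*; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        for key in $REDIRECT_KEYS; do
            [ -f "$dir/$key" ] || continue
            val=$(cat "$dir/$key")
            if [ "$val" != "0" ]; then
                echo "net.ipv4.conf.$iface.$key = $val   # should be 0 for NETKEY"
                found=1
            fi
        done
    done
    return $found
}

# Write 0 into every redirect entry under $1 (needs root on the real /proc).
# Same effect as 'sysctl -w net.ipv4.conf.<iface>.<key>=0' per interface;
# add the matching lines to /etc/sysctl.conf so the setting survives a reboot.
disable_redirects() {
    conf_base="${1:-/proc/sys/net/ipv4/conf}"
    for dir in "$conf_base"/*; do
        [ -d "$dir" ] || continue
        for key in $REDIRECT_KEYS; do
            [ -f "$dir/$key" ] && echo 0 > "$dir/$key"
        done
    done
}

# On a live box:  check_redirects || disable_redirects
```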