[Openswan Users] Re : not enough room in input packet for ISAKMP

Pompon pompon2 at gmail.com
Fri Oct 20 04:16:35 EDT 2006


Many thanks Paul,

2006/10/19, Paul Wouters <paul at xelerance.com>:
> On Thu, 19 Oct 2006, Pompon wrote:
>
> > I am trying to resolve a problem with phase2 establishment with a
> > Cisco PIX 515 peer. My server is a debian stable with kernel 2.6.8 and the
> > latest stable version of klips (2.4.6) and openswan.
> >
> > I already have VPNs working with some linux box running racoon or openswan
> > but it doesn't work with cisco.
>
> > Oct 19 16:23:36 localhost pluto[8227]: Starting Pluto (Openswan Version
> > 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
>
> Your userland is openswan-2.2.0. Upgrade

Nice shot, you were right: I compiled the openswan userland but forgot to
run make install, so the debian stable openswan 2.2.0 was used. Upgrading
corrected the problem, and the use of the (new?) leftprotoport /
rightprotoport options seems to fill our needs on policies.

> > subnet behind the VPN) was still seen and decrypted by 26sec but never
> > forwarded to radius just as if they were simply dropped by an invisible
> > kernel part.
>
> 2.6.8 is WAY too buggy for NETKEY, so to use netkey you should upgrade your
> kernel to at least 2.6.11. Also, various /proc entries for various kinds
> of receiving/sending redirect packets need to be disabled for NETKEY.

Could you be a bit more precise?

We used to test racoon/netkey on two servers with 2.6.8 and 2.6.15
kernels but fell into the same problem after 3-4 days of usage. That's
why we decided to test Klips.
I forgot to say that playing with the /proc disable_policy option seems to
make it work, but we are not proud of this temporary solution as we
don't understand exactly what is done by the kernel with this option,
and we need policies.

Is there a preferred kernel version you would suggest I use with Klips
(and eventually with netkey)?

> See 'ipsec verify' on new enough openswan userland.

Here it is:
karlmarx:/var/log# ipsec version
Linux Openswan 2.4.6 (klips)
See `ipsec --copyright' for copyright information.
karlmarx:/var/log# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan 2.4.6 (klips)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]


Thanks,
Jean-Michel.
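
Paul's remark about the /proc entries for redirects, as an added example that is not part of the thread: a POSIX sh audit of the per-interface accept_redirects, send_redirects and disable_policy knobs under /proc/sys/net/ipv4/conf (the kernel's own names), reporting anything NETKEY would trip over. The optional root-directory argument is an assumption so the audit can be run against a copied tree; the --live flag is likewise just this example's convention.

```shell
#!/bin/sh
# Added example, not code from the Openswan project or the thread.
# Walks every interface directory under the IPv4 conf tree and reports
# redirect knobs that are still enabled (NETKEY needs them at 0) and any
# interface where disable_policy=1 (the kernel then skips the IPsec policy
# lookup on that interface, so traffic flows but policies are not enforced,
# which is what the "it works but we lose policies" symptom looks like).
# Argument 1 (assumed, for testing): alternative root instead of /proc.

check_redirects() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    bad=0
    for dir in "$root"/*; do
        [ -d "$dir" ] || continue
        iface="${dir##*/}"
        for knob in accept_redirects send_redirects; do
            f="$dir/$knob"
            [ -r "$f" ] || continue
            val="$(cat "$f")"
            if [ "$val" != "0" ]; then
                echo "$iface: $knob=$val (should be 0 for NETKEY)"
                bad=$((bad + 1))
            fi
        done
        f="$dir/disable_policy"
        if [ -r "$f" ] && [ "$(cat "$f")" != "0" ]; then
            echo "$iface: disable_policy=1 (IPsec policy checks bypassed)"
            bad=$((bad + 1))
        fi
    done
    # Exit status 0 only when no finding was printed.
    [ "$bad" -eq 0 ]
}

# Audit the live tree when invoked as: sh check_netkey.sh --live
if [ "${1:-}" = "--live" ]; then
    check_redirects && echo "redirect/policy knobs look fine for NETKEY"
fi
```

To fix a reported knob, write 0 to it (e.g. via sysctl) for "all", "default" and the interface itself, then re-run the audit.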

