[Openswan Users] Packet has no Non-ESP marker

Stefan Denker Stefan at dn-kr.de
Thu Jan 25 19:04:31 EST 2007

On Sun, Jan 21, 2007 at 03:50:09AM +0100, Paul Wouters wrote:
> On Sun, 21 Jan 2007, Gerhard Massenbichler wrote:
> > Ping with less/equal than 73 bytes work fine. But ping with more then 73
> > bytes will fail. The pluto-logs shwo the following line for every ping:
> > "pluto[2711]: packet from recvfrom
> > has no Non-ESP marker".
> It is probably fragmentation. Try changing the mtu.

The problem in this case is not the MTU. It's the kernel's e1000 driver.

|     Make udp_encap_rcv use pskb_may_pull
|     IPsec with NAT-T breaks on some notebooks using the latest
|     e1000 chipset, when header split is enabled. When receiving
|     sufficiently large packets, the driver puts everything up to and
|     including the UDP header into the header portion of the skb, and
|     the rest goes into the paged part. udp_encap_rcv forgets to use
|     pskb_may_pull, and fails to decapsulate it. Instead, it passes it
|     up it to the IKE daemon.

Applying this patch fixed the problem. A kernel-update (to 2.6.19 or
newer) should fix it, too. 

Besser schweigen und als Narr scheinen,
als sprechen und jeden Zweifel beseitigen.
Abraham Lincoln
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.openswan.org/pipermail/users/attachments/20070126/ca6ba882/attachment.bin 

More information about the Users mailing list