[Openswan Users] Packet has no Non-ESP marker
Stefan Denker
Stefan at dn-kr.de
Thu Jan 25 19:04:31 EST 2007
On Sun, Jan 21, 2007 at 03:50:09AM +0100, Paul Wouters wrote:
> On Sun, 21 Jan 2007, Gerhard Massenbichler wrote:
> > Ping with less/equal than 73 bytes work fine. But ping with more then 73
> > bytes will fail. The pluto-logs shwo the following line for every ping:
> > "pluto[2711]: packet from 84.102.104.147:4500: recvfrom
> > 84.102.104.147:4500 has no Non-ESP marker".
> It is probably fragmentation. Try changing the mtu.
The problem in this case is not the MTU. It's the kernel's e1000 driver.
,---[http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.19]-
| Make udp_encap_rcv use pskb_may_pull
|
| IPsec with NAT-T breaks on some notebooks using the latest
| e1000 chipset, when header split is enabled. When receiving
| sufficiently large packets, the driver puts everything up to and
| including the UDP header into the header portion of the skb, and
| the rest goes into the paged part. udp_encap_rcv forgets to use
| pskb_may_pull, and fails to decapsulate it. Instead, it passes it
| up it to the IKE daemon.
`---
Applying this patch fixed the problem. A kernel-update (to 2.6.19 or
newer) should fix it, too.
Stefan
--
Besser schweigen und als Narr scheinen,
als sprechen und jeden Zweifel beseitigen.
Abraham Lincoln
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.openswan.org/pipermail/users/attachments/20070126/ca6ba882/attachment.bin
More information about the Users
mailing list