[Openswan Users] SLES10 SP1 and openswan 2.4.11

Nicole Hähnel nicole.haehnel at gmx.net
Mon Feb 18 03:24:56 EST 2008


Paul Wouters wrote:
>> If I grep for 'mode tunnel', I get 26 lines, but only 12 tunnels are
>> configured.
>>     
>> With 'ipsec status', 13 tunnels are up.
>>     
>
> Perhaps these are old policies from rekeys? New tunnels become valid while
> old tunnels linger a little bit to ensure there are no packet drops.
>
>   

Ok, can I distinguish between old and new tunnels?
Or can I say, if there are more than 12 tunnels up, all 12 tunnels are 
working?
In our planned network with 40 gateways, I have to be absolutely sure 
that all tunnels are up.

>
>> Yes, it would be nice to have some logfiles for debugging, but all
>> SLES10 SP1 servers I tried with just freeze.
>>     
>
> Unfortunately, then it is hard for us to diagnose things.
>
>   
>> Are there still any problems with smp kernels?
>>     
>
> There were two smp bugs. One was when using snmpd, and got fixed. The other
> was when using two ipsecX devices and forwarding packets (so KLIPS only)
>
>   
>> Or any problems with fragicmp=yes and compress=yes known?
>>     
>
> Not that I know.
>
> Paul

Here are the last lines from klipsdebug=all before the server freezes:

Feb 18 09:13:45 pd9e8a872.dip0.t-ipconnect.de VPN-GW kernel: 
klips_debug:ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=90 
of SA:tun.1006 at 217.110.xxx.xxx requested.
Feb 18 09:13:45 pd9e8a872.dip0.t-ipconnect.de VPN-GW kernel: 
klips_debug:ipsec_xmit_encap_bundle: Required head,tailroom: 0,0
Feb 18 09:13:45 pd9e8a872.dip0.t-ipconnect.de VPN-GW kernel: 
klips_debug:ipsec_xmit_encap_bundle: hard header already stripped.
Feb 18 09:13:45 pd9e8a872.dip0.t-ipconnect.de VPN-GW kernel: 
klips_debug:ipsec_xmit_encap_bundle: data fits in existing skb
Feb 18 09:13:45 pd9e8a872.dip0.t-ipconnect.de VPN-GW kernel: 
klips_debug:ipsec_xmit_encap_once: head,tailroom: 324,1513 before xform.
Feb 18 09:13:45 pd9e8a872.dip0.t-ipconnect.de VPN-GW kernel: 
klips_debug:ipsec_xmit_encap_once: head,tailroom: 324,1513 before xform.
Feb 18 09:13:45 pd9e8a872.dip0.t-ipconnect.de VPN-GW kernel: 
klips_debug:ipsec_xmit_encap_once: after <COMP_DEFLATE>, 
SA:comp.1db at 217.110.xxx.xxx:
Feb 18 09:13:45 pd9e8a872.dip0.t-ipconnect.de VPN-GW kernel: klips_dmp: 
at pre-encrypt, len=136:
Feb 18 09:13:45 pd9e8a872.dip0.t-ipconnect.de VPN-GW kernel: 
klips_debug:   @060: 00 00 00 18 11 11 00 ff 00 ff 00 01 02 03 04 05
Feb 18 09:13:45 pd9e8a872.dip0.t-ipconnect.de VPN-GW kernel: 
klips_debug:ipsec_alg_esp_encrypt: returned ret=80
Feb 18 09:13:45 pd9e8a872.dip0.t-ipconnect.de VPN-GW kernel: 
klips_error:ipsec_sa_put: null pointer passed in!
Feb 18 09:13:45 pd9e8a872.dip0.t-ipconnect.de VPN-GW kernel: 
klips_debug:rj_match: ***** not found.



Nicole
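
An added example, not part of the original message and not Openswan's own code: a per-connection check that shows why a raw count of established SAs cannot prove that every configured tunnel is up when old SAs linger after a rekey. The status lines are constructed, and the assumption is that pluto's `ipsec auto --status` output marks the current SA of each connection with `newest IPSEC`; the connection names gw-a, gw-b and gw-c are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the style of `ipsec auto --status` (not captured output).
# gw-a has an old SA lingering after a rekey plus its replacement,
# gw-b has one current SA, gw-c is still negotiating.
sample_status() {
cat <<'EOF'
000 #12: "gw-a":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 95s
000 #15: "gw-a":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27800s; newest IPSEC; eroute owner
000 #9: "gw-b":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3100s; newest IPSEC; eroute owner
000 #21: "gw-c":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 8s
EOF
}

# Naive check: count every established SA, old or new (status text on stdin).
count_established() {
    grep -c 'IPsec SA established'
}

# Per-connection check: print the expected names that have no current SA.
# $1 = whitespace-separated connection names, status text on stdin.
missing_tunnels() {
    awk -v want="$1" '
        # Only the SA flagged "newest IPSEC" counts as the live tunnel.
        /IPsec SA established/ && /newest IPSEC/ {
            # The connection name is the first double-quoted field.
            if (match($0, /"[^"]+"/))
                up[substr($0, RSTART + 1, RLENGTH - 2)] = 1
        }
        END {
            n = split(want, names, " ")
            for (i = 1; i <= n; i++)
                if (!(names[i] in up))
                    out = out (out == "" ? "" : " ") names[i]
            if (out != "") print out
        }'
}

# Three SAs are established and three tunnels are expected, yet gw-c is down.
echo "established SAs: $(sample_status | count_established)"
echo "expected tunnels without a current SA: $(sample_status | missing_tunnels "gw-a gw-b gw-c")"
```

On a gateway, the same function would read `ipsec auto --status` on stdin instead of the constructed sample.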

