[Openswan Users] openswan<->openswan tunnel with compress=yes - KLIPS needed?
nd bento
nd.bento at free.fr
Thu May 8 05:09:02 EDT 2008
Hi David,
Have problem with compress=yes too with peers 2.6.22.18 patched with
klips version 2.4.12.
Every peers have the same kernel version and the same openswan version,
and with compress=yes tunnels established, but kernel freezes after some
packets go through tunnels, i tried with 2.6.22.19 and 2.6.24.x and have
the same problem.
Before i used 2.6.18.4 with klips and openswan 2.4.8 and no porblem with
compress=yes.
Now to solve this problem i had to disable compression.
Dawid Kowalski a écrit :
> Hi All,
>
> I have correctly working tunnel between two openswan boxes. Problem
> starts as soon as I try to use compression. I've found that when
> compression is enables, VPN gateway starts new negotiation as soon as it
> receives packet which should be forwarded via VPN. Below output was
> produced using ICMP echo request.
> On both sides I'm running kernel 2.6.22 (left) 2.6.13 (right) and same
> openswan version 2.4.12. I'm not using KLIPS modules as it's not
> included in any gentoo kernel sources.
>
> Am I falling into problem described at
> http://www.openswan.org/docs/local/README.Kernel26 as:
> * compression seems to be incompatible between KLIPS and NETKEY.
>
> ?
>
> I thought so, but after further investingation it looks like not necessarly.
> http://lists.virus.org/users-openswan-0504/msg00261.html
>
>
> What I might be missing? What should I check if without "compress=yes"
> everything works fine?
> I'm fighting with it for some time and can't find good explanation or
> working solution. If it should work, could you please provide me with
> some hints how can I troubleshoot it further?
>
> Thanks in advance for your time!
>
>
> ### Dump of information
> adding tunnel and setting up
> soleil:
> 000 "soleil-galileo-lan":
> 10.20.9.0/24===172.0.0.1[@soleil.ex1.domain]---172.0.0.254...172.0.0.254---192.168.0.252[@galileo.ex2.domain]===10.20.2.0/24;
>
> erouted; eroute owner: #2
> 000 "soleil-galileo-lan": srcip=10.20.9.1; dstip=10.20.2.1;
> srcup=ipsec _updown; dstup=ipsec _updown;
> 000 "soleil-galileo-lan": ike_life: 3600s; ipsec_life: 28800s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "soleil-galileo-lan": policy:
> RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 24,24; interface: ext;
> encap: esp;
> 000 "soleil-galileo-lan": newest ISAKMP SA: #1; newest IPsec SA: #2;
> 000 "soleil-galileo-lan": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
> 000
> 000 #2: "soleil-galileo-lan":500 STATE_QUICK_I2 (sent QI2, IPsec SA
> established); EVENT_SA_REPLACE in 27790s; newest IPSEC; eroute owner
> 000 #2: "soleil-galileo-lan" esp.aa16f518 at 192.168.0.252
> esp.b4d8f4d2 at 172.0.0.1 comp.2b29 at 192.168.0.252 comp.2370 at 172.0.0.1
> tun.0 at 192.168.0.252 tun.0 at 172.0.0.1
> 000 #1: "soleil-galileo-lan":500 STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_REPLACE in 2831s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
> 000
>
> gal:
> 000 "soleil-galileo-lan":
> 10.20.2.0/24===192.168.0.252[@galileo.ex2.domain]---192.168.0.254...192.168.0.254---172.0.0.1[@soleil.ex1.domain]===10.20.9.0/24;
>
> erouted; eroute owner: #2
> 000 "soleil-galileo-lan": srcip=10.20.2.1; dstip=10.20.9.1;
> srcup=ipsec _updown; dstup=ipsec _updown;
> 000 "soleil-galileo-lan": ike_life: 3600s; ipsec_life: 28800s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "soleil-galileo-lan": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS;
> prio: 24,24; interface: eth1; encap: esp;
> 000 "soleil-galileo-lan": newest ISAKMP SA: #1; newest IPsec SA: #2;
> 000 "soleil-galileo-lan": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
> 000
> 000 #2: "soleil-galileo-lan":500 STATE_QUICK_R2 (IPsec SA established);
> EVENT_SA_REPLACE in 28454s; newest IPSEC; eroute owner
> 000 #2: "soleil-galileo-lan" esp.b4d8f4d2 at 172.0.0.1
> esp.aa16f518 at 192.168.0.252 comp.2370 at 172.0.0.1 comp.2b29 at 192.168.0.252
> tun.0 at 172.0.0.1 tun.0 at 192.168.0.252
> 000 #1: "soleil-galileo-lan":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
> established); EVENT_SA_REPLACE in 3253s; newest ISAKMP; lastdpd=-1s(seq
> in:0 out:0)
> 000
>
>
> after ping
> soleil:
>
> 000 "soleil-galileo-lan":
> 10.20.9.0/24===172.0.0.1[@soleil.ex1.domain]---172.0.0.254...172.0.0.254---192.168.0.252[@galileo.ex2.domain]===10.20.2.0/24;
>
> erouted; eroute owner: #3
> 000 "soleil-galileo-lan": srcip=10.20.9.1; dstip=10.20.2.1;
> srcup=ipsec _updown; dstup=ipsec _updown;
> 000 "soleil-galileo-lan": ike_life: 3600s; ipsec_life: 28800s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "soleil-galileo-lan": policy:
> RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 24,24; interface: ext;
> encap: esp;
> 000 "soleil-galileo-lan": newest ISAKMP SA: #1; newest IPsec SA: #3;
> 000 "soleil-galileo-lan": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
> 000
> 000 #3: "soleil-galileo-lan":500 STATE_QUICK_I2 (sent QI2, IPsec SA
> established); EVENT_SA_REPLACE in 27878s; newest IPSEC; eroute owner
> 000 #3: "soleil-galileo-lan" esp.8b3cb351 at 192.168.0.252
> esp.1eb2569b at 172.0.0.1 comp.eb78 at 192.168.0.252 comp.a266 at 172.0.0.1
> tun.0 at 192.168.0.252 tun.0 at 172.0.0.1
> 000 #2: "soleil-galileo-lan":500 STATE_QUICK_I2 (sent QI2, IPsec SA
> established); EVENT_SA_REPLACE in 27690s
> 000 #2: "soleil-galileo-lan" esp.aa16f518 at 192.168.0.252
> esp.b4d8f4d2 at 172.0.0.1 comp.2b29 at 192.168.0.252 comp.2370 at 172.0.0.1
> tun.0 at 192.168.0.252 tun.0 at 172.0.0.1
> 000 #1: "soleil-galileo-lan":500 STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_REPLACE in 2731s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
> 000
>
>
> gal:
> 000 "soleil-galileo-lan":
> 10.20.2.0/24===192.168.0.252[@galileo.ex2.domain]---192.168.0.254...192.168.0.254---172.0.0.1[@soleil.ex1.domain]===10.20.9.0/24;
>
> erouted; eroute owner: #3
> 000 "soleil-galileo-lan": srcip=10.20.2.1; dstip=10.20.9.1;
> srcup=ipsec _updown; dstup=ipsec _updown;
> 000 "soleil-galileo-lan": ike_life: 3600s; ipsec_life: 28800s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "soleil-galileo-lan": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS;
> prio: 24,24; interface: eth1; encap: esp;
> 000 "soleil-galileo-lan": newest ISAKMP SA: #1; newest IPsec SA: #3;
> 000 "soleil-galileo-lan": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
> 000
> 000 #3: "soleil-galileo-lan":500 STATE_QUICK_R2 (IPsec SA established);
> EVENT_SA_REPLACE in 28519s; newest IPSEC; eroute owner
> 000 #3: "soleil-galileo-lan" esp.1eb2569b at 172.0.0.1
> esp.8b3cb351 at 192.168.0.252 comp.a266 at 172.0.0.1 comp.eb78 at 192.168.0.252
> tun.0 at 172.0.0.1 tun.0 at 192.168.0.252
> 000 #2: "soleil-galileo-lan":500 STATE_QUICK_R2 (IPsec SA established);
> EVENT_SA_REPLACE in 28404s
> 000 #2: "soleil-galileo-lan" esp.b4d8f4d2 at 172.0.0.1
> esp.aa16f518 at 192.168.0.252 comp.2370 at 172.0.0.1 comp.2b29 at 192.168.0.252
> tun.0 at 172.0.0.1 tun.0 at 192.168.0.252
> 000 #1: "soleil-galileo-lan":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
> established); EVENT_SA_REPLACE in 3203s; newest ISAKMP; lastdpd=-1s(seq
> in:0 out:0)
> 000
>
> when pinging logs look like below for each sent packet, but nothing is
> forwarded through tunnel:
> May 4 15:15:10 soleil pluto[16343]: initiate on demand from
> 10.20.9.10:0 to 10.20.2.8:0 proto=0 state: fos_start because: acquire
> May 4 15:15:10 soleil pluto[16343]: "soleil-galileo-lan" #3: initiating
> Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
> May 4 15:15:11 soleil pluto[16343]: "soleil-galileo-lan" #3: transition
> from state STATE_QUICK_I1 to state STATE_QUICK_I2
> May 4 15:15:11 soleil pluto[16343]: "soleil-galileo-lan" #3:
> STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x8b3cb351
> <0x1eb2569b xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x0000eb78 <0x0000a266
> NATD=none DPD=none}
>
> Regards,
> Dawid
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
>
More information about the Users
mailing list