[Openswan Users] openswan<->openswan tunnel with compress=yes - KLIPS needed?

Dawid Kowalski dawid at texasnet.pl
Thu May 8 10:48:17 EDT 2008


Thanks for your input!

So, it smells like a bug.

Does anyone know how to gather some more data which might be helpful 
for developers to fix that bug?

Thanks,
Dawid

nd bento wrote:
> Hi David,
> 
> I have a problem with compress=yes too with peers 2.6.22.18 patched with 
> klips version 2.4.12.
> 
> Every peer has the same kernel version and the same openswan version, 
> and with compress=yes tunnels are established, but the kernel freezes after some 
> packets go through the tunnels. I tried with 2.6.22.19 and 2.6.24.x and have 
> the same problem.
> Before I used 2.6.18.4 with klips and openswan 2.4.8 and had no problem with 
> compress=yes.
> 
> Now, to solve this problem, I had to disable compression.
> 
> Dawid Kowalski wrote:
>> Hi All,
>>
>> I have a correctly working tunnel between two openswan boxes. The problem
>> starts as soon as I try to use compression. I've found that when
>> compression is enabled, the VPN gateway starts a new negotiation as soon as it
>> receives a packet which should be forwarded via VPN. The output below was
>> produced using ICMP echo requests.
>> On both sides I'm running kernel 2.6.22 (left) / 2.6.13 (right) and the same
>> openswan version 2.4.12. I'm not using KLIPS modules as they're not
>> included in any gentoo kernel sources.
>>
>> Am I falling into problem described at
>> http://www.openswan.org/docs/local/README.Kernel26 as:
>> * compression seems to be incompatible between KLIPS and NETKEY.
>>
>> ?
>>
>> I thought so, but after further investigation it looks like it is not necessarily the case.
>> http://lists.virus.org/users-openswan-0504/msg00261.html
>>
>>
>> What might I be missing? What should I check if everything works fine
>> without "compress=yes"?
>> I've been fighting with it for some time and can't find a good explanation or
>> a working solution. If it should work, could you please provide me with
>> some hints on how I can troubleshoot it further?
>>
>> Thanks in advance for your time!
>>
>>
>> ### Dump of information
>> adding tunnel and setting up
>> soleil:
>> 000 "soleil-galileo-lan":
>> 10.20.9.0/24===172.0.0.1[@soleil.ex1.domain]---172.0.0.254...172.0.0.254---192.168.0.252[@galileo.ex2.domain]===10.20.2.0/24; 
>>
>> erouted; eroute owner: #2
>> 000 "soleil-galileo-lan":     srcip=10.20.9.1; dstip=10.20.2.1;
>> srcup=ipsec _updown; dstup=ipsec _updown;
>> 000 "soleil-galileo-lan":   ike_life: 3600s; ipsec_life: 28800s;
>> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
>> 000 "soleil-galileo-lan":   policy:
>> RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 24,24; interface: ext;
>> encap: esp;
>> 000 "soleil-galileo-lan":   newest ISAKMP SA: #1; newest IPsec SA: #2;
>> 000 "soleil-galileo-lan":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
>> 000
>> 000 #2: "soleil-galileo-lan":500 STATE_QUICK_I2 (sent QI2, IPsec SA
>> established); EVENT_SA_REPLACE in 27790s; newest IPSEC; eroute owner
>> 000 #2: "soleil-galileo-lan" esp.aa16f518 at 192.168.0.252
>> esp.b4d8f4d2 at 172.0.0.1 comp.2b29 at 192.168.0.252 comp.2370 at 172.0.0.1
>> tun.0 at 192.168.0.252 tun.0 at 172.0.0.1
>> 000 #1: "soleil-galileo-lan":500 STATE_MAIN_I4 (ISAKMP SA established);
>> EVENT_SA_REPLACE in 2831s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
>> 000
>>
>> gal:
>> 000 "soleil-galileo-lan":
>> 10.20.2.0/24===192.168.0.252[@galileo.ex2.domain]---192.168.0.254...192.168.0.254---172.0.0.1[@soleil.ex1.domain]===10.20.9.0/24; 
>>
>> erouted; eroute owner: #2
>> 000 "soleil-galileo-lan":     srcip=10.20.2.1; dstip=10.20.9.1;
>> srcup=ipsec _updown; dstup=ipsec _updown;
>> 000 "soleil-galileo-lan":   ike_life: 3600s; ipsec_life: 28800s;
>> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
>> 000 "soleil-galileo-lan":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS;
>> prio: 24,24; interface: eth1; encap: esp;
>> 000 "soleil-galileo-lan":   newest ISAKMP SA: #1; newest IPsec SA: #2;
>> 000 "soleil-galileo-lan":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
>> 000
>> 000 #2: "soleil-galileo-lan":500 STATE_QUICK_R2 (IPsec SA established);
>> EVENT_SA_REPLACE in 28454s; newest IPSEC; eroute owner
>> 000 #2: "soleil-galileo-lan" esp.b4d8f4d2 at 172.0.0.1
>> esp.aa16f518 at 192.168.0.252 comp.2370 at 172.0.0.1 comp.2b29 at 192.168.0.252
>> tun.0 at 172.0.0.1 tun.0 at 192.168.0.252
>> 000 #1: "soleil-galileo-lan":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
>> established); EVENT_SA_REPLACE in 3253s; newest ISAKMP; lastdpd=-1s(seq
>> in:0 out:0)
>> 000
>>
>>
>> after ping
>> soleil:
>>
>> 000 "soleil-galileo-lan":
>> 10.20.9.0/24===172.0.0.1[@soleil.ex1.domain]---172.0.0.254...172.0.0.254---192.168.0.252[@galileo.ex2.domain]===10.20.2.0/24; 
>>
>> erouted; eroute owner: #3
>> 000 "soleil-galileo-lan":     srcip=10.20.9.1; dstip=10.20.2.1;
>> srcup=ipsec _updown; dstup=ipsec _updown;
>> 000 "soleil-galileo-lan":   ike_life: 3600s; ipsec_life: 28800s;
>> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
>> 000 "soleil-galileo-lan":   policy:
>> RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 24,24; interface: ext;
>> encap: esp;
>> 000 "soleil-galileo-lan":   newest ISAKMP SA: #1; newest IPsec SA: #3;
>> 000 "soleil-galileo-lan":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
>> 000
>> 000 #3: "soleil-galileo-lan":500 STATE_QUICK_I2 (sent QI2, IPsec SA
>> established); EVENT_SA_REPLACE in 27878s; newest IPSEC; eroute owner
>> 000 #3: "soleil-galileo-lan" esp.8b3cb351 at 192.168.0.252
>> esp.1eb2569b at 172.0.0.1 comp.eb78 at 192.168.0.252 comp.a266 at 172.0.0.1
>> tun.0 at 192.168.0.252 tun.0 at 172.0.0.1
>> 000 #2: "soleil-galileo-lan":500 STATE_QUICK_I2 (sent QI2, IPsec SA
>> established); EVENT_SA_REPLACE in 27690s
>> 000 #2: "soleil-galileo-lan" esp.aa16f518 at 192.168.0.252
>> esp.b4d8f4d2 at 172.0.0.1 comp.2b29 at 192.168.0.252 comp.2370 at 172.0.0.1
>> tun.0 at 192.168.0.252 tun.0 at 172.0.0.1
>> 000 #1: "soleil-galileo-lan":500 STATE_MAIN_I4 (ISAKMP SA established);
>> EVENT_SA_REPLACE in 2731s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
>> 000
>>
>>
>> gal:
>> 000 "soleil-galileo-lan":
>> 10.20.2.0/24===192.168.0.252[@galileo.ex2.domain]---192.168.0.254...192.168.0.254---172.0.0.1[@soleil.ex1.domain]===10.20.9.0/24; 
>>
>> erouted; eroute owner: #3
>> 000 "soleil-galileo-lan":     srcip=10.20.2.1; dstip=10.20.9.1;
>> srcup=ipsec _updown; dstup=ipsec _updown;
>> 000 "soleil-galileo-lan":   ike_life: 3600s; ipsec_life: 28800s;
>> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
>> 000 "soleil-galileo-lan":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS;
>> prio: 24,24; interface: eth1; encap: esp;
>> 000 "soleil-galileo-lan":   newest ISAKMP SA: #1; newest IPsec SA: #3;
>> 000 "soleil-galileo-lan":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
>> 000
>> 000 #3: "soleil-galileo-lan":500 STATE_QUICK_R2 (IPsec SA established);
>> EVENT_SA_REPLACE in 28519s; newest IPSEC; eroute owner
>> 000 #3: "soleil-galileo-lan" esp.1eb2569b at 172.0.0.1
>> esp.8b3cb351 at 192.168.0.252 comp.a266 at 172.0.0.1 comp.eb78 at 192.168.0.252
>> tun.0 at 172.0.0.1 tun.0 at 192.168.0.252
>> 000 #2: "soleil-galileo-lan":500 STATE_QUICK_R2 (IPsec SA established);
>> EVENT_SA_REPLACE in 28404s
>> 000 #2: "soleil-galileo-lan" esp.b4d8f4d2 at 172.0.0.1
>> esp.aa16f518 at 192.168.0.252 comp.2370 at 172.0.0.1 comp.2b29 at 192.168.0.252
>> tun.0 at 172.0.0.1 tun.0 at 192.168.0.252
>> 000 #1: "soleil-galileo-lan":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
>> established); EVENT_SA_REPLACE in 3203s; newest ISAKMP; lastdpd=-1s(seq
>> in:0 out:0)
>> 000
>>
>> when pinging logs look like below for each sent packet, but nothing is
>> forwarded through tunnel:
>> May  4 15:15:10 soleil pluto[16343]: initiate on demand from
>> 10.20.9.10:0 to 10.20.2.8:0 proto=0 state: fos_start because: acquire
>> May  4 15:15:10 soleil pluto[16343]: "soleil-galileo-lan" #3: initiating
>> Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
>> May  4 15:15:11 soleil pluto[16343]: "soleil-galileo-lan" #3: transition
>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>> May  4 15:15:11 soleil pluto[16343]: "soleil-galileo-lan" #3:
>> STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x8b3cb351
>> <0x1eb2569b xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x0000eb78 <0x0000a266
>> NATD=none DPD=none}
>>
>> Regards,
>> Dawid
>>
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>> Building and Integrating Virtual Private Networks with Openswan: 
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
>>
> 
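The symptom this thread turns on is visible in Dawid's pluto log: every forwarded packet triggers an "initiate on demand ... because: acquire" line followed by a fresh Quick Mode exchange, so the IPsec SA counter keeps climbing (#2, #3, ...) while nothing crosses the tunnel. That pattern can be detected from the log alone. The parser below is an added example written for this page; it is not openswan code and not something anyone in the thread posted. It reads pluto log lines in the format quoted above, counts Quick Mode initiations per connection, records whether the negotiated policy carried COMPRESS, and flags a connection as churning when it starts several new SAs inside a short window. The sample log is constructed to match the quoted format (the first SPIs are the ones from the thread, the rest are placeholders), and the function names, the 60-second window and the threshold of 3 are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, modelled on the pluto lines quoted in the thread.
# The "#3" entry reuses the SPIs from the thread; later SPIs are placeholders.
SAMPLE_LOG = """\
May  4 15:15:10 soleil pluto[16343]: initiate on demand from 10.20.9.10:0 to 10.20.2.8:0 proto=0 state: fos_start because: acquire
May  4 15:15:10 soleil pluto[16343]: "soleil-galileo-lan" #3: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
May  4 15:15:11 soleil pluto[16343]: "soleil-galileo-lan" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x8b3cb351 <0x1eb2569b xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x0000eb78 <0x0000a266 NATD=none DPD=none}
May  4 15:15:11 soleil pluto[16343]: initiate on demand from 10.20.9.10:0 to 10.20.2.8:0 proto=0 state: fos_start because: acquire
May  4 15:15:11 soleil pluto[16343]: "soleil-galileo-lan" #4: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
May  4 15:15:12 soleil pluto[16343]: "soleil-galileo-lan" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x00000001 <0x00000002 xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x00000003 <0x00000004 NATD=none DPD=none}
May  4 15:15:12 soleil pluto[16343]: initiate on demand from 10.20.9.10:0 to 10.20.2.8:0 proto=0 state: fos_start because: acquire
May  4 15:15:12 soleil pluto[16343]: "soleil-galileo-lan" #5: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
May  4 15:15:13 soleil pluto[16343]: "soleil-galileo-lan" #5: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x00000005 <0x00000006 xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x00000007 <0x00000008 NATD=none DPD=none}
May  4 15:15:20 soleil pluto[16343]: "soleil-other-lan" #6: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
May  4 15:15:21 soleil pluto[16343]: "soleil-other-lan" #6: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x00000009 <0x0000000a xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
"""

# Message shapes as they appear in the openswan 2.4.x log quoted in the thread.
# Hypothetical parser written for this example; not openswan code.
TS_RE = re.compile(r'^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: (.*)$')
ACQUIRE_RE = re.compile(r'initiate on demand from (\S+) to (\S+) proto=\d+ .*because: acquire')
QUICK_RE = re.compile(r'"([^"]+)" #(\d+): initiating Quick Mode (\S+)')
ESTAB_RE = re.compile(r'"([^"]+)" #(\d+): STATE_QUICK_I2: sent QI2, IPsec SA established')


def parse_pluto_line(line):
    """Return (timestamp, event dict) for the three line kinds we track, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; only deltas between lines matter here
    ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S")
    msg = m.group(2)
    a = ACQUIRE_RE.search(msg)
    if a:
        return ts, {"kind": "acquire", "src": a.group(1), "dst": a.group(2)}
    q = QUICK_RE.search(msg)
    if q:
        return ts, {"kind": "quick_init", "conn": q.group(1),
                    "sa": int(q.group(2)), "policy": q.group(3).split("+")}
    e = ESTAB_RE.search(msg)
    if e:
        return ts, {"kind": "established", "conn": e.group(1), "sa": int(e.group(2))}
    return None


def find_sa_churn(log_text, window_seconds=60, threshold=3):
    """Per connection: count Quick Mode initiations and established SAs, note
    whether COMPRESS was in the policy, and flag churn when `threshold` or
    more initiations fall inside any `window_seconds` span.

    A healthy tunnel negotiates one child SA and rekeys near rekey_margin; a
    new Quick Mode per forwarded packet means traffic is not hitting the SA
    that was just installed, which is what the thread's log shows.
    """
    inits = defaultdict(list)
    established = defaultdict(set)
    compress = defaultdict(bool)
    for line in log_text.splitlines():
        parsed = parse_pluto_line(line)
        if parsed is None:
            continue
        ts, ev = parsed
        if ev["kind"] == "quick_init":
            inits[ev["conn"]].append(ts)
            compress[ev["conn"]] |= "COMPRESS" in ev["policy"]
        elif ev["kind"] == "established":
            established[ev["conn"]].add(ev["sa"])

    report = {}
    for conn, stamps in inits.items():
        stamps.sort()
        churn = False
        for i, start in enumerate(stamps):
            # sliding window anchored at each initiation
            in_window = sum(1 for t in stamps[i:]
                            if (t - start).total_seconds() <= window_seconds)
            if in_window >= threshold:
                churn = True
                break
        report[conn] = {
            "initiations": len(stamps),
            "established_sas": len(established[conn]),
            "compress": compress[conn],
            "churn": churn,
        }
    return report


if __name__ == "__main__":
    for conn, info in find_sa_churn(SAMPLE_LOG).items():
        print(conn, info)
```

Run against a real /var/log/auth.log (or wherever pluto logs on the box), a connection reported with `churn: True` and `compress: True` while the other connections stay quiet is the data point worth attaching to a bug report alongside `ipsec auto --status`, because it ties the SA churn to the COMPRESS policy rather than to rekeying in general.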


