[Openswan Users] xl2tpd problems when IPSec tunnel goes down

Bradley P despite at gmail.com
Thu Feb 24 17:36:54 EST 2011


I'm seeing a few problems with an L2TP/IPSec server using xl2tpd.  I'm
looking for any advice on how to work around them.  These are my
observations so far; I may be wrong about some of them.

First, if xl2tpd is sending a packet while the IPSec tunnel is down,
it takes 30 seconds to error.  I'm using NETKEY and the error is
-ESRCH (No such process).  This happens in the sendmsg call in
udp_xmit.  What is causing the delay, and is there any way to shorten
it?  I think xl2tpd stops doing anything else while this is happening.

Sometimes that leads to an infinite loop in the scheduler.  Say a
hello gets scheduled.  It calls control_xmit, then schedules another
hello in 60 seconds.  control_xmit tries 5 times to send the packet,
each time taking 30 seconds.  The tunnel is marked as needclose or
closing, but isn't immediately closed.  By this time the next hello is
past due, so it runs, and the cycle continues.  Since there are always
events in the queue, process_schedule never exits.

Additionally, when the retries limit is hit in control_xmit it sets
needclose = -1 whether or not closing is already set.  This means the
tunnel can cycle between needclose = -1 closing = -1 and needclose = 0
closing = -1.  If it manages to break out of the scheduler when
needclose = -1 closing = -1, it won't be closed in build_fdset.

I'm looking for ideas on how to fix this.  First, I don't think hello
should schedule another hello if the tunnel is needclose or closing.
Actually, I would like to say that control_xmit should not send
anything if the tunnel is closing but I'm not sure if that's
acceptable in the protocol.

