[Openswan Users] OpenSwan/xl2tpd stalls for 2s mid-connection

Giles dev.first at digitalchild.co.uk
Tue Apr 10 04:55:07 EDT 2012


Hi folks,

I have successfully got an IPSec/L2TP server running under Debian 6 using
OpenSwan and xl2tpd. My clients are a mixture of Windows 7 (for testing) and
Draytek Vigor 2830 routers (for the production environment). Using a LOT of
Googling I've got the clients connecting successfully and all is almost
well.

Once Openswan (pluto?) has negotiated the IPSec SA it hands control to
xl2tpd, that much I understand. Here's an output of my logs for this stage
in the proceedings. This is running on my test LAN so no Internet, NAT or
anything else in the way between the client and server.

Apr  3 09:21:41 tatia pluto[2977]: "TEST-L2TP-PSK"[1] 172.16.1.6 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr  3 09:21:41 tatia pluto[2977]: "TEST-L2TP-PSK"[1] 172.16.1.6 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x31848fd9 <0x3d72c06a xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Apr  3 09:21:43 tatia xl2tpd[1089]: control_finish: Peer requested tunnel 10 twice, ignoring second one.
Apr  3 09:21:43 tatia xl2tpd[1089]: Connection established to 172.16.1.6, 1701.  Local: 7144, Remote: 10 (ref=0/0).  LNS session is 'default'

That's all fine - xl2tpd takes over the connection and later a ppp link is
established correctly. But here's the thing, there is a 2 second delay in
there. You can see in the timestamps the last output from pluto is 09:21:41
and the first output from xl2tpd is 09:21:43. This "stall" period is
reliably 2 seconds and happens every time I connect with both Windows and
Draytek clients. If it was just a delay I wouldn't worry about it, but
during this time no traffic passes through the L2TP/IPSec server. Packets do
eventually come through once the stall passes leading to some long ping
delays, but the main problem is I'm intending to pass SIP traffic over this
link and a 2s delay will rather inconvenience those in phone calls at the
time.

I have tried three different Debian VMs on two different ESXi hypervisors. I
have tried the Debian stable packages of OpenSwan and xl2tpd, and also tried
compiling them from source (currently settled on the compiled versions to
get the latest bugfixes). Even turning all the debug log output on that I
can find, nothing has yet given me a clue as to what's causing the delay.

Has anyone seen this before? What's happening during this "stall" period;
which daemon is likely to be the troublemaker? So far Google has been unable
to help me in this respect.

Any advice welcomed,

Thanks,

Giles.
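
The timestamp comparison described in the post, as an added example that is not part of the original message: a Python script that pairs each pluto "IPsec SA established" record with the xl2tpd "Connection established" record for the same peer and reports the gap in seconds. The function name handoff_gaps and its year argument are assumptions; the sample input is the four log lines quoted in the post, unwrapped.

```python
import re
from datetime import datetime

# The four log lines quoted in the post, unwrapped to one syslog record each.
SAMPLE_LOG = """\
Apr  3 09:21:41 tatia pluto[2977]: "TEST-L2TP-PSK"[1] 172.16.1.6 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr  3 09:21:41 tatia pluto[2977]: "TEST-L2TP-PSK"[1] 172.16.1.6 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x31848fd9 <0x3d72c06a xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Apr  3 09:21:43 tatia xl2tpd[1089]: control_finish: Peer requested tunnel 10 twice, ignoring second one.
Apr  3 09:21:43 tatia xl2tpd[1089]: Connection established to 172.16.1.6, 1701.  Local: 7144, Remote: 10 (ref=0/0).  LNS session is 'default'
"""

# timestamp, (hostname skipped), daemon name, message
SYSLOG = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s\S+\s(\w+)\[\d+\]:\s(.*)$")
SA_UP = re.compile(r"\s(\d+(?:\.\d+){3})\s#\d+:.*IPsec SA established")
L2TP_UP = re.compile(r"Connection established to (\d+(?:\.\d+){3}),")


def handoff_gaps(log_text, year=2012):
    """Return [(peer, seconds)] from IPsec SA up to L2TP tunnel up."""
    sa_time = {}  # peer -> time of the most recent "IPsec SA established"
    gaps = []
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        stamp, daemon, msg = m.groups()
        # Classic syslog stamps carry no year; supply one (assumed) to parse.
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if daemon == "pluto" and (sa := SA_UP.search(msg)):
            sa_time[sa.group(1)] = when
        elif daemon == "xl2tpd" and (up := L2TP_UP.search(msg)):
            peer = up.group(1)
            if peer in sa_time:
                delta = when - sa_time.pop(peer)
                gaps.append((peer, delta.total_seconds()))
    return gaps


if __name__ == "__main__":
    for peer, seconds in handoff_gaps(SAMPLE_LOG):
        print(f"{peer}: {seconds:.0f}s between IPsec SA and L2TP tunnel")
```

Syslog timestamps in this format have one-second resolution, so a reported gap of 2 s means the real interval lies somewhere between just over 1 s and just under 3 s.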

 
