[Openswan Users] Xl2tpd freeze with high cpu utilization when dealing with Linux road warrior

Sheng Yang sheng at yasker.org
Fri May 16 21:04:59 EDT 2014


Hi,

This issue may be more about xl2tpd than openswan, but I hope this is a
good place to ask.

I don't know if I hit a bug or it is just a configuration file error. When I try
to connect a Linux road warrior (openswan + xl2tpd + pppd) to a Linux VPN
server (openswan + xl2tpd + pppd), xl2tpd on the server freezes and takes a
large amount of CPU time during some kernel work.

And it generates endless tcpdump output like this (when the client tries to ping
the server, which becomes unsuccessful later):

00:48:18.791170 IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1 > 10.223.195.113:
ip-proto-17}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
00:48:18.791186 IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP truncated-ip - 16 bytes missing! 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1.1701 >
10.223.195.113.1701:  l2tp:[](64610/20812) {IP 10.1.2.1 > 10.223.195.113:
ip-proto-17}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}

I don't understand what's happened. Openswan in fact works well, and the ipsec
tunnel is already established. This happened when the client tried to connect (by
using echo "c server" > l2tp_control), then tried to ping the VPN server (using
the VPN gateway IP, 10.1.2.1 shown above); then xl2tpd seems to go crazy...

And with the same configuration file, if the Linux client is behind NAT, it
works well.

And if I use a Windows machine to connect to the server directly (not behind NAT),
it works well too.

I am really confused. Can someone shed a little light?

Ipsec client version: Linux Openswan U2.6.32/K2.6.18-194.el5 (netkey)
Ipsec server version: Linux Openswan U2.6.37/K3.2.0-4-686-pae (netkey)
xl2tpd client version: 1.3.1(some rpm for CentOS).
xl2tpd server version: 1.3.1(Debian stable)
pppd client version: pppd version 2.4.4
pppd server version: pppd version 2.4.5

Here are the configurations:

ipsec.conf on client:

# Authentication is through a Preshared Key.

conn L2TP-PSK-CLIENT
        #
        # ----------------------------------------------------------
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        # Initiate rekeying.
        # Connection type _must_ be Transport Mode.
        #
        authby=secret
        pfs=no
        rekey=yes
        keyingtries=3
        type=transport
        #
        # ----------------------------------------------------------
        # The local Linux machine that connects as a client.
        #
        # The external network interface is used to connect to the server.
        # If you want to use a different interface or if there is no
        # defaultroute, you can use:   left=your.ip.addr.ess
        left=%defaultroute
        #left=10.223.195.1
        #
        leftprotoport=17/1701
        #leftprotoport=17/%any
        #
        # ----------------------------------------------------------
        # The remote server.
        #
        # Connect to the server at this IP address.
        right=10.223.161.22
        #
        rightprotoport=17/1701
        # ----------------------------------------------------------
        #
        # Change 'ignore' to 'add' to enable this configuration.
        #
        auto=add


ipsec.conf on server:

conn L2TP-PSK
        authby=secret
        pfs=no
        rekey=no
        keyingtries=3
        #
        # ----------------------------------------------------------
        # The VPN server.
        #
        # Allow incoming connections on the external network interface.
        # If you want to use a different interface or if there is no
        # defaultroute, you can use:   left=10.223.161.22
        #
        left=10.223.161.22
        #
        leftprotoport=17/1701
        # If you insist on supporting non-updated Windows clients,
        # you can use:    leftprotoport=17/%any
        #
        # ----------------------------------------------------------
        # The remote user(s).
        #
        # Allow incoming connections only from this IP address.
        right=%any
        # If you want to allow multiple connections from any IP address,
        # you can use:    right=%any
        #
        rightprotoport=17/%any
        #
        # ----------------------------------------------------------
        # Change 'ignore' to 'add' to enable this configuration.
        #
        auto=add


xl2tpd config on client:
[lac L2TPserver]
lns = 10.223.161.22
require chap = yes
refuse pap = yes
require authentication = yes
name = test
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd.client
length bit = yes

pppd on client:
ipcp-accept-local
ipcp-accept-remote
refuse-eap
noccp
noauth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
#proxyarp
connect-delay 5000

xl2tpd config on server:

[lns default]
ip range = 10.1.2.2-10.1.2.8
local ip = 10.1.2.1
require chap = yes
refuse pap = yes
pppoptfile =    /etc/ppp/options.xl2tpd

pppd on server:
proxyarp
ipcp-accept-local
ipcp-accept-remote
noccp
idle 1800
auth
crtscts
mtu 1410
mru 1410
nodefaultroute
debug
lock
connect-delay 5000
ms-dns 10.1.2.1

Thanks!

--Sheng
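The capture above shows each L2TP data packet carrying another copy of itself toward the same peer, which is what makes xl2tpd spin. As an added example, not part of the original post, here is a small Python checker that rebuilds the line-wrapped tcpdump records and flags packets whose L2TP layer re-encapsulates the same tunnel/session and endpoints; the sample capture is constructed from the excerpt above, cut to depth three.

```python
import re

# Constructed sample modelled on the post's tcpdump excerpt: record 1 is the
# self-encapsulated packet (cut to depth 3), record 2 is a healthy data packet.
SAMPLE_CAPTURE = """\
00:48:18.791170 IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1 > 10.223.195.113:
ip-proto-17}}}
00:48:19.102233 IP 10.223.161.22.1701 > 10.223.195.113.1701:
 l2tp:[](64610/20812) {IP 10.1.2.1 > 10.1.2.2: ICMP echo reply, id 7, seq 1}
"""

# A new record starts with a timestamp at column 0; continuation lines are indented.
RECORD_START = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ", re.M)
# "IP src[.port] > dst[.port]:", tolerating tcpdump's "truncated-ip ... missing!" note.
IP_HDR = re.compile(r"IP (?:truncated-ip - \d+ bytes missing! )?"
                    r"(\d+(?:\.\d+){3})(?:\.\d+)? > (\d+(?:\.\d+){3})(?:\.\d+)?:")
# "l2tp:[flags](tunnel id/session id)"
L2TP_HDR = re.compile(r"l2tp:\[[^\]]*\]\((\d+)/(\d+)\)")


def split_records(capture: str) -> list:
    """Join the line-wrapped tcpdump output back into one string per packet."""
    starts = [m.start() for m in RECORD_START.finditer(capture)]
    ends = starts[1:] + [len(capture)]
    return [" ".join(capture[s:e].split()) for s, e in zip(starts, ends)]


def analyze_record(record: str) -> dict:
    """Report encapsulation depth and whether the packet loops back into its own tunnel."""
    headers = IP_HDR.findall(record)    # (src, dst) per IP layer, outer to inner
    tunnels = L2TP_HDR.findall(record)  # (tunnel id, session id) per L2TP layer
    depth = len(tunnels)
    # A tunnel loop: the same tunnel/session and the same endpoints appear at
    # every L2TP layer, i.e. the tunnel is carrying its own outer packets.
    looped = depth >= 2 and len(set(tunnels)) == 1 and len(set(headers[:depth])) == 1
    return {"time": record.split(" ", 1)[0], "depth": depth,
            "outer": headers[0] if headers else None,
            "tunnel": tunnels[0] if tunnels else None, "looped": looped}


def find_tunnel_loops(capture: str, min_depth: int = 2) -> list:
    """Return the analysis of every packet that re-encapsulates its own tunnel."""
    return [a for a in map(analyze_record, split_records(capture))
            if a["looped"] and a["depth"] >= min_depth]


if __name__ == "__main__":
    for hit in find_tunnel_loops(SAMPLE_CAPTURE):
        print(f"{hit['time']} tunnel loop: depth={hit['depth']} "
              f"tid/sid={hit['tunnel']} outer={hit['outer']}")
```

Feed it `tcpdump -n -i <iface> udp port 1701` output saved to a file; a single hit is enough evidence that L2TP packets are being routed back into the ppp interface instead of out the physical one.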