Hi folks,

I read the FAQ entry about VLAN with OpenS/WAN [1] and thought that it should work. My impression was that ESP over VLAN is a supported scenario.

However, outgoing traffic (simple ICMP echo requests) gets stuck, and the TX error counter of the ipsec0 interface will increase with each packet. I use Linux 2.6.19 and OpenS/WAN 2.4.7.

Debugging revealed that the ESP packets seem to be dropped in linux/net/ipv4/route.c:ip_route_output_slow(). More specifically, the __in_dev_get_rtnl() call in this function returns NULL. As a consequence, ipsec_tunnel_send() fails at the ip_route_output_key() call.

My ipsec0 interface is tied to the VLAN interface of eth0:

$ whack --status | head -1
000 interface ipsec0/eth0.0004 192.168.151.1

However, in ip_route_output_slow(), dev_out points to eth0 instead of eth0.0004. As eth0 has no IP configured, the __in_dev_get_rtnl() call fails. If I force dev_out to point to eth0.0004, the ESP packets are transmitted and the VPN works.

Is this a bug? Or is this scenario not supported at all?

Thanks in advance and regards,
Tino

[1] http://wiki.openswan.org/index.php/Openswan/FAQ#a28
--
Tino Keitel
Software Engineer
Innominate Security Technologies AG
/protecting industrial networks/
Tel: +49.30.6392-3309
Fax: +49.30.6392-3307
Albert-Einstein-Str. 14
D-12489 Berlin
http://www.innominate.com/
Register Court: AG Charlottenburg, HR B 81603
Management Board: Joachim Fietz, Dirk Seewald
Chairman of the Supervisory Board: Edward M. Stadum
_______________________________________________
Dev mailing list
Dev openswan.org
http://lists.openswan.org/mailman/listinfo/dev