Your message dated Tue, 27 Dec 2005 14:23:45 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug no longer present as reported by user
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 9 Oct 2004 12:12:36 +0000
>From [EMAIL PROTECTED] Sat Oct 09 05:12:36 2004
Return-path: <[EMAIL PROTECTED]>
Received: from starburst.bimseln.de [217.69.80.99]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CGG5T-0008Hz-00; Sat, 09 Oct 2004 05:12:35 -0700
Received: from omega.sprocloud.vpn ([192.168.104.254] ident=mail)
by starburst.bimseln.de with esmtp (Exim 3.35 #1 (Debian))
id 1CGG5R-0002lb-00; Sat, 09 Oct 2004 14:12:34 +0200
Received: from chojin by omega.sprocloud.vpn with local (Exim 3.36 #1 (Debian))
id 1CGG5o-00014N-00; Sat, 09 Oct 2004 14:12:56 +0200
Date: Sat, 9 Oct 2004 14:12:55 +0200
From: "Marc H. Thoben" <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: openswan: ssh through tunnel triggers kernel pmtu discovery with
kernel 2.4 native ipsec support
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
X-Reportbug-Version: 2.63
User-Agent: Mutt/1.5.6+20040722i
Sender: Marc <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:
Package: openswan
Version: 2.1.3-1
Severity: important
Hi there,
this is my first bug report to Debian ever. Please tell me if I
missed or messed up something.
I've been using ipsec tunnels for quite a while, but since I
upgraded a few machines to sarge/openswan/2.4.27 I have a serious
problem:
MachineA has a 100mbit internet connection with mtu 1500 on its eth0
device. MachineB has a dsl internet connection with mtu 1492 on its
ppp0 device.
Now, when I log into MachineA from MachineB with ssh through the
tunnel and do simple stuff (like starting apt-get or mc) that
creates more traffic, the ssh session hangs and stops working. I
have to kill that ssh session then, it does not recover.
On MachineA there is a message in syslog:
Oct 8 23:06:41 MachineA kernel: pmtu discovery on SA ESP/9a0f2210/d9ff20ee
Oct 8 23:06:43 MachineA last message repeated 8 times
Running nmap on MachineA shows:
12:34:24.814345 IP MachineB > MachineA:
ESP(spi=0xd0f3201c,seq=0x30)
12:34:24.816207 IP MachineA > MachineB:
ESP(spi=0x1d410c19,seq=0x31)
12:34:24.834583 IP PTP-of-MachineB > MachineA:
icmp 36: MachineB unreachable - need to frag (mtu 1492)
Having a closer look with nmap (-vvv) shows that some ESP packets
are sent with a length of 1496 (!) and flag DF.
The problem also occurs when I ssh from a dsl machine with mtu 1452
into a dsl machine with mtu 1492 (both sarge/openswan/2.4.27).
The problem does _not_ occur when using the native ipsec support
of kernel 2.6.8.1 with racoon on the client side (MachineB).
The problem does _not_ occur when not using the tunnel.
To work around this problem, changing mtu of MachineA to the same
value MachineB has (1492) helps.
But since it is not an option for our heterogeneous vpn structure
(with 16 computers, some with ethernet internet, some with dsl that
need mtu 1492, some with dsl that need mtu 1452) to synchronize all
mtu, I'm at a loss...
As a sidenote: Before I upgraded those machines we were using
freeswan with ipsec module. mtu has never been a problem before.
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i586)
Kernel: Linux 2.4.27-1-586tsc
Locale: LANG=C, LC_CTYPE=de_DE
Versions of packages openswan depends on:
ii bind9-host [host] 1:9.2.3+9.2.4-rc5-1 Version of 'host' bundled with BIN
ii bsdmainutils 6.0.15 collection of more utilities from
ii debianutils 2.8.4 Miscellaneous utilities specific t
ii devfsd 1.3.25-19 Daemon for the device file system
ii gawk 1:3.1.4-1 GNU awk, a pattern scanning and pr
ii iproute 20010824-13.1 Professional tools to control the
ii ipsec-tools 0.3.3-1 IPsec tools for Linux
ii libc6 2.3.2.ds1-16 GNU C Library: Shared libraries an
ii libgmp3 4.1.4-1 Multiprecision arithmetic library
ii libssl0.9.7 0.9.7d-5 SSL shared libraries
ii makedev 2.3.1-75 Creates device files in /dev
ii openssl 0.9.7d-5 Secure Socket Layer (SSL) binary a
-- debconf information:
openswan/existing_x509_key_filename:
openswan/x509_state_name:
openswan/x509_email_address:
openswan/x509_country_code: AT
openswan/x509_self_signed: true
openswan/rsa_key_length: 2048
openswan/restart: true
openswan/start_level: earliest
* openswan/enable-oe: false
openswan/x509_organizational_unit:
openswan/x509_locality_name:
openswan/existing_x509_certificate: false
openswan/existing_x509_certificate_filename:
openswan/x509_common_name:
* openswan/create_rsa_key: false
openswan/rsa_key_type: x509
openswan/x509_organization_name:
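Added example, not part of the original report or of openswan: a Python check for the symptom described above, DF-flagged ESP packets that are longer than the MTU announced to their sender in an ICMP "need to frag" notice. The capture text is constructed in the two-line style of current `tcpdump -n -v` output (an assumption; the report shows only non-verbose lines), and the names `parse` and `oversized_df_esp` are hypothetical.

```python
import re

# Constructed capture; host names, SPIs and the 1496/1492 sizes follow the report, the rest is invented.
SAMPLE = """\
12:34:24.814345 IP (tos 0x0, ttl 57, id 4711, offset 0, flags [DF], proto ESP (50), length 120)
    MachineB > MachineA: ESP(spi=0xd0f3201c,seq=0x30), length 100
12:34:24.816207 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ESP (50), length 1496)
    MachineA > MachineB: ESP(spi=0x1d410c19,seq=0x31), length 1476
12:34:24.834583 IP (tos 0xc0, ttl 63, id 9, offset 0, flags [none], proto ICMP (1), length 56)
    PTP-of-MachineB > MachineA: ICMP MachineB unreachable - need to frag (mtu 1492), length 36
12:34:25.040112 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ESP (50), length 1496)
    MachineA > MachineB: ESP(spi=0x1d410c19,seq=0x32), length 1476
"""

HDR = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*flags \[(?P<flags>[^\]]*)\], "
                 r"proto (?P<proto>\w+) \(\d+\), length (?P<len>\d+)\)")
FLOW = re.compile(r"^\s+(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)")
FRAG = re.compile(r"ICMP (?P<target>\S+) unreachable - need to frag \(mtu (?P<mtu>\d+)\)")

def parse(text):
    """Yield one dict per packet from two-line verbose records."""
    hdr = None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            hdr = m.groupdict()
            continue
        f = FLOW.match(line)
        if hdr and f:
            yield {**hdr, **f.groupdict(), "len": int(hdr["len"]),
                   "df": "DF" in hdr["flags"].split(",")}
        hdr = None

def oversized_df_esp(text):
    """Return DF ESP packets above the notified MTU; after_notice marks those sent after the notice."""
    pkts = list(parse(text))
    notices = {}  # (sender, destination) -> (smallest announced mtu, time of that notice)
    for p in pkts:
        m = FRAG.search(p["rest"]) if p["proto"] == "ICMP" else None
        if m:
            key, mtu = (p["dst"], m["target"]), int(m["mtu"])
            if key not in notices or mtu < notices[key][0]:
                notices[key] = (mtu, p["ts"])
    found = []
    for p in pkts:
        mtu, seen = notices.get((p["src"], p["dst"]), (None, None))
        if p["proto"] == "ESP" and p["df"] and mtu is not None and p["len"] > mtu:
            found.append(dict(p, mtu=mtu, after_notice=p["ts"] > seen))
    return found

if __name__ == "__main__": print(oversized_df_esp(SAMPLE))
```

Timestamps are compared as strings, so the input must come from a single capture that does not cross midnight.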
---------------------------------------
Received: (at 275662-done) by bugs.debian.org; 27 Dec 2005 14:24:29 +0000
>From [EMAIL PROTECTED] Tue Dec 27 06:24:29 2005
Return-path: <[EMAIL PROTECTED]>
Received: from jupiter.gibraltar.at ([80.120.3.32])
by spohr.debian.org with esmtp (Exim 4.50)
id 1ErFka-0003tp-Vh
for [EMAIL PROTECTED]; Tue, 27 Dec 2005 06:24:29 -0800
Received: from localhost (jupiter.gibraltar.at [127.0.0.1])
by jupiter.gibraltar.at (Postfix) with ESMTP id 95DDB1806355
for <[EMAIL PROTECTED]>; Tue, 27 Dec 2005 15:23:56 +0100 (CET)
Received: from jupiter.gibraltar.at ([127.0.0.1])
by localhost (jupiter.gibraltar.at [127.0.0.1]) (amavisd-new, port
10024)
with ESMTP id 11316-02 for <[EMAIL PROTECTED]>;
Tue, 27 Dec 2005 15:23:50 +0100 (CET)
Received: from [10.0.1.43] (unknown [194.112.227.222])
(using TLSv1 with cipher EXP1024-RC4-SHA (56/128 bits))
(No client certificate requested)
by jupiter.gibraltar.at (Postfix) with ESMTP id 9367D18062F8
for <[EMAIL PROTECTED]>; Tue, 27 Dec 2005 15:23:50 +0100 (CET)
From: Rene Mayrhofer <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug no longer present as reported by user
Date: Tue, 27 Dec 2005 14:23:45 +0000
User-Agent: KMail/1.8.3
MIME-Version: 1.0
Content-Type: multipart/signed;
boundary="nextPart1307074.ScQ9Ojticy";
protocol="application/pgp-signature";
micalg=pgp-sha1
Content-Transfer-Encoding: 7bit
Message-Id: <[EMAIL PROTECTED]>
X-Virus-Scanned: by amavisd-new-2.3.3 (20050822) (Debian) at gibraltar.at
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no
version=2.60-bugs.debian.org_2005_01_02
Christoph Haas reported that with kernel 2.6.10, this problem no longer
happens.