2003-06-16 06:55:57

by Julian Blake Kongslie

Subject: IPSEC problems with GRE.

Hi there.

I've been playing around with IPSec, and I came across a problem with
encrypting data sent directly by the kernel.

Specifically, attempts to encrypt a GRE or IPIP tunnel with ipsec in
transport mode result in one of:
1) No data sent.
2) Data sent, ignored by peer.
3) Kernel panic, with no SysRq.

Numbers 1 and 2 might be configuration problems on my part, but I have
other ipsec setups running fine, and can't see anything different for
these. Number 3 is a big problem.

This is on 2.5.70. No third-party modules or other tainting. I can
provide .configs on request.

I don't have the panic copied down, but I can reproduce it and get a
copy if required.

I know I could certainly accomplish what I want with ipsec tunnel mode,
but I'm just playing around, and it's a kernel bug in any case.

Thanks.

--
Julian Blake Kongslie <[email protected]>



2003-06-17 09:07:23

by James Morris

Subject: Re: IPSEC problems with GRE.

On 16 Jun 2003, Julian Blake Kongslie wrote:

> Specifically, attempts to encrypt a GRE or IPIP tunnel with ipsec in
> transport mode result in one of:
> 1) No data sent.
> 2) Data sent, ignored by peer.
> 3) Kernel panic, with no SysRq.
>
> Numbers 1 and 2 might be configuration problems on my part, but I have
> other ipsec setups running fine, and can't see anything different for
> these. Number 3 is a big problem.
>
> This is on 2.5.70. No third-party modules or other tainting. I can
> provide .configs on request.
>
> I don't have the panic copied down, but I can reproduce it and get a
> copy if required.

Please post the oops (preferably to the netdev mailing list).

Also, which system panics, and what direction is the traffic when this
happens? (i.e. is it happening during tunnel encapsulation or
decapsulation?)


- James
--
James Morris
<[email protected]>

2003-06-17 11:15:21

by James Morris

Subject: Re: IPSEC problems with GRE.

On 16 Jun 2003, Julian Blake Kongslie wrote:

> Hi there.
>
> I've been playing around with IPSec, and I came across a problem with
> encrypting data sent directly by the kernel.
>
> Specifically, attempts to encrypt a GRE or IPIP tunnel with ipsec in
> transport mode result in one of:
> 1) No data sent.
> 2) Data sent, ignored by peer.
> 3) Kernel panic, with no SysRq.
>
> Numbers 1 and 2 might be configuration problems on my part, but I have
> other ipsec setups running fine, and can't see anything different for
> these. Number 3 is a big problem.

I've not been able to reproduce the panic, but there is a potential issue
with path mtu which could explain (1) and (2): the transport mode SAs
between the gateways are not aware of the gre tunnel.

You need to lower the mtu on the gre tunnel at each end to take the ipsec
overhead into account. This will cause the gateways to generate
appropriate icmp pmtu messages.

This is handled automatically for tunnel mode ipsec configurations.


- James
--
James Morris
<[email protected]>
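The MTU adjustment James describes above has to account for the GRE header plus the full ESP framing (SPI, sequence number, IV, padding up to the cipher block size, the two-byte trailer, and the ICV), and the padding makes it more than a single subtraction. The following calculator is an added example for this thread, not code from the kernel or from either poster; it assumes IPv4 on both layers, ESP rather than AH in transport mode between the gateways, and the standard ESP layout where the encrypted part is a multiple of the cipher block size and the trailer ends on a 4-byte boundary. The helper names, the cipher profiles and the device name `gre0` are constructed for illustration.

```python
"""Compute the MTU to set on a GRE tunnel carried by an ESP transport-mode SA.

Added example for this thread (hypothetical helpers, not kernel code).
Assumes IPv4 outer and inner headers and standard ESP framing:
  SPI(4) + Seq(4) + IV + [GRE hdr + inner packet + padding + PadLen(1) + NextHdr(1)] + ICV
The bracketed part is padded to the cipher block size (at least 4 bytes).
"""
from dataclasses import dataclass

IPV4_HDR = 20      # outer IPv4 header added by the gateway
ESP_SPI_SEQ = 8    # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header


@dataclass(frozen=True)
class EspProfile:
    """ESP cipher/integrity parameters (constructed profiles, see PROFILES)."""
    name: str
    iv_len: int      # explicit IV bytes on the wire
    block_size: int  # CBC block size; 1 for AEAD/stream ciphers (no block padding)
    icv_len: int     # truncated integrity check value

    @property
    def align(self) -> int:
        # ESP requires the trailer to end on a 4-byte boundary even without CBC padding.
        return max(self.block_size, 4)


PROFILES = {
    "3des-cbc/hmac-md5-96": EspProfile("3des-cbc/hmac-md5-96", iv_len=8, block_size=8, icv_len=12),
    "aes-cbc/hmac-sha1-96": EspProfile("aes-cbc/hmac-sha1-96", iv_len=16, block_size=16, icv_len=12),
    "aes-gcm-128": EspProfile("aes-gcm-128", iv_len=8, block_size=1, icv_len=16),
}


def gre_header_len(key: bool = False, csum: bool = False, seq: bool = False) -> int:
    """GRE header: 4-byte base, plus 4 bytes for each optional field that is enabled."""
    return 4 + 4 * (int(key) + int(csum) + int(seq))


def esp_outer_len(inner_len: int, gre_hdr: int, p: EspProfile) -> int:
    """Size on the wire of an inner packet of inner_len bytes after GRE + ESP transport mode."""
    plaintext = gre_hdr + inner_len + ESP_TRAILER
    padded = -(-plaintext // p.align) * p.align       # round up to the alignment boundary
    return IPV4_HDR + ESP_SPI_SEQ + p.iv_len + padded + p.icv_len


def gre_tunnel_mtu(link_mtu: int, p: EspProfile, gre_hdr: int = 4) -> int:
    """Largest inner packet that still fits in link_mtu after GRE + ESP overhead."""
    fixed = IPV4_HDR + ESP_SPI_SEQ + p.iv_len + p.icv_len
    available = link_mtu - fixed
    largest_padded = (available // p.align) * p.align  # biggest aligned block that fits
    mtu = largest_padded - gre_hdr - ESP_TRAILER
    if mtu < 68:  # IPv4 minimum MTU; anything lower means the profile cannot fit this link
        raise ValueError(f"link MTU {link_mtu} too small for {p.name}")
    return mtu


def mtu_command(dev: str, mtu: int) -> str:
    """iproute2 command that applies the computed MTU to the tunnel device."""
    return f"ip link set dev {dev} mtu {mtu}"


if __name__ == "__main__":
    for name, prof in PROFILES.items():
        mtu = gre_tunnel_mtu(1500, prof, gre_header_len())
        # Sanity check: the largest packet fits, one byte more does not.
        assert esp_outer_len(mtu, 4, prof) <= 1500 < esp_outer_len(mtu + 1, 4, prof)
        print(f"{name:24s} -> {mtu_command('gre0', mtu)}")
```

Setting the tunnel MTU to the value this returns (on both ends) is what lets the gateway reject oversized DF packets with an ICMP fragmentation-needed message before encapsulation, instead of producing an outer packet that exceeds the link MTU; as James notes, tunnel-mode SAs do this bookkeeping for you, transport mode under a GRE tunnel does not.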

2003-06-17 20:52:34

by Julian Blake Kongslie

Subject: Re: IPSEC problems with GRE. [RESOLVED]

Thanks for the help, but the problem wasn't with the tunnel at all. One
of the machines had a bad memory card, and upon changing that the issue
disappeared. All now seems to be working well.

I hadn't noticed the MTU issue before, but thanks for that, too.

--
Julian Blake Kongslie <[email protected]>

