Post subject: Openswan/strongSwan + openl2tpd
Posted: Mon Nov 22, 2010 11:07 am
In non-ephemeral ports setup, the following issue pops up:

When trying to run openl2tpd as LNS with either Openswan (confirmed) or strongSwan, connection issues arise (confirmed with Microsoft Windows Vista as LAC). These issues are caused by the automatic configuration of the Security Policy Database by Openswan/strongSwan, and the way openl2tpd opens connections. To my best understanding, the creation of the outgoing policy in the SPD happens after openl2tpd tries to create an outgoing connection. Because the connection of openl2tpd is already open, it won't match the newly created rule by openswan/strongswan.

The best documentation I've found on why these issues arise is here:
https://lists.strongswan.org/pipermail/ ... 00200.html

However, I lack the technical knowledge to say whether the proposed solution is acceptable, and/or whether openl2tpd should be changed to work around these issues. The fact that this patch did not get accepted into upstream is not a good sign though.

A working 'hack' for this problem is to use the ipsec.so plugin + setkey to let openl2tpd duplicate the SPD modifications that openswan/strongswan make. However, these would not be needed if the creation of SPD rules by openswan/strongswan matched the needs of openl2tpd. Furthermore, the af_key interface used by setkey/ipsec.so seems to be old, and solving this issue is a step in switching over to the xfrm interface (and doing away with dependencies like ipsec-tools).

Mr. Chapman, would you mind looking into the issue described in the link I posted above, and see if either openswan/strongswan or openl2tp is the most logical target for changes to fix this issue? I'm sure the maintainers of these software packages would listen to you if they are the ones that need to be fixed.

Post subject: Re: Openswan/strongSwan + openl2tpd
Posted: Tue Nov 23, 2010 10:32 am
I've filed a bug report at https://gsoc.xelerance.com/issues/1173

Post subject: Re: Openswan/strongSwan + openl2tpd
Posted: Sat Dec 17, 2011 10:35 pm
After more than a year, there is still no activity on Openswan's end to fix this issue (regardless of having recognized the issue and assigned someone to fix it). The strongSwan and Racoon IKE daemons also suffer from this issue.

It is not completely clear to me whether this behaviour is due to the way the IPsec RFCs are worded or due to the implementations in the IKE daemons.

While the ipsec.so plugin + racoon's setkey are a hack to work around this issue, it is not desired as it requires installation of extra packages (when racoon is not the IKE daemon), and does not work with IPsec implementations other than NETKEY (i.e. KLIPS).

Is it possible to add a switch in openl2tp that specifies a delay before responding to requests by a connecting LAC? This might allow the IPsec IKE daemon time to set up an outgoing SPD entry before openl2tp responds.

In this scenario openl2tp still does not know whether the outgoing SPD entry has been established, but the chances will probably increase a lot. I can't immediately think of a better way to work around this issue...
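The post above proposes a blind delay because openl2tp cannot tell whether the outgoing SPD entry exists yet. Since the thread also points at the kernel xfrm interface as the way forward, the following added example (written for this page, not code from openl2tp, Openswan or strongSwan) goes one step further than the delay idea: it reads the kernel SPD through `ip xfrm policy show` and waits until an outbound policy covering UDP/1701 traffic from the LNS to the connecting LAC is actually present, instead of guessing. The LNS and LAC addresses, the policy dump embedded as SAMPLE_SPD, and the assumption that the IKE daemon installs a transport-mode policy whose selector carries `proto udp sport 1701` (as strongSwan does with leftprotoport=17/1701) are all constructed for the example; the helper names are hypothetical.

```shell
#!/bin/sh
# Added example: verify that the IPsec SPD contains the outbound policy an
# L2TP/IPsec LNS needs before it answers a LAC, rather than sleeping blindly.
#
# `ip xfrm policy show` prints one selector line per policy followed by an
# indented "dir in|out|fwd ..." line, e.g.
#   src 192.0.2.10/32 dst 203.0.113.5/32 proto udp sport 1701 dport 1701
#       dir out priority 2080 ptype main
#       tmpl src 0.0.0.0 dst 0.0.0.0
#           proto esp reqid 1 mode transport

# spd_has_out_policy LNS_IP LAC_IP DUMP
# Returns 0 if DUMP (the text of `ip xfrm policy show`) contains a policy with
# direction "out" whose selector is LNS_IP/32 -> LAC_IP/32, UDP, source port
# 1701 (assumption: the IKE daemon installs a host-to-host transport-mode
# policy with sport 1701; adjust the match if yours uses different selectors).
spd_has_out_policy() {
    lns_ip=$1
    lac_ip=$2
    dump=$3
    printf '%s\n' "$dump" | awk -v src="$lns_ip" -v dst="$lac_ip" '
        # Selector lines start at column 0 with "src"; remember whether this
        # policy covers our L2TP tunnel endpoints.
        /^src / {
            have = 0
            if ($2 == src "/32" && $4 == dst "/32" &&
                $0 ~ /proto udp/ && $0 ~ /sport 1701/) have = 1
        }
        # The direction line belongs to the most recent selector line.
        /dir out/ { if (have) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# wait_for_out_policy LNS_IP LAC_IP [TRIES]
# Polls the live kernel SPD once per second until the outbound policy exists
# (returns 0) or TRIES attempts are exhausted (returns 1). Needs CAP_NET_ADMIN
# on most systems to read the SPD.
wait_for_out_policy() {
    lns_ip=$1
    lac_ip=$2
    tries=${3:-10}
    while [ "$tries" -gt 0 ]; do
        if spd_has_out_policy "$lns_ip" "$lac_ip" "$(ip xfrm policy show 2>/dev/null)"; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Constructed sample SPD (not captured from a real system): the inbound policy
# from the LAC at 203.0.113.5 is installed, and so is the outbound one. A second
# peer, 203.0.113.99, only has its inbound policy, mirroring the race described
# in the thread where the outgoing rule is not there yet.
SAMPLE_SPD=$(cat <<'EOF'
src 203.0.113.5/32 dst 192.0.2.10/32 proto udp sport 1701 dport 1701
    dir in priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 1 mode transport
src 192.0.2.10/32 dst 203.0.113.5/32 proto udp sport 1701 dport 1701
    dir out priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 1 mode transport
src 203.0.113.99/32 dst 192.0.2.10/32 proto udp sport 1701 dport 1701
    dir in priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 2 mode transport
EOF
)

# Stand-alone demonstration against the constructed dump.
if spd_has_out_policy 192.0.2.10 203.0.113.5 "$SAMPLE_SPD"; then
    echo "203.0.113.5: outbound policy present, safe to answer the LAC"
fi
if ! spd_has_out_policy 192.0.2.10 203.0.113.99 "$SAMPLE_SPD"; then
    echo "203.0.113.99: outbound policy missing, L2TP reply would leave in the clear"
fi
```

In a deployment the check would run from whatever starts or gates the LNS reply (for example a wrapper around the daemon, or a hook invoked when the IKE daemon brings the connection up), calling `wait_for_out_policy` with the tunnel's own address and the LAC's address. The important security property is the second branch: if the outbound policy is missing, the plaintext L2TP response is exactly the traffic the thread describes leaving outside the tunnel, so the right reaction is to hold the reply, not to send it anyway.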