All times are UTC [ DST ]




 Post subject: Rekeying issue
PostPosted: Tue Nov 30, 2010 6:18 pm 

Joined: Tue Oct 19, 2010 12:01 pm
Posts: 27
One major issue remains on my setup when using openl2tp as L2TP daemon with Openswan using the NETKEY ipsec stack:

When my L2TP/IPsec client (MS Windows Vista) rekeys the IPsec connection (which seems to happen after transferring 172MB with ftp over the VPN), while I am transferring data (e.g. copying a file over smb/cifs, or over FTP), the transfer is interrupted for about 30-50 seconds.

The FTP client seems to recover from this interruption, and can continue transferring. When the rekey happens during copying network shares (cifs), the copying process fails fatally.

When using xl2tpd as l2tp daemon, these IPsec rekey events do not seem to interrupt the l2tp/ppp tunnel/session at all!

Is this interruptive effect of IPsec rekeying known when using openl2tp? Can it be fixed?


Last edited by FrankL on Thu Dec 09, 2010 1:41 pm, edited 1 time in total.

 
 Post subject: Re: Rekeying issue
PostPosted: Sat Dec 04, 2010 1:12 pm 

Joined: Tue Oct 19, 2010 12:01 pm
Posts: 27
As I'm not sure if the issue lies with openl2tpd or openswan or the NETKEY stack, I've posted a bug report on the openswan list too.


 
 Post subject: Re: Rekeying issue
PostPosted: Fri May 06, 2011 7:22 am 

Joined: Tue Oct 19, 2010 12:01 pm
Posts: 27
After waiting for nearly half a year, it doesn't seem the bug is going to be fixed soon (the OpenSwan team is busy fixing IPv6 issues). So I decided to use racoon/ipsec-tools instead, only to find the same issue! The L2TP connection stalls after the client initiates a rekey, and it takes about a minute or longer for the L2TP layer to be reinitialized.

From my short testing on the KLIPS (OpenSwan) ipsec stack in linux, this issue does not arise at all (client rekeys just fine using klips stack+openl2tp).

So now my question is: is this a known issue with the NETKEY stack in linux? Or am I misconfiguring openl2tp on my server end that causes the delay on rekey?


 
 Post subject: Re: Rekeying issue
PostPosted: Mon May 16, 2011 11:58 am 

Joined: Tue Oct 19, 2010 12:01 pm
Posts: 27
As racoon exhibits the same issues as openswan with NETKEY, I've filed a bug report there too:
https://trac.ipsec-tools.net/ticket/530


 
 Post subject: Re: Rekeying issue
PostPosted: Mon Dec 05, 2011 9:45 am 
Site Admin

Joined: Sun Jul 27, 2008 1:39 pm
Posts: 122
Does the below patch fix the problem?

Code:
When using l2tp over ipsec, the tunnel will hang when rekeying
occurs. Reason is that the transformer bundle attached to the dst entry
is now in STATE_DEAD and thus xfrm_output_one() drops all packets
(XfrmOutStateExpired increases).

Fix this by calling __sk_dst_check (which drops the stale dst
if xfrm dst->check callback finds that the bundle is no longer valid).

Cc: James Chapman <jchapman@katalix.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/l2tp/l2tp_core.c |    2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index cf0f308..89ff8c6 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1072,7 +1072,7 @@ int l2tp_xmit_skb(struct l2tp_session *session,
struct sk_buff *skb, int hdr_len

       /* Get routing info from the tunnel socket */
       skb_dst_drop(skb);
-       skb_dst_set(skb, dst_clone(__sk_dst_get(sk)));
+       skb_dst_set(skb, dst_clone(__sk_dst_check(sk, 0)));

       inet = inet_sk(sk);
       fl = &inet->cork.fl;
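Review bot: On the + line, the result of __sk_dst_check(sk, 0) is passed straight to dst_clone() and skb_dst_set(), while the commit message says this call drops the stale dst, so nothing visible here shows what the skb carries once the dst has been dropped. Please say in the commit message, or in the "Get routing info from the tunnel socket" comment above the call, whether a later step in l2tp_xmit_skb() looks the route up again or the packet is discarded in that case, and note what the second argument 0 stands for.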
--


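A check for the failure signature named in the commit message above (XfrmOutStateExpired rising while the tunnel stalls), added here as an example; it is not part of the thread or of the kernel patch. It assumes a kernel built with CONFIG_XFRM_STATISTICS so that /proc/net/xfrm_stat exists; the function names and the snapshot values are constructed for illustration.

```shell
#!/bin/sh
# Compare two snapshots of /proc/net/xfrm_stat taken before and after a rekey
# and report whether packets were dropped on an expired xfrm state.

# xfrm_counter NAME FILE -> prints the counter value, fails if it is absent
xfrm_counter() {
    awk -v name="$1" '$1 == name { print $2; found = 1 } END { exit !found }' "$2"
}

# xfrm_delta NAME BEFORE AFTER -> prints how far the counter advanced
xfrm_delta() {
    before=$(xfrm_counter "$1" "$2") || return 2
    after=$(xfrm_counter "$1" "$3") || return 2
    echo $((after - before))
}

# rekey_stall_check BEFORE AFTER
# returns 0 = no drops, 1 = drops on expired state, 2 = counter unavailable
rekey_stall_check() {
    delta=$(xfrm_delta XfrmOutStateExpired "$1" "$2") || {
        echo "UNKNOWN: counter missing (CONFIG_XFRM_STATISTICS disabled?)"
        return 2
    }
    if [ "$delta" -gt 0 ]; then
        echo "STALE_DST: XfrmOutStateExpired rose by $delta"
        return 1
    fi
    echo "OK: XfrmOutStateExpired unchanged"
}

# Constructed sample snapshots (not captured from a real host); on a live
# server use: cat /proc/net/xfrm_stat > before, wait for the rekey, then
# cat /proc/net/xfrm_stat > after.
make_samples() {
    dir=$(mktemp -d)
    printf 'XfrmOutError 0\nXfrmOutStateExpired 3\nXfrmOutPolBlock 0\n' > "$dir/before"
    printf 'XfrmOutError 0\nXfrmOutStateExpired 412\nXfrmOutPolBlock 0\n' > "$dir/after"
    echo "$dir"
}

d=$(make_samples)
rekey_stall_check "$d/before" "$d/after" || true
rm -rf "$d"
```

On an unpatched kernel the counter should climb for as long as the tunnel is stalled after the rekey; with the fix applied it should stay flat across the same test.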
 
 Post subject: Re: Rekeying issue
PostPosted: Fri Dec 16, 2011 12:50 pm 

Joined: Tue Oct 19, 2010 12:01 pm
Posts: 27
Is the following patch equivalent for the 2.6.32 branch (as used in Debian Squeeze 6)?

Code:
--- linux-2.6-2.6.32/drivers/net/pppol2tp.c     2009-12-03 04:51:21.000000000 +0100
+++ linux-2.6-2.6.32-patched/drivers/net/pppol2tp.c     2011-12-16 14:02:15.000000000 +0100
@@ -1172,7 +1172,7 @@

        /* Get routing info from the tunnel socket */
        skb_dst_drop(skb);
-       skb_dst_set(skb, dst_clone(__sk_dst_get(sk_tun)));
+       skb_dst_set(skb, dst_clone(__sk_dst_check(sk_tun, 0)));
        pppol2tp_skb_set_owner_w(skb, sk_tun);

        /* Calculate UDP checksum if configured to do so */
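Review bot: The change at @@ -1172,7 +1172,7 @@ comes with no description, no sign-off and no pointer to the l2tp_core.c change it mirrors, and the hunk header names no function, so a maintainer of the 2.6.32 tree cannot tell which transmit path in pppol2tp.c is being touched. Add a changelog that names the function and references the original fix, and state what happens to the skb when __sk_dst_check(sk_tun, 0) has dropped the cached dst, since its result goes unchecked into dst_clone() right before pppol2tp_skb_set_owner_w(skb, sk_tun).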


 
 Post subject: Re: Rekeying issue
PostPosted: Fri Dec 16, 2011 10:20 pm 
Site Admin

Joined: Sun Jul 27, 2008 1:39 pm
Posts: 122
FrankL wrote:
Is the following patch equivalent for the 2.6.32 branch (as used in Debian Squeeze 6)?

Yes, I think so.


 
 Post subject: Re: Rekeying issue
PostPosted: Sat Dec 17, 2011 8:03 pm 

Joined: Tue Oct 19, 2010 12:01 pm
Posts: 27
Splendid! I tested the above patch for my Debian Squeeze setup. Rekeying the IPsec connection without dropping the L2TP tunnel works now!

Very good news! Now I wonder, how did this patch come about?


 