(I am resending this mail with the correct subject, because it went out
yesterday unintentionally with the subject "IPSEC" - sorry for that).
I have a strange problem with Freeswan 1.9.7.
The configuration looks like this:
Server <--> FW2 <--> IPSEC GW <--> FW1 <--> (IP net) <--> Road Warrior
(FW1 and FW2 are firewalls)
The road warrior establishes an IPSEC (ESP) tunnel to the IPSEC gateway,
then a TCP session to the server, tunneled through the IPSEC connection.
Both the road warrior and the IPSEC gateway are using Linux and Freeswan
1.9.7.
Sometimes (not always) the road warrior notices a delay of around 3
seconds before the TCP session can be established.
A tcpdump shows that the Road Warrior sends a SYN to the server
(through the tunnel), then the server responds with a SYN-ACK, which is
*not* put into the tunnel by the IPSEC gateway, but sent directly,
unencrypted. Of course, FW1 drops the SYN-ACK, because it has
not seen the corresponding SYN (because the SYN was encrypted).
The delay happens because, after 3 seconds, the road warrior simply
sends the SYN again using the normal TCP mechanisms, because the road
warrior has never seen the SYN-ACK (because it was dropped by FW1).
After resending the SYN, the session can always be established.
Does anybody know why the SYN-ACK does not become encrypted sometimes?
Looks like a race condition to me! How can this problem be solved?
Best regards
Manfred Härtel
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
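As an added example (not part of the original mail or of FreeS/WAN), a small Python check over tcpdump-style lines captured on the gateway's outer interface: it flags exactly the symptom described above, a TCP segment sent in the clear to a peer that is already exchanging ESP with the gateway. The addresses, the capture and the line format are constructed assumptions modelled on tcpdump's default output.

```python
import re

# Two line shapes from a tcpdump on the gateway's outer (FW1-facing) interface
# (assumed format, modelled on tcpdump's default IP/ESP/TCP output).
ESP_RE = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ESP")
TCP_RE = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
                    r"Flags \[([^\]]*)\]")

def find_cleartext_leaks(lines):
    """Flag TCP segments sent in the clear to a peer that has already sent us ESP.

    Returns a list of (timestamp, src, dst, flags).  A peer counts as "in the
    tunnel" from the first ESP packet received from it; everything addressed to
    that peer afterwards should itself be ESP, so a bare TCP segment is a leak."""
    esp_peers = set()
    leaks = []
    for line in lines:
        m = ESP_RE.match(line)
        if m:
            _, src, _ = m.groups()
            esp_peers.add(src)          # remote tunnel endpoint (the road warrior)
            continue
        m = TCP_RE.match(line)
        if m and m.group(4) in esp_peers:
            ts, src, _, dst, _, flags = m.groups()
            leaks.append((ts, src, dst, flags))
    return leaks

# Constructed capture (RFC 5737 addresses): 198.51.100.7 is the road warrior,
# 203.0.113.2 the IPsec gateway, 192.0.2.10 the server behind it.
#   line 1: road warrior's SYN, tunneled in ESP
#   line 2: server's SYN-ACK leaves in the clear (FW1 will drop it)
#   line 3: TCP retransmits the SYN ~3 s later, again in ESP
#   line 4: this time the SYN-ACK goes back inside the tunnel
SAMPLE_CAPTURE = """\
12:00:00.000 IP 198.51.100.7 > 203.0.113.2: ESP(spi=0x1000abcd,seq=0x1)
12:00:00.002 IP 192.0.2.10.80 > 198.51.100.7.40123: Flags [S.], seq 0, ack 1, win 5840, length 0
12:00:03.000 IP 198.51.100.7 > 203.0.113.2: ESP(spi=0x1000abcd,seq=0x2)
12:00:03.002 IP 203.0.113.2 > 198.51.100.7: ESP(spi=0x2000abcd,seq=0x1)
""".splitlines()

if __name__ == "__main__":
    for ts, src, dst, flags in find_cleartext_leaks(SAMPLE_CAPTURE):
        print(f"{ts} cleartext TCP [{flags}] {src} -> {dst} while {dst} is an ESP peer")
```

Run against a live capture (`tcpdump -n -i <outer-if>` piped in line by line) the same function gives an immediate alert whenever a protected flow's reply escapes the tunnel, instead of only the 3 s stall seen by the client.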
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:17 CEST