From: Matthew H. <mat...@va...> - 2006-05-17 08:20:05
Possible workaround:

iptables --new-chain clamp
iptables --insert clamp -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1372
iptables --insert OUTPUT -p tcp --tcp-flags SYN,RST SYN -j clamp
iptables --insert FORWARD -o <ext interface> -p tcp --tcp-flags SYN,RST SYN -j clamp

This may do the trick for you.

Cheers
Mat

-----Original Message-----
From: dev...@li... [mailto:dev...@li...] On Behalf Of Frank Weis
Sent: 16 May 2006 13:45
To: dev...@li...
Subject: Re: [BULK] Re: [Devil-Linux-discuss] IPSec Problem, extremely weird.

> Did you try your luck with the Openswan folks? We just use their stock
> patch without any modifications.

I DID try with them, and below is what Paul Wouters said.

I didn't try anything yet, but on discussing it over with the remote admin, it
appears that the crashing servers are all win2k3 without SP1. Those with SP1
don't crash. Unfortunately most of these servers belong to Citrix farms, and
there seems to be some issue upgrading them to SP1. For the moment we're back
to the old version (firewall/*swan), but probably not for too long.

Anyway, it's hard to believe we're in the third millennium, and people buy
expensive operating system software that can be crashed just by sending them
a single (totally valid) IP packet :-P

Thanks a lot
Frank

------------8<-----------

> I have an extremely weird problem with IPsec tunnels in Devil-Linux:
>
> I have two sites that are linked LAN-2-LAN by an IPSec tunnel that runs on
> dedicated Linux firewalls.
>
> I have upgraded the two firewalls from gibraltar
> to Devil-Linux-1.2.9 (Gibraltar had Freeswan 2.0.4, DL has Openswan 2.4.4)
>
> When I try to establish a TCP connection to any windows server (2k, 2k3), the
> server restarts immediately (bluescreen, complaining about TCPIP.SYS error,
> and reboots).

Wow. That's pretty bad. Are those machines running with all service packs and
updates installed?

> The crashing can be triggered either by normal windows clients trying to
> connect to the server, or by a linux client that does 'telnet x.y.z.t 25' to
> the server.

Obviously, those servers are in need of fixing, but perhaps as a work around
you can set the mtu on both openswan servers to 1440 or 1400? My guess is it
would be related to mtu/packetsize/df-bit issues.

Paul

_______________________________________________
Devil-linux-discuss mailing list
Dev...@li...
https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss
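Added illustration for the thread above (not code from the list posters, Devil-Linux or Openswan): the Python module below does in user space what the TCPMSS target in Mat's `--set-mss 1372` rule does in the kernel. It walks the TCP options of a SYN segment, lowers the advertised MSS when it exceeds the clamp value, and recomputes the TCP checksum over the pseudo-header, which is the part people forget when they try to do this by hand. The rule's `--tcp-flags SYN,RST SYN` match (SYN set, RST clear) is mirrored in `clamp_mss`. The SYN packet is constructed inline for the demonstration; the addresses, ports and the 1460 starting MSS are made-up sample values, and the 1372 is the value from the posted rule.

```python
"""Clamp the TCP MSS option on a SYN segment the way iptables' TCPMSS --set-mss does.

Added example, not code from Devil-Linux or Openswan. All packets here are
constructed in build_syn() purely as sample input.
"""
import socket
import struct
from typing import Optional

IPPROTO_TCP = 6
TCP_SYN = 0x02
TCP_RST = 0x04


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit big-endian words (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum covers."""
    return src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len)


def _mss_value_offset(tcp: bytes) -> Optional[int]:
    """Offset, within the TCP header, of the 2-byte MSS value, or None if absent."""
    data_off = (tcp[12] >> 4) * 4
    i = 20
    while i < data_off:
        kind = tcp[i]
        if kind == 0:                 # End of Option List
            return None
        if kind == 1:                 # NOP padding
            i += 1
            continue
        if i + 1 >= data_off:
            return None               # truncated option
        length = tcp[i + 1]
        if length < 2:
            return None               # malformed length; stop rather than loop forever
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed IPv4/TCP SYN carrying an MSS option (sample input only)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp_len = 24                                   # 20-byte header + 4-byte option
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                                (tcp_len // 4) << 4, TCP_SYN, 65535, 0, 0))
    tcp += struct.pack("!BBH", 2, 4, mss)          # kind=2 (MSS), len=4, value
    tcp[16:18] = struct.pack("!H", ones_complement_checksum(
        _tcp_pseudo_header(src, dst, tcp_len) + bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len,
                               0x1234, 0x4000, 64, IPPROTO_TCP, 0, src, dst))
    ip[10:12] = struct.pack("!H", ones_complement_checksum(bytes(ip)))
    return bytes(ip) + bytes(tcp)


def syn_mss(packet: bytes) -> Optional[int]:
    """MSS advertised in the packet's TCP options, or None if there is none."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    off = _mss_value_offset(tcp)
    return None if off is None else struct.unpack("!H", tcp[off:off + 2])[0]


def tcp_checksum_ok(packet: bytes) -> bool:
    """True when the TCP checksum (including pseudo-header) verifies."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    pseudo = _tcp_pseudo_header(packet[12:16], packet[16:20], len(tcp))
    return ones_complement_checksum(pseudo + tcp) == 0


def clamp_mss(packet: bytes, max_mss: int) -> bytes:
    """Lower the MSS on SYN (not SYN/RST) segments, like TCPMSS --set-mss.

    Non-TCP packets, segments without an MSS option and segments that already
    advertise an MSS <= max_mss are returned untouched.
    """
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_TCP:
        return packet
    tcp = bytearray(packet[ihl:])
    flags = tcp[13]
    if not (flags & TCP_SYN) or (flags & TCP_RST):   # --tcp-flags SYN,RST SYN
        return packet
    off = _mss_value_offset(bytes(tcp))
    if off is None:
        return packet
    current = struct.unpack("!H", tcp[off:off + 2])[0]
    if current <= max_mss:
        return packet
    tcp[off:off + 2] = struct.pack("!H", max_mss)
    tcp[16:18] = b"\x00\x00"                       # zero the field before recomputing
    pseudo = _tcp_pseudo_header(packet[12:16], packet[16:20], len(tcp))
    tcp[16:18] = struct.pack("!H", ones_complement_checksum(pseudo + bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


if __name__ == "__main__":
    syn = build_syn("10.0.0.1", "10.0.0.2", 40000, 25, 1460)
    clamped = clamp_mss(syn, 1372)
    print("MSS before:", syn_mss(syn), "after:", syn_mss(clamped),
          "checksum ok:", tcp_checksum_ok(clamped))
```

The clamp only ever lowers the value: a peer that already advertises a smaller MSS is left alone, which is also what TCPMSS does, so the rule cannot make a path worse than the endpoints negotiated themselves. On a real firewall the same effect comes from the iptables rule; this module is for seeing, on a captured SYN, what that rule changed.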