FAQ: Difference between revisions
Paul Wouters (talk | contribs) mNo edit summary |
Paul Wouters (talk | contribs) (MTU FAQ) |
||
| Line 34: | Line 34: | ||
This has been fixed in libreswan-3.9. Please upgrade | This has been fixed in libreswan-3.9. Please upgrade | ||
== My ssh sessions hang or connectivity is very slow == | |||
This could be an MTU issue. The overhead of IPsec encryption (and possibly ESPinUDP encapsulation) yields a slightly smaller packet size. This can cause problems. A good way to confirm MTU problems is if you can login remotely over the IPsec tunnel using ssh, but issuing "ls -l /usr" causes the session to hang. Try adjusting the MTU with: | |||
<pre> | |||
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | |||
</pre> | |||
If that does not help, try hardcoded it yourself: | |||
<pre> | |||
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1460 | |||
</pre> | |||
As a last case alternative, you can try lowering the MTU on the internal interface of your IPsec server so that the PMTU discovery locally already goes back to 1460, eg using ''ifconfig eth1 mtu 1460''. | |||
Revision as of 18:52, 15 April 2014
FAQ
( we will sort this in categories once we have more )
Which IKE Exchange modes does libreswan support?
The IANA Registry lists all official Exchange Modes. There are a few IKEv1 Modes that are very common despite never gotten past the draft stage.
Supported:
- IKEv2 (PSK, raw RSA, X509)
- IKEv1 Main Mode (PSK, raw RSA, X509)
- IKEv1 Aggressive Mode (PSK, raw RSA, X509)
- IKEv1 XAUTH/RSA and XAUTH/PSK with ModeConfig (aka "Cisco IPsec mode")
Not supported
- IKEv2 CP mode (planned, not yet implemented)
- IKEv1 Revised Mode
- IKEv1 Hybrid Mode (aka "Mutual Group Authentication") although there is some unmaintained contributed code
Is Libreswan vulnerable to the OpenSSL "Heartbleed" exploit?
No, see Libreswan_and_Heartbleed
Module unloading error on shutdown or restart: Module esp4 is in use
ERROR: Module xfrm4_mode_tunnel is in use ERROR: Module esp4 is in use FAILURE to unload NETKEY esp4/esp6 module
This has been fixed in libreswan-3.9. Please upgrade
My ssh sessions hang or connectivity is very slow
This could be an MTU issue. The overhead of IPsec encryption (and possibly ESPinUDP encapsulation) yields a slightly smaller packet size. This can cause problems. A good way to confirm MTU problems is if you can login remotely over the IPsec tunnel using ssh, but issuing "ls -l /usr" causes the session to hang. Try adjusting the MTU with:
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
If that does not help, try hardcoded it yourself:
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1460
As a last case alternative, you can try lowering the MTU on the internal interface of your IPsec server so that the PMTU discovery locally already goes back to 1460, eg using ifconfig eth1 mtu 1460.