This is a discussion on connections are dropped over ipsec tunnel within the Linux Security forums, part of the System Security and Security Related category.
Hi,

We've set up an ipsec tunnel mode VPN connecting two sites. One side is Linux ipsec + racoon, the other is a netscreen device. It basically works, however, TCP connections between any two hosts on the two sites are consistently dropped every now and then (about 20 min to 40 min). Our testing (ping) shows that the linux ipsec router does lose connectivity to the Internet every now and then but each time it recovers in a few seconds. In principle this shouldn't affect the TCP connections over the tunnel, right? How would you diagnose this problem? TIA!
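One way to start on the diagnosis asked for above, as an added example that is not code from the thread or from either site's setup: a small POSIX shell script for the Linux ipsec router that pings a host across the tunnel and an upstream address every few seconds, logs each result with a timestamp, dumps the kernel SA database whenever a probe fails, and collapses the log into outage intervals so they can be compared with the times TCP connections drop. The addresses, log paths and interval are placeholders (assumptions); `ip xfrm state` and `setkey -D` are the two real commands that print the SA database.

```shell
#!/bin/sh
# Added example, not from the thread: probe the tunnel and the router's
# outside link every few seconds, log each result with an epoch timestamp,
# and snapshot the kernel's IPsec SAs whenever a probe fails. The two
# addresses are placeholders (assumptions); set them for your sites.

TUNNEL_PEER="${TUNNEL_PEER:-10.1.2.10}"     # host on the far site, reached through the tunnel
OUTSIDE="${OUTSIDE:-203.0.113.1}"           # upstream address probed from the router itself
LOG="${LOG:-/var/log/ipsec-probe.log}"      # "EPOCH NAME ok|fail" lines
SALOG="${SALOG:-/var/log/ipsec-probe.sa}"   # SA snapshots taken on failure
INTERVAL="${INTERVAL:-5}"                   # seconds between probes

# probe HOST: one ICMP echo with a 2 s timeout; prints "ok" or "fail"
probe() {
    if ping -c 1 -W 2 "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# sa_snapshot: dump the kernel SA database (ip xfrm on current systems,
# setkey -D on KAME-style setups such as the racoon one in the thread)
sa_snapshot() {
    if command -v ip >/dev/null 2>&1; then ip xfrm state 2>/dev/null
    elif command -v setkey >/dev/null 2>&1; then setkey -D 2>/dev/null
    fi
}

# monitor: run the probes forever; stop with Ctrl-C
monitor() {
    while :; do
        now=$(date +%s)
        t=$(probe "$TUNNEL_PEER")
        o=$(probe "$OUTSIDE")
        printf '%s tunnel %s\n%s outside %s\n' "$now" "$t" "$now" "$o" >>"$LOG"
        if [ "$t" = fail ] || [ "$o" = fail ]; then
            { echo "== $now tunnel=$t outside=$o"; sa_snapshot; } >>"$SALOG"
        fi
        sleep "$INTERVAL"
    done
}

# summarize_outages LOGFILE NAME: collapse consecutive failures of NAME
# into one line per outage: "NAME FIRST_FAIL_EPOCH RECOVERED_EPOCH SECONDS"
# (an outage still open at the end of the log is printed with "- ongoing")
summarize_outages() {
    awk -v name="$2" '
        $2 != name            { next }
        $3 == "fail" && !down { down = 1; start = $1; next }
        $3 == "fail"          { next }
        $3 == "ok" && down    { printf "%s %d %d %d\n", name, start, $1, $1 - start; down = 0 }
        END                   { if (down) printf "%s %d - ongoing\n", name, start }
    ' "$1"
}

# usage:  sh ipsec-probe.sh run      (start logging on the router)
#         sh ipsec-probe.sh report   (print outage intervals for both probes)
case "${1:-}" in
    run)    monitor ;;
    report) summarize_outages "$LOG" tunnel; summarize_outages "$LOG" outside ;;
esac
```

Left running for a couple of hours, the report gives timestamps for the few-second outages the post mentions, for the outer link and for the tunnel separately. The SA snapshots taken at each failure show which SPIs existed before and after, so a drop can be matched against either the upstream link going away or a change in the SAs rather than guessed at.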
buddy, check the TCP Flow Control Channel, I am sure you have two of them... one outside the VPN and 1 inside the VPN... this adds too much weight to packets; try to create a TCP/IP vpn over UDP over IP (sounds weird). If not, check your ipsec configuration. IPSec is really tricky; if you can switch to SSL it is easier and faster... and I think it is safer than IPSec
Mr. Boy wrote:
> buddy, check the TCP Flow Control Channel, I am sure you have two of
> them... one outside the VPN and 1 inside the VPN... this adds too much
> weight to packets; try to create a TCP/IP vpn over UDP over IP (sounds
> weird)

Sorry, what do you mean by TCP flow control channel? TCP uses a single channel for both data and flow control. What tool can be used to check the flow control channel?

Thanks!
kent@cpttm.org.mo wrote:
> Mr. Boy wrote:
>> buddy, check the TCP Flow Control Channel, I am sure you have two of
>> them... one outside the VPN and 1 inside the VPN... this adds too much
>> weight to packets; try to create a TCP/IP vpn over UDP over IP (sounds
>> weird)
>
> Sorry, what do you mean by TCP flow control channel? TCP uses a single
> channel for both data and flow control. What tool can be used to check
> the flow control channel?
>
> Thanks!

If you use TCP-over-IP-over-IPSec-over-TCP-over-IP, there are two TCP channels; both have flow control.

I've also observed this behaviour, albeit between two linux hosts. The CIFS kernel code didn't like it much, though it usually worked.

Joachim
On 12.07.2005, Joachim Schipper <jDOTschipper@math.uu.nl> wrote:
> kent@cpttm.org.mo wrote:
>> Mr. Boy wrote:
>>> buddy, check the TCP Flow Control Channel, I am sure you have two of
>>> them... one outside the VPN and 1 inside the VPN... this adds too much
>>> weight to packets; try to create a TCP/IP vpn over UDP over IP (sounds
>>> weird)
>>
>> Sorry, what do you mean by TCP flow control channel? TCP uses a single
>> channel for both data and flow control. What tool can be used to check
>> the flow control channel?
>>
>> Thanks!
>
> If you use TCP-over-IP-over-IPSec-over-TCP-over-IP, there are two TCP
> channels; both have flow control.

Can you explain to me when IPsec is tunneled in _TCP_? I know about NAT-traversal, but this uses UDP datagrams, not TCP packets. The only such situation which comes to my mind is when you're tunneling IPsec in another tunneling protocol (SSL/TLS?), but this is obviously unnecessary redundancy.

--
Feel free to correct my English
Stanislaw Klekot
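To see what the kernel actually carries the tunnel in, which is the question raised in the reply above, here is an added check that is not from the thread: a shell function that parses `ip xfrm state` output and prints each SA with its outer encapsulation, ESP directly in IP or ESP inside UDP (NAT traversal, normally port 4500). The `ip xfrm state` text in the block is constructed sample output, not taken from either site; a KAME-style `setkey -D` listing, as the racoon setup in the thread would have, uses a different layout and is not parsed here.

```shell
#!/bin/sh
# Added example, not from the thread: read `ip xfrm state` output on stdin
# and print one line per SA showing whether ESP is carried directly in IP
# or inside UDP (NAT-T). Any other kernel encapsulation type is reported by
# its type name rather than guessed at.

# list_sas: stdin = `ip xfrm state` text; prints "SRC DST SPI MODE ENCAP"
list_sas() {
    awk '
        function flush() {
            if (src != "") printf "%s %s %s %s %s\n", src, dst, spi, mode, encap
        }
        # "src A dst B" opens a new SA; defaults until the detail lines arrive
        $1 == "src"   { flush(); src = $2; dst = $4; spi = "-"; mode = "-"; encap = "ip" }
        # "proto esp spi 0x... reqid N mode tunnel|transport"
        $1 == "proto" { for (i = 1; i <= NF; i++) {
                            if ($i == "spi")  spi  = $(i + 1)
                            if ($i == "mode") mode = $(i + 1) } }
        # "encap type espinudp sport S dport D addr A" marks NAT-T (ESP in UDP)
        $1 == "encap" { if ($3 == "espinudp") encap = "udp:" $5 "-" $7; else encap = $3 }
        END           { flush() }
    '
}

# Constructed sample of two SAs: one NAT-T encapsulated, one plain ESP
SAMPLE_XFRM='src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0x0a1b2c3d reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0x0d0c0b0a reqid 1 mode tunnel
    replay-window 32 flag af-unspec'

# live use on the router:  ip xfrm state | list_sas
# demo on the sample:      printf "%s\n" "$SAMPLE_XFRM" | list_sas
```

On the sample the first SA prints with `udp:4500-4500` and the second with `ip`; on a real router every SA of the tunnel should show the same encapsulation in both directions, and a tunnel whose SAs all show `ip` has no UDP layer at all, let alone a TCP one.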