Re: IPSEC problems with GRE.

James Morris (jmorris@intercode.com.au)
Tue, 17 Jun 2003 21:28:45 +1000 (EST)


On 16 Jun 2003, Julian Blake Kongslie wrote:

> Hi there.
>
> I've been playing around with IPSec, and I came across a problem with
> encrypting data sent directly by the kernel.
>
> Specifically, attempts to encrypt a GRE or IPIP tunnel with ipsec in
> transport mode result in one of:
> 1) No data sent.
> 2) Data sent, ignored by peer.
> 3) Kernel panic, with no SysRq.
>
> Numbers 1 and 2 might be configuration problems on my part, but I have
> other ipsec setups running fine, and can't see anything different for
> these. Number 3 is a big problem.

I've not been able to reproduce the panic, but there is a potential issue
with path MTU which could explain (1) and (2): the transport mode SAs
between the gateways are not aware of the GRE tunnel.

You need to lower the MTU on the GRE tunnel at each end to take the IPsec
overhead into account. This will cause the gateways to generate
appropriate ICMP PMTU messages.

This is handled automatically for tunnel mode IPsec configurations.

- James

-- 
James Morris
<jmorris@intercode.com.au>
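The MTU arithmetic behind the advice above, as an added example that is not part of the original thread or of any kernel code: the script works out the largest GRE tunnel MTU whose encapsulated packets still fit the path MTU between the gateways once transport-mode ESP is added to the GRE/IP packet, and prints the ip(8) command to apply on each gateway. It goes beyond the thread in covering several ESP transforms and a keyed GRE header. The transform names, the per-transform sizes, and the `gre1` device name are assumptions made here; the layout assumed is RFC 2406 ESP with an IV the size of the cipher block, a 96-bit truncated HMAC, an IPv4 outer header without options and a GRE header with no key or sequence fields unless told otherwise.

```shell
#!/bin/sh
# Added example (not from the thread). Transport-mode ESP on a GRE/IP packet:
#   outer IPv4 (20) | SPI+seq (8) | IV | GRE hdr + inner packet + pad + padlen + nexthdr | ICV
# Only the GRE header and inner packet are inside the encrypted region, so that
# region (plus the 2 trailer bytes) is what gets padded to the cipher block size.

# esp_params TRANSFORM -> "blocksize ivlen icvlen"  (assumed values for this example)
esp_params() {
    case "$1" in
        null-md5|null-sha1) echo "4 0 12" ;;     # ESP-NULL: trailer still 4-byte aligned, no IV
        3des-md5|3des-sha1) echo "8 8 12" ;;     # 3DES-CBC: 8-byte block and IV
        aes-md5|aes-sha1)   echo "16 16 12" ;;   # AES-CBC: 16-byte block and IV
        *) echo "unknown transform: $1" >&2; return 1 ;;
    esac
}

# gre_mtu PATH_MTU TRANSFORM [GRE_HDR_LEN]
# Largest inner packet (GRE tunnel MTU) that still fits PATH_MTU after encapsulation.
# GRE_HDR_LEN defaults to 4; use 8 for a keyed tunnel.
gre_mtu() {
    path_mtu=$1; transform=$2; gre_hdr=${3:-4}
    params=$(esp_params "$transform") || return 1
    set -- $params
    bs=$1; ivlen=$2; icvlen=$3
    # Bytes left for the ESP-protected region after the fixed outer headers and ICV.
    avail=$(( path_mtu - 20 - 8 - ivlen - icvlen ))
    # That region (payload + padding + padlen + nexthdr) must be a multiple of bs,
    # so round the budget down to the block size.
    avail=$(( avail - avail % bs ))
    echo $(( avail - gre_hdr - 2 ))
}

# gre_mtu_cmd DEV PATH_MTU TRANSFORM [GRE_HDR_LEN] -> the ip(8) command for each gateway.
gre_mtu_cmd() {
    mtu=$(gre_mtu "$2" "$3" "$4") || return 1
    echo "ip link set dev $1 mtu $mtu"
}

# Demo: an Ethernet path MTU of 1500 between the gateways, unkeyed GRE.
for t in null-sha1 3des-sha1 aes-sha1; do
    printf '%-10s %s\n' "$t" "$(gre_mtu_cmd gre1 1500 "$t")"
done
```

Run the printed command on both gateways, then check from a host behind the tunnel with `ping -M do -s <size>` (Linux iputils): sizes that fit the new tunnel MTU should get replies, larger ones should get "Frag needed" from the gateway. If larger probes simply time out instead, the tunnel MTU is still too high or the gateway's own firewall is dropping the ICMP it generates.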

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/