On 23/02/16 23:03, Paul Wouters wrote:
On Mon, 22 Feb 2016, Erik Andersson wrote:

Subject: [Swan] klips_error:ipsec_xmit_encap_init

        right=10.48.28.60
        left=10.48.28.70
        rightsubnet=2001:470:dc8c:5000::/64
        leftsubnet=2001:470:dc8c:4000::/64
        connaddrfamily=ipv6

Sending and receiving ICMPv6 and UDP traffic between the two subnets
work. I've trouble with TCP connections. E.g. when starting a new ssh
connection from the host 2001:470:dc8c:4000::20 (centos 7) to the
host 2001:470:dc8c:5000::20 (centos 7) several of these KLIPS errors
are printed in the kernel log (on both gateways):

[ 1731.562351] klips_error:ipsec_xmit_encap_init: tried to skb_put 29,
19 available. Retuning IPSEC_XMIT_ESP_PUSHPULLERR  This should never
happen, please report.
[ 1731.768707] klips_error:ipsec_xmit_encap_init: tried to skb_put 29,
19 available. Retuning IPSEC_XMIT_ESP_PUSHPULLERR  This should never
happen, please report.
[ 1731.975623] klips_error:ipsec_xmit_encap_init: tried to skb_put 29,
19 available. Retuning IPSEC_XMIT_ESP_PUSHPULLERR  This should never
happen, please report.

David might know more about this.

Doing IPv4-in-IPv6 tunnel works fine. No KLIPS errors when using TCP.

Is there a compelling reason for you to prefer KLIPS over NETKEY/XFRM ?

I guess old habits die hard :) The primary reason is the filtering possibility on the ipsecX interfaces.

Regards,

Erik
Paul
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
