Hello everybody. I have a problem with a sapgui<->sapserver connection after I have migrated an ipsec gateway from linux 2.4.29/KLIPS FreeS/SWAN 2.05 to linux 2.6.16.1/NETKEY Openswan 2.4.5rc6. Here is my network schema (I hope it is clear):

    customer private network 10.0.0.0/8
      |
      |
      +ipsec customer gateway (nokia/checkpoint)
      | |
      | |---ipsec tunnel 10.0.0.0/8<->172.29.128.0/28 (3DES/MD5)
      | |
      | +---ipsec gateway (pleiadi)---priv net (172.16.0.0/23)
      |  /
      | /---ipsec tunnel 10.0.0.0/8<->172.16.0.0/23 (AES/MD5)
      | /   ipsec tunnel 172.18.1.0/24<->172.16.0.0/23 (AES/MD5)
      |/
      +upgraded ipsec gateway (mimosa) from klips to 2.6.16
      |
      |
      priv network (172.18.1.0/24)

The two ipsec endpoints are named pleiadi and mimosa, plus the customer ipsec endpoint (nokia/checkpoint). Traffic from 172.16.0.0 to 172.18.1.0 and vice versa is delivered by the ipsec tunnel 172.18.1.0<->172.16.0.0. Mimosa has established the ipsec tunnel to our customer: it delivers traffic from 172.29.128.0/28 to 10.0.0.0/8 and vice versa. On the mimosa gateway I'm snatting packets from 172.16.0.0/12 to 10.0.0.0/8 with this rule:

    $IPTABLES -t nat -A POSTROUTING -s 172.16.0.0/12 -d 10.0.0.0/8 -j SNAT --to 172.29.128.1

Hosts must connect to the customer network (10.0.0.0) from both the 172.18.1.0 and 172.16.0.0 networks. From the 172.18.1.0 network, things are simple: packets are sent to mimosa, they are snatted to 172.29.128.1 and they are tunneled through the ipsec tunnel (172.29.128.0<->10.0.0.0). Things work fine both with the 2.4.29/klips ipsec stack and with the new 2.6.16/netkey. Users haven't seen any performance issue.
From the 172.16.0.0 network, things are a little more complicated:
packets are sent to pleiadi, they are tunneled through the ipsec tunnel (172.16.0.0<->10.0.0.0), they are decrypted by mimosa, they are snatted to 172.29.128.1 and finally they are tunneled through the ipsec tunnel (172.29.128.0<->10.0.0.0). After mimosa was migrated to 2.6.16/netkey, users from the 172.16.0.0 network are complaining that the sapgui is very slow connecting to the customer network (10.0.0.0/8) and I don't understand why. Firewall rules haven't been touched between the klips->netkey migration. Running tcpdump I see an MSS set to 1460. Lowering it to 1440 did the trick. For now I have worked around the problem with this rule on pleiadi:

    $IPTABLES -t mangle -A FORWARD -s 172.16.0.0/23 -d 10.0.0.0/8 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440

Client hosts are Windows XP with sapgui (connected to both 172.18.1.0 and 172.16.0.0). SAP servers are HP-UX (10.0.0.0/8). Does anyone have an explanation for this? Is there any problem doing a double ipsec lookup with large packets? MTU issue?
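The arithmetic behind the "MTU issue?" question, as an added example that is not part of the original post or of Openswan: it computes how large an ESP tunnel-mode packet becomes for a given inner packet and transform, and from that the largest TCP MSS whose segments still fit a 1500-byte link without fragmentation or a PMTUD round trip. It models both the post's topology, where mimosa decrypts the AES/MD5 tunnel and re-encrypts into the 3DES/MD5 tunnel (sequential, so the tightest tunnel wins), and the nested case where one tunnel is carried inside another (overheads add). Assumed, since the post does not state them: IPv4 without options, TCP without options, no NAT-T UDP encapsulation, a 96-bit ICV for HMAC-MD5, and a 1500-byte MTU on every link; the constants are the ESP framing sizes from RFC 4303 and the CBC/HMAC transform RFCs.

```python
"""ESP tunnel-mode size arithmetic for MSS clamping decisions (added example).

Framing, from RFC 4303 and the transform RFCs:
  - ESP header: 4-byte SPI + 4-byte sequence number
  - IV: 8 bytes for 3DES-CBC, 16 bytes for AES-CBC
  - trailer: pad-length + next-header (2 bytes), after padding the
    inner packet + trailer up to the cipher block size
  - ICV: 12 bytes for HMAC-MD5-96 / HMAC-SHA1-96
Assumptions: IPv4 without options (20 bytes), TCP without options (20 bytes),
NAT-T UDP encapsulation (8 bytes, RFC 3948) only if requested.
"""
from dataclasses import dataclass
from typing import Iterable

IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header


@dataclass(frozen=True)
class EspTransform:
    name: str
    block: int   # cipher block size; ESP pads up to a multiple of it
    iv: int      # IV length carried in clear after the ESP header
    icv: int     # truncated HMAC length
    natt: bool = False


THREEDES_MD5 = EspTransform("3DES-CBC/HMAC-MD5-96", block=8, iv=8, icv=12)
AES_MD5 = EspTransform("AES-CBC/HMAC-MD5-96", block=16, iv=16, icv=12)


def _fixed_overhead(t: EspTransform) -> int:
    """Bytes added outside the encrypted, padded region."""
    return IPV4_HDR + (UDP_HDR if t.natt else 0) + ESP_HDR + t.iv + t.icv


def esp_tunnel_size(inner_len: int, t: EspTransform) -> int:
    """On-the-wire size of an ESP tunnel-mode packet carrying an inner IP
    packet of inner_len bytes."""
    body = inner_len + ESP_TRAILER
    padded = -(-body // t.block) * t.block      # round up to the block size
    return _fixed_overhead(t) + padded


def max_inner_len(mtu: int, t: EspTransform) -> int:
    """Largest inner IP packet whose encapsulation still fits in mtu bytes."""
    padded = (mtu - _fixed_overhead(t)) // t.block * t.block
    return padded - ESP_TRAILER


def mss_sequential(mtu: int, transforms: Iterable[EspTransform]) -> int:
    """Hops that decrypt and re-encrypt (pleiadi -> mimosa -> customer):
    every tunnel sees the plaintext packet, so the tightest one decides."""
    return min(max_inner_len(mtu, t) for t in transforms) - IPV4_HDR - TCP_HDR


def mss_nested(mtu: int, transforms: Iterable[EspTransform]) -> int:
    """Tunnels layered one inside another, outermost first: each layer's
    inner limit is the MTU seen by the next layer."""
    limit = mtu
    for t in transforms:
        limit = max_inner_len(limit, t)
    return limit - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    # The post's path: AES/MD5 to mimosa, then 3DES/MD5 to the customer,
    # with a 1500-byte MTU assumed on each link.
    for mss in (1460, 1440):
        inner = mss + IPV4_HDR + TCP_HDR
        for t in (AES_MD5, THREEDES_MD5):
            print(f"MSS {mss}: {inner}-byte packet -> {esp_tunnel_size(inner, t)}"
                  f" bytes under {t.name}")
    print("largest MSS with no fragmentation on either hop:",
          mss_sequential(1500, [AES_MD5, THREEDES_MD5]))
    print("same two tunnels nested instead of sequential:",
          mss_nested(1500, [THREEDES_MD5, AES_MD5]))
```

Under these assumptions a full 1500-byte inner packet (MSS 1460) becomes 1560 bytes under AES/MD5, and an MSS of 1440 still produces 1544-byte ESP packets, so both depend on either fragmentation after encryption or on the ICMP fragmentation-needed messages that path MTU discovery relies on reaching the Windows clients; the MSS that needs neither is what `mss_sequential` returns, and the value to clamp to in a real deployment is this number recomputed with the actual link MTUs, NAT-T flag and ICV length of the tunnels in use.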