[Swan] klips_error:ipsec_xmit_encap_init
Erik Andersson
erik at ingate.com
Thu Feb 25 09:26:49 UTC 2016
On 23/02/16 23:03, Paul Wouters wrote:
> On Mon, 22 Feb 2016, Erik Andersson wrote:
>
>> Subject: [Swan] klips_error:ipsec_xmit_encap_init
>
>> right=10.48.28.60
>> left=10.48.28.70
>> rightsubnet=2001:470:dc8c:5000::/64
>> leftsubnet=2001:470:dc8c:4000::/64
>> connaddrfamily=ipv6
>
>> Sending and receiving ICMPv6 and UDP traffic between the two subnets
>> work. I've trouble with TCP connections. E.g. when starting a new ssh
>> connection from the the host 2001:470:dc8c:4000::20 (centos 7) to the
>> host 2001:470:dc8c:5000::20 (centos 7) several of these KLIPS errors
>> are printed in the kernel log (on both gateways):
>>
>> [ 1731.562351] klips_error:ipsec_xmit_encap_init: tried to skb_put 29,
>> 19 available. Retuning IPSEC_XMIT_ESP_PUSHPULLERR This should never
>> happen, please report.
>> [ 1731.768707] klips_error:ipsec_xmit_encap_init: tried to skb_put 29,
>> 19 available. Retuning IPSEC_XMIT_ESP_PUSHPULLERR This should never
>> happen, please report.
>> [ 1731.975623] klips_error:ipsec_xmit_encap_init: tried to skb_put 29,
>> 19 available. Retuning IPSEC_XMIT_ESP_PUSHPULLERR This should never
>> happen, please report.
>
> David might know more about this.
>
>> Doing IPv4-in-IPv6 tunnel works fine. No KLIPS errors when using TCP.
>
> Is there a compelling reason for you to prefer KLIPS over NETKEY/XFRM ?
>
I guess old habits die hard :) The primary reason is the filtering
possibility on the ipsecX interfaces.
Regards,
Erik
> Paul
More information about the Swan
mailing list