[strongSwan] Strongswan using VTI
Ulrich Schwarz
schwarz at gaertner.de
Thu Dec 18 17:15:07 CET 2014
Hi,
>>>>> "OP" == Olivier PELERIN <olivier_pelerin at hotmail.com> writes:
OP> Tried to follow this kernel commit - it does not work
OP> https://lists.ubuntu.com/archives/kernel-team/2013-November/034116.html
OP> It seems utterly broken
OP> From: olivier_pelerin at hotmail.com
OP> To: avalentin at marcant.net; users at lists.strongswan.org
OP> Date: Thu, 18 Dec 2014 10:11:23 +0100
OP> Subject: Re: [strongSwan] Strongswan using VTI
OP> Will try it out
OP> When I strace my ping I'm getting (Resource temporarily unavailable) when we receive the echo-reply
OP> sendmsg(3, {msg_name(16)={sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("10.0.0.2")}, msg_iov(1)=[{"\10\0\312\350Y\362\00096\231\222T\0\0\0\0K+\0\0\0\0\0\0\20\21\22\23\24\25\26\27"..., 64}], msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_IP, cmsg_type=, ...}, msg_flags=0}, 0) = 64
OP> recvmsg(3, 0x7fff93401680, 0) = -1 EAGAIN (Resource temporarily unavailable)
OP> gettimeofday({1418893623, 10985}, NULL) = 0
OP> gettimeofday({1418893623, 11029}, NULL) = 0
check your kernel parameter xfrm4_gc_thresh with:
cat /proc/sys/net/ipv4/xfrm4_gc_thresh
if you see 1024 or even 2048 as the result, it's way too low. bump it
up with:
echo 262144 > /proc/sys/net/ipv4/xfrm4_gc_thresh
and check your ping/traceroute again. if you succeed, make your
setting permanent and add
net.ipv4.xfrm4_gc_thresh = 262144
to /etc/sysctl.conf.
kind regards, schwarz
--
Gärtner Datensysteme GmbH & Co. KG Komplementärin:
Gärtner Datensysteme
Hamburger Str. 273a Tel. (0531) 2 33 55 55 Verwaltungs GmbH
38114 Braunschweig Fax (0531) 2 33 55 56
Amtsgericht Braunschweig
Amtsgericht Braunschweig HRA 200 848 HRB 202 115
GmbH-Geschäftsführung:
Christine Müller Martin Neitzel Ulrich Schwarz Dr. Stefan Gärtner
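
The check described in the reply above, as an added example that is not part of the original message: it compares the runtime value of xfrm4_gc_thresh with the value persisted in a sysctl.conf-style file and reports when a raised value would be lost on reboot. The function names and status words are hypothetical, the 262144 floor is the value suggested in the message, and only the single file passed in is examined (an /etc/sysctl.d/ directory is not).

```shell
#!/bin/sh
# Added example: audit xfrm4_gc_thresh at runtime and in sysctl.conf.
# MIN_THRESH is the value suggested in the message above.
MIN_THRESH=262144

# Print the persisted net.ipv4.xfrm4_gc_thresh from a sysctl.conf-style file.
# The last uncommented assignment wins, since the file is applied in order.
# Prints nothing if the key is not set or the file is unreadable.
persisted_thresh() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*net\.ipv4\.xfrm4_gc_thresh[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*$/\1/p' "$1" | tail -n 1
}

# check_gc_thresh PROC_FILE CONF_FILE
# Prints one status word and returns:
#   0 ok             runtime and persisted values are both high enough
#   1 runtime-low    running kernel is below MIN_THRESH
#   2 not-persisted  runtime is fine, but the setting is lost on reboot
#   3 unreadable     PROC_FILE is missing or not numeric
check_gc_thresh() {
    proc_file=$1
    conf_file=$2
    [ -r "$proc_file" ] || { echo "unreadable"; return 3; }
    runtime=$(cat "$proc_file")
    case $runtime in
        ''|*[!0-9]*) echo "unreadable"; return 3 ;;
    esac
    if [ "$runtime" -lt "$MIN_THRESH" ]; then
        echo "runtime-low"; return 1
    fi
    saved=$(persisted_thresh "$conf_file")
    if [ -z "$saved" ] || [ "$saved" -lt "$MIN_THRESH" ]; then
        echo "not-persisted"; return 2
    fi
    echo "ok"; return 0
}

# Constructed sample: a host with a low value and no persisted setting.
tmp=$(mktemp -d)
echo 1024 > "$tmp/proc"
: > "$tmp/sysctl.conf"
check_gc_thresh "$tmp/proc" "$tmp/sysctl.conf" || true
rm -rf "$tmp"
```

On a gateway, call `check_gc_thresh /proc/sys/net/ipv4/xfrm4_gc_thresh /etc/sysctl.conf`.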