Hi all,

I've a Debian box with (Debian) kernel 2.6.11-3 and OpenSwan 2.3.0-2
(again, Debian package) and several Windows roadwarriors using a
safenet-based client. X.509 certificate based authentication.
I can establish the SA, the traffic is encrypted, and I can do almost
everything.
BUT... I can't navigate some sites, or do certain network actions.
Originally I found that I have to lower the MTU, so it's now set up to
1400; examining the traffic shows the IPSec overhead brings it to 1415,
that's fine, well under 1500.
It still fails with some sites/actions. It is consistent and can be
repeated.
When this happens, an ipsec auto --status shows lines like this at the
end:


000 x.x.x.x/32:0 -17-> y.y.y.y/32:0 => %hold 0 %acquire-netlink
000 x.x.x.x/32:0 -17-> y.y.y.y/32:0 => %hold 0 %acquire-netlink
000 x.x.x.x/32:0 -17-> y.y.y.y/32:0 => %hold 0 %acquire-netlink
000 x.x.x.x/32:0 -17-> y.y.y.y/32:0 => %hold 0 %acquire-netlink
etc...


x.x.x.x is the remote site that fails, y.y.y.y is the roadwarrior.
Digging for information on that hasn't provided any answer to the
problem.
Did anyone ever have this issue?
Any help is appreciated.
TIA!