ipsec ipcomp between FreeS/WAN 2.04 and FreeBSD 5.2

Karim Fodil-Lemelin kfl at xiphos.ca
Wed Feb 4 12:41:38 PST 2004


Hi,

I tried that before and couldn't get it working :(
Then I asked the Kame peps and it seems that ipcomp
is not supported yet in tunnel mode. That was for
FreeBSD 4.8 and I don't think it has changed since then.

Karim.

> -----Original Message-----
> From: owner-freebsd-net at freebsd.org
> [mailto:owner-freebsd-net at freebsd.org]On Behalf Of Marco Berizzi
> Sent: 3 February, 2004 12:19
> To: freebsd-net at freebsd.org
> Subject: ipsec ipcomp between FreeS/WAN 2.04 and FreeBSD 5.2
>
>
> Hello everybody.
>
> I'm running into an interop issue with IPSec tunnels
> between FreeS/WAN and FreeBSD 5.2.
> Without IPComp, tunnels are successfully established.
> With IPComp enabled, tunnels are again successfully
> established, but there is no traffic flow.
>
> This is my setkey init (FreeBSD box side):
>
> /usr/local/sbin/setkey -c <<EOF
> flush;
> spdflush;
> spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec
>     ipcomp/tunnel/172.16.1.247-172.16.1.226/use
>     esp/tunnel/172.16.1.247-172.16.1.226/require;
>
> spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec
>     ipcomp/tunnel/172.16.1.226-172.16.1.247/use
>     esp/tunnel/172.16.1.226-172.16.1.247/require;
> EOF
>
> However, with this kind of init file FreeS/WAN is dropping packets
> coming from the FreeBSD box.
> Michael Richardson (fsw maintainer) replied to me, saying:
>
> "... The packets that racoon is telling the system to build
> would appear to have been constructed like:
>
> orig     IPsrc = 10.1.1.1,IPdst = 10.1.2.1
>            IPcomp
> *         IPsrc = 172.16.1.247,IPdst=172.16.1.226
>            ESP
> outer   IPsrc = 172.16.1.247,IPdst=172.16.1.226
>
> [...]   This packet format is in error. It defeats most of the point
> of using IPcomp, which is to compress the inner-IP header out. It
> appears that a new IP header has been added.
> If the 2.6.0 kernel accepts this, then I wonder what other things it
> might accept!   The IPIP header marked "*" is completely superfluous and
> a waste of 20 bytes. ..."
>
> The full thread is available at
> https://lists.freeswan.org/archives/design/2003-December/msg00032.html

The thread is about FreeS/WAN and kernel 2.6 (the 2.6 IPSec stack is KAME
based). However, Linux 2.6 and FreeBSD have the same behaviour.

Comments?

TIA

PS: Please CC me. I'm not subscribed to the list.
_______________________________________________
freebsd-net at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
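
The layering described in the quoted reply from Michael Richardson, modelled as an added example (not code from the thread, KAME or FreeS/WAN): it parses the outbound `spdadd` policy from the quoted setkey input and assumes, as that quote describes, that every tunnel-mode request adds its own IPv4 header. The function names and the comparison policy without the ipcomp request are constructed here; the inner addresses are the ones in the quoted diagram.

```python
import re

# Outbound policy copied from the setkey input quoted in the message above.
POLICY_OUT = """spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec
    ipcomp/tunnel/172.16.1.226-172.16.1.247/use
    esp/tunnel/172.16.1.226-172.16.1.247/require;"""

# Constructed comparison: the same policy with the ipcomp request dropped
# (the "without IPComp" case the message reports as working).
POLICY_NO_IPCOMP = """spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec
    esp/tunnel/172.16.1.226-172.16.1.247/require;"""

IPV4_HEADER_LEN = 20  # bytes, IPv4 header without options

# One request: protocol/mode/src-dst/level (src-dst is empty in transport mode).
REQUEST = re.compile(r"\b(esp|ah|ipcomp)/(tunnel|transport)/([\d.]*)-?([\d.]*)/(\w+)")


def parse_requests(policy):
    """Return the transform requests of one spdadd statement, in listed order."""
    keys = ("proto", "mode", "src", "dst", "level")
    return [dict(zip(keys, m.groups())) for m in REQUEST.finditer(policy)]


def header_stack(policy, inner=("10.1.1.1", "10.1.2.1")):
    """Model the resulting headers, innermost first.

    Assumption (taken from the quoted description, not from KAME source):
    requests are applied in listed order and every tunnel-mode request
    wraps the packet in its own IPv4 header.
    """
    layers = [("IP", inner[0], inner[1])]
    for req in parse_requests(policy):
        layers.append((req["proto"].upper(),))
        if req["mode"] == "tunnel":
            layers.append(("IP", req["src"], req["dst"]))
    return layers


def wasted_bytes(layers):
    """Bytes spent on IP headers that are neither the original nor the outermost."""
    ip_headers = [layer for layer in layers if layer[0] == "IP"]
    return max(len(ip_headers) - 2, 0) * IPV4_HEADER_LEN


if __name__ == "__main__":
    for layer in reversed(header_stack(POLICY_OUT)):  # print outermost first
        print(" ".join(layer))
    print("superfluous bytes:", wasted_bytes(header_stack(POLICY_OUT)))
```
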