Bundled SAs and ESP/IPCOMP support ...

Matthew Grooms mgrooms at shrew.net
Tue Sep 26 11:29:58 PDT 2006


All,

	I have been working on ipsec-tools development a bit and am currently 
scratching my head over issues related to esp and ipcomp. Since I do 
most of my testing with FreeBSD, I tried both the kame ipsec and fast 
ipsec support but have had no success to date.

Here are the SPD entries being generated with the kame ipsec stack 
compiled into the kernel ...

10.2.1.128[any] 10.1.1.2[any] any
         in ipsec
         ipcomp/tunnel/10.22.200.119-10.22.200.1/unique:3
         esp/transport//unique:3
         created: Sep 26 11:01:42 2006  lastused: Sep 26 11:01:42 2006
         lifetime: 3600(s) validtime: 0(s)
         spid=16483 seq=1 pid=886
         refcnt=1
10.1.1.2[any] 10.2.1.128[any] any
         out ipsec
         ipcomp/tunnel/10.22.200.1-10.22.200.119/unique:3
         esp/transport//unique:3
         created: Sep 26 11:01:42 2006  lastused: Sep 26 11:01:42 2006
         lifetime: 3600(s) validtime: 0(s)
         spid=16484 seq=0 pid=886
         refcnt=1

... and here are the SAD entries being generated ...

10.22.200.1 10.22.200.119
         ipcomp mode=tunnel spi=2480390087(0x93d7bfc7) reqid=4(0x00000004)
         C: deflate      seq=0x00000000 replay=0 flags=0x00000080 state=mature
         created: Sep 26 11:01:42 2006   current: Sep 26 11:02:07 2006
         diff: 25(s)     hard: 3600(s)   soft: 2880(s)
         last:                           hard: 0(s)      soft: 0(s)
         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
         allocated: 0    hard: 0 soft: 0
         sadb_seq=3 pid=889 refcnt=1
10.22.200.1 10.22.200.119
         esp mode=transport spi=3351238547(0xc7bfd793) reqid=3(0x00000003)
         E: 3des-cbc  7380862e 482939f0 9f4753d8 9b97ab37 b13e4412 82a151ba
         A: hmac-md5  cb0829bf 4a51917e 6a023484 b9ea96d7
         seq=0x00000000 replay=4 flags=0x00000000 state=mature
         created: Sep 26 11:01:42 2006   current: Sep 26 11:02:07 2006
         diff: 25(s)     hard: 3600(s)   soft: 2880(s)
         last:                           hard: 0(s)      soft: 0(s)
         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
         allocated: 0    hard: 0 soft: 0
         sadb_seq=2 pid=889 refcnt=1
10.22.200.119 10.22.200.1
         ipcomp mode=tunnel spi=20406(0x00004fb6) reqid=4(0x00000004)
         C: deflate      seq=0x00000000 replay=0 flags=0x00000080 state=mature
         created: Sep 26 11:01:42 2006   current: Sep 26 11:02:07 2006
         diff: 25(s)     hard: 3600(s)   soft: 2880(s)
         last:                           hard: 0(s)      soft: 0(s)
         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
         allocated: 0    hard: 0 soft: 0
         sadb_seq=1 pid=889 refcnt=1
10.22.200.119 10.22.200.1
         esp mode=transport spi=13587562(0x00cf546a) reqid=3(0x00000003)
         E: 3des-cbc  89f5c6b5 8598b99d feea7460 2f59c9b4 c21e1280 20c02c1d
         A: hmac-md5  2a293fed 7e02d586 f3f42012 8923582a
         seq=0x00000000 replay=4 flags=0x00000000 state=mature
         created: Sep 26 11:01:42 2006   current: Sep 26 11:02:07 2006
         diff: 25(s)     hard: 3600(s)   soft: 2880(s)
         last:                           hard: 0(s)      soft: 0(s)
         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
         allocated: 0    hard: 0 soft: 0
         sadb_seq=0 pid=889 refcnt=1

...

	With fast ipsec compiled into the kernel, I can see the outbound esp 
transport SAD entry increase the current byte count but the ipcomp entry 
shows nothing to indicate its use. It seems strange that the kernel will 
send acquire messages via PF_KEY as a prerequisite to performing the 
required security processing but doesn't use them once they are added by 
the key daemon.

	I have heard reports from NetBSD developers that it doesn't work on 
their platform either. I have no idea about OpenBSD. It is reported to 
work correctly with the Linux 2.6 kernel but I haven't had a chance to 
verify yet.

	So, has anyone had any success with esp/ipcomp bundled SAs? Is this a 
known issue and is anyone working to correct the problem?

Thanks in advance,

-Matthew

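The observation in the post (the ESP SA's byte counter moves while the IPCOMP SA's does not) can be turned into a repeatable check by parsing the `setkey -D` dump and grouping the SAs per direction and per reqid. The script below is an added example, not code from the post or from ipsec-tools; the sample dump is a trimmed, constructed copy of the SAD shown above, with the byte counters set to mirror the fast ipsec behaviour described (outbound ESP counted, IPCOMP untouched). The field layout it expects is the one visible in the dump; any other layout is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed `setkey -D` style output modelled on the dump in
# the post. Byte counters are constructed to mirror the reported fast ipsec
# behaviour: the outbound ESP SA has carried traffic, the IPCOMP SA has not.
SAMPLE_SAD = """\
10.22.200.1 10.22.200.119
         ipcomp mode=tunnel spi=2480390087(0x93d7bfc7) reqid=4(0x00000004)
         C: deflate      seq=0x00000000 replay=0 flags=0x00000080 state=mature
         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
10.22.200.1 10.22.200.119
         esp mode=transport spi=3351238547(0xc7bfd793) reqid=3(0x00000003)
         seq=0x00000000 replay=4 flags=0x00000000 state=mature
         current: 1472(bytes)    hard: 0(bytes)  soft: 0(bytes)
10.22.200.119 10.22.200.1
         ipcomp mode=tunnel spi=20406(0x00004fb6) reqid=4(0x00000004)
         C: deflate      seq=0x00000000 replay=0 flags=0x00000080 state=mature
         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
10.22.200.119 10.22.200.1
         esp mode=transport spi=13587562(0x00cf546a) reqid=3(0x00000003)
         seq=0x00000000 replay=4 flags=0x00000000 state=mature
         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
"""

# An SA block opens with an unindented "src dst" line; all detail lines are indented.
HEADER_RE = re.compile(r"^(\S+) (\S+)$")
PROTO_RE = re.compile(r"^\s+(\w+) mode=(\w+) spi=(\d+)\(0x[0-9a-f]+\) reqid=(\d+)\(")
BYTES_RE = re.compile(r"^\s+current: (\d+)\(bytes\)")


def parse_sad(text):
    """Parse a setkey -D dump into a list of SA dicts (src, dst, proto, mode, spi, reqid, bytes)."""
    sas, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "bytes": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = PROTO_RE.match(line)
        if m:
            cur.update(proto=m.group(1), mode=m.group(2),
                       spi=int(m.group(3)), reqid=int(m.group(4)))
            continue
        m = BYTES_RE.match(line)
        if m:
            cur["bytes"] = int(m.group(1))
    return sas


def direction_report(sas):
    """Map each (src, dst) pair to {protocol: bytes carried}."""
    report = defaultdict(dict)
    for sa in sas:
        report[(sa["src"], sa["dst"])][sa["proto"]] = sa["bytes"]
    return dict(report)


def bundles_by_reqid(sas):
    """Group SAs by reqid; in a working bundle the ESP and IPCOMP SAs of one
    policy are expected to be found together here."""
    groups = defaultdict(list)
    for sa in sas:
        groups[sa["reqid"]].append(sa)
    return dict(groups)


def partially_used_directions(sas):
    """Directions where some SAs carried traffic and others stayed at zero bytes,
    i.e. the bundle is only partly exercised by the kernel."""
    result = []
    for direction, protos in direction_report(sas).items():
        used = {p for p, b in protos.items() if b > 0}
        if used and used != set(protos):
            result.append(direction)
    return result


if __name__ == "__main__":
    sas = parse_sad(SAMPLE_SAD)
    for direction, protos in direction_report(sas).items():
        print(f"{direction[0]} -> {direction[1]}: {protos}")
    for reqid, group in sorted(bundles_by_reqid(sas).items()):
        print(f"reqid={reqid}: {[sa['proto'] for sa in group]}")
    print("partially used bundles:", partially_used_directions(sas))
```

Run against a live dump (`setkey -D | python3 script.py` with `sys.stdin.read()` substituted for the sample), the per-direction table shows at a glance which SAs the kernel is actually feeding, and the reqid grouping makes visible that the IPCOMP SAs in the dump above carry reqid=4 while the ESP SAs and both SPD entries (`unique:3`) carry 3.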

More information about the freebsd-net mailing list