ipv6 + ah + esp
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Tue Mar 4 07:30:07 PST 2008
On Tue, 4 Mar 2008, Cyrus Rahman wrote:
Hi,
> Is there a known problem running ah+esp on ip6? I can set up an
> association and run ah+esp just fine on ip4,
> and ah or esp work well by themselves in ip6, but I've had no luck
> with combining them on ip6.
>
> I know that ipcomp is documented to be broken but I haven't seen
> anything about this problem. This is on 7.0-RELEASE.
>
> For example this:
>
> spdadd hostA hostB any -P out ipsec
> esp/transport//require ah/transport//require;
> spdadd hostB hostA any -P in ipsec
> esp/transport//require ah/transport//require;
>
> results in no exchange but the following messages in syslog:
>
> snowfall kernel: ip6_output (ipsec): error code 22
>
> Taking either ah or esp out of the policy works just fine.
22 is EINVAL.
The same error message is there twice in sys/netinet6/ip6_output.c
(search for "(ipsec)" w/o the "").
Could you alter them so we can tell them apart, recompile the kernel
and file a PR with this information and whether it is the printf after
ipsec6_output_trans or after ipsec6_output_tunnel?
/bz
--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
Software is harder than hardware so better get it right the first time.