From: "Loren M. Lang"
To: FreeBSD Mailing list
Date: Sun, 14 Nov 2004 02:15:36 -0800
Subject: IPComp won't compress data
Message-ID: <20041114101536.GA21222@alzatex.com>

I recently got an IPSec VPN working between two FreeBSD 5.3 boxes with ESP and AH. I decided to try adding IPComp to the mix to compress the data, but it doesn't seem to do anything. All sniffs of the network traffic show the VPN working, but IPComp never shows up.
I first tried IP in ESP in IPComp in AH in IP, but all I see is ESP in AH in IP, like IPComp isn't enabled. I changed the config to remove ESP, then I see IP in AH in IP. Also, I tried just IPComp by itself and all I had was an IP in IP tunnel. I'm using racoon for ESP and AH; does racoon also work with IPComp and set it up automatically?

The ipsec.conf file I used for ESP in IPComp in AH is as follows:

    spdadd 192.168.1.2/32 192.168.1.1/32 ipencap -P out ipsec \
        esp/transport//require ipcomp/transport//require ah/transport//require;
    spdadd 192.168.1.1/32 192.168.1.2/32 ipencap -P in ipsec \
        esp/transport//require ipcomp/transport//require ah/transport//require;

I then added the lines below when that didn't work:

    add 192.168.1.2 192.168.1.1 ipcomp 2010 -C deflate;
    add 192.168.1.1 192.168.1.2 ipcomp 1020 -C deflate;

After that I changed the first two lines to:

    spdadd 192.168.1.2/32 192.168.1.1/32 ipencap -P out ipsec \
        ipcomp/transport//require ah/transport//require;
    spdadd 192.168.1.1/32 192.168.1.2/32 ipencap -P in ipsec \
        ipcomp/transport//require ah/transport//require;

And then:

    spdadd 192.168.1.2/32 192.168.1.1/32 ipencap -P out ipsec \
        ipcomp/transport//require;
    spdadd 192.168.1.1/32 192.168.1.2/32 ipencap -P in ipsec \
        ipcomp/transport//require;

In every case I saw the ESP and AH protocols appear as appropriate, but IPComp never showed up in any packet captures. Is there anything I'm missing?

-- 
I sense much NT in you.
NT leads to Bluescreen.
Bluescreen leads to downtime.
Downtime leads to suffering.
NT is the path to the darkside.
Powerful Unix is.

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: B3B9 D669 69C9 09EC 1BCD 835A FAF3 7A46 E4A3 280C
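
Added example, not part of the original message: one way to confirm from raw packet bytes whether an IPComp header (IP protocol 108) sits between AH and the inner IP header, instead of reading it off a sniffer display. The function names, helper builders and sample packets are constructed for illustration; only the addresses and the CPI value 2010 are taken from the message.

```python
import socket
import struct

# IANA protocol numbers for the headers named in the message.
ICMP, IPIP, ESP, AH, IPCOMP = 1, 4, 50, 51, 108
NAMES = {ICMP: "ICMP", IPIP: "IP", ESP: "ESP", AH: "AH", IPCOMP: "IPComp"}

def header_chain(pkt):
    """Walk a raw IPv4 packet and list each header seen, outermost first."""
    chain, proto, off = [], IPIP, 0
    while off < len(pkt):
        chain.append(NAMES.get(proto, str(proto)))
        if proto == IPIP:                    # IPv4: IHL in 32-bit words, protocol at byte 9
            ihl = (pkt[off] & 0x0F) * 4
            if ihl < 20 or len(pkt) - off < ihl:
                break
            proto, off = pkt[off + 9], off + ihl
        elif proto == AH:                    # AH: next header, then length in words minus 2
            if len(pkt) - off < 12:
                break
            proto, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        else:                                # ESP is encrypted, IPComp is compressed: stop
            break
    return chain

def has_ipcomp(pkt):
    return "IPComp" in header_chain(pkt)

# Constructed sample packets (checksums and ICVs zeroed; hypothetical helpers).
def ipv4(proto, payload, src="192.168.1.2", dst="192.168.1.1"):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def ah(next_proto, payload):                 # 12 fixed bytes + 12-byte ICV = 24 bytes
    return struct.pack("!BBHII", next_proto, 4, 0, 0x1000, 1) + bytes(12) + payload

def ipcomp(next_proto, cpi, payload):        # 4-byte header: next header, flags, CPI
    return struct.pack("!BBH", next_proto, 0, cpi) + payload

inner = ipv4(ICMP, bytes(8))
SEEN_AH_ONLY = ipv4(AH, ah(IPIP, inner))                      # "IP in AH in IP"
SEEN_ESP = ipv4(AH, ah(ESP, bytes(40)))                       # "ESP in AH in IP"
WANTED = ipv4(AH, ah(IPCOMP, ipcomp(IPIP, 2010, bytes(16))))  # IPComp between AH and IP

if __name__ == "__main__":
    for label, pkt in (("AH only", SEEN_AH_ONLY), ("ESP+AH", SEEN_ESP), ("wanted", WANTED)):
        print(label, header_chain(pkt), "IPComp present:", has_ipcomp(pkt))
```

RFC 3173 has a sender omit the IPComp header for any datagram that does not get smaller when compressed, so a check like this is only meaningful over traffic with large, compressible payloads. Anything placed inside ESP is encrypted on the wire and cannot be seen by walking headers.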