From owner-freebsd-net@FreeBSD.ORG Thu Apr 29 07:41:21 2004
Message-ID: <4091167D.5040401@xiphos.ca>
Date: Thu, 29 Apr 2004 10:51:41 -0400
From: Karim Fodil-Lemelin
To: Marco Berizzi
Cc: freebsd-net@freebsd.org
Subject: Re: ipsec ipcomp between FreeS/WAN 2.04 and FreeBSD 5.2
List-Id: Networking and TCP/IP with FreeBSD

Hi,

I have fixed IPComp for tunnel mode in FreeBSD 4.8 (I still need to clean up the code). I believe it should be easy for you to apply the diffs to FreeBSD 5.2. I will contact the KAME group and try to see how I can deliver the patch. Since the R&D was done on the company's time, I would like to have myself and Xiphos mentioned in releasing the patch.

Regards,

Karim Fodil-Lemelin
Xiphos Technologies Inc

Marco Berizzi wrote:

>Hello everybody.
>
>I'm running into an interop issue with IPsec tunnels
>between FreeS/WAN and FreeBSD 5.2.
>Without IPComp, tunnels are successfully established.
>With IPComp enabled, tunnels are again successfully
>established but there is no traffic flow.
>
>This is my setkey init (FreeBSD box side):
>
>/usr/local/sbin/setkey -c <<EOF
>flush;
>spdflush;
>spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec
>       ipcomp/tunnel/172.16.1.247-172.16.1.226/use
>       esp/tunnel/172.16.1.247-172.16.1.226/require;
>
>spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec
>       ipcomp/tunnel/172.16.1.226-172.16.1.247/use
>       esp/tunnel/172.16.1.226-172.16.1.247/require;
>EOF
>
>However, with this kind of init file FreeS/WAN is dropping packets coming from the FreeBSD box.
>Michael Richardson (FreeS/WAN maintainer) replied to me, telling:
>
>"... The packets that racoon is telling the system to build
>would appear to have been constructed like:
>
>orig   IPsrc = 10.1.1.1,      IPdst = 10.1.2.1
>       IPcomp
>*      IPsrc = 172.16.1.247,  IPdst = 172.16.1.226
>       ESP
>outer  IPsrc = 172.16.1.247,  IPdst = 172.16.1.226
>
>[...] This packet format is in error. It defeats most of the point of using
>IPcomp, which is to compress the inner IP header out. It appears that a new
>IP header has been added.
>If the 2.6.0 kernel accepts this, then I wonder what other things it
>might accept! The IPIP header marked "*" is completely superfluous and
>a waste of 20 bytes. ..."
>
>The full thread is available at https://lists.freeswan.org/archives/design/2003-December/msg00032.html
>
>The thread is about FreeS/WAN and kernel 2.6 (the 2.6 IPsec stack is KAME based). However, Linux 2.6 and FreeBSD have the same behaviour.
>
>Comments?
>
>TIA
>
>PS: Please CC me. I'm not subscribed to the list.
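An added example, not code from this thread, from KAME or from FreeS/WAN, that reconstructs the two IPComp-in-tunnel-mode layouts contrasted in the quoted reply. Header fields follow RFC 3173 (IPComp: Next Header, Flags, CPI) and RFC 791 (IPv4); protocol numbers are the IANA assignments (4 for IP-in-IP, 108 for IPComp). ESP itself is not modelled: each builder returns what a receiver sees after ESP decryption, together with the value ESP's Next Header field would carry. The inner datagram, the minimal IPv4 builder (fixed 20-byte header, zero checksum) and the `walk_headers` / `has_superfluous_ipip` check are constructed for illustration and are not part of either project.

```python
import struct
import zlib

# IANA protocol numbers
IPPROTO_IPIP = 4        # IP-in-IP (the header marked "*" in the thread)
IPPROTO_UDP = 17
IPPROTO_IPCOMP = 108    # IP Payload Compression Protocol, RFC 3173
CPI_DEFLATE = 2         # well-known Compression Parameter Index for DEFLATE


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (RFC 791 layout). Constructed for the
    example: identification, TTL and checksum are not meaningful here."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       addr(src), addr(dst))


def ipcomp_header(next_header, cpi=CPI_DEFLATE):
    """RFC 3173 section 2.1: Next Header (8 bits), Flags (8 bits, zero),
    CPI (16 bits)."""
    return struct.pack("!BBH", next_header, 0, cpi)


def deflate(data):
    # Raw DEFLATE stream (negative wbits = no zlib wrapper), as IPComp carries it
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()


def inflate(data):
    return zlib.decompress(data, wbits=-15)


def correct_tunnel_payload(inner_datagram):
    """RFC 3173 tunnel mode: IPComp is applied to the *entire* original
    datagram, inner IP header included. Returns (ESP Next Header, payload)."""
    return IPPROTO_IPCOMP, ipcomp_header(IPPROTO_IPIP) + deflate(inner_datagram)


def superfluous_ipip_payload(inner_datagram, tun_src, tun_dst):
    """The layout the quoted reply objects to: an extra IP-in-IP header
    carrying protocol 108 sits between ESP and the IPComp header."""
    body = ipcomp_header(IPPROTO_IPIP) + deflate(inner_datagram)
    extra = ipv4_header(tun_src, tun_dst, IPPROTO_IPCOMP, len(body))
    return IPPROTO_IPIP, extra + body


def walk_headers(next_header, payload):
    """Follow the protocol chain from ESP's Next Header field. Returns the
    list of protocol numbers traversed and the recovered original datagram.
    Simplification: an IP header whose protocol is IPComp or IP-in-IP is
    treated as encapsulation, anything else as the original datagram."""
    chain, proto, buf = [], next_header, payload
    while True:
        chain.append(proto)
        if proto == IPPROTO_IPCOMP:
            nh, flags, cpi = struct.unpack("!BBH", buf[:4])
            if flags != 0 or cpi != CPI_DEFLATE:
                raise ValueError(f"unsupported IPComp header: flags={flags} cpi={cpi}")
            proto, buf = nh, inflate(buf[4:])
        elif proto == IPPROTO_IPIP:
            ihl = (buf[0] & 0x0F) * 4
            if buf[9] not in (IPPROTO_IPCOMP, IPPROTO_IPIP):
                return chain, buf           # reached the original datagram
            proto, buf = buf[9], buf[ihl:]
        else:
            return chain, buf


def has_superfluous_ipip(chain):
    """True when an IP-in-IP header directly precedes IPComp. That header
    carries nothing IPComp needs and costs 20 bytes per packet."""
    return any(a == IPPROTO_IPIP and b == IPPROTO_IPCOMP
               for a, b in zip(chain, chain[1:]))


# Constructed sample: a 10.1.1.1 -> 10.1.2.1 UDP datagram with a compressible payload
INNER = ipv4_header("10.1.1.1", "10.1.2.1", IPPROTO_UDP, 200) + b"A" * 200
TUN_SRC, TUN_DST = "172.16.1.247", "172.16.1.226"

if __name__ == "__main__":
    for label, (nh, payload) in (("correct", correct_tunnel_payload(INNER)),
                                 ("superfluous", superfluous_ipip_payload(INNER, TUN_SRC, TUN_DST))):
        chain, inner = walk_headers(nh, payload)
        print(f"{label:11s} chain={chain} bytes={len(payload)} "
              f"superfluous_ipip={has_superfluous_ipip(chain)} inner_ok={inner == INNER}")
```

Run stand-alone it prints both chains: `[108, 4]` for the RFC 3173 layout and `[4, 108, 4]` for the one with the extra header, the second being exactly 20 bytes longer for the same inner datagram. `has_superfluous_ipip` is the check to run over decrypted ESP payloads from a capture when you need to tell which layout a peer emits before blaming the other side's policy.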