Date:      Thu, 29 Apr 2004 17:53:40 +0200
From:      "Marco Berizzi" <pupilla@hotmail.com>
To:        "Karim Fodil-Lemelin" <kfl@xiphos.ca>
Cc:        freebsd-net@freebsd.org
Subject:   Re: ipsec ipcomp between FreeS/WAN 2.04 and FreeBSD 5.2
Message-ID:  <SEA2-DAV72zGNsokLQ800007976@hotmail.com>
References:  <Sea2-DAV70BAZg1jlMo00012e8e@hotmail.com> <4091167D.5040401@xiphos.ca>

Wow! Great. I will wait for your news.

Karim Fodil-Lemelin wrote:

> Hi,
>
>     I have fixed IPComp for tunnel mode in FreeBSD 4.8 (I still need to
> clean up the code). I believe it should be easy for you to apply the
> diffs to FreeBSD 5.2. I will contact the Kame group and try to see how I
> can deliver the patch. Since the R&D was done on the company's time I
> would like to have myself and Xiphos mentioned in releasing the patch.
>
>  Regards,
>
> Karim Fodil-Lemelin
> Xiphos Technologies Inc
>
> Marco Berizzi wrote:
>
> >Hello everybody.
> >
> >I'm running into an interop issue with IPSec tunnels
> >between FreeS/WAN and FreeBSD 5.2.
> >Without IPComp, tunnels are successfully established.
> >With IPComp enabled, tunnels are again successfully
> >established but there is no traffic flow.
> >
> >This is my setkey init (FreeBSD box side):
> >
> >/usr/local/sbin/setkey -c <<EOF
> >flush;
> >spdflush;
> >spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec
> >    ipcomp/tunnel/172.16.1.247-172.16.1.226/use
> >    esp/tunnel/172.16.1.247-172.16.1.226/require;
> >
> >spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec
> >    ipcomp/tunnel/172.16.1.226-172.16.1.247/use
> >    esp/tunnel/172.16.1.226-172.16.1.247/require;
> >EOF
> >
> >However, with this kind of init file FreeS/WAN is dropping packets coming from the FreeBSD box.
> >Michael Richardson (fsw maintainer) replied to me, saying:
> >
> >"... The packets that racoon is telling the system to build
> >would appear to have been constructed like:
> >
> >orig     IPsrc = 10.1.1.1,IPdst = 10.1.2.1
> >           IPcomp
> >*         IPsrc = 172.16.1.247,IPdst=172.16.1.226
> >           ESP
> >outer   IPsrc = 172.16.1.247,IPdst=172.16.1.226
> >
> >[...]   This packet format is in error. It defeats most of the point of using
> >IPcomp, which is to compress the inner-IP header out. It appears that a new
> >IP header has been added.
> >If the 2.6.0 kernel accepts this, then I wonder what other things it
> >might accept!   The IPIP header marked "*" is completely superfluous and
> >a waste of 20 bytes. ..."
> >
> >The full thread is available at https://lists.freeswan.org/archives/design/2003-December/msg00032.html
> >
> >The thread is about FreeS/WAN and kernel 2.6 (the 2.6 IPSec stack is KAME based). However, Linux 2.6 and FreeBSD have the same behaviour.
> >
> >Comments?
> >
> >TIA
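
Added example, not part of the original thread and not FreeBSD, KAME or FreeS/WAN code: a small Python walker over a decrypted ESP payload that reports the header chain and counts bytes spent on a tunnel IP header that merely repeats the outer addresses in front of IPComp (the header marked "*" above). The helper names, the raw-DEFLATE IPComp body, the zero-filled UDP payload and the sample packets are constructed assumptions; addresses are the ones quoted in the thread.

```python
import ipaddress
import struct
import zlib

PROTO_IPIP, PROTO_IPCOMP = 4, 108  # IANA protocol numbers

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def ipcomp(next_hdr, data, cpi=2):
    """RFC 3173 IPComp header (next header, flags, CPI) + raw DEFLATE data."""
    c = zlib.compressobj(wbits=-15)
    return struct.pack("!BBH", next_hdr, 0, cpi) + c.compress(data) + c.flush()

def classify(esp_next_hdr, plaintext, outer_src, outer_dst):
    """Return (header chain, bytes of redundant tunnel header) for an ESP payload."""
    chain, extra = [], 0
    proto, buf = esp_next_hdr, plaintext
    while proto in (PROTO_IPIP, PROTO_IPCOMP):
        if proto == PROTO_IPCOMP:
            proto = buf[0]                      # IPComp "next header" field
            buf = zlib.decompress(buf[4:], wbits=-15)
            chain.append("IPComp")
        else:
            ihl = (buf[0] & 0x0F) * 4
            src, dst = (str(ipaddress.IPv4Address(buf[o:o + 4])) for o in (12, 16))
            # Same endpoints as the outer header and only IPComp behind it:
            # this header carries no information the outer one lacks.
            if (src, dst) == (outer_src, outer_dst) and buf[9] == PROTO_IPCOMP:
                extra += ihl
            chain.append(f"IP {src}>{dst}")
            proto, buf = buf[9], buf[ihl:]
    return chain, extra

# Constructed sample data (UDP payload is 200 zero bytes, not a real capture).
OUTER = ("172.16.1.247", "172.16.1.226")
ORIG = ipv4("10.1.1.1", "10.1.2.1", 17, bytes(200))
AS_DESCRIBED = ipv4(*OUTER, PROTO_IPCOMP, ipcomp(PROTO_IPIP, ORIG))  # with "*"
WITHOUT_STAR = ipcomp(PROTO_IPIP, ORIG)                              # "*" omitted

if __name__ == "__main__":
    print(classify(PROTO_IPIP, AS_DESCRIBED, *OUTER))
    print(classify(PROTO_IPCOMP, WITHOUT_STAR, *OUTER))
```
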


