Date: Tue, 3 Feb 2004 18:19:17 +0100
From: "Marco Berizzi" <pupilla@hotmail.com>
To: <freebsd-net@freebsd.org>
Subject: ipsec ipcomp between FreeS/WAN 2.04 and FreeBSD 5.2
Message-ID: <Sea2-DAV70BAZg1jlMo00012e8e@hotmail.com>
Hello everybody.

I'm running into an interop issue with IPsec tunnels between FreeS/WAN and FreeBSD 5.2. Without IPComp, tunnels are successfully established. With IPComp enabled, tunnels are again successfully established but there is no traffic flow.

This is my setkey init (FreeBSD box side):

/usr/local/sbin/setkey -c <<EOF
flush;
spdflush;
spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec
    ipcomp/tunnel/172.16.1.247-172.16.1.226/use
    esp/tunnel/172.16.1.247-172.16.1.226/require;
spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec
    ipcomp/tunnel/172.16.1.226-172.16.1.247/use
    esp/tunnel/172.16.1.226-172.16.1.247/require;
EOF

However, with this kind of init file FreeS/WAN is dropping packets coming from the FreeBSD box.

Michael Richardson (FreeS/WAN maintainer) replied to me, telling:

"... The packets that racoon is telling the system to build would appear to have been constructed like:

    orig  IPsrc = 10.1.1.1, IPdst = 10.1.2.1
    IPcomp
  * IPsrc = 172.16.1.247, IPdst = 172.16.1.226
    ESP
    outer IPsrc = 172.16.1.247, IPdst = 172.16.1.226

[...]

This packet format is in error. It defeats most of the point of using IPcomp, which is to compress the inner-IP header out. It appears that a new IP header has been added. If the 2.6.0 kernel accepts this, then I wonder what other things it might accept! The IPIP header marked "*" is completely superfluous and a waste of 20 bytes. ..."

The full thread is available at https://lists.freeswan.org/archives/design/2003-December/msg00032.html

The thread is about FreeS/WAN and kernel 2.6 (the 2.6 IPSec stack is KAME based). However, Linux 2.6 and FreeBSD have the same behaviour.

Comments?

TIA

PS: Please CC me. I'm not subscribed to the list.
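The header layout Michael Richardson describes can be checked mechanically once the ESP layer has been stripped. The following Python script is an added example, not code from the original mail, from FreeS/WAN or from FreeBSD: it builds two constructed decrypted ESP payloads carrying the same 10.1.1.1 -> 10.1.2.1 packet, one in the expected IPComp tunnel form (ESP next header = IPComp, IPComp next header = IPIP) and one with the extra 172.16.1.247 -> 172.16.1.226 IP header in front of the IPComp header, then walks the header chain, inflates the IPComp payload and reports how many bytes the superfluous IP header costs. The packet bytes, the UDP filler and the function names are assumptions of the example; the protocol numbers (IPIP 4, IPComp 108) and the DEFLATE CPI value 2 come from RFC 3173 and the IANA protocol registry; IP checksums are left zero because the samples are never transmitted.

```python
"""Walk the header chain behind an ESP tunnel and flag a superfluous IPIP header.
Added example (not from the original mail); all packet bytes below are constructed."""
import struct
import zlib

IPPROTO_IPIP = 4       # IP-in-IP: next header value for a tunnelled IPv4 packet
IPPROTO_UDP = 17
IPPROTO_IPCOMP = 108   # IP Payload Compression Protocol, RFC 3173
CPI_DEFLATE = 2        # well-known CPI for DEFLATE (RFC 3173)


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header. Checksum stays 0: constructed sample, never sent."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src_b, dst_b)


def ipcomp_header(next_header, cpi):
    """IPComp header: next header, flags (reserved, 0), 16-bit CPI."""
    return struct.pack("!BBH", next_header, 0, cpi)


def deflate(data):
    """Raw DEFLATE as IPComp carries it (no zlib wrapper)."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()


def parse_ipv4(data):
    vihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return {"ihl": (vihl & 0x0F) * 4, "proto": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}


def walk_chain(next_header, data):
    """Return the list of (kind, fields) headers that follow ESP, innermost last.
    Recurses through IPIP and IPComp encapsulations and stops at the original packet."""
    if next_header == IPPROTO_IPIP:
        hdr = parse_ipv4(data)
        chain = [("IPv4", hdr)]
        if hdr["proto"] in (IPPROTO_IPIP, IPPROTO_IPCOMP):
            chain += walk_chain(hdr["proto"], data[hdr["ihl"]:])
        return chain
    if next_header == IPPROTO_IPCOMP:
        nxt, _flags, cpi = struct.unpack("!BBH", data[:4])
        if cpi != CPI_DEFLATE:
            raise ValueError(f"unsupported CPI {cpi}")
        # Everything after the IPComp header is compressed; inflate it before going deeper.
        return [("IPComp", {"next": nxt, "cpi": cpi})] + walk_chain(nxt, zlib.decompress(data[4:], -15))
    raise ValueError(f"unexpected next header {next_header}")


def superfluous_bytes(chain):
    """Bytes spent on an IP header sitting directly in front of an IPComp header.
    In a correct IPComp tunnel the IPComp header follows ESP directly, so this is 0."""
    return sum(cur[1]["ihl"] for cur, nxt in zip(chain, chain[1:])
               if cur[0] == "IPv4" and nxt[0] == "IPComp")


def build_samples():
    """Two constructed decrypted ESP payloads for the same original packet.
    Returns {name: (esp_next_header, payload_bytes)}."""
    udp = b"\x04\xd2\x04\xd2\x00\x30\x00\x00" + b"A" * 40   # constructed UDP datagram, 48 bytes
    orig = ipv4_header("10.1.1.1", "10.1.2.1", IPPROTO_UDP, len(udp)) + udp
    body = ipcomp_header(IPPROTO_IPIP, CPI_DEFLATE) + deflate(orig)
    expected = (IPPROTO_IPCOMP, body)                        # ESP -> IPComp -> orig IP
    extra_ip = ipv4_header("172.16.1.247", "172.16.1.226", IPPROTO_IPCOMP, len(body))
    observed = (IPPROTO_IPIP, extra_ip + body)               # ESP -> IP(*) -> IPComp -> orig IP
    return {"expected": expected, "observed": observed}


if __name__ == "__main__":
    for name, (nh, payload) in build_samples().items():
        chain = walk_chain(nh, payload)
        print(f"{name}: {' -> '.join(k for k, _ in chain)}; "
              f"superfluous bytes={superfluous_bytes(chain)}, esp payload={len(payload)} bytes")
```

Running it prints the chain for both forms; the "observed" form shows the extra IPv4 header between ESP and IPComp and reports 20 superfluous bytes, which is the waste the quoted reply refers to. The same walker can be pointed at real decrypted payloads when diagnosing an IPComp interop problem, as long as the CPI is DEFLATE.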