From: "Karim Fodil-Lemelin" <kfl@xiphos.ca>
To: "Marco Berizzi", freebsd-net@freebsd.org
Date: Wed, 4 Feb 2004 15:34:43 -0500
Subject: RE: ipsec ipcomp between FreeS/WAN 2.04 and FreeBSD 5.2

Hi,

I tried that before and couldn't get it working :( Then I asked the Kame
people and it seems that ipcomp is not supported yet in tunnel mode. That was
for FreeBSD 4.8 and I don't think it has changed since then.

Karim.

> -----Original Message-----
> From: owner-freebsd-net@freebsd.org
> [mailto:owner-freebsd-net@freebsd.org] On Behalf Of Marco Berizzi
> Sent: 3 February 2004 12:19
> To: freebsd-net@freebsd.org
> Subject: ipsec ipcomp between FreeS/WAN 2.04 and FreeBSD 5.2
>
>
> Hello everybody.
>
> I'm running into an interop issue with IPSec tunnels
> between FreeS/WAN and FreeBSD 5.2.
> Without IPComp, tunnels are successfully established.
> With IPComp enabled, tunnels are again successfully
> established but there is no traffic flow.
>
> This is my setkey init (FreeBSD box side):
>
> /usr/local/sbin/setkey -c <<EOF
> flush;
> spdflush;
> spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec
> ipcomp/tunnel/172.16.1.247-172.16.1.226/use
> esp/tunnel/172.16.1.247-172.16.1.226/require;
>
> spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec
> ipcomp/tunnel/172.16.1.226-172.16.1.247/use
> esp/tunnel/172.16.1.226-172.16.1.247/require;
> EOF
>
> However, with this kind of init file FreeS/WAN is dropping packets
> coming from the FreeBSD box.
> Michael Richardson (fsw maintainer) replied to me, saying:
>
> "... The packets that racoon is telling the system to build
> would appear to have been constructed like:
>
> orig  IPsrc = 10.1.1.1, IPdst = 10.1.2.1
>       IPcomp
> *     IPsrc = 172.16.1.247, IPdst = 172.16.1.226
>       ESP
> outer IPsrc = 172.16.1.247, IPdst = 172.16.1.226
>
> [...] This packet format is in error. It defeats most of the
> point of using IPcomp, which is to compress the inner-IP header out.
> It appears that a new IP header has been added.
> If the 2.6.0 kernel accepts this, then I wonder what other things it
> might accept! The IPIP header marked "*" is completely superfluous and
> a waste of 20 bytes. ..."
>
> The full thread is available at
> https://lists.freeswan.org/archives/design/2003-December/msg00032.html
> The thread is about FreeS/WAN and kernel 2.6 (the 2.6 IPSec stack is
> KAME based). However, Linux 2.6 and FreeBSD have the same behaviour.
>
> Comments?
>
> TIA
>
> PS: Please CC me. I'm not subscribed to the list.
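The layering Michael Richardson describes can be reproduced from the setkey policy alone. The following is an added example, not code from the thread or from KAME/setkey: it reads each policy clause (protocol/mode/src-dst/level, applied left to right so that each clause wraps everything before it), pushes an IP header for every tunnel-mode clause, and counts the redundant headers. The comparison with an ipcomp/transport clause is my own generalisation of that rule (transport mode adds no IP header); the assumption that clauses apply left to right is standard setkey semantics.

```python
"""Model the IPsec header stack that a KAME/setkey policy produces."""
import re
from typing import List

# One setkey policy clause: protocol/mode/[src-dst]/level
# (src-dst is empty for transport mode, e.g. "ipcomp/transport//use").
CLAUSE_RE = re.compile(
    r"^(esp|ah|ipcomp)/(tunnel|transport)/(?:([\d.]+)-([\d.]+))?/(\w+)$")

IP_HDR_LEN = 20  # bytes of a minimal IPv4 header

# Outbound policy from the thread (FreeBSD box side).
THREAD_OUT_POLICY = ("ipcomp/tunnel/172.16.1.226-172.16.1.247/use "
                     "esp/tunnel/172.16.1.226-172.16.1.247/require")
# Hypothetical variant for comparison: IPComp in transport mode.
TRANSPORT_IPCOMP_POLICY = ("ipcomp/transport//use "
                           "esp/tunnel/172.16.1.226-172.16.1.247/require")


def header_stack(policy: str, inner_src: str, inner_dst: str) -> List[str]:
    """Return the headers innermost first, as each clause wraps the packet."""
    stack = [f"IP {inner_src}->{inner_dst}"]  # the original inner IP header
    for clause in policy.split():
        m = CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"bad policy clause: {clause}")
        proto, mode, src, dst, _level = m.groups()
        stack.append(proto.upper())
        if mode == "tunnel":
            # Tunnel mode encapsulates: a fresh outer IP header is prepended.
            stack.append(f"IP {src}->{dst}")
    return stack


def redundant_ip_headers(stack: List[str]) -> int:
    """IP headers beyond the inner and the outermost one are superfluous;
    each is the 20-byte IPIP header marked "*" in Richardson's listing."""
    ips = [h for h in stack if h.startswith("IP ")]
    return max(0, len(ips) - 2)


def wasted_bytes(policy: str) -> int:
    """Bytes of redundant IP header per packet for a policy."""
    return redundant_ip_headers(header_stack(policy, "10.1.1.1", "10.1.2.1")) * IP_HDR_LEN


if __name__ == "__main__":
    for pol in (THREAD_OUT_POLICY, TRANSPORT_IPCOMP_POLICY):
        print(pol)
        for i, h in enumerate(header_stack(pol, "10.1.1.1", "10.1.2.1")):
            print("  " * i + h)
        print("  redundant IP header bytes:", wasted_bytes(pol))
```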