From owner-freebsd-questions  Mon Sep 24 15:31:43 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from bg.sics.se (cpe-66-1-164-86.az.sprintbbd.net [66.1.164.86])
	by hub.freebsd.org (Postfix) with ESMTP
	id 4F36937B41F; Mon, 24 Sep 2001 15:31:34 -0700 (PDT)
Received: (from bg@localhost)
	by bg.sics.se (8.11.3/8.11.3) id f8OMVTi00679;
	Mon, 24 Sep 2001 15:31:29 -0700 (MST)
	(envelope-from bg)
To: freebsd-net@freebsd.org, freebsd-questions@freebsd.org
Cc: bg@sics.se
Subject: Problems with IPsec and IPCOMP
From: Bjoern Groenvall <bg@sics.se>
Date: 24 Sep 2001 15:31:28 -0700
Message-ID: <wuvgi8kypr.fsf@bg.sics.se>
Lines: 83
X-Mailer: Gnus v5.7/Emacs 20.6
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG


Hi,

I am trying to enable IPCOMP between a FreeBSD 4.3(172.16.11.153=A)
and a 4.2(172.16.11.8=B) machine. It seems like A produces compressed
packets but B is unable to decompress them (see tcpdump log). 

Can somebody see what I'm doing wrong? Does anybody have an example
configuration (that uses IPCOMP) that actually works? I would love to
have such a configuration as a starting point.

Cheers,
Björn

------
The configuration

# On both 172.16.11.153 and 172.16.11.8
setkey -c <<END
flush;
add 172.16.11.8 172.16.11.153 ah  1000 -m any -A keyed-md5 "MYSECRETMYSECRET";
add 172.16.11.153 172.16.11.8 ah  1001 -m any -A keyed-md5 "MYSECRETMYSECRET";
add 172.16.11.8 172.16.11.153 ipcomp 1004 -m transport -C deflate;
add 172.16.11.153 172.16.11.8 ipcomp 1005 -m transport -C deflate;
END

# On 172.16.11.8
setkey -c <<END
spdflush;
spdadd 172.16.11.8/32 172.16.11.153/32 any -P out ipsec ipcomp/transport//default ah/transport//require;
spdadd 172.16.11.153/32 172.16.11.8/32 any -P in  ipsec ipcomp/transport//default ah/transport//require;
END

# On 172.16.11.153
setkey -c <<END
spdflush;
spdadd 172.16.11.153/32 172.16.11.8/32 any -P out ipsec ipcomp/transport//default ah/transport//require;
spdadd 172.16.11.8/32 172.16.11.153/32 any -P in  ipsec ipcomp/transport//default ah/transport//require;
END

---

# tcpdump -n -p -s 1500 host hel
tcpdump: listening on ep0
15:24:37.114361 arp who-has 172.16.11.8 tell 172.16.11.153
15:24:37.114667 arp reply 172.16.11.8 is-at 0:60:97:c3:c4:14
15:24:37.114799 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x1): icmp: echo request
15:24:37.115322 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x1): icmp: echo reply
15:24:38.122541 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x2): icmp: echo request
15:24:38.122958 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x2): icmp: echo reply
15:24:39.132541 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x3): icmp: echo request
15:24:39.132959 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x3): icmp: echo reply
15:24:40.142557 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x4): icmp: echo request
15:24:40.142974 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x4): icmp: echo reply
15:24:48.796453 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x5): 1045 > 23: S 2680451051:2680451051(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 1078640 0,nop,nop,ccnew 24> (DF) [tos 0x10] 
15:24:48.796936 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x5): 23 > 1045: S 2119201956:2119201956(0) ack 2680451052 win 17520 <mss 1460> (DF)
15:24:48.797173 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x6): 1045 > 23: . ack 1 win 17520 (DF) [tos 0x10] 
15:24:48.798584 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x7): 1045 > 23: P 1:37(36) ack 1 win 17520 (DF) [tos 0x10] 
15:24:48.821877 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x6): 23 > 1045: P 1:4(3) ack 37 win 17484 (DF) [tos 0x10] 
15:24:48.822139 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x8): 1045 > 23: . ack 4 win 17517 (DF) [tos 0x10] 
15:24:48.822633 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x7): 23 > 1045: P 4:53(49) ack 37 win 17520 (DF) [tos 0x10] 
15:24:48.822823 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x9): 1045 > 23: . ack 53 win 17471 (DF) [tos 0x10] 
15:24:48.824418 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0xa): IPComp(cpi=0x0002) (DF) [tos 0x10] 
15:24:49.823821 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0xb): IPComp(cpi=0x0002) (DF) [tos 0x10] 
15:24:51.823787 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0xc): IPComp(cpi=0x0002) (DF) [tos 0x10] 
15:24:55.823845 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0xd): IPComp(cpi=0x0002) (DF) [tos 0x10] 
15:24:59.760189 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0xe): 1045 > 23: FP 127:128(1) ack 53 win 17520 (DF) [tos 0x10] 
15:24:59.760622 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x8): 23 > 1045: . ack 37 win 17520 (DF) [tos 0x10] 
15:25:03.824115 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0xf): IPComp(cpi=0x0002) (DF) [tos 0x10] 
15:25:19.824283 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x10): IPComp(cpi=0x0002) (DF) [tos 0x10] 
^C
27 packets received by filter
0 packets dropped by kernel
# 


-- 
  _     _                                               ,_______________.  
Bjorn Gronvall (Björn Grönvall)                        /_______________/|     
Swedish Institute of Computer Science                  |               ||
PO Box 1263, S-164 29 Kista, Sweden                    | Schroedingers ||
Email: bg@sics.se, Phone +46 -8 633 15 25              |      Cat      |/
Cellular +46 -70 768 06 35, Fax +46 -8 751 72 30       `---------------' 

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message