Problems with IPsec and IPCOMP

Bjoern Groenvall Mon, 24 Sep 2001 15:02:35 -0700

Hi,

I am trying to enable IPCOMP between a FreeBSD 4.3(172.16.11.153=A)
and a 4.2(172.16.11.8=B) machine. It seems like A produces compressed
packets but B is unable to decompress them (see tcpdump log). 

Can somebody see what I'm doing wrong? Does anybody have an example
configuration (that uses IPCOMP) that actually works? I would love to
have such a configuration as a starting point.

Cheers,
Björn

------
The configuration

# On both 172.16.11.153 and 172.16.11.8
setkey -c <<END
flush;
add 172.16.11.8 172.16.11.153 ah  1000 -m any -A keyed-md5 "MYSECRETMYSECRET";
add 172.16.11.153 172.16.11.8 ah  1001 -m any -A keyed-md5 "MYSECRETMYSECRET";
add 172.16.11.8 172.16.11.153 ipcomp 1004 -m transport -C deflate;
add 172.16.11.153 172.16.11.8 ipcomp 1005 -m transport -C deflate;
END

# On 172.16.11.8
setkey -c <<END
spdflush;
spdadd 172.16.11.8/32 172.16.11.153/32 any -P out ipsec ipcomp/transport//default 
ah/transport//require;
spdadd 172.16.11.153/32 172.16.11.8/32 any -P in  ipsec ipcomp/transport//default 
ah/transport//require;
END

# On 172.16.11.153
setkey -c <<END
spdflush;
spdadd 172.16.11.153/32 172.16.11.8/32 any -P out ipsec ipcomp/transport//default 
ah/transport//require;
spdadd 172.16.11.8/32 172.16.11.153/32 any -P in  ipsec ipcomp/transport//default 
ah/transport//require;
END

---

# tcpdump -n -p -s 1500 host hel
tcpdump: listening on ep0
15:24:37.114361 arp who-has 172.16.11.8 tell 172.16.11.153
15:24:37.114667 arp reply 172.16.11.8 is-at 0:60:97:c3:c4:14
15:24:37.114799 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x1): icmp: echo 
request
15:24:37.115322 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x1): icmp: echo 
reply
15:24:38.122541 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x2): icmp: echo 
request
15:24:38.122958 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x2): icmp: echo 
reply
15:24:39.132541 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x3): icmp: echo 
request
15:24:39.132959 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x3): icmp: echo 
reply
15:24:40.142557 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x4): icmp: echo 
request
15:24:40.142974 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x4): icmp: echo 
reply
15:24:48.796453 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x5): 1045 > 23: S 
2680451051:2680451051(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 1078640 
0,nop,nop,ccnew 24> (DF) [tos 0x10] 
15:24:48.796936 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x5): 23 > 1045: S 
2119201956:2119201956(0) ack 2680451052 win 17520 <mss 1460> (DF)
15:24:48.797173 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x6): 1045 > 23: . 
ack 1 win 17520 (DF) [tos 0x10] 
15:24:48.798584 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x7): 1045 > 23: P 
1:37(36) ack 1 win 17520 (DF) [tos 0x10] 
15:24:48.821877 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x6): 23 > 1045: P 
1:4(3) ack 37 win 17484 (DF) [tos 0x10] 
15:24:48.822139 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x8): 1045 > 23: . 
ack 4 win 17517 (DF) [tos 0x10] 
15:24:48.822633 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x7): 23 > 1045: P 
4:53(49) ack 37 win 17520 (DF) [tos 0x10] 
15:24:48.822823 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x9): 1045 > 23: . 
ack 53 win 17471 (DF) [tos 0x10] 
15:24:48.824418 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0xa): 
IPComp(cpi=0x0002) (DF) [tos 0x10] 
15:24:49.823821 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0xb): 
IPComp(cpi=0x0002) (DF) [tos 0x10] 
15:24:51.823787 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0xc): 
IPComp(cpi=0x0002) (DF) [tos 0x10] 
15:24:55.823845 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0xd): 
IPComp(cpi=0x0002) (DF) [tos 0x10] 
15:24:59.760189 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0xe): 1045 > 23: FP 
127:128(1) ack 53 win 17520 (DF) [tos 0x10] 
15:24:59.760622 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x8): 23 > 1045: . 
ack 37 win 17520 (DF) [tos 0x10] 
15:25:03.824115 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0xf): 
IPComp(cpi=0x0002) (DF) [tos 0x10] 
15:25:19.824283 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x10): 
IPComp(cpi=0x0002) (DF) [tos 0x10] 
^C
27 packets received by filter
0 packets dropped by kernel
# 


-- 
  _     _                                               ,_______________.  
Bjorn Gronvall (Björn Grönvall)                        /_______________/|     
Swedish Institute of Computer Science                  |               ||
PO Box 1263, S-164 29 Kista, Sweden                    | Schroedingers ||
Email: [EMAIL PROTECTED], Phone +46 -8 633 15 25              |      Cat      |/
Cellular +46 -70 768 06 35, Fax +46 -8 751 72 30       `---------------' 

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
Problems with IPsec and IPCOMP

Reply via email to
