I have fixed IPComp for tunnel mode in FreeBSD 4.8 (I still need to clean up the code). I believe it should be easy for you to apply the diffs to FreeBSD 5.2. I will contact the Kame group and try to see how I can deliver the patch. Since the R&D was done on the company's time I would like to have myself and Xiphos mentioned in releasing the patch.
Regards,
Karim Fodil-Lemelin
Xiphos Technologies Inc
Marco Berizzi wrote:
Hello everybody.
I'm running into an interop issue with IPSec tunnels between FreeS/WAN and FreeBSD 5.2. Without IPComp, tunnels are successfully established. With IPComp enabled, tunnels are again successfully established but there is no traffic flow.
This is my setkey init (FreeBSD box side):
/usr/local/sbin/setkey -c <<EOF
flush;
spdflush;
spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec
    ipcomp/tunnel/172.16.1.247-172.16.1.226/use
    esp/tunnel/172.16.1.247-172.16.1.226/require;
spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec
    ipcomp/tunnel/172.16.1.226-172.16.1.247/use
    esp/tunnel/172.16.1.226-172.16.1.247/require;
EOF
However, with this kind of init file FreeS/WAN is dropping packets coming from the FreeBSD box. Michael Richardson (fsw maintainer) replied to me, saying:
"... The packets that racoon is telling the system to build would appear to have been constructed like:
orig    IPsrc = 10.1.1.1,IPdst = 10.1.2.1
        IPcomp
*       IPsrc = 172.16.1.247,IPdst=172.16.1.226
        ESP
outer   IPsrc = 172.16.1.247,IPdst=172.16.1.226
[...] This packet format is in error. It defeats most of the point of using IPcomp, which is to compress the inner-IP header out. It appears that a new IP header has been added. If the 2.6.0 kernel accepts this, then I wonder what other things it might accept! The IPIP header marked "*" is completely superfluous and a waste of 20 bytes. ..."
The full thread is available at https://lists.freeswan.org/archives/design/2003-December/msg00032.html
The thread is about FreeS/WAN and kernel 2.6 (the 2.6 IPSec stack is KAME-based). However, Linux 2.6 and FreeBSD have the same behaviour.
Comments?
TIA
PS: Please CC me. I'm not subscribed to the list.
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
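An added example, not part of the original thread or any project's code: a Python sketch that rebuilds the two header chains discussed above as they would look inside the ESP payload, walks them, and counts the bytes spent on an IP header that sits in front of IPComp and only repeats the tunnel endpoints. The addresses are the ones quoted in the thread; the ICMP-like inner payload, the DEFLATE CPI and the function names are assumptions made for illustration.

```python
import socket, struct, zlib

IPIP, IPCOMP = 4, 108          # IANA protocol numbers
CPI_DEFLATE = 2                # well-known CPI for DEFLATE (RFC 3173)

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def ipcomp(next_hdr, data):
    """IPComp header (next header, flags, CPI) followed by raw-DEFLATE data."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return struct.pack("!BBH", next_hdr, 0, CPI_DEFLATE) + c.compress(data) + c.flush()

def walk(proto, data):
    """Return the header chain found inside a (decrypted) ESP payload."""
    chain = []
    while True:
        if proto == IPIP and len(data) >= 20:
            ihl = (data[0] & 0x0F) * 4
            chain.append(("IP", socket.inet_ntoa(data[12:16]),
                          socket.inet_ntoa(data[16:20]), ihl))
            proto, data = data[9], data[ihl:]
        elif proto == IPCOMP and len(data) >= 4:
            nxt, _flags, cpi = struct.unpack("!BBH", data[:4])
            chain.append(("IPComp", cpi))
            proto, data = nxt, zlib.decompress(data[4:], -15)
        else:
            return chain

def superfluous_bytes(chain, peers):
    """Bytes of IP headers that precede IPComp and only repeat the tunnel peers."""
    return sum(layer[3] for layer, nxt in zip(chain, chain[1:])
               if layer[0] == "IP" and nxt[0] == "IPComp"
               and set(layer[1:3]) == set(peers))

# Constructed sample data: inner packet with a dummy 64-byte ICMP-like payload.
PEERS = ("172.16.1.247", "172.16.1.226")
INNER = ipv4("10.1.1.1", "10.1.2.1", 1, b"x" * 64)
EXPECTED = (IPCOMP, ipcomp(IPIP, INNER))                         # ESP -> IPComp -> inner IP
REPORTED = (IPIP, ipv4(*PEERS, IPCOMP, ipcomp(IPIP, INNER)))     # ESP -> IP* -> IPComp -> inner IP

if __name__ == "__main__":
    for name, (proto, data) in (("expected", EXPECTED), ("reported", REPORTED)):
        chain = walk(proto, data)
        print(name, chain, "superfluous bytes:", superfluous_bytes(chain, PEERS))
```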