From: "Marco Berizzi"
To: "Karim Fodil-Lemelin"
Cc: freebsd-net@freebsd.org
Date: Thu, 29 Apr 2004 17:53:40 +0200
Subject: Re: ipsec ipcomp between FreeS/WAN 2.04 and FreeBSD 5.2

Wow! Great. I will wait for your news.

Karim Fodil-Lemelin wrote:
> Hi,
>
> I have fixed IPComp for tunnel mode in FreeBSD 4.8 (I still need to
> clean up the code). I believe it should be easy for you to apply the
> diffs to FreeBSD 5.2. I will contact the Kame group and try to see how I
> can deliver the patch. Since the R&D was done on the company's time I
> would like to have myself and Xiphos mentioned in releasing the patch.
>
> Regards,
>
> Karim Fodil-Lemelin
> Xiphos Technologies Inc
>
> Marco Berizzi wrote:
>
> >Hello everybody.
> >
> >I'm running into an interop issue with IPSec tunnels
> >between FreeS/WAN and FreeBSD 5.2.
> >Without IPComp, tunnels are successfully established.
> >With IPComp enabled, tunnels are again successfully
> >established but there is no traffic flow.
> >
> >This is my setkey init (FreeBSD box side):
> >
> >/usr/local/sbin/setkey -c << EOF
> >flush;
> >spdflush;
> >spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec
> > ipcomp/tunnel/172.16.1.247-172.16.1.226/use
> > esp/tunnel/172.16.1.247-172.16.1.226/require;
> >
> >spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec
> > ipcomp/tunnel/172.16.1.226-172.16.1.247/use
> > esp/tunnel/172.16.1.226-172.16.1.247/require;
> >EOF
> >
> >However, with this kind of init file FreeS/WAN is dropping packets coming from the FreeBSD box.
> >Michael Richardson (fsw maintainer) replied to me, saying:
> >
> >"... The packets that racoon is telling the system to build
> >would appear to have been constructed like:
> >
> >orig IPsrc = 10.1.1.1,IPdst = 10.1.2.1
> > IPcomp
> >* IPsrc = 172.16.1.247,IPdst=172.16.1.226
> > ESP
> >outer IPsrc = 172.16.1.247,IPdst=172.16.1.226
> >
> >[...] This packet format is in error. It defeats most of the point of using
> >IPcomp, which is to compress the inner-IP header out. It appears that a new
> >IP header has been added.
> >If the 2.6.0 kernel accepts this, then I wonder what other things it
> >might accept! The IPIP header marked "*" is completely superfluous and
> >a waste of 20 bytes. ..."
> >
> >The full thread is available at https://lists.freeswan.org/archives/design/2003-December/msg00032.html
> >
> >The thread is about FreeS/WAN and kernel 2.6 (the 2.6 IPSec stack is KAME based). However, Linux 2.6 and FreeBSD have the same behaviour.
> >
> >Comments?
> >
> >TIA
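
The layered packet described in the quoted reply can be derived from the policy text itself. The following Python sketch is an added example, not part of the original message or of any project named in it; it assumes, as the quoted description states, that every tunnel-mode request prepends its own IP header, and its function names are hypothetical.

```python
import re

IPV4_HDR = 20  # bytes, IPv4 header without options

# Constructed sample: the outbound policy from the message above.
SAMPLE_POLICY = """
spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec
  ipcomp/tunnel/172.16.1.226-172.16.1.247/use
  esp/tunnel/172.16.1.226-172.16.1.247/require;
"""

# protocol/mode/src-dst/level, as written in a setkey policy
REQ_RE = re.compile(r"\b(esp|ah|ipcomp)/(tunnel|transport)/([^/\s]*)/(\w+)")


def parse_requests(policy):
    """Return the IPsec requests of one spdadd statement, in written order."""
    return [
        {"proto": p, "mode": m, "endpoints": e, "level": lvl}
        for p, m, e, lvl in REQ_RE.findall(policy)
    ]


def wire_layout(requests):
    """Header stack, outermost first. Assumption (from the quoted reply):
    each tunnel-mode request prepends its own IP header."""
    layers = ["inner IP"]
    for req in requests:  # on output each request wraps the previous result
        layers.insert(0, req["proto"].upper())
        if req["mode"] == "tunnel":
            layers.insert(0, "IP " + req["endpoints"])
    return layers


def redundant_tunnel_headers(requests):
    """Adjacent tunnel-mode requests with identical endpoints: the IP header
    added by the first is repeated by the second (the one marked '*')."""
    found = []
    for first, second in zip(requests, requests[1:]):
        if (first["mode"] == second["mode"] == "tunnel"
                and first["endpoints"] == second["endpoints"]):
            found.append((first["proto"], second["proto"], IPV4_HDR))
    return found


if __name__ == "__main__":
    reqs = parse_requests(SAMPLE_POLICY)
    print(" | ".join(wire_layout(reqs)))
    for inner, outer, wasted in redundant_tunnel_headers(reqs):
        print(f"{inner} and {outer} both tunnel: {wasted} redundant bytes")
```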