Date:      Thu, 29 Apr 2004 10:51:41 -0400
From:      Karim Fodil-Lemelin <kfl@xiphos.ca>
To:        Marco Berizzi <pupilla@hotmail.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: ipsec ipcomp between FreeS/WAN 2.04 and FreeBSD 5.2
Message-ID:  <4091167D.5040401@xiphos.ca>
In-Reply-To: <Sea2-DAV70BAZg1jlMo00012e8e@hotmail.com>
References:  <Sea2-DAV70BAZg1jlMo00012e8e@hotmail.com>

Hi,

    I have fixed IPComp for tunnel mode in FreeBSD 4.8 (I still need to 
clean up the code). I believe it should be easy for you to apply the 
diffs to FreeBSD 5.2. I will contact the Kame group and try to see how I 
can deliver the patch. Since the R&D was done on the company's time I 
would like to have myself and Xiphos mentioned in releasing the patch.

 Regards,

Karim Fodil-Lemelin
Xiphos Technologies Inc

Marco Berizzi wrote:

>Hello everybody.
>
>I'm running into an interop issue with IPsec tunnels
>between FreeS/WAN and FreeBSD 5.2.
>Without IPComp, tunnels are successfully established.
>With IPComp enabled, tunnels are again successfully
>established but there is no traffic flow.
>
>This is my setkey init (FreeBSD box side):
>
>/usr/local/sbin/setkey -c <<EOF
>flush;
>spdflush;
>spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec
>    ipcomp/tunnel/172.16.1.247-172.16.1.226/use
>    esp/tunnel/172.16.1.247-172.16.1.226/require; 
>
>spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec
>    ipcomp/tunnel/172.16.1.226-172.16.1.247/use
>    esp/tunnel/172.16.1.226-172.16.1.247/require;
>EOF
>
>However, with this kind of init file FreeS/WAN is dropping packets coming from the FreeBSD box.
>Michael Richardson (fsw maintainer) replied to me saying:
>
>"... The packets that racoon is telling the system to build
>would appear to have been constructed like:
>
>orig     IPsrc = 10.1.1.1,IPdst = 10.1.2.1
>           IPcomp
>*         IPsrc = 172.16.1.247,IPdst=172.16.1.226
>           ESP
>outer   IPsrc = 172.16.1.247,IPdst=172.16.1.226
>
>[...]   This packet format is in error. It defeats most of the point of using
>IPcomp, which is to compress the inner-IP header out. It appears that a new
>IP header has been added.
>If the 2.6.0 kernel accepts this, then I wonder what other things it
>might accept!   The IPIP header marked "*" is completely superfluous and
>a waste of 20 bytes. ..."
>
>The full thread available at https://lists.freeswan.org/archives/design/2003-December/msg00032.html
>
>The thread is about FreeS/WAN and kernel 2.6 (the 2.6 IPsec stack is KAME based). However, Linux 2.6 and FreeBSD have the same behaviour.
>
>Comments?
>
>TIA
>
>PS: Please CC me. I'm not subscribed to the list.
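The header chain quoted above (ESP, then a superfluous IP header, then IPComp, then the original packet) can be checked from the decrypted ESP payload. The following Python script is an added example and not code from either poster or from KAME or FreeS/WAN; the packets, the CPI value 0x0002 and the use of raw deflate (RFC 2394) for the IPComp payload are constructed for the example.

```python
"""Walk the header chain that follows ESP in an IPsec tunnel-mode packet and
flag the redundant IP-in-IP header described in the thread. Packets below are
constructed for this example; IPComp payloads use raw deflate (RFC 2394)."""
import struct
import zlib
from ipaddress import IPv4Address

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_IPCOMP = 4, 6, 108

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at zero: constructed data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def ipcomp(cpi, datagram):
    """IPComp header (next header = IPIP, flags, CPI) followed by the deflated datagram."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw deflate, no zlib wrapper
    return struct.pack("!BBH", IPPROTO_IPIP, 0, cpi) + c.compress(datagram) + c.flush()

def walk_after_esp(next_hdr, payload):
    """Return the layers after ESP as strings, outermost first, stopping at the
    first protocol that is neither IP-in-IP nor IPComp."""
    layers = []
    while True:
        if next_hdr == IPPROTO_IPCOMP:
            nh, _flags, cpi = struct.unpack_from("!BBH", payload)
            layers.append(f"ipcomp cpi={cpi}")
            next_hdr, payload = nh, zlib.decompress(payload[4:], -15)
        elif next_hdr == IPPROTO_IPIP:
            ihl, proto = (payload[0] & 0x0F) * 4, payload[9]
            src, dst = IPv4Address(payload[12:16]), IPv4Address(payload[16:20])
            layers.append(f"ip {src}->{dst}")
            next_hdr, payload = proto, payload[ihl:]
        else:
            layers.append(f"proto {next_hdr}")
            return layers

def redundant_ip_header(layers):
    """True when an IP header sits between ESP and IPComp, the layout the
    FreeS/WAN maintainer called 'in error' (20 wasted bytes per packet)."""
    return len(layers) >= 2 and layers[0].startswith("ip ") and layers[1].startswith("ipcomp")

# Constructed inner datagram: 10.1.1.1 -> 10.1.2.1 TCP with a compressible payload.
INNER = ipv4("10.1.1.1", "10.1.2.1", IPPROTO_TCP, b"\x00" * 200)
# RFC 3173 tunnel mode: ESP next header = IPComp, which wraps the whole inner datagram.
GOOD = (IPPROTO_IPCOMP, ipcomp(0x0002, INNER))
# Layout from the thread: ESP -> IP(172.16.1.247->.226) -> IPComp -> inner IP.
BAD = (IPPROTO_IPIP, ipv4("172.16.1.247", "172.16.1.226", IPPROTO_IPCOMP, ipcomp(0x0002, INNER)))

if __name__ == "__main__":
    for name, (nh, pl) in (("good", GOOD), ("bad", BAD)):
        layers = walk_after_esp(nh, pl)
        print(name, " / ".join(layers), "REDUNDANT IP HEADER" if redundant_ip_header(layers) else "")
```

Run against a real capture, `next_hdr` is the Next Header byte from the ESP trailer and `payload` the decrypted ESP payload with padding and trailer removed.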