Date:      24 Sep 2001 15:31:28 -0700
From:      Bjoern Groenvall <bg@sics.se>
To:        freebsd-net@freebsd.org, freebsd-questions@freebsd.org
Cc:        bg@sics.se
Subject:   Problems with IPsec and IPCOMP
Message-ID:  <wuvgi8kypr.fsf@bg.sics.se>


Hi,

I am trying to enable IPCOMP between a FreeBSD 4.3 (172.16.11.153 = A)
and a 4.2 (172.16.11.8 = B) machine. It seems like A produces compressed
packets but B is unable to decompress them (see tcpdump log).

Can somebody see what I'm doing wrong? Does anybody have an example
configuration (that uses IPCOMP) that actually works? I would love to
have such a configuration as a starting point.

Cheers,
Björn

------
The configuration

# On both 172.16.11.153 and 172.16.11.8
setkey -c <<END
flush;
add 172.16.11.8 172.16.11.153 ah  1000 -m any -A keyed-md5 "MYSECRETMYSECRET";
add 172.16.11.153 172.16.11.8 ah  1001 -m any -A keyed-md5 "MYSECRETMYSECRET";
add 172.16.11.8 172.16.11.153 ipcomp 1004 -m transport -C deflate;
add 172.16.11.153 172.16.11.8 ipcomp 1005 -m transport -C deflate;
END

# On 172.16.11.8
setkey -c <<END
spdflush;
spdadd 172.16.11.8/32 172.16.11.153/32 any -P out ipsec ipcomp/transport//default ah/transport//require;
spdadd 172.16.11.153/32 172.16.11.8/32 any -P in  ipsec ipcomp/transport//default ah/transport//require;
END

# On 172.16.11.153
setkey -c <<END
spdflush;
spdadd 172.16.11.153/32 172.16.11.8/32 any -P out ipsec ipcomp/transport//default ah/transport//require;
spdadd 172.16.11.8/32 172.16.11.153/32 any -P in  ipsec ipcomp/transport//default ah/transport//require;
END

---

# tcpdump -n -p -s 1500 host hel
tcpdump: listening on ep0
15:24:37.114361 arp who-has 172.16.11.8 tell 172.16.11.153
15:24:37.114667 arp reply 172.16.11.8 is-at 0:60:97:c3:c4:14
15:24:37.114799 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x1): icmp: echo request
15:24:37.115322 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x1): icmp: echo reply
15:24:38.122541 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x2): icmp: echo request
15:24:38.122958 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x2): icmp: echo reply
15:24:39.132541 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x3): icmp: echo request
15:24:39.132959 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x3): icmp: echo reply
15:24:40.142557 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x4): icmp: echo request
15:24:40.142974 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x4): icmp: echo reply
15:24:48.796453 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x5): 1045 > 23: S 2680451051:2680451051(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 1078640 0,nop,nop,ccnew 24> (DF) [tos 0x10] 
15:24:48.796936 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x5): 23 > 1045: S 2119201956:2119201956(0) ack 2680451052 win 17520 <mss 1460> (DF)
15:24:48.797173 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x6): 1045 > 23: . ack 1 win 17520 (DF) [tos 0x10] 
15:24:48.798584 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x7): 1045 > 23: P 1:37(36) ack 1 win 17520 (DF) [tos 0x10] 
15:24:48.821877 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x6): 23 > 1045: P 1:4(3) ack 37 win 17484 (DF) [tos 0x10] 
15:24:48.822139 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x8): 1045 > 23: . ack 4 win 17517 (DF) [tos 0x10] 
15:24:48.822633 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x7): 23 > 1045: P 4:53(49) ack 37 win 17520 (DF) [tos 0x10] 
15:24:48.822823 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x9): 1045 > 23: . ack 53 win 17471 (DF) [tos 0x10] 
15:24:48.824418 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0xa): IPComp(cpi=0x0002) (DF) [tos 0x10] 
15:24:49.823821 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0xb): IPComp(cpi=0x0002) (DF) [tos 0x10] 
15:24:51.823787 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0xc): IPComp(cpi=0x0002) (DF) [tos 0x10] 
15:24:55.823845 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0xd): IPComp(cpi=0x0002) (DF) [tos 0x10] 
15:24:59.760189 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0xe): 1045 > 23: FP 127:128(1) ack 53 win 17520 (DF) [tos 0x10] 
15:24:59.760622 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x8): 23 > 1045: . ack 37 win 17520 (DF) [tos 0x10] 
15:25:03.824115 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0xf): IPComp(cpi=0x0002) (DF) [tos 0x10] 
15:25:19.824283 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x10): IPComp(cpi=0x0002) (DF) [tos 0x10] 
^C
27 packets received by filter
0 packets dropped by kernel
# 


-- 
  _     _                                               ,_______________.  
Bjorn Gronvall (Björn Grönvall)                        /_______________/|     
Swedish Institute of Computer Science                  |               ||
PO Box 1263, S-164 29 Kista, Sweden                    | Schroedingers ||
Email: bg@sics.se, Phone +46 -8 633 15 25              |      Cat      |/
Cellular +46 -70 768 06 35, Fax +46 -8 751 72 30       `---------------' 
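
An added example, not part of the original message: a small Python parser for tcpdump lines in the format of the log above that isolates the IPComp packets per direction and checks whether their spacing doubles, which is what a sender retransmitting unanswered data looks like. The function names are illustrative, and the embedded lines are an excerpt copied from that log.

```python
import re

# Excerpt copied from the tcpdump log in the message above (one B -> A line, six A -> B).
LOG = """\
15:24:48.822633 172.16.11.8 > 172.16.11.153: AH(spi=0x000003e8,seq=0x7): 23 > 1045: P 4:53(49) ack 37 win 17520 (DF) [tos 0x10]
15:24:48.824418 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0xa): IPComp(cpi=0x0002) (DF) [tos 0x10]
15:24:49.823821 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0xb): IPComp(cpi=0x0002) (DF) [tos 0x10]
15:24:51.823787 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0xc): IPComp(cpi=0x0002) (DF) [tos 0x10]
15:24:55.823845 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0xd): IPComp(cpi=0x0002) (DF) [tos 0x10]
15:25:03.824115 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0xf): IPComp(cpi=0x0002) (DF) [tos 0x10]
15:25:19.824283 172.16.11.153 > 172.16.11.8: AH(spi=0x000003e9,seq=0x10): IPComp(cpi=0x0002) (DF) [tos 0x10]
"""

LINE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) (\S+) > (\S+): "
    r"AH\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\): (?:IPComp\(cpi=0x([0-9a-f]+)\))?"
)

# CPI values 0-63 are "well-known" and name the algorithm directly (RFC 3173).
# The wire value 0x0002 is therefore DEFLATE, not the 1004/1005 given to setkey.
WELL_KNOWN_CPI = {1: "OUI", 2: "DEFLATE", 3: "LZS", 4: "LZJH"}

def parse(log):
    """Return one dict per AH packet: time (s), src, dst, spi, seq, cpi (or None)."""
    out = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ARP lines, tcpdump summary lines, etc.
        h, mi, s, src, dst, spi, seq, cpi = m.groups()
        out.append({"t": int(h) * 3600 + int(mi) * 60 + float(s),
                    "src": src, "dst": dst, "spi": int(spi, 16),
                    "seq": int(seq, 16), "cpi": int(cpi, 16) if cpi else None})
    return out

def ipcomp_report(packets, src, dst):
    """Summarise IPComp packets on src -> dst and test for retransmission back-off."""
    comp = [p for p in packets
            if (p["src"], p["dst"]) == (src, dst) and p["cpi"] is not None]
    gaps = [round(b["t"] - a["t"], 2) for a, b in zip(comp, comp[1:])]
    # Gaps that keep doubling mean the sender is retrying the same data unanswered.
    backoff = len(gaps) >= 3 and all(1.8 <= b / a <= 2.2 for a, b in zip(gaps, gaps[1:]))
    algos = sorted({WELL_KNOWN_CPI.get(p["cpi"], hex(p["cpi"])) for p in comp})
    return {"count": len(comp), "algos": algos, "gaps": gaps, "backoff": backoff}

REPORT = ipcomp_report(parse(LOG), "172.16.11.153", "172.16.11.8")
```

Run over the full log, the reverse direction (172.16.11.8 to 172.16.11.153) reports zero IPComp packets, so only A ever emits compressed payloads.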
