Date: Tue, 26 Sep 2006 13:25:29 -0500
From: Matthew Grooms <mgrooms@shrew.net>
To: freebsd-net@freebsd.org
Subject: Bundled SAs and ESP/IPCOMP support ...
Message-ID: <45197099.8060406@shrew.net>
All,

I have been working on ipsec-tools development a bit and am currently scratching my head over issues related to esp and ipcomp. Since I do most of my testing with FreeBSD, I tried both the kame ipsec and fast ipsec support but have had no success to date. Here are the SPD entries being generated with the kame ipsec stack compiled into the kernel ...

10.2.1.128[any] 10.1.1.2[any] any
	in ipsec
	ipcomp/tunnel/10.22.200.119-10.22.200.1/unique:3
	esp/transport//unique:3
	created: Sep 26 11:01:42 2006  lastused: Sep 26 11:01:42 2006
	lifetime: 3600(s) validtime: 0(s)
	spid=16483 seq=1 pid=886
	refcnt=1
10.1.1.2[any] 10.2.1.128[any] any
	out ipsec
	ipcomp/tunnel/10.22.200.1-10.22.200.119/unique:3
	esp/transport//unique:3
	created: Sep 26 11:01:42 2006  lastused: Sep 26 11:01:42 2006
	lifetime: 3600(s) validtime: 0(s)
	spid=16484 seq=0 pid=886
	refcnt=1

... and here are the SAD entries being generated ...

10.22.200.1 10.22.200.119
	ipcomp mode=tunnel spi=2480390087(0x93d7bfc7) reqid=4(0x00000004)
	C: deflate
	seq=0x00000000 replay=0 flags=0x00000080 state=mature
	created: Sep 26 11:01:42 2006	current: Sep 26 11:02:07 2006
	diff: 25(s)	hard: 3600(s)	soft: 2880(s)
	last:	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=3 pid=889 refcnt=1
10.22.200.1 10.22.200.119
	esp mode=transport spi=3351238547(0xc7bfd793) reqid=3(0x00000003)
	E: 3des-cbc 7380862e 482939f0 9f4753d8 9b97ab37 b13e4412 82a151ba
	A: hmac-md5 cb0829bf 4a51917e 6a023484 b9ea96d7
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: Sep 26 11:01:42 2006	current: Sep 26 11:02:07 2006
	diff: 25(s)	hard: 3600(s)	soft: 2880(s)
	last:	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=2 pid=889 refcnt=1
10.22.200.119 10.22.200.1
	ipcomp mode=tunnel spi=20406(0x00004fb6) reqid=4(0x00000004)
	C: deflate
	seq=0x00000000 replay=0 flags=0x00000080 state=mature
	created: Sep 26 11:01:42 2006	current: Sep 26 11:02:07 2006
	diff: 25(s)	hard: 3600(s)	soft: 2880(s)
	last:	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=1 pid=889 refcnt=1
10.22.200.119 10.22.200.1
	esp mode=transport spi=13587562(0x00cf546a) reqid=3(0x00000003)
	E: 3des-cbc 89f5c6b5 8598b99d feea7460 2f59c9b4 c21e1280 20c02c1d
	A: hmac-md5 2a293fed 7e02d586 f3f42012 8923582a
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: Sep 26 11:01:42 2006	current: Sep 26 11:02:07 2006
	diff: 25(s)	hard: 3600(s)	soft: 2880(s)
	last:	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=889 refcnt=1

... With fast ipsec compiled into the kernel, I can see the outbound esp transport SAD entry increase the current byte count but the ipcomp entry shows nothing to indicate its use. It seems strange that the kernel will send acquire messages via PF_KEY as a prerequisite to performing the required security processing but doesn't use them once they are added by the key daemon. I have heard reports from NetBSD developers that it doesn't work on their platform either. I have no idea about OpenBSD. It is reported to work correctly with the Linux 2.6 kernel but I haven't had a chance to verify yet.

So, has anyone had any success with esp/ipcomp bundled SAs? Is this a known issue and is anyone working to correct the problem?

Thanks in advance,

-Matthew
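The symptom described above (the ESP SA's byte counter climbs while the IPCOMP SA in the same direction stays at zero) can be checked mechanically from a `setkey -D` dump. The following is an added example, not code from the original post or from ipsec-tools; it parses the dump layout shown above and flags any SA that has carried no traffic while a sibling SA in the same direction has. The sample dump, the key material and the 4128-byte count are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `setkey -D`: the outbound ESP transport
# SA has carried traffic, the IPCOMP tunnel SA in the same direction has not.
# SPIs/reqids mirror the post; the byte count is made up for the example.
SAMPLE_SAD = """\
10.22.200.1 10.22.200.119
\tipcomp mode=tunnel spi=2480390087(0x93d7bfc7) reqid=4(0x00000004)
\tC: deflate
\tcurrent: 0(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tsadb_seq=3 pid=889 refcnt=1
10.22.200.1 10.22.200.119
\tesp mode=transport spi=3351238547(0xc7bfd793) reqid=3(0x00000003)
\tcurrent: 4128(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tsadb_seq=2 pid=889 refcnt=1
"""

ENDPOINTS = re.compile(r"^(\S+) (\S+)$")            # unindented "src dst" line
HEADER = re.compile(r"^\s*(esp|ah|ipcomp) mode=(\w+) spi=\d+\((0x[0-9a-f]+)\) reqid=(\d+)")
USAGE = re.compile(r"^\s*current: (\d+)\(bytes\)")   # lifetime byte counter line

def parse_sad(text):
    """Return one dict per SA: src, dst, proto, mode, spi, reqid, bytes."""
    sas, cur = [], None
    for line in text.splitlines():
        if m := ENDPOINTS.match(line):
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
        elif cur is None:
            continue
        elif m := HEADER.match(line):
            cur.update(proto=m.group(1), mode=m.group(2), spi=m.group(3), reqid=int(m.group(4)))
        elif m := USAGE.match(line):
            cur["bytes"] = int(m.group(1))
    return sas

def idle_bundle_members(sas):
    """SAs with a zero byte count while another SA in the same direction has
    carried traffic: the sign of a bundle member the kernel is not applying."""
    by_dir = defaultdict(list)
    for sa in sas:
        by_dir[(sa["src"], sa["dst"])].append(sa)
    idle = []
    for members in by_dir.values():
        if any(sa.get("bytes", 0) > 0 for sa in members):
            idle += [sa for sa in members if sa.get("bytes", 0) == 0]
    return idle
```

Run it on the output of `setkey -D` taken a few seconds apart; an IPCOMP SA that keeps appearing in the idle list while its ESP sibling grows is the behaviour the post describes.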