Re: ipsec ipcomp between FreeS/WAN 2.04 and FreeBSD 5.2

From: Marco Berizzi (pupilla_at_hotmail.com)
Date: 04/29/04

    To: "Karim Fodil-Lemelin" <kfl@xiphos.ca>
    Date: Thu, 29 Apr 2004 17:53:40 +0200
    
    

    Wow! Great. I will wait for your news.

    Karim Fodil-Lemelin wrote:

    > Hi,
    >
    > I have fixed IPComp for tunnel mode in FreeBSD 4.8 (I still need to
    > clean up the code). I believe it should be easy for you to apply the
    > diffs to FreeBSD 5.2. I will contact the Kame group and try to see how I
    > can deliver the patch. Since the R&D was done on the company's time I
    > would like to have myself and Xiphos mentioned in releasing the patch.
    >
    > Regards,
    >
    > Karim Fodil-Lemelin
    > Xiphos Technologies Inc
    >
    > Marco Berizzi wrote:
    >
    > >Hello everybody.
    > >
    > >I'm running into an interop issue with IPSec tunnels
    > >between FreeS/WAN and FreeBSD 5.2.
    > >Without IPComp, tunnels are successfully established.
    > >With IPComp enabled, tunnels are again successfully
    > >established but there is no traffic flow.
    > >
    > >This is my setkey init (FreeBSD box side):
    > >
    > >/usr/local/sbin/setkey -c <<EOF
    > >flush;
    > >spdflush;
    > >spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec
    > > ipcomp/tunnel/172.16.1.247-172.16.1.226/use
    > > esp/tunnel/172.16.1.247-172.16.1.226/require;
    > >
    > >spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec
    > > ipcomp/tunnel/172.16.1.226-172.16.1.247/use
    > > esp/tunnel/172.16.1.226-172.16.1.247/require;
    > >EOF
    > >
    > >However, with this kind of init file FreeS/WAN is dropping packets coming from the FreeBSD box.
    > >Michael Richardson (fsw maintainer) replied to me, saying:
    > >
    > >"... The packets that racoon is telling the system to build
    > >would appear to have been constructed like:
    > >
    > >orig IPsrc = 10.1.1.1,IPdst = 10.1.2.1
    > > IPcomp
    > >* IPsrc = 172.16.1.247,IPdst=172.16.1.226
    > > ESP
    > >outer IPsrc = 172.16.1.247,IPdst=172.16.1.226
    > >
    > >[...] This packet format is in error. It defeats most of the point of using
    > >IPcomp, which is to compress the inner-IP header out. It appears that a new
    > >IP header has been added.
    > >If the 2.6.0 kernel accepts this, then I wonder what other things it
    > >might accept! The IPIP header marked "*" is completely superfluous and
    > >a waste of 20 bytes. ..."
    > >
    > >The full thread is available at https://lists.freeswan.org/archives/design/2003-December/msg00032.html
    > >
    > >The thread is about FreeS/WAN and kernel 2.6 (the 2.6 IPSec stack is KAME-based). However, Linux 2.6 and FreeBSD have the same behaviour.
    > >
    > >Comments?
    > >
    > >TIA

    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
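
The packet layout quoted in the message above, next to the layout without the header marked "*", as an added example that is not part of the original thread. It assumes ESP has already been decrypted and its next-header value is known; the function names, the inner payload and the use of the well-known DEFLATE CPI are constructed for illustration.

```python
import struct
import zlib

IPPROTO_IPIP, IPPROTO_IPCOMP = 4, 108   # IANA protocol numbers

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) followed by payload."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, addr(src), addr(dst)) + payload

def ipcomp(next_hdr, payload, cpi=2):
    """IPComp header (RFC 3173): next header, flags, CPI (2 = DEFLATE), raw deflate data."""
    c = zlib.compressobj(wbits=-15)
    return struct.pack("!BBH", next_hdr, 0, cpi) + c.compress(payload) + c.flush()

def classify(esp_next_hdr, plaintext):
    """Return (layout, wasted_bytes) for a decrypted ESP payload."""
    if esp_next_hdr == IPPROTO_IPCOMP:
        return ("ipcomp-directly-under-esp", 0)
    if esp_next_hdr == IPPROTO_IPIP and len(plaintext) >= 20:
        ihl = (plaintext[0] & 0x0F) * 4          # length of the IP header found under ESP
        if plaintext[9] == IPPROTO_IPCOMP:       # that header only carries IPComp
            return ("extra-ip-header-before-ipcomp", ihl)
        return ("no-ipcomp", 0)                  # plain tunnelled packet, not compressed
    return ("unknown", 0)

# Constructed sample: addresses taken from the thread, ICMP-like payload invented.
INNER = ipv4("10.1.1.1", "10.1.2.1", 1, b"A" * 200)
GW_SRC, GW_DST = "172.16.1.247", "172.16.1.226"

# Layout quoted in the thread: the IPComp tunnel step adds its own IP header ("*"),
# and ESP then wraps the result.
KAME_PLAINTEXT = ipv4(GW_SRC, GW_DST, IPPROTO_IPCOMP, ipcomp(IPPROTO_IPIP, INNER))
# Same packet without the "*" header: IPComp sits directly under ESP.
BARE_PLAINTEXT = ipcomp(IPPROTO_IPIP, INNER)

if __name__ == "__main__":
    for name, nh, pt in (("with '*' header", IPPROTO_IPIP, KAME_PLAINTEXT),
                         ("without '*' header", IPPROTO_IPCOMP, BARE_PLAINTEXT)):
        print(f"{name}: {len(pt)} bytes under ESP -> {classify(nh, pt)}")
```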

