ipsec ipcomp between FreeS/WAN 2.04 and FreeBSD 5.2
Marco Berizzi
pupilla at hotmail.com
Tue Feb 3 09:19:14 PST 2004
Hello everybody.
I'm running into an interop issue with IPSec tunnels
between FreeS/WAN and FreeBSD 5.2.
Without IPComp, tunnels are successfully established.
With IPComp enabled, tunnels are again successfully
established but there is no traffic flow.
This is my setkey init (FreeBSD box side):
/usr/local/sbin/setkey -c <<EOF
flush;
spdflush;
spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec
ipcomp/tunnel/172.16.1.247-172.16.1.226/use
esp/tunnel/172.16.1.247-172.16.1.226/require;
spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec
ipcomp/tunnel/172.16.1.226-172.16.1.247/use
esp/tunnel/172.16.1.226-172.16.1.247/require;
EOF
However, with this kind of init file FreeS/WAN is dropping packets coming from the FreeBSD box.
Michael Richardson (FreeS/WAN maintainer) replied to me, telling:
"... The packets that racoon is telling the system to build
would appear to have been constructed like:
orig IPsrc = 10.1.1.1,IPdst = 10.1.2.1
IPcomp
* IPsrc = 172.16.1.247,IPdst=172.16.1.226
ESP
outer IPsrc = 172.16.1.247,IPdst=172.16.1.226
[...] This packet format is in error. It defeats most of the point of using
IPcomp, which is to compress the inner-IP header out. It appears that a new
IP header has been added.
If the 2.6.0 kernel accepts this, then I wonder what other things it
might accept! The IPIP header marked "*" is completely superfluous and
a waste of 20 bytes. ..."
The full thread is available at https://lists.freeswan.org/archives/design/2003-December/msg00032.html
The thread is about FreeS/WAN and kernel 2.6 (the 2.6 IPSec stack is KAME based). However, Linux 2.6 and FreeBSD have the same behaviour.
Comments?
TIA
PS: Please CC me. I'm not subscribed to the list.
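Added example, not part of the original post or of either project's code: a small Python walker over what follows ESP once it is decrypted, which distinguishes the layout the quoted reply calls correct (ESP -> IPComp -> compressed inner packet) from the one it objects to (ESP -> superfluous IPIP header -> IPComp). The sample packets are constructed here using the addresses from the post; the compressed payload bytes are a stand-in, and the extra layering is what to look for in a decrypted capture when debugging this kind of interop failure.

```python
import struct

IPPROTO_IPIP = 4      # IP-in-IP (the "*" header in the quoted reply)
IPPROTO_IPCOMP = 108  # RFC 3173 IP Payload Compression

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header, no options; checksum left zero for the demo."""
    def addr(s):
        return bytes(int(x) for x in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, addr(src), addr(dst))

def ipcomp_header(next_header, cpi):
    """RFC 3173 IPComp header: next header, flags (0), 16-bit CPI."""
    return struct.pack("!BBH", next_header, 0, cpi)

def layers_after_esp(next_header, payload):
    """Name each header between ESP and the IPComp header.
    Data after IPComp is compressed and opaque, so the walk stops there."""
    layers, proto, off = [], next_header, 0
    while proto == IPPROTO_IPIP:
        ihl = (payload[off] & 0x0F) * 4
        src = ".".join(str(b) for b in payload[off + 12:off + 16])
        dst = ".".join(str(b) for b in payload[off + 16:off + 20])
        layers.append(f"IP {src}->{dst}")
        proto, off = payload[off + 9], off + ihl
    if proto == IPPROTO_IPCOMP:
        nh, _flags, cpi = struct.unpack_from("!BBH", payload, off)
        layers.append(f"IPComp next={nh} cpi={cpi}")
    else:
        layers.append(f"proto {proto}")
    return layers

def has_superfluous_ipip(next_header, payload):
    """True when an uncompressed IP header sits between ESP and IPComp,
    i.e. the 20 wasted bytes the quoted reply points at."""
    layers = layers_after_esp(next_header, payload)
    return len(layers) > 1 and layers[-1].startswith("IPComp")

# Constructed samples: CPI 2 is the well-known DEFLATE CPI; COMPRESSED is a stand-in.
COMPRESSED = b"\x00" * 8
GOOD = ipcomp_header(IPPROTO_IPIP, 2) + COMPRESSED      # ESP next header = 108
BAD = ipv4_header("172.16.1.247", "172.16.1.226",
                  IPPROTO_IPCOMP, len(GOOD)) + GOOD       # ESP next header = 4
```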
More information about the freebsd-net mailing list