Bundled SAs and ESP/IPCOMP support ...
Matthew Grooms
mgrooms at shrew.net
Tue Sep 26 11:29:58 PDT 2006
All,
I have been working on ipsec-tools development a bit and am currently
scratching my head over issues related to esp and ipcomp. Since I do
most of my testing with FreeBSD, I tried both the kame ipsec and fast
ipsec support but have had no success to date.
Here are the SPD entries being generated with the kame ipsec stack
compiled into the kernel ...
10.2.1.128[any] 10.1.1.2[any] any
in ipsec
ipcomp/tunnel/10.22.200.119-10.22.200.1/unique:3
esp/transport//unique:3
created: Sep 26 11:01:42 2006 lastused: Sep 26 11:01:42 2006
lifetime: 3600(s) validtime: 0(s)
spid=16483 seq=1 pid=886
refcnt=1
10.1.1.2[any] 10.2.1.128[any] any
out ipsec
ipcomp/tunnel/10.22.200.1-10.22.200.119/unique:3
esp/transport//unique:3
created: Sep 26 11:01:42 2006 lastused: Sep 26 11:01:42 2006
lifetime: 3600(s) validtime: 0(s)
spid=16484 seq=0 pid=886
refcnt=1
... and here are the SAD entries being generated ...
10.22.200.1 10.22.200.119
ipcomp mode=tunnel spi=2480390087(0x93d7bfc7) reqid=4(0x00000004)
C: deflate seq=0x00000000 replay=0 flags=0x00000080
state=mature
created: Sep 26 11:01:42 2006 current: Sep 26 11:02:07 2006
diff: 25(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=3 pid=889 refcnt=1
10.22.200.1 10.22.200.119
esp mode=transport spi=3351238547(0xc7bfd793) reqid=3(0x00000003)
E: 3des-cbc 7380862e 482939f0 9f4753d8 9b97ab37 b13e4412 82a151ba
A: hmac-md5 cb0829bf 4a51917e 6a023484 b9ea96d7
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Sep 26 11:01:42 2006 current: Sep 26 11:02:07 2006
diff: 25(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=2 pid=889 refcnt=1
10.22.200.119 10.22.200.1
ipcomp mode=tunnel spi=20406(0x00004fb6) reqid=4(0x00000004)
C: deflate seq=0x00000000 replay=0 flags=0x00000080
state=mature
created: Sep 26 11:01:42 2006 current: Sep 26 11:02:07 2006
diff: 25(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=889 refcnt=1
10.22.200.119 10.22.200.1
esp mode=transport spi=13587562(0x00cf546a) reqid=3(0x00000003)
E: 3des-cbc 89f5c6b5 8598b99d feea7460 2f59c9b4 c21e1280 20c02c1d
A: hmac-md5 2a293fed 7e02d586 f3f42012 8923582a
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Sep 26 11:01:42 2006 current: Sep 26 11:02:07 2006
diff: 25(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=889 refcnt=1
...
With fast ipsec compiled into the kernel, I can see the outbound esp
transport SAD entry increase the current byte count, but the ipcomp entry
shows nothing to indicate its use. It seems strange that the kernel will
send acquire messages via PF_KEY as a prerequisite to performing the
required security processing but doesn't use them once they are added by
the key daemon.
I have heard reports from NetBSD developers that it doesn't work on
their platform either. I have no idea about OpenBSD. It is reported to
work correctly with the Linux 2.6 kernel but I haven't had a chance to
verify yet.
So, has anyone had any success with esp/ipcomp bundled SAs? Is this a
known issue and is anyone working to correct the problem?
Thanks in advance,
-Matthew
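As an added example (not part of Matthew's post and not ipsec-tools code): a small Python checker that reads setkey -DP and setkey -D output of the shape pasted above and, for every policy rule at level unique:N, looks for an SA of the same protocol and mode (and, for tunnel rules, the same endpoints) carrying reqid N. It rests on the KAME rule, stated here as my understanding rather than anything the post establishes, that a unique-level policy is bound to its SAs by reqid. The dumps embedded in the block are the ones from the post, with the SAD listing trimmed to the lines the parser reads; the regexes assume IPv4 addresses and the FreeBSD/KAME setkey print format shown above.

```python
"""Cross-check a setkey SPD dump (setkey -DP) against a SAD dump (setkey -D).

For every policy rule at level unique:N, look for an SA with the same
protocol and mode (and, for tunnel rules, the same endpoints) whose reqid
is N.  Assumption (my reading of KAME, not something the post shows):
a unique-level policy is bound to its SAs by reqid, so an SA created with
a different reqid is never selected for that policy.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Dumps copied from the post.  The SAD listing is trimmed to the lines the
# parser reads; lifetime and byte-counter lines are ignored anyway.
SPD_DUMP = """\
10.2.1.128[any] 10.1.1.2[any] any
in ipsec
ipcomp/tunnel/10.22.200.119-10.22.200.1/unique:3
esp/transport//unique:3
created: Sep 26 11:01:42 2006 lastused: Sep 26 11:01:42 2006
lifetime: 3600(s) validtime: 0(s)
spid=16483 seq=1 pid=886
refcnt=1
10.1.1.2[any] 10.2.1.128[any] any
out ipsec
ipcomp/tunnel/10.22.200.1-10.22.200.119/unique:3
esp/transport//unique:3
created: Sep 26 11:01:42 2006 lastused: Sep 26 11:01:42 2006
lifetime: 3600(s) validtime: 0(s)
spid=16484 seq=0 pid=886
refcnt=1
"""

SAD_DUMP = """\
10.22.200.1 10.22.200.119
ipcomp mode=tunnel spi=2480390087(0x93d7bfc7) reqid=4(0x00000004)
C: deflate seq=0x00000000 replay=0 flags=0x00000080
state=mature
10.22.200.1 10.22.200.119
esp mode=transport spi=3351238547(0xc7bfd793) reqid=3(0x00000003)
seq=0x00000000 replay=4 flags=0x00000000 state=mature
10.22.200.119 10.22.200.1
ipcomp mode=tunnel spi=20406(0x00004fb6) reqid=4(0x00000004)
C: deflate seq=0x00000000 replay=0 flags=0x00000080
10.22.200.119 10.22.200.1
esp mode=transport spi=13587562(0x00cf546a) reqid=3(0x00000003)
seq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"  # IPv4 only (assumption of this checker)
SPD_HEAD = re.compile(rf"^({IP})(?:/\d+)?\[\S+\] ({IP})(?:/\d+)?\[\S+\] \S+$")
SPD_DIR = re.compile(r"^(in|out|fwd) (ipsec|discard|none)$")
# proto/mode/[src-dst]/level[:reqid], e.g. esp/transport//unique:3
SPD_RULE = re.compile(
    rf"^(ipcomp|esp|ah)/(tunnel|transport)/(?:({IP})-({IP}))?/(\w+)(?::(\d+))?$")
SAD_HEAD = re.compile(rf"^({IP}) ({IP})$")
SAD_PROTO = re.compile(
    r"^(ipcomp|esp|ah) mode=(tunnel|transport|any) spi=(\d+)\(0x[0-9a-f]+\) reqid=(\d+)")


@dataclass
class Rule:
    proto: str
    mode: str
    src: Optional[str]   # None for transport rules (no endpoints printed)
    dst: Optional[str]
    level: str           # default / use / require / unique
    reqid: Optional[int]


@dataclass
class Policy:
    src: str
    dst: str
    direction: str = "?"
    rules: List[Rule] = field(default_factory=list)


@dataclass
class SA:
    src: str
    dst: str
    proto: str
    mode: str
    spi: int
    reqid: int


def parse_spd(text: str) -> List[Policy]:
    """Parse setkey -DP output into policies with their bundled rules."""
    policies: List[Policy] = []
    for line in text.splitlines():
        line = line.strip()
        if (m := SPD_HEAD.match(line)):
            policies.append(Policy(m[1], m[2]))
        elif policies and (m := SPD_DIR.match(line)):
            policies[-1].direction = m[1]
        elif policies and (m := SPD_RULE.match(line)):
            reqid = int(m[6]) if m[6] else None
            policies[-1].rules.append(Rule(m[1], m[2], m[3], m[4], m[5], reqid))
    return policies


def parse_sad(text: str) -> List[SA]:
    """Parse setkey -D output; the 'src dst' line precedes each SA's proto line."""
    sas: List[SA] = []
    pending = None
    for line in text.splitlines():
        line = line.strip()
        if (m := SAD_HEAD.match(line)):
            pending = (m[1], m[2])
        elif pending and (m := SAD_PROTO.match(line)):
            sas.append(SA(pending[0], pending[1], m[1], m[2], int(m[3]), int(m[4])))
            pending = None
    return sas


def check(policies: List[Policy], sas: List[SA]) -> List[dict]:
    """For each unique:N rule, report whether an SA with reqid N exists."""
    findings = []
    for p in policies:
        for r in p.rules:
            if r.level != "unique" or r.reqid is None:
                continue
            # Tunnel rules name their endpoints; transport rules do not, so
            # those are matched on protocol/mode/reqid alone.
            cands = [s for s in sas if s.proto == r.proto and s.mode == r.mode
                     and (r.src is None or (s.src, s.dst) == (r.src, r.dst))]
            hit = [s for s in cands if s.reqid == r.reqid]
            findings.append({
                "policy": f"{p.src} -> {p.dst} {p.direction}",
                "rule": f"{r.proto}/{r.mode}/unique:{r.reqid}",
                "ok": bool(hit),
                "sa_reqids": sorted({s.reqid for s in cands}),
            })
    return findings


def mismatches(findings: List[dict]) -> List[dict]:
    return [f for f in findings if not f["ok"]]


if __name__ == "__main__":
    for f in check(parse_spd(SPD_DUMP), parse_sad(SAD_DUMP)):
        status = "ok" if f["ok"] else "NO SA WITH MATCHING reqid"
        print(f"{f['policy']:40} {f['rule']:28} {status}  (SA reqids seen: {f['sa_reqids']})")
```

Run on the dumps from the post, it reports both ipcomp/tunnel rules as unmatched: the policies ask for unique:3, but the two IPCOMP SAs carry reqid=4, while the ESP transport SAs carry reqid=3 and match. Whether that mismatch is why the IPCOMP SA is never used is not something the post establishes; it is simply the first thing to verify, for instance by loading the same bundle with manually keyed SAs (setkey add ... -u 3) whose reqid equals the policy's and watching whether the ipcomp byte counter then moves.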