[Openswan Users] Fw: [Ipsec-tools-devel] ipcomp between racoon and FreeS/WAN 2.04

Marco Berizzi pupilla at hotmail.com
Thu Mar 25 18:30:46 CET 2004


Hello everybody.

What are you thinking about this?
Could Openswan be modified for better interop?

Michal Ludvig wrote:

> On Thu, 18 Mar 2004, Matthew Grant wrote:
> 
> > Hi There!
> >
> > I have run into this at work.
> >
> > RFC 2401 (or 2041?) for IPSEC does not clearly say how the packet
> > headers for ipcomp over ESP should be done - there is ambiguity over the
> > presence of an ip-ip tunnel header between the VPN endpoints, which is
> > placed just inside the ESP tunnel encapsulation.  On the IPSEC working
> > group mailing list there is a clarification, which says that the headers
> > SHOULD be there.
> >
> > Everyone (OpenBSD, FreeBSD, NetBSD, PGP Net, Cisco?) but Free S/WAN
> > follows the recommendation, but Free S/WAN chose not to because the
> > ip-ip tunnel header causes a security problem due to a tunnel being
> > inside the tunnel allowing security to be evaded.
> >
> > The IP addresses in the ip-ip header are checked by the IPSEC stacks in
> > the end points, as well as the lower layer addresses of packets in the
> > encapsulated ipcomp tunnel - go figure!!!
> >
> > The Free S/WAN KLIPS ipcomp feature will never interoperate the way it
> > is...  That is why the 2.4.x KLIPS IPSEC stack will not work using
> > ipcomp with the 2.6.x KAME based IPSEC stack.
> >
> > Cheers,
> >
> > Matthew Grant

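The two header layouts Matthew describes, walked by a small decapsulation routine. This is an added example written for this page, not code from Openswan, FreeS/WAN or KAME; the layouts (ESP -> IP-in-IP -> IPComp -> inner IP versus ESP -> IPComp -> inner IP) are taken from the thread's description, the protocol numbers (IP-in-IP = 4, IPComp = 108) and the 4-byte IPComp header are the IANA/RFC 3173 values, and the SA endpoint check on the tunnel header is the check the thread says the BSD stacks perform.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_IPIP, IPPROTO_IPCOMP = 4, 108


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero) for a constructed sample."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def parse_ipv4(buf):
    """Return (proto, src, dst, payload) for an IPv4 header, honouring IHL."""
    ihl = (buf[0] & 0x0F) * 4
    return buf[9], str(IPv4Address(buf[12:16])), str(IPv4Address(buf[16:20])), buf[ihl:]


def decap_after_esp(next_hdr, payload, sa_src, sa_dst):
    """Walk what follows ESP tunnel-mode decryption and accept both layouts.

    (a) IP-in-IP tunnel header, then IPComp, then the inner datagram (KAME/BSD style):
        the tunnel header's addresses must equal the SA endpoints, otherwise the packet
        is rejected so the extra header cannot act as a second tunnel.
    (b) IPComp directly, then the inner datagram (FreeS/WAN KLIPS style).
    Returns (layout seen, protocol carried inside IPComp, compressed bytes).
    """
    layout = []
    if next_hdr == IPPROTO_IPIP:
        proto, src, dst, payload = parse_ipv4(payload)
        if (src, dst) != (sa_src, sa_dst):
            raise ValueError(f"tunnel header {src}->{dst} does not match SA {sa_src}->{sa_dst}")
        layout.append("ipip")
        next_hdr = proto
    if next_hdr != IPPROTO_IPCOMP:
        raise ValueError(f"expected IPComp (108) after ESP, got protocol {next_hdr}")
    inner_proto, _flags, cpi = struct.unpack("!BBH", payload[:4])
    layout.append(f"ipcomp(cpi={cpi})")
    return layout, inner_proto, payload[4:]


# Constructed sample: IPComp header (next header 4 = a compressed IP datagram follows,
# CPI 2 = DEFLATE) in front of a stand-in for the deflated inner packet.
SA_SRC, SA_DST = "192.0.2.1", "198.51.100.1"
IPCOMP_PDU = struct.pack("!BBH", IPPROTO_IPIP, 0, 2) + b"\x78\x9c<deflated inner IP>"
KAME_STYLE = (IPPROTO_IPIP, build_ipv4(IPPROTO_IPCOMP, SA_SRC, SA_DST, IPCOMP_PDU))
KLIPS_STYLE = (IPPROTO_IPCOMP, IPCOMP_PDU)
# A tunnel header naming some other host is what the endpoint check rejects.
FOREIGN_TUNNEL = (IPPROTO_IPIP, build_ipv4(IPPROTO_IPCOMP, "203.0.113.9", SA_DST, IPCOMP_PDU))
```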
