[Openswan Users] Fw: [Ipsec-tools-devel] ipcomp between racoon and FreeS/WAN 2.04
Ken Bantoft
ken at xelerance.com
Thu Mar 25 19:51:12 CET 2004
Point me to the clarification from the IPsec WG, and we'd consider patches
to do this.
As was discussed on the FreeS/WAN design list, there are some security
concerns about doing this.
On Thu, 25 Mar 2004, Marco Berizzi wrote:
> Hello everybody.
>
> What are you thinking about this?
> Could Openswan be modified for better interop?
>
> Michal Ludvig wrote:
>
> > On Thu, 18 Mar 2004, Matthew Grant wrote:
> >
> > > Hi there!
> > >
> > > I have run into this at work.
> > >
> > > RFC 2401 (or 2041?) for IPSEC does not clearly say how the packet
> > > headers for ipcomp over ESP should be done - there is ambiguity over the
> > > presence of an ip-ip tunnel header between the VPN endpoints, which is
> > > placed just inside the ESP tunnel encapsulation. On the IPSEC working
> > > group mailing list there is a clarification, which says that the headers
> > > SHOULD be there.
> > >
> > > Everyone (OpenBSD, FreeBSD, NetBSD, PGP Net, Cisco?) but Free S/WAN
> > > follows the recommendation, but Free S/WAN chose not to because the
> > > ip-ip tunnel header causes a security problem due to a tunnel being
> > > inside the tunnel allowing security to be evaded.
> > >
> > > The IP addresses in the ip-ip header are checked by the IPSEC stacks in
> > > the end points, as well as the lower layer addresses of packets in the
> > > encapsulated ipcomp tunnel - go figure!!!
> > >
> > > The Free S/WAN KLIPS ipcomp feature will never interoperate the way it
> > > is... That is why the 2.4.x KLIPS IPSEC stack will not work using
> > > ipcomp with the 2.6.x KAME-based IPSEC stack.
> > >
> > > Cheers,
> > >
> > > Matthew Grant
--
Ken Bantoft VP Business Development
ken at xelerance.com Xelerance Corporation
sip://toronto.xelerance.com http://www.xelerance.com
The future is here. It's just not evenly distributed yet.
-- William Gibson
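As an added illustration, not code from this thread, Openswan, FreeS/WAN or KAME, the following Python walks the two header layouts Matthew describes (IPComp directly inside ESP, versus an ip-ip tunnel header inside ESP followed by IPComp) and applies the endpoint check he mentions: the addresses in the ip-ip header must match the outer endpoints of the SA the packet arrived on. ESP decryption and IPComp decompression are assumed to happen elsewhere; the packets and addresses are constructed samples.

```python
import ipaddress
import struct

# IANA protocol numbers: IP-in-IP (also "IPv4" as an inner header) = 4, IPComp = 108.
IPPROTO_IPIP = 4
IPPROTO_IPCOMP = 108


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, zero checksum) for a constructed sample."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def build_ipcomp(next_hdr, cpi, payload):
    """IPComp header per RFC 3173: next header, flags (0), 16-bit CPI."""
    return struct.pack("!BBH", next_hdr, 0, cpi) + payload


def classify_esp_payload(esp_next, data, sa_src, sa_dst):
    """Walk the headers that follow a decrypted ESP tunnel-mode payload.

    esp_next is the next-header value from the ESP trailer; sa_src/sa_dst are
    the outer endpoints of the SA.  Returns (layout name, inner datagram bytes).
    An ip-ip header whose addresses differ from the SA endpoints is rejected,
    which is the endpoint check the thread says IPsec stacks perform."""
    if esp_next == IPPROTO_IPCOMP:
        # FreeS/WAN KLIPS layout: IPComp header sits directly inside ESP.
        _next_hdr, _flags, _cpi = struct.unpack("!BBH", data[:4])
        return "esp/ipcomp", data[4:]
    if esp_next == IPPROTO_IPIP:
        # KAME / WG-clarification layout: ip-ip tunnel header, then IPComp.
        if len(data) < 20:
            raise ValueError("truncated ip-ip header")
        ihl = (data[0] & 0x0F) * 4
        proto = data[9]
        src = str(ipaddress.IPv4Address(data[12:16]))
        dst = str(ipaddress.IPv4Address(data[16:20]))
        if (src, dst) != (sa_src, sa_dst):
            raise ValueError(f"ip-ip header {src}->{dst} does not match SA {sa_src}->{sa_dst}")
        if proto != IPPROTO_IPCOMP:
            raise ValueError(f"expected IPComp after ip-ip header, got protocol {proto}")
        return "esp/ipip/ipcomp", data[ihl + 4:]
    raise ValueError(f"unexpected next header inside ESP: {esp_next}")


# Constructed samples: SA between 192.0.2.1 and 198.51.100.1; INNER stands in
# for the (compressed) original datagram, CPI 2 = DEFLATE.
INNER = b"\x45" + b"\x00" * 19 + b"payload"
KAME_STYLE = build_ipv4("192.0.2.1", "198.51.100.1", IPPROTO_IPCOMP,
                        build_ipcomp(IPPROTO_IPIP, 2, INNER))
FREESWAN_STYLE = build_ipcomp(IPPROTO_IPIP, 2, INNER)
```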