[Openswan Users] Fw: [Ipsec-tools-devel] ipcomp between racoon and FreeS/WAN 2.04

Marco Berizzi pupilla at hotmail.com
Fri Mar 26 15:41:06 CET 2004


Michael Richardson wrote:


> The problem with 26sec's use of IPCOMP is a clear problem.
> If OpenBSD, FreeBSD, NetBSD, PGP Net and Cisco accept those packets,
> then those systems are broken.

from kame/IMPLEMENTATION:

..
Tunnel mode IPComp is not working right.
KAME box can generate tunnelled IPComp
packet, however, *cannot* accept tunneled
IPComp packet.
..

:-((
 
> If you like, I know the developers of each of these systems personally,
> and I can phone them and talk to them directly. If you like, we can
> call Stephen Kent himself.

Some time ago I wrote to kame mailing, but no results.

> At best, putting a second IPIP header in between ESP and IPcomp is a
> simple waste of 20 bytes. 

Perhaps you could add an ipsec.conf option something like:

compress=yes  (correct IPComp)
compress=kame (buggy IPComp)
 
> At worst, the code that permits such a packet to be received and
> processed may in fact permit IP source address spoofing *inside* of the
> tunnel. I don't know, I haven't looked at it.

I think this could be worked around by firewall rules.
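To make the two on-the-wire layouts the thread argues about concrete, here is an added example (not code from the thread, FreeS/WAN or KAME) that walks the headers following ESP decapsulation and reports whether the extra IPIP header is present, with the IPComp header laid out as in RFC 3173; the sample payloads and addresses are constructed.

```python
import struct

IPPROTO_IPIP = 4      # IP-in-IP: the "second IPIP header" discussed in the thread
IPPROTO_IPCOMP = 108  # IPComp (RFC 3173)

def parse_ipv4(buf):
    """Return (protocol, src, dst, header_len) from a minimal IPv4 header."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    src = ".".join(str(b) for b in buf[12:16])
    dst = ".".join(str(b) for b in buf[16:20])
    return buf[9], src, dst, ihl

def parse_ipcomp(buf):
    """Return (next_header, flags, cpi) from the 4-byte IPComp header."""
    if len(buf) < 4:
        raise ValueError("short IPComp header")
    return struct.unpack("!BBH", buf[:4])

def classify_post_esp(payload, esp_next):
    """Walk the headers that follow ESP decapsulation (esp_next = ESP's
    Next Header value).  Reports the protocol chain, whether an IPIP header
    sits between ESP and IPComp, and that header's addresses so a policy
    check can compare them with the tunnel endpoints."""
    chain, extra_ipip, off, proto = [], None, 0, esp_next
    if proto == IPPROTO_IPIP:                     # the KAME-style layout
        proto, src, dst, off = parse_ipv4(payload)
        chain.append("IPIP(%s->%s)" % (src, dst))
        extra_ipip = (src, dst)
    if proto != IPPROTO_IPCOMP:
        return {"ok": False, "chain": chain, "reason": "no IPComp header"}
    nxt, _flags, cpi = parse_ipcomp(payload[off:])
    chain += ["IPCOMP(cpi=%d)" % cpi, "compressed inner proto %d" % nxt]
    return {"ok": True, "chain": chain, "extra_ipip": extra_ipip,
            "wasted_bytes": off}

def ipv4_hdr(proto, src, dst):
    """Constructed 20-byte IPv4 header (length/checksum fields left zero)."""
    return (bytes([0x45, 0, 0, 0, 0, 0, 0, 0, 64, proto, 0, 0])
            + bytes(int(o) for o in src.split("."))
            + bytes(int(o) for o in dst.split(".")))

# Constructed sample payloads: IPComp header with next=IPv4, CPI 2 (DEFLATE),
# followed by a stand-in for the compressed inner datagram.
IPCOMP_PART = struct.pack("!BBH", IPPROTO_IPIP, 0, 2) + b"\x78\x9c\x00"
STANDARD = IPCOMP_PART                                                 # ESP next = 108
KAME = ipv4_hdr(IPPROTO_IPCOMP, "10.0.0.1", "10.0.0.2") + IPCOMP_PART  # ESP next = 4
```

A receiver that tolerates the extra header can compare `extra_ipip` against the SA's tunnel endpoints and drop mismatches, which is the kind of check the firewall-rule workaround above would have to express.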