[Openswan Users] Fw: [Ipsec-tools-devel] ipcomp between racoon and FreeS/WAN 2.04
pupilla at hotmail.com
Fri Mar 26 15:41:06 CET 2004
Michael Richardson wrote:
> The problem with 26sec's use of IPCOMP is a clear problem.
> If OpenBSD, FreeBSD, NetBSD, PGP Net and Cisco accept those packets,
> then those systems are broken.
Tunnel mode IPComp is not working right.
KAME box can generate tunnelled IPComp
packet, however, *cannot* accept tunneled
> If you like, I know the developers of each of these systems personally,
> and I can phone them and talk to them directly. If you like, we can
> call Stephen Kent himself.
Some time ago I wrote to the KAME mailing list, but got no results.
> At best, putting a second IPIP header in between ESP and IPcomp is a
> simple waste of 20 bytes.
Perhaps you could add an ipsec.conf option something like:
compress=yes (correct IPComp)
compress=kame (buggy IPComp)
> At worst, the code that permits such a packet to be received and
> processed may in fact permit IP source address spoofing *inside* of the
> tunnel. I don't know, I haven't looked at it.
I think this could be worked around with firewall rules.