[Openswan Users] openswan<->openswan tunnel with compress=yes - KLIPS needed?

Dawid Kowalski dawid at texasnet.pl
Tue May 6 15:28:08 EDT 2008


Hi All,

I have a correctly working tunnel between two openswan boxes. The problem
starts as soon as I try to use compression. I've found that when
compression is enabled, the VPN gateway starts a new negotiation as soon as it
receives a packet which should be forwarded via the VPN. The output below was
produced using ICMP echo requests.
On both sides I'm running kernel 2.6.22 (left) and 2.6.13 (right) and the same
openswan version, 2.4.12. I'm not using the KLIPS modules as they're not
included in any gentoo kernel sources.

Am I falling into the problem described at
http://www.openswan.org/docs/local/README.Kernel26 as:
* compression seems to be incompatible between KLIPS and NETKEY.
?

I thought so, but after further investigation it looks like that is not necessarily the case.
http://lists.virus.org/users-openswan-0504/msg00261.html


What might I be missing? What should I check, given that without "compress=yes"
everything works fine?
I've been fighting with it for some time and can't find a good explanation or
working solution. If it should work, could you please give me
some hints on how I can troubleshoot it further?

Thanks in advance for your time!


### Dump of information
adding tunnel and setting up
soleil:
000 "soleil-galileo-lan":
10.20.9.0/24===172.0.0.1[@soleil.ex1.domain]---172.0.0.254...172.0.0.254---192.168.0.252[@galileo.ex2.domain]===10.20.2.0/24; 

erouted; eroute owner: #2
000 "soleil-galileo-lan":     srcip=10.20.9.1; dstip=10.20.2.1;
srcup=ipsec _updown; dstup=ipsec _updown;
000 "soleil-galileo-lan":   ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "soleil-galileo-lan":   policy:
RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 24,24; interface: ext;
encap: esp;
000 "soleil-galileo-lan":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "soleil-galileo-lan":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #2: "soleil-galileo-lan":500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 27790s; newest IPSEC; eroute owner
000 #2: "soleil-galileo-lan" esp.aa16f518 at 192.168.0.252
esp.b4d8f4d2 at 172.0.0.1 comp.2b29 at 192.168.0.252 comp.2370 at 172.0.0.1
tun.0 at 192.168.0.252 tun.0 at 172.0.0.1
000 #1: "soleil-galileo-lan":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 2831s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000

gal:
000 "soleil-galileo-lan":
10.20.2.0/24===192.168.0.252[@galileo.ex2.domain]---192.168.0.254...192.168.0.254---172.0.0.1[@soleil.ex1.domain]===10.20.9.0/24; 

erouted; eroute owner: #2
000 "soleil-galileo-lan":     srcip=10.20.2.1; dstip=10.20.9.1;
srcup=ipsec _updown; dstup=ipsec _updown;
000 "soleil-galileo-lan":   ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "soleil-galileo-lan":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS;
prio: 24,24; interface: eth1; encap: esp;
000 "soleil-galileo-lan":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "soleil-galileo-lan":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #2: "soleil-galileo-lan":500 STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 28454s; newest IPSEC; eroute owner
000 #2: "soleil-galileo-lan" esp.b4d8f4d2 at 172.0.0.1
esp.aa16f518 at 192.168.0.252 comp.2370 at 172.0.0.1 comp.2b29 at 192.168.0.252
tun.0 at 172.0.0.1 tun.0 at 192.168.0.252
000 #1: "soleil-galileo-lan":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_REPLACE in 3253s; newest ISAKMP; lastdpd=-1s(seq
in:0 out:0)
000


after ping
soleil:

000 "soleil-galileo-lan":
10.20.9.0/24===172.0.0.1[@soleil.ex1.domain]---172.0.0.254...172.0.0.254---192.168.0.252[@galileo.ex2.domain]===10.20.2.0/24; 

erouted; eroute owner: #3
000 "soleil-galileo-lan":     srcip=10.20.9.1; dstip=10.20.2.1;
srcup=ipsec _updown; dstup=ipsec _updown;
000 "soleil-galileo-lan":   ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "soleil-galileo-lan":   policy:
RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 24,24; interface: ext;
encap: esp;
000 "soleil-galileo-lan":   newest ISAKMP SA: #1; newest IPsec SA: #3;
000 "soleil-galileo-lan":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #3: "soleil-galileo-lan":500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 27878s; newest IPSEC; eroute owner
000 #3: "soleil-galileo-lan" esp.8b3cb351 at 192.168.0.252
esp.1eb2569b at 172.0.0.1 comp.eb78 at 192.168.0.252 comp.a266 at 172.0.0.1
tun.0 at 192.168.0.252 tun.0 at 172.0.0.1
000 #2: "soleil-galileo-lan":500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 27690s
000 #2: "soleil-galileo-lan" esp.aa16f518 at 192.168.0.252
esp.b4d8f4d2 at 172.0.0.1 comp.2b29 at 192.168.0.252 comp.2370 at 172.0.0.1
tun.0 at 192.168.0.252 tun.0 at 172.0.0.1
000 #1: "soleil-galileo-lan":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 2731s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000


gal:
000 "soleil-galileo-lan":
10.20.2.0/24===192.168.0.252[@galileo.ex2.domain]---192.168.0.254...192.168.0.254---172.0.0.1[@soleil.ex1.domain]===10.20.9.0/24; 

erouted; eroute owner: #3
000 "soleil-galileo-lan":     srcip=10.20.2.1; dstip=10.20.9.1;
srcup=ipsec _updown; dstup=ipsec _updown;
000 "soleil-galileo-lan":   ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "soleil-galileo-lan":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS;
prio: 24,24; interface: eth1; encap: esp;
000 "soleil-galileo-lan":   newest ISAKMP SA: #1; newest IPsec SA: #3;
000 "soleil-galileo-lan":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #3: "soleil-galileo-lan":500 STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 28519s; newest IPSEC; eroute owner
000 #3: "soleil-galileo-lan" esp.1eb2569b at 172.0.0.1
esp.8b3cb351 at 192.168.0.252 comp.a266 at 172.0.0.1 comp.eb78 at 192.168.0.252
tun.0 at 172.0.0.1 tun.0 at 192.168.0.252
000 #2: "soleil-galileo-lan":500 STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 28404s
000 #2: "soleil-galileo-lan" esp.b4d8f4d2 at 172.0.0.1
esp.aa16f518 at 192.168.0.252 comp.2370 at 172.0.0.1 comp.2b29 at 192.168.0.252
tun.0 at 172.0.0.1 tun.0 at 192.168.0.252
000 #1: "soleil-galileo-lan":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_REPLACE in 3203s; newest ISAKMP; lastdpd=-1s(seq
in:0 out:0)
000

When pinging, the logs look like the following for each sent packet, but nothing is
forwarded through the tunnel:
May  4 15:15:10 soleil pluto[16343]: initiate on demand from
10.20.9.10:0 to 10.20.2.8:0 proto=0 state: fos_start because: acquire
May  4 15:15:10 soleil pluto[16343]: "soleil-galileo-lan" #3: initiating
Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
May  4 15:15:11 soleil pluto[16343]: "soleil-galileo-lan" #3: transition
from state STATE_QUICK_I1 to state STATE_QUICK_I2
May  4 15:15:11 soleil pluto[16343]: "soleil-galileo-lan" #3:
STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x8b3cb351
<0x1eb2569b xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x0000eb78 <0x0000a266
NATD=none DPD=none}

Regards,
Dawid
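A check for the symptom described above, added here as an example and not part of the original post or of Openswan: it parses pluto log lines of the kind quoted in the post and flags a connection that negotiates a fresh IPsec SA carrying IPCOMP for every kernel "acquire". The sample log is constructed from the post's own lines re-joined onto single lines, plus a second acquire and an SA #4 whose SPIs are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pluto log patterns: the on-demand "acquire" initiation, and the "IPsec SA
# established" line whose braces list the ESP and (if negotiated) IPCOMP SPIs.
ACQUIRE_RE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
                        r'initiate on demand from (\S+) to (\S+) .*because: acquire$')
SA_RE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "([^"]+)" '
                   r'#(\d+): STATE_QUICK_[IR]2: .*IPsec SA established \{(.*)\}$')

def analyze(log_text, window_s=60, threshold=2):
    # storms: >= threshold acquire initiations for one selector pair within
    # window_s seconds (a new Quick Mode per packet); conns: IPsec SA numbers
    # established per connection and whether any of them carried IPCOMP.
    acquires, conns = defaultdict(list), defaultdict(lambda: [[], False])
    for line in log_text.splitlines():
        m = ACQUIRE_RE.match(line)
        if m:  # syslog lines carry no year; only deltas matter, so 1900 is fine
            ts = datetime.strptime(m.group(1), '%b %d %H:%M:%S')
            acquires[(m.group(2), m.group(3))].append(ts)
            continue
        m = SA_RE.match(line)
        if m:
            entry = conns[m.group(2)]
            entry[0].append(int(m.group(3)))
            entry[1] = entry[1] or 'IPCOMP=' in m.group(4)
    storms = []
    for (src, dst), stamps in acquires.items():
        stamps.sort()
        if any((stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_s
               for i in range(len(stamps) - threshold + 1)):
            storms.append((src, dst, len(stamps)))
    return {'storms': storms, 'conns': {k: (v[0], v[1]) for k, v in conns.items()}}

def ipcomp_suspects(report):
    # Connections that built more than one IPsec SA with IPCOMP during a storm.
    if not report['storms']:
        return []
    return sorted(name for name, (sa_nos, ipcomp) in report['conns'].items()
                  if ipcomp and len(set(sa_nos)) > 1)

# Constructed sample: the post's lines on single lines, then a second acquire
# and SA #4 with made-up SPIs modelling the per-packet renegotiation.
SAMPLE_LOG = """\
May  4 15:15:10 soleil pluto[16343]: initiate on demand from 10.20.9.10:0 to 10.20.2.8:0 proto=0 state: fos_start because: acquire
May  4 15:15:10 soleil pluto[16343]: "soleil-galileo-lan" #3: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
May  4 15:15:11 soleil pluto[16343]: "soleil-galileo-lan" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x8b3cb351 <0x1eb2569b xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x0000eb78 <0x0000a266 NATD=none DPD=none}
May  4 15:15:11 soleil pluto[16343]: initiate on demand from 10.20.9.10:0 to 10.20.2.8:0 proto=0 state: fos_start because: acquire
May  4 15:15:12 soleil pluto[16343]: "soleil-galileo-lan" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x11111111 <0x22222222 xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x00003333 <0x00004444 NATD=none DPD=none}
"""
```

Run `ipcomp_suspects(analyze(open('/var/log/auth.log').read()))` on the gateway's own pluto log to see whether a connection is cycling SAs; a healthy tunnel yields an empty list.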


