[Openswan Users] openswan<->openswan tunnel with compress=yes - KLIPS needed?

Dawid Kowalski dawid at texasnet.pl
Sun May 4 09:34:28 EDT 2008


Hi All,

I have a correctly working tunnel between two openswan boxes. The problem 
starts as soon as I try to use compression. I've found that when 
compression is enabled, the VPN gateway starts a new negotiation as soon as it 
receives a packet which should be forwarded via the VPN. The output below was 
produced using an ICMP echo request.
On both sides I'm running kernel 2.6.22 (left) and 2.6.13 (right) and the same 
openswan version, 2.4.12. I'm not using the KLIPS modules as they're not 
included in any gentoo kernel sources.

Am I running into the problem described at 
http://www.openswan.org/docs/local/README.Kernel26 as:
* compression seems to be incompatible between KLIPS and NETKEY.

?

I thought so, but after further investigation it looks like that's not necessarily the case.
http://lists.virus.org/users-openswan-0504/msg00261.html


What might I be missing? What should I check, given that without "compress=yes" 
everything works fine?
I've been fighting with it for some time and can't find a good explanation or a 
working solution. If it should work, could you please give me some 
hints on how I can troubleshoot it further?

Thanks in advance for your time!


### Dump of information
Adding the tunnel and setting it up
soleil:
000 "soleil-galileo-lan": 10.20.9.0/24===172.0.0.1[@soleil.ex1.domain]---172.0.0.254...172.0.0.254---192.168.0.252[@galileo.ex2.domain]===10.20.2.0/24; erouted; eroute owner: #2
000 "soleil-galileo-lan":     srcip=10.20.9.1; dstip=10.20.2.1; srcup=ipsec _updown; dstup=ipsec _updown;
000 "soleil-galileo-lan":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "soleil-galileo-lan":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 24,24; interface: ext; encap: esp;
000 "soleil-galileo-lan":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "soleil-galileo-lan":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #2: "soleil-galileo-lan":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27790s; newest IPSEC; eroute owner
000 #2: "soleil-galileo-lan" esp.aa16f518@192.168.0.252 esp.b4d8f4d2@172.0.0.1 comp.2b29@192.168.0.252 comp.2370@172.0.0.1 tun.0@192.168.0.252 tun.0@172.0.0.1
000 #1: "soleil-galileo-lan":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2831s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000

gal:
000 "soleil-galileo-lan": 10.20.2.0/24===192.168.0.252[@galileo.ex2.domain]---192.168.0.254...192.168.0.254---172.0.0.1[@soleil.ex1.domain]===10.20.9.0/24; erouted; eroute owner: #2
000 "soleil-galileo-lan":     srcip=10.20.2.1; dstip=10.20.9.1; srcup=ipsec _updown; dstup=ipsec _updown;
000 "soleil-galileo-lan":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "soleil-galileo-lan":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 24,24; interface: eth1; encap: esp;
000 "soleil-galileo-lan":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "soleil-galileo-lan":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #2: "soleil-galileo-lan":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28454s; newest IPSEC; eroute owner
000 #2: "soleil-galileo-lan" esp.b4d8f4d2@172.0.0.1 esp.aa16f518@192.168.0.252 comp.2370@172.0.0.1 comp.2b29@192.168.0.252 tun.0@172.0.0.1 tun.0@192.168.0.252
000 #1: "soleil-galileo-lan":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3253s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000


After ping
soleil:

000 "soleil-galileo-lan": 10.20.9.0/24===172.0.0.1[@soleil.ex1.domain]---172.0.0.254...172.0.0.254---192.168.0.252[@galileo.ex2.domain]===10.20.2.0/24; erouted; eroute owner: #3
000 "soleil-galileo-lan":     srcip=10.20.9.1; dstip=10.20.2.1; srcup=ipsec _updown; dstup=ipsec _updown;
000 "soleil-galileo-lan":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "soleil-galileo-lan":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 24,24; interface: ext; encap: esp;
000 "soleil-galileo-lan":   newest ISAKMP SA: #1; newest IPsec SA: #3;
000 "soleil-galileo-lan":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #3: "soleil-galileo-lan":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27878s; newest IPSEC; eroute owner
000 #3: "soleil-galileo-lan" esp.8b3cb351@192.168.0.252 esp.1eb2569b@172.0.0.1 comp.eb78@192.168.0.252 comp.a266@172.0.0.1 tun.0@192.168.0.252 tun.0@172.0.0.1
000 #2: "soleil-galileo-lan":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27690s
000 #2: "soleil-galileo-lan" esp.aa16f518@192.168.0.252 esp.b4d8f4d2@172.0.0.1 comp.2b29@192.168.0.252 comp.2370@172.0.0.1 tun.0@192.168.0.252 tun.0@172.0.0.1
000 #1: "soleil-galileo-lan":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2731s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000


gal:
000 "soleil-galileo-lan": 10.20.2.0/24===192.168.0.252[@galileo.ex2.domain]---192.168.0.254...192.168.0.254---172.0.0.1[@soleil.ex1.domain]===10.20.9.0/24; erouted; eroute owner: #3
000 "soleil-galileo-lan":     srcip=10.20.2.1; dstip=10.20.9.1; srcup=ipsec _updown; dstup=ipsec _updown;
000 "soleil-galileo-lan":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "soleil-galileo-lan":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 24,24; interface: eth1; encap: esp;
000 "soleil-galileo-lan":   newest ISAKMP SA: #1; newest IPsec SA: #3;
000 "soleil-galileo-lan":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #3: "soleil-galileo-lan":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28519s; newest IPSEC; eroute owner
000 #3: "soleil-galileo-lan" esp.1eb2569b@172.0.0.1 esp.8b3cb351@192.168.0.252 comp.a266@172.0.0.1 comp.eb78@192.168.0.252 tun.0@172.0.0.1 tun.0@192.168.0.252
000 #2: "soleil-galileo-lan":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28404s
000 #2: "soleil-galileo-lan" esp.b4d8f4d2@172.0.0.1 esp.aa16f518@192.168.0.252 comp.2370@172.0.0.1 comp.2b29@192.168.0.252 tun.0@172.0.0.1 tun.0@192.168.0.252
000 #1: "soleil-galileo-lan":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3203s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000

When pinging, the logs look like the following for each packet sent, but nothing is 
forwarded through the tunnel:
May  4 15:15:10 soleil pluto[16343]: initiate on demand from 10.20.9.10:0 to 10.20.2.8:0 proto=0 state: fos_start because: acquire
May  4 15:15:10 soleil pluto[16343]: "soleil-galileo-lan" #3: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
May  4 15:15:11 soleil pluto[16343]: "soleil-galileo-lan" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May  4 15:15:11 soleil pluto[16343]: "soleil-galileo-lan" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x8b3cb351 <0x1eb2569b xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x0000eb78 <0x0000a266 NATD=none DPD=none}

Regards,
Dawid


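The symptom in the post is that pluto keeps logging "initiate on demand ... because: acquire" for the same flow, and keeps bringing up fresh ESP+IPCOMP SAs, even though the previous SA is still established. The script below is an added example, not part of the original post and not Openswan code: it scans pluto syslog lines, counts kernel acquires per flow, extracts the ESP/IPCOMP SPIs from each "IPsec SA established" line, and flags the case where an acquire for the same selector arrives shortly after an SA came up, which is what a working NETKEY setup should never show. The SAMPLE_LOG is constructed to mirror the excerpt above; the second SA (#4) and its SPI/CPI values are invented for the example.

```python
"""Detect the 'new Quick Mode per packet' symptom in pluto syslog output.

Added example, not Openswan code. SAMPLE_LOG is constructed to mirror the
post's excerpt; state #4 and its SPIs/CPIs are made up for illustration.
"""
import re
from datetime import datetime

# Constructed sample (second SA invented), one line per syslog record.
SAMPLE_LOG = """\
May  4 15:15:10 soleil pluto[16343]: initiate on demand from 10.20.9.10:0 to 10.20.2.8:0 proto=0 state: fos_start because: acquire
May  4 15:15:10 soleil pluto[16343]: "soleil-galileo-lan" #3: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
May  4 15:15:11 soleil pluto[16343]: "soleil-galileo-lan" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May  4 15:15:11 soleil pluto[16343]: "soleil-galileo-lan" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x8b3cb351 <0x1eb2569b xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x0000eb78 <0x0000a266 NATD=none DPD=none}
May  4 15:15:12 soleil pluto[16343]: initiate on demand from 10.20.9.10:0 to 10.20.2.8:0 proto=0 state: fos_start because: acquire
May  4 15:15:12 soleil pluto[16343]: "soleil-galileo-lan" #4: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
May  4 15:15:13 soleil pluto[16343]: "soleil-galileo-lan" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x0a0b0c0d <0x01020304 xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x00001111 <0x00002222 NATD=none DPD=none}
May  4 15:15:14 soleil pluto[16343]: initiate on demand from 10.20.9.10:0 to 10.20.2.8:0 proto=0 state: fos_start because: acquire
"""

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s")
ACQUIRE_RE = re.compile(r"initiate on demand from (\S+) to (\S+) proto=(\d+) .*because: acquire")
ESTABLISHED_RE = re.compile(r'"([^"]+)" #(\d+): STATE_QUICK_I2: .*IPsec SA established \{([^}]*)\}')
# "ESP=>0x<outbound spi> <0x<inbound spi>" and the same shape for IPCOMP CPIs.
SA_FIELD_RE = re.compile(r"\b(ESP|IPCOMP)=>0x([0-9a-fA-F]+) <0x([0-9a-fA-F]+)")


def parse_ts(line):
    """Syslog stamps carry no year; 1900 is fine since only deltas are used."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S")


def analyze(log_text, window_s=60):
    flows = {}          # (src, dst, proto) -> number of kernel acquires seen
    sas = []            # one dict per "IPsec SA established" line
    reacquires = 0      # acquires arriving <= window_s after an SA came up
    last_established = None
    for line in log_text.splitlines():
        ts = parse_ts(line)
        m = ACQUIRE_RE.search(line)
        if m:
            key = (m.group(1), m.group(2), int(m.group(3)))
            flows[key] = flows.get(key, 0) + 1
            if (last_established is not None and ts is not None
                    and (ts - last_established).total_seconds() <= window_s):
                reacquires += 1
            continue
        m = ESTABLISHED_RE.search(line)
        if m:
            sa = {"conn": m.group(1), "state": int(m.group(2))}
            for proto, out_spi, in_spi in SA_FIELD_RE.findall(m.group(3)):
                sa[proto] = (out_spi.lower(), in_spi.lower())
            sas.append(sa)
            last_established = ts
    ipcomp_everywhere = bool(sas) and all("IPCOMP" in sa for sa in sas)
    return {
        "flows": flows,
        "sas": sas,
        "reacquires_after_sa": reacquires,
        # The post's symptom: SAs carrying IPCOMP keep coming up, yet the kernel
        # keeps asking for a new one for the same flow, i.e. nothing it
        # installed is matching the outbound traffic.
        "acquire_loop": ipcomp_everywhere and reacquires > 0,
    }


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    for flow, n in r["flows"].items():
        print(f"{flow[0]} -> {flow[1]} proto={flow[2]}: {n} acquire(s)")
    for sa in r["sas"]:
        print(f'{sa["conn"]} #{sa["state"]}: ESP={sa.get("ESP")} IPCOMP={sa.get("IPCOMP")}')
    print("re-acquire after SA:", r["reacquires_after_sa"], "loop:", r["acquire_loop"])
```

Feed it the real log with `analyze(open("/var/log/auth.log").read())` (path is an assumption; pluto logs wherever syslog puts auth/daemon messages). A healthy tunnel yields exactly one acquire per flow and `acquire_loop` False; if the loop is flagged, the next thing to compare is the SPIs printed here against `ip xfrm state` on the NETKEY host, to see whether the IPCOMP entries pluto negotiated were actually installed.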