From: Brian B. <bbu...@qu...> - 2003-11-05 00:47:05
Attachments:
ipcomp.patch
In testing racoon, I found that when it sends an SADB_ADD message to the kernel for IPComp, the replay window size is set to 4. This causes the kernel to reject any inbound IPComp packets. This patch makes sure the replay window size is set to 0 for IPComp, to prevent this from happening.

Also, racoon needs to specify the min and max CPI for IPComp, so that the kernel does not allocate one that is 4 bytes instead of 2 bytes. Currently, the Linux kernel does not make sure to only use 2 bytes for CPIs. This can also cause packets to be dropped by the kernel, due to the CPI in the packet not matching the one the kernel has. This fix also ensures that the min and max CPI are set for IPComp so that the kernel chooses one that is in the correct range.

These patches are against ipsec-tools-0.2.2. They have been tested with the 2.6.0-test4 kernel. I have not seen any changes to the handling of IPComp by the kernel in any of the latest 2.6.0-test releases, so the fix should work on later kernels as well.

If there are any questions regarding this patch, please contact me.

Brian Buesker
Engineer
QUALCOMM
5775 Morehouse Dr.
San Diego, CA 92121
Email: bbu...@qu...
Phone: 858-658-2918
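An added illustration of the two settings the message above describes (not code from the attached patch or from ipsec-tools): a per-SA-type choice of identifier range and replay window, and a simplified model of why a 4-byte identifier never matches the 2-byte CPI carried in an IPComp header. The type names, function names, the non-IPComp defaults and the sample header are assumptions constructed for this example; the CPI range is the negotiated range from RFC 3173.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical types for illustration; not racoon's or the kernel's definitions. */
enum sa_type { SA_AH, SA_ESP, SA_IPCOMP };
struct sa_params { uint32_t spi_min, spi_max; uint8_t replay_window; };

/* RFC 3173: the CPI is 16 bits; 256..61439 is the range for negotiated CPIs. */
#define CPI_MIN 0x0100u
#define CPI_MAX 0xEFFFu

/* Parameters to use when requesting an identifier and adding the SA. */
struct sa_params params_for(enum sa_type t, uint8_t configured_window)
{
    struct sa_params p = { 0x100u, 0xFFFFFFFFu, configured_window };
    if (t == SA_IPCOMP) {
        p.spi_min = CPI_MIN;       /* keep the allocation within 2 bytes */
        p.spi_max = CPI_MAX;
        p.replay_window = 0;       /* IPComp header carries no sequence number */
    }
    return p;
}

/* IPComp header: next header (1 byte), flags (1 byte), CPI (2 bytes, network order). */
int ipcomp_cpi(const uint8_t *hdr, size_t len, uint32_t *cpi)
{
    if (len < 4) return -1;        /* truncated header */
    *cpi = ((uint32_t)hdr[2] << 8) | hdr[3];
    return 0;
}

/* Simplified model of inbound lookup: the SA identifier must equal the packet's CPI. */
int inbound_matches(uint32_t sa_id, const uint8_t *hdr, size_t len)
{
    uint32_t cpi;
    return ipcomp_cpi(hdr, len, &cpi) == 0 && cpi == sa_id;
}

/* Constructed sample header: next header 4 (IP-in-IP), flags 0, CPI 0x5678. */
static const uint8_t sample_hdr[4] = { 0x04, 0x00, 0x56, 0x78 };

int main(void)
{
    struct sa_params p = params_for(SA_IPCOMP, 4);
    printf("range %#x-%#x window %u\n", (unsigned)p.spi_min, (unsigned)p.spi_max, (unsigned)p.replay_window);
    printf("2-byte id matches: %d\n", inbound_matches(0x5678u, sample_hdr, sizeof sample_hdr));
    printf("4-byte id matches: %d\n", inbound_matches(0x12345678u, sample_hdr, sizeof sample_hdr));
    return 0;
}
```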