From: Al G. <al...@gr...> - 2004-05-28 00:23:49
Environment: ipsec-tools 0.3.1, kernel 2.6.6

First, I have had success using setkey/racoon to set up an esp tunnel, both straight esp and with nat traversal over port 4500. By the way, this only worked in my case using aggressive mode. Base mode didn't work. The documentation I've seen suggests I should be using main mode, so I report this experience.

Adding ipcomp to this mix fails at IKE phase 1. Either there is a bug, or I have made errors in my config. I believe this is an important feature to get working. I'm looking to replace some site-to-site tunnels using CIPE with compression--which architecturally is very similar to IPSec with NAT traversal--with IPSec. In the target environment, compression of the tunnels made a significant difference, so lack of a working ipcomp is a show stopper for IPSec.

Here is my racoon.conf:

    path include "/etc/racoon";
    path pre_shared_key "/etc/racoon/psk.txt";
    log debug;

    remote anonymous {
        exchange_mode aggressive;
        lifetime time 30 min;
        my_identifier fqdn "gw-a.bogus";
        # nat_traversal force;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 2;
        }
    }

    sainfo anonymous {
        pfs_group 2;
        lifetime time 30 min;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

And this is my policy established by setkey:

    spdadd 192.168.100.0/24 172.20.104.0/24 any -P out ipsec
        ipcomp/transport//use esp/tunnel/10.0.1.1-10.0.1.2/require;
    spdadd 172.20.104.0/24 192.168.100.0/24 any -P in ipsec
        ipcomp/transport//use esp/tunnel/10.0.1.2-10.0.1.1/require;

Finally, using setkey only, I believe I have ipcomp working with esp in transport mode. ESP traffic flows between the two endpoints, but I haven't researched how to get tcpdump or ethereal to decrypt the flow to see if it is compressed. This is to confirm, sort of, a report on this list that transport mode ipcomp has been known to work.

-- al
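When a tunnel that chains ipcomp and esp only comes up in one direction, the first thing worth checking is that the inbound SPD policy is the exact mirror of the outbound one (selector networks swapped, same protocol chain, tunnel endpoints reversed). The following Python script is an added example written for this thread, not code from ipsec-tools or from the poster. It parses the `spdadd ... -P dir ipsec proto/mode/src-dst/level ...` syntax used in the policies above, and then checks an out/in pair for asymmetries. The two policies from the post are used as input, together with one constructed inbound policy in which the tunnel endpoints were copied instead of reversed; the function `check_mirror` and the dataclass names are assumptions of this example.

```python
"""Sanity-check an out/in pair of setkey SPD policies for symmetry.

Parses the policy element syntax 'proto/mode/src-dst/level' and reports
every way in which the inbound policy fails to mirror the outbound one.
"""
from dataclasses import dataclass
from typing import List, Optional

PROTOS = {"ah", "esp", "ipcomp"}
MODES = {"transport", "tunnel"}
LEVELS = {"default", "use", "require", "unique"}


@dataclass
class IpsecRule:
    proto: str
    mode: str
    src: Optional[str]   # tunnel outer source; None in transport mode
    dst: Optional[str]   # tunnel outer destination; None in transport mode
    level: str


@dataclass
class SpdEntry:
    src_net: str
    dst_net: str
    upper: str           # upper-layer protocol selector, e.g. "any"
    direction: str       # "in" or "out"
    rules: List[IpsecRule]


def parse_rule(token: str) -> IpsecRule:
    """Parse one 'proto/mode/src-dst/level' element of an ipsec policy."""
    parts = token.split("/")
    if len(parts) != 4:
        raise ValueError(f"bad policy element: {token!r}")
    proto, mode, endpoints, level = parts
    if proto not in PROTOS or mode not in MODES or level not in LEVELS:
        raise ValueError(f"unknown keyword in policy element: {token!r}")
    if mode == "tunnel":
        if "-" not in endpoints:
            raise ValueError(f"tunnel mode needs src-dst endpoints: {token!r}")
        src, dst = endpoints.split("-", 1)
    else:
        if endpoints:
            raise ValueError(f"transport mode takes no endpoints: {token!r}")
        src = dst = None
    return IpsecRule(proto, mode, src, dst, level)


def parse_spdadd(line: str) -> SpdEntry:
    """Parse 'spdadd SRC DST UPPER -P DIR ipsec RULE...;' into an SpdEntry."""
    tokens = line.strip().rstrip(";").split()
    if (len(tokens) < 8 or tokens[0] != "spdadd"
            or tokens[4] != "-P" or tokens[6] != "ipsec"):
        raise ValueError(f"not an 'spdadd ... -P dir ipsec ...' line: {line!r}")
    direction = tokens[5]
    if direction not in {"in", "out"}:
        raise ValueError(f"direction must be in/out: {direction!r}")
    return SpdEntry(tokens[1], tokens[2], tokens[3], direction,
                    [parse_rule(t) for t in tokens[7:]])


def check_mirror(out_line: str, in_line: str) -> List[str]:
    """Return every asymmetry between an outbound and an inbound policy.

    An empty list means the inbound policy mirrors the outbound one:
    networks swapped, same chain of proto/mode/level, tunnel endpoints
    reversed.
    """
    out_e, in_e = parse_spdadd(out_line), parse_spdadd(in_line)
    problems = []
    if out_e.direction != "out" or in_e.direction != "in":
        problems.append("directions are not out/in")
    if (out_e.src_net, out_e.dst_net) != (in_e.dst_net, in_e.src_net):
        problems.append("selector networks are not swapped")
    if out_e.upper != in_e.upper:
        problems.append("upper-layer selectors differ")
    if len(out_e.rules) != len(in_e.rules):
        problems.append("protocol chains have different length")
        return problems
    for i, (o, n) in enumerate(zip(out_e.rules, in_e.rules)):
        if (o.proto, o.mode, o.level) != (n.proto, n.mode, n.level):
            problems.append(f"rule {i}: proto/mode/level differ")
        if o.mode == "tunnel" and (o.src, o.dst) != (n.dst, n.src):
            problems.append(f"rule {i}: tunnel endpoints are not reversed")
    return problems


# The two policies quoted in the post.
OUT_POLICY = ("spdadd 192.168.100.0/24 172.20.104.0/24 any -P out ipsec "
              "ipcomp/transport//use esp/tunnel/10.0.1.1-10.0.1.2/require;")
IN_POLICY = ("spdadd 172.20.104.0/24 192.168.100.0/24 any -P in ipsec "
             "ipcomp/transport//use esp/tunnel/10.0.1.2-10.0.1.1/require;")

# Constructed mistake: tunnel endpoints copied from the out policy, not reversed.
BAD_IN_POLICY = ("spdadd 172.20.104.0/24 192.168.100.0/24 any -P in ipsec "
                 "ipcomp/transport//use esp/tunnel/10.0.1.1-10.0.1.2/require;")

if __name__ == "__main__":
    print("post's policies:", check_mirror(OUT_POLICY, IN_POLICY) or "mirror OK")
    print("constructed mistake:", check_mirror(OUT_POLICY, BAD_IN_POLICY))
```

The post's own pair passes the check, so the phase 1 failure reported above is not a simple SPD asymmetry; the constructed pair shows what the output looks like when the endpoints of the esp tunnel element are not reversed on the inbound side.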