In testing racoon, I found that when it sends an SADB_ADD message to the
kernel for IPComp, the replay window size is set to 4. This causes the
kernel to reject any inbound IPComp packets. This patch makes sure the
replay window size is set to 0 for IPComp, to prevent this from happening.
Also, racoon needs to specify the min and max CPI for IPComp, so that
the kernel does not allocate one that is 4 bytes instead of 2 bytes.
Currently, the Linux kernel does not make sure to only use 2 bytes for
CPIs. This can also cause packets to be dropped by the kernel, due to
the CPI in the packet not matching the one the kernel has. This fix also
ensures that the min and max CPI are set for IPComp so that the kernel
chooses one that is in the correct range.
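As an added illustration (not the patch from this mail, and not ipsec-tools code), the C below builds the two PF_KEY extensions the fix concerns: the sadb_sa extension of an SADB_ADD with a zero replay window for IPComp, and the sadb_spirange extension of an SADB_GETSPI constrained to 16-bit CPIs. It assumes Linux <linux/pfkeyv2.h>; the default window of 4, the CPI bounds 0x100..0xffff and the sample SPI are assumed or constructed values.

```c
#include <stdint.h>
#include <string.h>
#include <linux/pfkeyv2.h>

#define DEFAULT_REPLAY_WINDOW 4   /* assumed: window racoon used for every SA */
#define IPCOMP_CPI_MIN 0x100      /* assumed: skip reserved/well-known CPIs */
#define IPCOMP_CPI_MAX 0xffff     /* the IPComp CPI is a 16-bit field */

/* Replay window for the sadb_sa extension: IPComp carries no sequence
   number, so any non-zero window makes the kernel drop inbound packets. */
static unsigned int replay_window_for(unsigned int satype)
{
    return satype == SADB_X_SATYPE_IPCOMP ? 0 : DEFAULT_REPLAY_WINDOW;
}

/* Fill the SA extension of an SADB_ADD. spi_be is the SPI/CPI as it
   travels on the wire (network byte order), supplied by the caller. */
static void fill_sa_ext(struct sadb_sa *sa, unsigned int satype, uint32_t spi_be)
{
    memset(sa, 0, sizeof *sa);
    sa->sadb_sa_len = sizeof *sa / sizeof(uint64_t); /* length in 64-bit units */
    sa->sadb_sa_exttype = SADB_EXT_SA;
    sa->sadb_sa_spi = spi_be;
    sa->sadb_sa_replay = replay_window_for(satype);
    sa->sadb_sa_state = SADB_SASTATE_MATURE;
}

/* Fill the SPI-range extension of an SADB_GETSPI. For IPComp the kernel
   must pick a value that fits the 16-bit CPI; other SA types may use the
   full 32-bit SPI space. */
static void fill_spirange_ext(struct sadb_spirange *r, unsigned int satype)
{
    memset(r, 0, sizeof *r);
    r->sadb_spirange_len = sizeof *r / sizeof(uint64_t);
    r->sadb_spirange_exttype = SADB_EXT_SPIRANGE;
    if (satype == SADB_X_SATYPE_IPCOMP) {
        r->sadb_spirange_min = IPCOMP_CPI_MIN;
        r->sadb_spirange_max = IPCOMP_CPI_MAX;
    } else {
        r->sadb_spirange_min = 0x100;
        r->sadb_spirange_max = 0xffffffff;
    }
}

/* Sanity check on a CPI handed back by the kernel: anything wider than
   16 bits can never match the CPI field of a received IPComp header. */
static int cpi_is_usable(uint32_t cpi)
{
    return cpi >= IPCOMP_CPI_MIN && cpi <= IPCOMP_CPI_MAX;
}
```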
These patches are against ipsec-tools-0.2.2. They have been tested with
the 2.6.0-test4 kernel. I have not seen any changes to the handling of
IPComp by the kernel in any of the latest 2.6.0-test releases, so the
fix should work on later kernels as well.
If there are any questions regarding this patch, please contact me.
5775 Morehouse Dr.
San Diego, CA 92121