#2 IPComp fixes


In testing racoon, I found that when it sends an
SADB_ADD message to the kernel for IPComp, the replay
window size is set to 4. This causes the kernel to
reject any inbound IPComp packets. This patch makes
sure the replay window size is set to 0 for IPComp, to
prevent this from happening.

Also, racoon needs to specify the min and max CPI for
IPComp, so that the kernel does not allocate one that
is 4 bytes instead of 2 bytes. Currently, the Linux
kernel does not make sure to only use 2 bytes for CPIs.
This can also cause packets to be dropped by the
kernel, due to the CPI in the packet not matching the
one the kernel has. This fix also ensures that the min
and max CPI are set for IPComp so that the kernel
chooses one that is in the correct range.

These patches are against ipsec-tools-0.2.2. They have
been tested with the 2.6.0-test4 kernel. I have not
seen any changes to the handling of IPComp by the
kernel in any of the latest 2.6.0-test releases, so the
fix should work on later kernels as well.

If there are any questions regarding this patch, please
contact me.

Brian Buesker
5775 Morehouse Dr.
San Diego, CA 92121

Email: bbuesker@qualcomm.com
Phone: 858-658-2918
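
The two conditions described in the report above, as an added example that is not part of the submitted patch or of the ipsec-tools source: per-protocol SA parameters (no replay window and a 16-bit identifier range for IPComp) and a simplified model of why a 4-byte identifier can never match the 2-byte CPI carried in a packet. The enum tags, function names and sample bytes are constructed for illustration, and the range 256 to 61439 is the negotiated-CPI range from RFC 3173, assumed here rather than taken from the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical protocol tags for this sketch (not PF_KEY SADB_SATYPE_* values). */
enum proto { PROTO_AH, PROTO_ESP, PROTO_IPCOMP };

struct sa_params {
    uint8_t  replay_window;    /* window size requested when adding the SA */
    uint32_t spi_min, spi_max; /* identifier range requested; 0/0 = any    */
};

/* IPComp has no sequence number, so no replay window; its CPI is 16 bits.
 * 256..61439 is the RFC 3173 range for negotiated CPIs (assumed min/max). */
struct sa_params sa_params_for(enum proto p)
{
    struct sa_params sp = { 4, 0, 0 }; /* window of 4, as in the report */
    if (p == PROTO_IPCOMP) {
        sp.replay_window = 0;
        sp.spi_min = 256;
        sp.spi_max = 61439;
    }
    return sp;
}

/* Parse the 4-byte IPComp header: next header, flags, CPI (big-endian).
 * Returns 0 and stores the CPI, or -1 if the buffer is too short. */
int ipcomp_cpi(const uint8_t *hdr, size_t len, uint16_t *cpi)
{
    if (hdr == NULL || len < 4)
        return -1;
    *cpi = (uint16_t)((hdr[2] << 8) | hdr[3]);
    return 0;
}

/* Simplified model of the inbound lookup: the packet's CPI, widened to
 * 32 bits, must equal the identifier stored for the SA. */
int inbound_matches(uint32_t sa_spi, const uint8_t *hdr, size_t len)
{
    uint16_t cpi;
    if (ipcomp_cpi(hdr, len, &cpi) != 0)
        return 0;
    return sa_spi == (uint32_t)cpi;
}

int main(void)
{
    const uint8_t hdr[4] = { 0x04, 0x00, 0x56, 0x78 }; /* constructed header */
    printf("16-bit id matches: %d\n", inbound_matches(0x5678u, hdr, 4));
    printf("32-bit id matches: %d\n", inbound_matches(0x12345678u, hdr, 4));
    return 0;
}
```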


  • Nobody/Anonymous

    Patch to fix IPComp CPI size and replay window size

  • alan johnson

    alan johnson - 2004-11-19

    kernel is 2.6.0

  • Nobody/Anonymous

    It looks like this patch is in ipsec-tools. I reviewed the
    source in 0.5, and the fixes from this patch are in there.

  • Aidas Kasparas

    Aidas Kasparas - 2005-05-13
    • status: open --> closed
  • Timo Teras

    Timo Teras - 2009-01-16

    Closing all sourceforge.net bugs. If this issue has not been cared for please submit a new bug report to https://trac.ipsec-tools.net/ issue tracker. Thank you.