In testing racoon, I found that when it sends an
SADB_ADD message to the kernel for IPComp, the replay
window size is set to 4. This causes the kernel to
reject any inbound IPComp packets. This patch makes
sure the replay window size is set to 0 for IPComp, to
prevent this from happening.
Also, racoon needs to specify the min and max CPI for
IPComp, so that the kernel does not allocate one that
is 4 bytes instead of 2 bytes. Currently, the Linux
kernel does not make sure to only use 2 bytes for CPIs.
This can also cause packets to be dropped by the
kernel, due to the CPI in the packet not matching the
one the kernel has. This fix also ensures that the min
and max CPI are set for IPComp so that the kernel
chooses one that is in the correct range.
These patches are against ipsec-tools-0.2.2. They have
been tested with the 2.6.0-test4 kernel. I have not
seen any changes to the handling of IPComp by the
kernel in any of the latest 2.6.0-test releases, so the
fix should work on later kernels as well.
If there are any questions regarding this patch, please
5775 Morehouse Dr.
San Diego, CA 92121
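As an added illustration of the two conditions described in the post (not racoon's or ipsec-tools' own code), here is a small Python encoder and checker for PF_KEY v2 SADB_ADD / SADB_GETSPI messages: it flags a non-zero replay window on an IPComp SA and a CPI or CPI range that does not fit in 16 bits. Struct layouts and numeric constants follow RFC 2367 and Linux's linux/pfkeyv2.h as assumed here; the sample CPI range 0x100-0xffff and the seq/pid values are constructed.

```python
import struct

# PF_KEY v2 constants (RFC 2367 / Linux pfkeyv2.h, assumed values)
PF_KEY_V2 = 2
SADB_GETSPI, SADB_ADD = 1, 3
SADB_X_SATYPE_IPCOMP = 9
SADB_EXT_SA, SADB_EXT_SPIRANGE = 1, 16
SADB_SASTATE_MATURE = 1

def sadb_msg(msg_type, satype, payload, seq=1, pid=4242):
    """16-byte sadb_msg header + extensions; sadb_msg_len is in 64-bit words."""
    total = 16 + len(payload)
    assert total % 8 == 0, "PF_KEY messages are 8-byte aligned"
    return struct.pack("=BBBBHHII", PF_KEY_V2, msg_type, 0, satype,
                       total // 8, 0, seq, pid) + payload

def sadb_sa(spi, replay, state=SADB_SASTATE_MATURE, auth=0, encrypt=0, flags=0):
    """16-byte sadb_sa extension; the SPI (CPI for IPComp) is network byte order."""
    return (struct.pack("=HH", 2, SADB_EXT_SA) + struct.pack("!I", spi)
            + struct.pack("=BBBBI", replay, state, auth, encrypt, flags))

def sadb_spirange(lo, hi):
    """16-byte sadb_spirange extension (host byte order bounds)."""
    return struct.pack("=HHIII", 2, SADB_EXT_SPIRANGE, lo, hi, 0)

def check_ipcomp_msg(msg):
    """Return the problems in a PF_KEY message that would make the kernel
    drop inbound IPComp traffic: non-zero replay window, or a CPI/CPI range
    wider than the 16-bit field IPComp carries on the wire."""
    problems = []
    _, mtype, _, satype, _, _, _, _ = struct.unpack_from("=BBBBHHII", msg, 0)
    if satype != SADB_X_SATYPE_IPCOMP:
        return problems            # only IPComp SAs are subject to these rules
    off, seen_range = 16, False
    while off < len(msg):
        elen, etype = struct.unpack_from("=HH", msg, off)
        if etype == SADB_EXT_SA:
            cpi = struct.unpack_from("!I", msg, off + 4)[0]
            replay = msg[off + 8]
            if replay != 0:
                problems.append(f"replay window {replay} on IPComp SA (must be 0)")
            if cpi > 0xFFFF:
                problems.append(f"CPI 0x{cpi:x} does not fit in 16 bits")
        elif etype == SADB_EXT_SPIRANGE:
            lo, hi = struct.unpack_from("=II", msg, off + 4)
            seen_range = True
            if lo > hi or hi > 0xFFFF:
                problems.append(f"CPI range 0x{lo:x}-0x{hi:x} not within 16 bits")
        off += elen * 8            # extension lengths are also in 64-bit words
    if mtype == SADB_GETSPI and not seen_range:
        problems.append("SADB_GETSPI for IPComp without a CPI range")
    return problems
```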