Gentoo Forums
[Solved] Openswan using Netkey and Ipcomp (compress=yes)
Rexilion (Veteran; Joined: 17 Mar 2009; Posts: 1044)
Posted: Wed Sep 15, 2010 2:13 pm    Post subject: [Solved] Openswan using Netkey and Ipcomp (compress=yes)

Hello,

I have finally managed to get openswan (2.6.28 on server and client) running on Gentoo. The client correctly connects to my server and client and server can communicate just fine. However, there is one thing that I just can't get to work: compression. It would be nice to get it working whenever I'm behind a slow connection (e.g. bad wireless connectivity). I'm currently running kernel 2.6.32 on the client and kernel 2.6.34 on the server. The server is running a higher version because it doesn't behave well with 2.6.32.

Now, whenever I add 'compress=yes' to my ipsec.conf on the client (the server automatically picks it up) then I get the following error on the server:

ERROR: netlink response for Add SAcomp.a5b0 <at> xxx.xxx.xxx.xxx included errno 22: Invalid argument

I searched these forums and on Google. One related page was this:

http://blog.gmane.org/gmane.network.openswan.user/month=20090901/page=12

They simply said: Disable compression. (I did not mess with rekeying and whenever connection works 'ip xfrm state' shows two normal entries)

I was also thinking that the kernel version is related to this, but this error came up with multiple kernel versions so that should rule this possibility out.

About the IPSEC connection: It's in tunneled mode using ESP. If the laptop is outside my home network, it uses ESP over UDP (forceencaps=yes), when inside my home network it uses 'plain' ESP. Setting compress=yes fails with the same error in both situations. Furthermore I'm using automatic keying using the Pluto IKE daemon which authenticates both ends using certificates and more specifically with a certificate authority.

Both kernels have:

CONFIG_XFRM_IPCOMP=y
CONFIG_INET_IPCOMP=y

enabled.

Now my question is: Is it possible to enable compression with the netkey stack?


Last edited by Rexilion on Sun Feb 12, 2012 11:55 am; edited 1 time in total
Rexilion (Veteran; Joined: 17 Mar 2009; Posts: 1044)
Posted: Sun Feb 12, 2012 11:54 am

Don't know if this helps anybody...

I figured it out (sort of). These days I use strongswan-4.6.1, of which previous versions also failed to enable compression, like openswan. However, with this version I get this very informative message:

[charon] 13[IKE] IPComp is not supported if either peer is natted, IPComp disabled

Oh well...
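The charon message in the last post ties IPComp to the absence of NAT, and the first post combines compress=yes with forceencaps=yes. The following is an added example, not part of either post and not Openswan or strongSwan code: a small check that lists the conn sections of an ipsec.conf that request both options. It assumes forceencaps=yes makes the IKE daemon treat the path as NATed; the sample configuration, conn names and addresses are constructed.

```python
# Constructed sample in ipsec.conf syntax; conn names and addresses are made up.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes

conn %default
    compress=yes

conn roadwarrior
    right=192.0.2.10
    forceencaps=yes   # ESP over UDP, as used outside the home network

conn home-lan
    right=192.0.2.10
    forceencaps=no

conn no-comp
    right=192.0.2.20
    compress=no
    forceencaps=yes
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged in."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header, e.g. "conn name"
            kind, _, name = line.partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:  # indented key=value inside a conn
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()}

def ipcomp_conflicts(text):
    """Names of conns that request IPComp while forcing ESP-in-UDP."""
    # Assumption: forced UDP encapsulation is handled like a detected NAT,
    # the condition under which charon reports "IPComp disabled".
    return sorted(name for name, opts in parse_conns(text).items()
                  if opts.get("compress") == "yes" and opts.get("forceencaps") == "yes")

if __name__ == "__main__":
    for name in ipcomp_conflicts(SAMPLE_CONF):
        print(f"conn {name}: compress=yes together with forceencaps=yes")
```

The check only sees forced encapsulation in the configuration; a NAT detected on the path at connection time still has to be read from the daemon's log.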