Ipsec: you want IPComp? Please add to the bounty, see last post
-
It may require more tweaking than the simple changes I suggested, though unless I see an example of a working configuration for that kind of setup I can't say for sure.
-
Looks like it might require an additional line in the config, and isn't used instead of esp. (whoops)
:-)
I'll see if I can make up a better set of changes.
-
Okay,
could you tell me where to configure this manually? racoon.conf ok, but where are the other config files for racoon?
Thanks!
-
Looks like it might require an additional line in the config, and isn't used instead of esp. (whoops)
:-)
I'll see if I can make up a better set of changes.
Great!! :)
-
Try this change in /etc/inc/vpn.inc (remove the other changes first)
At line 785, change this if statement like so:
if($ph2ent['mode'] == "tunnel") { $spdconf .= "spdadd {$localid} {$remoteid} any -P out ipsec "; $spdconf .= "ipcomp/tunnel/{$ep}-{$rgip}/use "; $spdconf .= "{$ph2ent['protocol']}/tunnel/{$ep}-{$rgip}/unique;\n"; $spdconf .= "spdadd {$remoteid} {$localid} any -P in ipsec "; $spdconf .= "ipcomp/tunnel/{$ep}-{$rgip}/use "; $spdconf .= "{$ph2ent['protocol']}/tunnel/{$rgip}-{$ep}/unique;\n"; } else {If that does work some GUI code would be needed to add a checkbox and add that conditionally.
-
Ouch, this change resulted in all tunnels going offline..
Jul 16 18:54:10 racoon: ERROR: failed to pre-process packet. Jul 16 18:54:10 racoon: ERROR: no suitable policy found. Jul 16 18:54:10 last message repeated 2 times Jul 16 18:54:10 racoon: ERROR: not matched Jul 16 18:54:10 last message repeated 2 times Jul 16 18:54:10 racoon: WARNING: trns_id mismatched: my:AES peer:BLOWFISH Jul 16 18:54:10 racoon: ERROR: not matched Jul 16 18:54:10 racoon: ERROR: not matched Jul 16 18:54:10 racoon: [Liezen]: INFO: respond new phase 2 negotiation: <pfsenseremoteip>[500]<=><remotesiteremoteip>[500]</remotesiteremoteip></pfsenseremoteip>Update2: they have blowfish as proposal 2, but it matches with proposal 1 usually which is aes
-
Yeah that would require ipcomp on all tunnels, but without the (much harder) GUI bits to make it conditional, it was the quickest test. Back those changes out then and try this:
Hand edit /var/etc/spd.conf and reload that with setkey.
Change a line like this:
spdadd x.x.x.0/24 y.y.y.0/24 any -P out ipsec esp/tunnel/b.b.b.b-a.a.a.a/unique; spdadd y.y.y.0/24 x.x.x.0/24 any -P in ipsec esp/tunnel/a.a.a.a-b.b.b.b/unique;To:
spdadd x.x.x.0/24 y.y.y.0/24 any -P out ipsec ipcomp/tunnel/b.b.b.b-a.a.a.a/use esp/tunnel/b.b.b.b-a.a.a.a/unique; spdadd y.y.y.0/24 x.x.x.0/24 any -P in ipsec ipcomp/tunnel/a.a.a.a-b.b.b.b/use esp/tunnel/a.a.a.a-b.b.b.b/unique; -
Ahhh ok, didn't test this one tunnel with ipcomp since all went offline and I was a little bit "pressed" to act fast :D
Will try that on this one
-
Okay, I removed the spds and readded them.. also removed the sads, now I have the following sads for this connection:
<pfsense>IPCOMP 0000b6a1 deflate Jul <remote>IPCOMP 0000e2b9 deflate Jul</remote></pfsense>But there's only one SPD :
IPCOMP <remoteip>-></remoteip>
-
I really really HATE ipsec
-
Yeah with OpenVPN it's as easy as checking "Enable LZO compression" :-)
Not sure what might be up with the one-direction entry, unless there was a typo in the edit.
-
Yes it might have been a typo :D
all offline so I can mess around :D
I re did the change you suggested and it worked (well not really). Now I got both spds but tunnel doesn't get established
sads are strange:IPCOMP 0000c3b5 none pid=19528 IPCOMP 0000da34 none pid=19528enc algorthm none?
auth algorithm pid? :D -
Jul 16 19:54:32 racoon: ERROR: failed to get sainfo. Jul 16 19:54:32 racoon: ERROR: failed to get sainfo. Jul 16 19:54:32 racoon: ERROR: failed to pre-process packet. -
Okay SADs changed to
esp aes-cbc hmac-sha1spds are both ipcomp
-
I saved this tunnel config again and sads changed to
IPCOMP 0000de3d deflate Jul
Before that, when sads were set to esp and spd set to ipcomp, I got
IKE info: Phase-2 proposal failed: remote No 1, missing protocol <-> local No 1 contains IPSEC_ESP
at the remote siteWhat's about that auth algorithm Jul? :D
-
Hi,
any news about any upcoming support for ipsec compression?
Are you planning to support it?
BTW: Very VERY, EXTREMELY nice work :) .. using pfsense beta4 without any problems for multi wan, multi lan, dmz, nat, aon, shaping, openvpn site to site and ipsec site to site without ANY issues since many weeks.. still doing upgrades every other day.. it's so stable and nice, wow! A BIG THANK YOU ALL!
Thanks!
-
Hi guys,
Just to butt in, do IPSec or OpenVPN do TCP Acceleration aside from Compression?
like this one http://www.[anti seo]expan[anti seo]d.com/ , more likely a wan OPTIMIZATION this is a vast of users needing this, especially in Satellite field.
TCP acceleration is the most needed in sat link because of its latency and TCP Session limitation.
-
Just to butt in, do IPSec or OpenVPN do TCP Acceleration aside from Compression?
No. Nor is there anything open source that does so. Such boxes cost a gigantic pile of money because it costs vast sums to develop.
-
I agree, but there is one though under linux and not that mature also.. http://www.trafficsqueezer.org/Doc_TCP_Optimization.html which does almost the same, but without the Single TCP tunnel which does not solve the issue of TCP Session limits of most newest sat modems like (IPST[anti ceo]AR) aside from scpc and mcpc. but to that effect, it drives more bandwidth and lessen latency, since the roundtrip time is minimal and compressed data traffic and since it almost convert TCP traffic somewhat like UDP traffic.
And yes, its a ton of money needed, agree, agree.
-
Okay, but what about IPComp for ipsec? :P
