Ipsec: you want IPComp? Please add to the bounty, see last post
-
Hi,
Finally I was successful in establishing a tunnel between a lancom 1811 and pfsense at last.
Is it possible to configure some compression for the tunnel?
In the section sainfo subnet I found "compression_algorithm deflate;" in /etc/var/racoon.conf.
But when I select deflate in the remote device it can't complete phase 2 :(Does anyone know anything about that?
Is it even possible yet?Thnx!
Max
-
Sorry to bring this up again, but I'd really like to know if you were planning to add this as an option.
Also I know this isn't the racoon support forum, but I'm totally lost trying to get this to work manually. There's only the racoon.conf but no ipsec conf where I think you are supposed to actually activate deflate for the p2s.
Thnx for any info and help on this!
-
"compression_algorithm deflate;" should be enough to trigger support for ipcomp.
It may be a problem with how it's implemented on the other end.
The same option is in 1.2.3 also. Does building a tunnel with ipcomp enabled on the far side work to a 1.2.3 box?
-
Thnx for your answer!
Hmm it's strange. I didn't test with 123 as I don't have a box set up with 123 at the moment.
If deflate is enabled in racoon.conf (which it is) and this setting is actually activating deflate for the p2, why are clients able to connect without configured for deflate?
When I set up tunnels between those vpn gateways (Lancom 1811) before and I selected deflate on one of them, the other side wouldn't be able to connect without it being configured for using deflate also.On racoon forums I read that only having compress algorith deflate in racoon.conf doesn't actually activate it. Instead I read that you had to set IPComp as parameter instead of ESP.
-
I don't think deflate is a required parameter to connect. Sort of like PFS. If you have one side set for PFS and the other has it off, they can still negotiate (Counter-intuitive to how IPsec usually works, but just one of it's "features")
I see how that it may be that you need that in place of esp as you said, but I haven't tried that.
If you're up for some experimenting, you could try to add "ipcomp" into the drop-down choice where you pick esp and ah:
Edit /etc/inc/ipsec.inc, on line 88, add an entry to that array:
$p2_protos = array( 'esp' => 'ESP', 'ipcomp' => 'IPCOMP', 'ah' => 'AH');Edit /etc/inc/vpn.inc, and change line 653 from this:
if($ph2ent['protocol'] == 'esp') {To this:
if(($ph2ent['protocol'] == 'esp') || ($ph2ent['protocol'] == 'ipcomp')) { -
Thank you :) :)
I'll try that out tonight or tomorrow when there are no users at the remote sites.
-
Found one more you might have to change:
In /usr/local/www/vpn_ipsec_phase2.php, lin 296 should change from:
if (value == 'esp')To:
if ((value == 'esp') || (value == 'ipcomp')) -
Ok, I wanted to try it out already :D
It does and does not work though.
On the remote site I get: Phase-2 proposal failed: remote No 1, number of protos 1 <-> local No 1, ย number of protos 2
I'm using aes-cbc + hmac sha1 + deflate on the remote site.
Maybe doing this change disabled the encryption proto needed? To test this when I change to no esp at all, but deflate at the remote site, pfsense of course complains about not being able to get the certificate. -
It may require more tweaking than the simple changes I suggested, though unless I see an example of a working configuration for that kind of setup I can't say for sure.
-
Looks like it might require an additional line in the config, and isn't used instead of esp. (whoops)
:-)
I'll see if I can make up a better set of changes.
-
Okay,
could you tell me where to configure this manually? racoon.conf ok, but where are the other config files for racoon?
Thanks!
-
Looks like it might require an additional line in the config, and isn't used instead of esp. (whoops)
:-)
I'll see if I can make up a better set of changes.
Great!! :)
-
Try this change in /etc/inc/vpn.inc (remove the other changes first)
At line 785, change this if statement like so:
if($ph2ent['mode'] == "tunnel") { $spdconf .= "spdadd {$localid} {$remoteid} any -P out ipsec "; $spdconf .= "ipcomp/tunnel/{$ep}-{$rgip}/use "; $spdconf .= "{$ph2ent['protocol']}/tunnel/{$ep}-{$rgip}/unique;\n"; $spdconf .= "spdadd {$remoteid} {$localid} any -P in ipsec "; $spdconf .= "ipcomp/tunnel/{$ep}-{$rgip}/use "; $spdconf .= "{$ph2ent['protocol']}/tunnel/{$rgip}-{$ep}/unique;\n"; } else {If that does work some GUI code would be needed to add a checkbox and add that conditionally.
-
Ouch, this change resulted in all tunnels going offline..
Jul 16 18:54:10 racoon: ERROR: failed to pre-process packet. Jul 16 18:54:10 racoon: ERROR: no suitable policy found. Jul 16 18:54:10 last message repeated 2 times Jul 16 18:54:10 racoon: ERROR: not matched Jul 16 18:54:10 last message repeated 2 times Jul 16 18:54:10 racoon: WARNING: trns_id mismatched: my:AES peer:BLOWFISH Jul 16 18:54:10 racoon: ERROR: not matched Jul 16 18:54:10 racoon: ERROR: not matched Jul 16 18:54:10 racoon: [Liezen]: INFO: respond new phase 2 negotiation: <pfsenseremoteip>[500]<=><remotesiteremoteip>[500]</remotesiteremoteip></pfsenseremoteip>Update2: they have blowfish as proposal 2, but it matches with proposal 1 usually which is aes
-
Yeah that would require ipcomp on all tunnels, but without the (much harder) GUI bits to make it conditional, it was the quickest test. Back those changes out then and try this:
Hand edit /var/etc/spd.conf and reload that with setkey.
Change a line like this:
spdadd x.x.x.0/24 y.y.y.0/24 any -P out ipsec esp/tunnel/b.b.b.b-a.a.a.a/unique; spdadd y.y.y.0/24 x.x.x.0/24 any -P in ipsec esp/tunnel/a.a.a.a-b.b.b.b/unique;To:
spdadd x.x.x.0/24 y.y.y.0/24 any -P out ipsec ipcomp/tunnel/b.b.b.b-a.a.a.a/use esp/tunnel/b.b.b.b-a.a.a.a/unique; spdadd y.y.y.0/24 x.x.x.0/24 any -P in ipsec ipcomp/tunnel/a.a.a.a-b.b.b.b/use esp/tunnel/a.a.a.a-b.b.b.b/unique; -
Ahhh ok, didn't test this one tunnel with ipcomp since all went offline and I was a little bit "pressed" to act fast :D
Will try that on this one
-
Okay, I removed the spds and readded them.. also removed the sads, now I have the following sads for this connection:
<pfsense>IPCOMP ย 0000b6a1 ย deflate ย Jul <remote>IPCOMP ย 0000e2b9 ย deflate ย Jul</remote></pfsense>But there's only one SPD :
IPCOMP ย <remoteip>-></remoteip>
-
I really really HATE ipsec
-
Yeah with OpenVPN it's as easy as checking "Enable LZO compression" :-)
Not sure what might be up with the one-direction entry, unless there was a typo in the edit.
-
Yes it might have been a typo :D
all offline so I can mess around :D
I re did the change you suggested and it worked (well not really). Now I got both spds but tunnel doesn't get established
sads are strange:IPCOMP ย 0000c3b5 ย none ย pid=19528 ย IPCOMP 0000da34 none pid=19528enc algorthm none?
auth algorithm pid? :D
