Ipsec: you want IPComp? Please add to the bounty, see last post

mxx

Hi,

Finally I was successful in establishing a tunnel between a lancom 1811 and pfsense at last.

Is it possible to configure some compression for the tunnel?
In the section sainfo subnet I found "compression_algorithm deflate;" in /etc/var/racoon.conf.
But when I select deflate in the remote device it can't complete phase 2 :(

Does anyone know anything about that?
Is it even possible yet?

Thnx!

Max

mxx

Sorry to bring this up again, but I'd really like to know if you were planning to add this as an option.

Also I know this isn't the racoon support forum, but I'm totally lost trying to get this to work manually. There's only the racoon.conf but no ipsec conf where I think you are supposed to actually activate deflate for the p2s.

Thnx for any info and help on this!

jimp

"compression_algorithm deflate;" should be enough to trigger support for ipcomp.

It may be a problem with how it's implemented on the other end.

The same option is in 1.2.3 also. Does building a tunnel with ipcomp enabled on the far side work to a 1.2.3 box?

mxx

Thnx for your answer!

Hmm it's strange. I didn't test with 123 as I don't have a box set up with 123 at the moment.
If deflate is enabled in racoon.conf (which it is) and this setting is actually activating deflate for the p2, why are clients able to connect without configured for deflate?
When I set up tunnels between those vpn gateways (Lancom 1811) before and I selected deflate on one of them, the other side wouldn't be able to connect without it being configured for using deflate also.

On racoon forums I read that only having compress algorith deflate in racoon.conf doesn't actually activate it. Instead I read that you had to set IPComp as parameter instead of ESP.

jimp

I don't think deflate is a required parameter to connect. Sort of like PFS. If you have one side set for PFS and the other has it off, they can still negotiate (Counter-intuitive to how IPsec usually works, but just one of it's "features")

I see how that it may be that you need that in place of esp as you said, but I haven't tried that.

If you're up for some experimenting, you could try to add "ipcomp" into the drop-down choice where you pick esp and ah:

Edit /etc/inc/ipsec.inc, on line 88, add an entry to that array:

$p2_protos = array(
	'esp' => 'ESP',
	'ipcomp' => 'IPCOMP',
	'ah' => 'AH');

Edit /etc/inc/vpn.inc, and change line 653 from this:

if($ph2ent['protocol'] == 'esp') {

To this:

if(($ph2ent['protocol'] == 'esp') || ($ph2ent['protocol'] == 'ipcomp')) {

mxx

Thank you :) :)

I'll try that out tonight or tomorrow when there are no users at the remote sites.

jimp

Found one more you might have to change:

In /usr/local/www/vpn_ipsec_phase2.php, lin 296 should change from:

	if (value == 'esp')

To:

	if ((value == 'esp') || (value == 'ipcomp'))

mxx

Ok, I wanted to try it out already :D

It does and does not work though.
On the remote site I get: Phase-2 proposal failed: remote No 1, number of protos 1 <-> local No 1,  number of protos 2
I'm using aes-cbc + hmac sha1 + deflate on the remote site.
Maybe doing this change disabled the encryption proto needed? To test this when I change to no esp at all, but deflate at the remote site, pfsense of course complains about not being able to get the certificate.

jimp

It may require more tweaking than the simple changes I suggested, though unless I see an example of a working configuration for that kind of setup I can't say for sure.

jimp

Looks like it might require an additional line in the config, and isn't used instead of esp. (whoops)

:-)

I'll see if I can make up a better set of changes.

mxx

Okay,

could you tell me where to configure this manually? racoon.conf ok, but where are the other config files for racoon?

Thanks!

mxx

@jimp:

Looks like it might require an additional line in the config, and isn't used instead of esp. (whoops)

:-)

I'll see if I can make up a better set of changes.

Great!! :)

jimp

Try this change in /etc/inc/vpn.inc (remove the other changes first)

At line 785, change this if statement like so:

				if($ph2ent['mode'] == "tunnel") {

					$spdconf .= "spdadd {$localid} {$remoteid} any -P out ipsec ";
					$spdconf .= "ipcomp/tunnel/{$ep}-{$rgip}/use ";
					$spdconf .= "{$ph2ent['protocol']}/tunnel/{$ep}-{$rgip}/unique;\n";

					$spdconf .= "spdadd {$remoteid} {$localid} any -P in ipsec ";
					$spdconf .= "ipcomp/tunnel/{$ep}-{$rgip}/use ";
					$spdconf .= "{$ph2ent['protocol']}/tunnel/{$rgip}-{$ep}/unique;\n";

				} else {

If that does work some GUI code would be needed to add a checkbox and add that conditionally.

mxx

Ouch, this change resulted in all tunnels going offline..

Jul 16 18:54:10 	racoon: ERROR: failed to pre-process packet.
Jul 16 18:54:10 	racoon: ERROR: no suitable policy found.
Jul 16 18:54:10 	last message repeated 2 times
Jul 16 18:54:10 	racoon: ERROR: not matched
Jul 16 18:54:10 	last message repeated 2 times
Jul 16 18:54:10 	racoon: WARNING: trns_id mismatched: my:AES peer:BLOWFISH
Jul 16 18:54:10 	racoon: ERROR: not matched
Jul 16 18:54:10 	racoon: ERROR: not matched
Jul 16 18:54:10 	racoon: [Liezen]: INFO: respond new phase 2 negotiation: <pfsenseremoteip>[500]<=><remotesiteremoteip>[500]</remotesiteremoteip></pfsenseremoteip> 

Update2: they have blowfish as proposal 2, but it matches with proposal 1 usually which is aes

jimp

Yeah that would require ipcomp on all tunnels, but without the (much harder) GUI bits to make it conditional, it was the quickest test. Back those changes out then and try this:

Hand edit /var/etc/spd.conf and reload that with setkey.

Change a line like this:

spdadd x.x.x.0/24 y.y.y.0/24 any -P out ipsec esp/tunnel/b.b.b.b-a.a.a.a/unique;
spdadd y.y.y.0/24 x.x.x.0/24 any -P in ipsec esp/tunnel/a.a.a.a-b.b.b.b/unique;

To:

spdadd x.x.x.0/24 y.y.y.0/24 any -P out ipsec ipcomp/tunnel/b.b.b.b-a.a.a.a/use esp/tunnel/b.b.b.b-a.a.a.a/unique;
spdadd y.y.y.0/24 x.x.x.0/24 any -P in ipsec ipcomp/tunnel/a.a.a.a-b.b.b.b/use esp/tunnel/a.a.a.a-b.b.b.b/unique;

mxx

Ahhh ok, didn't test this one tunnel with ipcomp since all went offline and I was a little bit "pressed" to act fast :D

Will try that on this one

mxx

Okay, I removed the spds and readded them.. also removed the sads, now I have the following sads for this connection:

 <pfsense>IPCOMP  	0000b6a1  	deflate  	Jul
 <remote>IPCOMP  	0000e2b9  	deflate  	Jul</remote></pfsense> 

But there's only one SPD :

IPCOMP   <remoteip>-></remoteip>

mxx

I really really HATE ipsec

jimp

Yeah with OpenVPN it's as easy as checking "Enable LZO compression" :-)

Not sure what might be up with the one-direction entry, unless there was a typo in the edit.

mxx

Yes it might have been a typo :D

all offline so I can mess around :D

I re did the change you suggested and it worked (well not really). Now I got both spds but tunnel doesn't get established
sads are strange:

IPCOMP  	0000c3b5  	none  	pid=19528  	
IPCOMP 	0000da34 	none 	pid=19528

enc algorthm none?
auth algorithm pid? :D

mxx

Jul 16 19:54:32 	racoon: ERROR: failed to get sainfo.
Jul 16 19:54:32 	racoon: ERROR: failed to get sainfo.
Jul 16 19:54:32 	racoon: ERROR: failed to pre-process packet.

mxx

Okay SADs changed to
esp aes-cbc  hmac-sha1

spds are both ipcomp

mxx

I saved this tunnel config again and sads changed to

IPCOMP   0000de3d   deflate   Jul

Before that, when sads were set to esp and spd set to ipcomp, I got
IKE info: Phase-2 proposal failed: remote No 1, missing protocol <-> local No 1 contains IPSEC_ESP
at the remote site

What's about that auth algorithm Jul? :D

mxx

Hi,

any news about any upcoming support for ipsec compression?

Are you planning to support it?

BTW: Very VERY, EXTREMELY nice work :) .. using pfsense beta4 without any problems for multi wan, multi lan, dmz, nat, aon, shaping, openvpn site to site and ipsec site to site without ANY issues since many weeks.. still doing upgrades every other day.. it's so stable and nice, wow! A BIG THANK YOU ALL!

Thanks!

axscode

Hi guys,

Just to butt in, do IPSec or OpenVPN do TCP Acceleration aside from Compression?

like this one http://www.[anti seo]expan[anti seo]d.com/ , more likely a wan OPTIMIZATION this is a vast of users needing this, especially in Satellite field.

TCP acceleration is the most needed in sat link because of its latency and TCP Session limitation.

cmb

@axscode:

Just to butt in, do IPSec or OpenVPN do TCP Acceleration aside from Compression?

No. Nor is there anything open source that does so. Such boxes cost a gigantic pile of money because it costs vast sums to develop.

axscode

@cmb

I agree, but there is one though under linux and not that mature also.. http://www.trafficsqueezer.org/Doc_TCP_Optimization.html which does almost the same, but without the Single TCP tunnel which does not solve the issue of TCP Session limits of most newest sat modems like (IPST[anti ceo]AR) aside from scpc and mcpc. but to that effect, it drives more bandwidth and lessen latency, since the roundtrip time is minimal and compressed data traffic and since it almost convert TCP traffic somewhat like UDP traffic.

And yes, its a ton of money needed, agree, agree.

mxx

Okay, but what about IPComp for ipsec?  :P

cmb

@axscode:

I agree, but there is one though under linux and not that mature also.. http://www.trafficsqueezer.org/Doc_TCP_Optimization.html which does almost the same,

I should have clarified - nothing even remotely close to being production capable. There are at least a couple projects along those lines, none of which are anywhere near being usable.

@mxx:

Okay, but what about IPComp for ipsec?  :P

It should work just by adding it to the config. Hack it in, try it out, and let us know how it works. It's not hard to add if it works, but we have no plans to do the leg work on that in the immediate future.

mxx

Okay I'll try :) and report back

Eugene

I've managed to bring a tunnel with ipcomp/esp between two pfSense boxes but I doubt that compression actually works. I am sending 508 byte icmp packets and I see 564 byte ESP packets. And surprisingly I can't find good info about troubleshooting ipcomp in racoon. Any thoughts/hints?

mxx

Hi, yes I tried what Jimp suggested as good as I could ;) but then I had those problems and errors you can read in the aforementioned thread.

Edit: ohh this thread it is :D sorry a  little bit confused over here.. thought to having replied to the corresponding thread in the bounty forum..

Maybe you could test with Shrewsoft VPN Client.. I suppose the software would tell you if ipcomp was actually in use or not..

mxx

To anyone else wanting that feature, please add to the bounty here: http://forum.pfsense.org/index.php/topic,31527.0.html also very little amounts make a difference ;)

mxx

bump just a reminder: Anyone who would like to have compression support for ipsec, please add to the bounty. Even if it's just 5 USD ;)

Thank you!

http://forum.pfsense.org/index.php/topic,31527.0.html