Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Ipsec: you want IPComp? Please add to the bounty, see last post

    2.0-RC Snapshot Feedback and Problems - RETIRED
    5
    34
    10749
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      mxx last edited by

      Hi,

      Finally I was successful in establishing a tunnel between a lancom 1811 and pfsense at last.

      Is it possible to configure some compression for the tunnel?
      In the section sainfo subnet I found "compression_algorithm deflate;" in /etc/var/racoon.conf.
      But when I select deflate in the remote device it can't complete phase 2 :(

      Does anyone know anything about that?
      Is it even possible yet?

      Thnx!

      Max

      1 Reply Last reply Reply Quote 0
      • M
        mxx last edited by

        Sorry to bring this up again, but I'd really like to know if you were planning to add this as an option.

        Also I know this isn't the racoon support forum, but I'm totally lost trying to get this to work manually. There's only the racoon.conf but no ipsec conf where I think you are supposed to actually activate deflate for the p2s.

        Thnx for any info and help on this!

        1 Reply Last reply Reply Quote 0
        • jimp
          jimp Rebel Alliance Developer Netgate last edited by

          "compression_algorithm deflate;" should be enough to trigger support for ipcomp.

          It may be a problem with how it's implemented on the other end.

          The same option is in 1.2.3 also. Does building a tunnel with ipcomp enabled on the far side work to a 1.2.3 box?

          1 Reply Last reply Reply Quote 0
          • M
            mxx last edited by

            Thnx for your answer!

            Hmm it's strange. I didn't test with 123 as I don't have a box set up with 123 at the moment.
            If deflate is enabled in racoon.conf (which it is) and this setting is actually activating deflate for the p2, why are clients able to connect without configured for deflate?
            When I set up tunnels between those vpn gateways (Lancom 1811) before and I selected deflate on one of them, the other side wouldn't be able to connect without it being configured for using deflate also.

            On racoon forums I read that only having compress algorith deflate in racoon.conf doesn't actually activate it. Instead I read that you had to set IPComp as parameter instead of ESP.

            1 Reply Last reply Reply Quote 0
            • jimp
              jimp Rebel Alliance Developer Netgate last edited by

              I don't think deflate is a required parameter to connect. Sort of like PFS. If you have one side set for PFS and the other has it off, they can still negotiate (Counter-intuitive to how IPsec usually works, but just one of it's "features")

              I see how that it may be that you need that in place of esp as you said, but I haven't tried that.

              If you're up for some experimenting, you could try to add "ipcomp" into the drop-down choice where you pick esp and ah:

              Edit /etc/inc/ipsec.inc, on line 88, add an entry to that array:

              $p2_protos = array(
              	'esp' => 'ESP',
              	'ipcomp' => 'IPCOMP',
              	'ah' => 'AH');
              

              Edit /etc/inc/vpn.inc, and change line 653 from this:

              if($ph2ent['protocol'] == 'esp') {
              

              To this:

              if(($ph2ent['protocol'] == 'esp') || ($ph2ent['protocol'] == 'ipcomp')) {
              
              1 Reply Last reply Reply Quote 0
              • M
                mxx last edited by

                Thank you :) :)

                I'll try that out tonight or tomorrow when there are no users at the remote sites.

                1 Reply Last reply Reply Quote 0
                • jimp
                  jimp Rebel Alliance Developer Netgate last edited by

                  Found one more you might have to change:

                  In /usr/local/www/vpn_ipsec_phase2.php, lin 296 should change from:

                  	if (value == 'esp')
                  

                  To:

                  	if ((value == 'esp') || (value == 'ipcomp'))
                  
                  1 Reply Last reply Reply Quote 0
                  • M
                    mxx last edited by

                    Ok, I wanted to try it out already :D

                    It does and does not work though.
                    On the remote site I get: Phase-2 proposal failed: remote No 1, number of protos 1 <-> local No 1,  number of protos 2
                    I'm using aes-cbc + hmac sha1 + deflate on the remote site.
                    Maybe doing this change disabled the encryption proto needed? To test this when I change to no esp at all, but deflate at the remote site, pfsense of course complains about not being able to get the certificate.

                    1 Reply Last reply Reply Quote 0
                    • jimp
                      jimp Rebel Alliance Developer Netgate last edited by

                      It may require more tweaking than the simple changes I suggested, though unless I see an example of a working configuration for that kind of setup I can't say for sure.

                      1 Reply Last reply Reply Quote 0
                      • jimp
                        jimp Rebel Alliance Developer Netgate last edited by

                        Looks like it might require an additional line in the config, and isn't used instead of esp. (whoops)

                        :-)

                        I'll see if I can make up a better set of changes.

                        1 Reply Last reply Reply Quote 0
                        • M
                          mxx last edited by

                          Okay,

                          could you tell me where to configure this manually? racoon.conf ok, but where are the other config files for racoon?

                          Thanks!

                          1 Reply Last reply Reply Quote 0
                          • M
                            mxx last edited by

                            @jimp:

                            Looks like it might require an additional line in the config, and isn't used instead of esp. (whoops)

                            :-)

                            I'll see if I can make up a better set of changes.

                            Great!! :)

                            1 Reply Last reply Reply Quote 0
                            • jimp
                              jimp Rebel Alliance Developer Netgate last edited by

                              Try this change in /etc/inc/vpn.inc (remove the other changes first)

                              At line 785, change this if statement like so:

                              				if($ph2ent['mode'] == "tunnel") {
                              
                              					$spdconf .= "spdadd {$localid} {$remoteid} any -P out ipsec ";
                              					$spdconf .= "ipcomp/tunnel/{$ep}-{$rgip}/use ";
                              					$spdconf .= "{$ph2ent['protocol']}/tunnel/{$ep}-{$rgip}/unique;\n";
                              
                              					$spdconf .= "spdadd {$remoteid} {$localid} any -P in ipsec ";
                              					$spdconf .= "ipcomp/tunnel/{$ep}-{$rgip}/use ";
                              					$spdconf .= "{$ph2ent['protocol']}/tunnel/{$rgip}-{$ep}/unique;\n";
                              
                              				} else {
                              

                              If that does work some GUI code would be needed to add a checkbox and add that conditionally.

                              1 Reply Last reply Reply Quote 0
                              • M
                                mxx last edited by

                                Ouch, this change resulted in all tunnels going offline..

                                
                                Jul 16 18:54:10 	racoon: ERROR: failed to pre-process packet.
                                Jul 16 18:54:10 	racoon: ERROR: no suitable policy found.
                                Jul 16 18:54:10 	last message repeated 2 times
                                Jul 16 18:54:10 	racoon: ERROR: not matched
                                Jul 16 18:54:10 	last message repeated 2 times
                                Jul 16 18:54:10 	racoon: WARNING: trns_id mismatched: my:AES peer:BLOWFISH
                                Jul 16 18:54:10 	racoon: ERROR: not matched
                                Jul 16 18:54:10 	racoon: ERROR: not matched
                                Jul 16 18:54:10 	racoon: [Liezen]: INFO: respond new phase 2 negotiation: <pfsenseremoteip>[500]<=><remotesiteremoteip>[500]</remotesiteremoteip></pfsenseremoteip> 
                                

                                Update2: they have blowfish as proposal 2, but it matches with proposal 1 usually which is aes

                                1 Reply Last reply Reply Quote 0
                                • jimp
                                  jimp Rebel Alliance Developer Netgate last edited by

                                  Yeah that would require ipcomp on all tunnels, but without the (much harder) GUI bits to make it conditional, it was the quickest test. Back those changes out then and try this:

                                  Hand edit /var/etc/spd.conf and reload that with setkey.

                                  Change a line like this:

                                  spdadd x.x.x.0/24 y.y.y.0/24 any -P out ipsec esp/tunnel/b.b.b.b-a.a.a.a/unique;
                                  spdadd y.y.y.0/24 x.x.x.0/24 any -P in ipsec esp/tunnel/a.a.a.a-b.b.b.b/unique;
                                  

                                  To:

                                  spdadd x.x.x.0/24 y.y.y.0/24 any -P out ipsec ipcomp/tunnel/b.b.b.b-a.a.a.a/use esp/tunnel/b.b.b.b-a.a.a.a/unique;
                                  spdadd y.y.y.0/24 x.x.x.0/24 any -P in ipsec ipcomp/tunnel/a.a.a.a-b.b.b.b/use esp/tunnel/a.a.a.a-b.b.b.b/unique;
                                  
                                  1 Reply Last reply Reply Quote 0
                                  • M
                                    mxx last edited by

                                    Ahhh ok, didn't test this one tunnel with ipcomp since all went offline and I was a little bit "pressed" to act fast :D

                                    Will try that on this one

                                    1 Reply Last reply Reply Quote 0
                                    • M
                                      mxx last edited by

                                      Okay, I removed the spds and readded them.. also removed the sads, now I have the following sads for this connection:

                                      
                                       <pfsense>IPCOMP  	0000b6a1  	deflate  	Jul
                                       <remote>IPCOMP  	0000e2b9  	deflate  	Jul</remote></pfsense> 
                                      

                                      But there's only one SPD :

                                      IPCOMP   <remoteip>-></remoteip>

                                      1 Reply Last reply Reply Quote 0
                                      • M
                                        mxx last edited by

                                        I really really HATE ipsec

                                        1 Reply Last reply Reply Quote 0
                                        • jimp
                                          jimp Rebel Alliance Developer Netgate last edited by

                                          Yeah with OpenVPN it's as easy as checking "Enable LZO compression" :-)

                                          Not sure what might be up with the one-direction entry, unless there was a typo in the edit.

                                          1 Reply Last reply Reply Quote 0
                                          • M
                                            mxx last edited by

                                            Yes it might have been a typo :D

                                            all offline so I can mess around :D

                                            I re did the change you suggested and it worked (well not really). Now I got both spds but tunnel doesn't get established
                                            sads are strange:

                                            
                                            IPCOMP  	0000c3b5  	none  	pid=19528  	
                                            IPCOMP 	0000da34 	none 	pid=19528
                                            
                                            

                                            enc algorthm none?
                                            auth algorithm pid? :D

                                            1 Reply Last reply Reply Quote 0
                                            • M
                                              mxx last edited by

                                              
                                              Jul 16 19:54:32 	racoon: ERROR: failed to get sainfo.
                                              Jul 16 19:54:32 	racoon: ERROR: failed to get sainfo.
                                              Jul 16 19:54:32 	racoon: ERROR: failed to pre-process packet.
                                              
                                              
                                              1 Reply Last reply Reply Quote 0
                                              • M
                                                mxx last edited by

                                                Okay SADs changed to
                                                esp aes-cbc  hmac-sha1

                                                spds are both ipcomp

                                                1 Reply Last reply Reply Quote 0
                                                • M
                                                  mxx last edited by

                                                  I saved this tunnel config again and sads changed to

                                                  IPCOMP   0000de3d   deflate   Jul

                                                  Before that, when sads were set to esp and spd set to ipcomp, I got
                                                  IKE info: Phase-2 proposal failed: remote No 1, missing protocol <-> local No 1 contains IPSEC_ESP
                                                  at the remote site

                                                  What's about that auth algorithm Jul? :D

                                                  1 Reply Last reply Reply Quote 0
                                                  • M
                                                    mxx last edited by

                                                    Hi,

                                                    any news about any upcoming support for ipsec compression?

                                                    Are you planning to support it?

                                                    BTW: Very VERY, EXTREMELY nice work :) .. using pfsense beta4 without any problems for multi wan, multi lan, dmz, nat, aon, shaping, openvpn site to site and ipsec site to site without ANY issues since many weeks.. still doing upgrades every other day.. it's so stable and nice, wow! A BIG THANK YOU ALL!

                                                    Thanks!

                                                    1 Reply Last reply Reply Quote 0
                                                    • A
                                                      axscode last edited by

                                                      Hi guys,

                                                      Just to butt in, do IPSec or OpenVPN do TCP Acceleration aside from Compression?

                                                      like this one http://www.[anti seo]expan[anti seo]d.com/ , more likely a wan OPTIMIZATION this is a vast of users needing this, especially in Satellite field.

                                                      TCP acceleration is the most needed in sat link because of its latency and TCP Session limitation.

                                                      1 Reply Last reply Reply Quote 0
                                                      • C
                                                        cmb last edited by

                                                        @axscode:

                                                        Just to butt in, do IPSec or OpenVPN do TCP Acceleration aside from Compression?

                                                        No. Nor is there anything open source that does so. Such boxes cost a gigantic pile of money because it costs vast sums to develop.

                                                        1 Reply Last reply Reply Quote 0
                                                        • A
                                                          axscode last edited by

                                                          @cmb

                                                          I agree, but there is one though under linux and not that mature also.. http://www.trafficsqueezer.org/Doc_TCP_Optimization.html which does almost the same, but without the Single TCP tunnel which does not solve the issue of TCP Session limits of most newest sat modems like (IPST[anti ceo]AR) aside from scpc and mcpc. but to that effect, it drives more bandwidth and lessen latency, since the roundtrip time is minimal and compressed data traffic and since it almost convert TCP traffic somewhat like UDP traffic.

                                                          And yes, its a ton of money needed, agree, agree.

                                                          1 Reply Last reply Reply Quote 0
                                                          • M
                                                            mxx last edited by

                                                            Okay, but what about IPComp for ipsec?  :P

                                                            1 Reply Last reply Reply Quote 0
                                                            • C
                                                              cmb last edited by

                                                              @axscode:

                                                              I agree, but there is one though under linux and not that mature also.. http://www.trafficsqueezer.org/Doc_TCP_Optimization.html which does almost the same,

                                                              I should have clarified - nothing even remotely close to being production capable. There are at least a couple projects along those lines, none of which are anywhere near being usable.

                                                              @mxx:

                                                              Okay, but what about IPComp for ipsec?  :P

                                                              It should work just by adding it to the config. Hack it in, try it out, and let us know how it works. It's not hard to add if it works, but we have no plans to do the leg work on that in the immediate future.

                                                              1 Reply Last reply Reply Quote 0
                                                              • M
                                                                mxx last edited by

                                                                Okay I'll try :) and report back

                                                                1 Reply Last reply Reply Quote 0
                                                                • E
                                                                  Eugene last edited by

                                                                  I've managed to bring a tunnel with ipcomp/esp between two pfSense boxes but I doubt that compression actually works. I am sending 508 byte icmp packets and I see 564 byte ESP packets. And surprisingly I can't find good info about troubleshooting ipcomp in racoon. Any thoughts/hints?

                                                                  1 Reply Last reply Reply Quote 0
                                                                  • M
                                                                    mxx last edited by

                                                                    Hi, yes I tried what Jimp suggested as good as I could ;) but then I had those problems and errors you can read in the aforementioned thread.

                                                                    Edit: ohh this thread it is :D sorry a  little bit confused over here.. thought to having replied to the corresponding thread in the bounty forum..

                                                                    Maybe you could test with Shrewsoft VPN Client.. I suppose the software would tell you if ipcomp was actually in use or not..

                                                                    1 Reply Last reply Reply Quote 0
                                                                    • M
                                                                      mxx last edited by

                                                                      To anyone else wanting that feature, please add to the bounty here: http://forum.pfsense.org/index.php/topic,31527.0.html also very little amounts make a difference ;)

                                                                      1 Reply Last reply Reply Quote 0
                                                                      • M
                                                                        mxx last edited by

                                                                        bump just a reminder: Anyone who would like to have compression support for ipsec, please add to the bounty. Even if it's just 5 USD ;)

                                                                        Thank you!

                                                                        http://forum.pfsense.org/index.php/topic,31527.0.html

                                                                        1 Reply Last reply Reply Quote 0
                                                                        • First post
                                                                          Last post

                                                                        Products

                                                                        • Platform Overview
                                                                        • TNSR
                                                                        • pfSense
                                                                        • Appliances

                                                                        Services

                                                                        • Training
                                                                        • Professional Services

                                                                        Support

                                                                        • Subscription Plans
                                                                        • Contact Support
                                                                        • Product Lifecycle
                                                                        • Documentation

                                                                        News

                                                                        • Media Coverage
                                                                        • Press
                                                                        • Events

                                                                        Resources

                                                                        • Blog
                                                                        • FAQ
                                                                        • Find a Partner
                                                                        • Resource Library
                                                                        • Security Information

                                                                        Company

                                                                        • About Us
                                                                        • Careers
                                                                        • Partners
                                                                        • Contact Us
                                                                        • Legal
                                                                        Our Mission

                                                                        We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

                                                                        Subscribe to our Newsletter

                                                                        Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

                                                                        © 2021 Rubicon Communications, LLC | Privacy Policy