Ipsec: you want IPComp? Please add to the bounty, see last post
-
I don't think deflate is a required parameter to connect. Sort of like PFS. If you have one side set for PFS and the other has it off, they can still negotiate (Counter-intuitive to how IPsec usually works, but just one of it's "features")
I see how that it may be that you need that in place of esp as you said, but I haven't tried that.
If you're up for some experimenting, you could try to add "ipcomp" into the drop-down choice where you pick esp and ah:
Edit /etc/inc/ipsec.inc, on line 88, add an entry to that array:
$p2_protos = array( 'esp' => 'ESP', 'ipcomp' => 'IPCOMP', 'ah' => 'AH');Edit /etc/inc/vpn.inc, and change line 653 from this:
if($ph2ent['protocol'] == 'esp') {To this:
if(($ph2ent['protocol'] == 'esp') || ($ph2ent['protocol'] == 'ipcomp')) { -
Thank you :) :)
I'll try that out tonight or tomorrow when there are no users at the remote sites.
-
Found one more you might have to change:
In /usr/local/www/vpn_ipsec_phase2.php, lin 296 should change from:
if (value == 'esp')To:
if ((value == 'esp') || (value == 'ipcomp')) -
Ok, I wanted to try it out already :D
It does and does not work though.
On the remote site I get: Phase-2 proposal failed: remote No 1, number of protos 1 <-> local No 1, number of protos 2
I'm using aes-cbc + hmac sha1 + deflate on the remote site.
Maybe doing this change disabled the encryption proto needed? To test this when I change to no esp at all, but deflate at the remote site, pfsense of course complains about not being able to get the certificate. -
It may require more tweaking than the simple changes I suggested, though unless I see an example of a working configuration for that kind of setup I can't say for sure.
-
Looks like it might require an additional line in the config, and isn't used instead of esp. (whoops)
:-)
I'll see if I can make up a better set of changes.
-
Okay,
could you tell me where to configure this manually? racoon.conf ok, but where are the other config files for racoon?
Thanks!
-
Looks like it might require an additional line in the config, and isn't used instead of esp. (whoops)
:-)
I'll see if I can make up a better set of changes.
Great!! :)
-
Try this change in /etc/inc/vpn.inc (remove the other changes first)
At line 785, change this if statement like so:
if($ph2ent['mode'] == "tunnel") { $spdconf .= "spdadd {$localid} {$remoteid} any -P out ipsec "; $spdconf .= "ipcomp/tunnel/{$ep}-{$rgip}/use "; $spdconf .= "{$ph2ent['protocol']}/tunnel/{$ep}-{$rgip}/unique;\n"; $spdconf .= "spdadd {$remoteid} {$localid} any -P in ipsec "; $spdconf .= "ipcomp/tunnel/{$ep}-{$rgip}/use "; $spdconf .= "{$ph2ent['protocol']}/tunnel/{$rgip}-{$ep}/unique;\n"; } else {If that does work some GUI code would be needed to add a checkbox and add that conditionally.
-
Ouch, this change resulted in all tunnels going offline..
Jul 16 18:54:10 racoon: ERROR: failed to pre-process packet. Jul 16 18:54:10 racoon: ERROR: no suitable policy found. Jul 16 18:54:10 last message repeated 2 times Jul 16 18:54:10 racoon: ERROR: not matched Jul 16 18:54:10 last message repeated 2 times Jul 16 18:54:10 racoon: WARNING: trns_id mismatched: my:AES peer:BLOWFISH Jul 16 18:54:10 racoon: ERROR: not matched Jul 16 18:54:10 racoon: ERROR: not matched Jul 16 18:54:10 racoon: [Liezen]: INFO: respond new phase 2 negotiation: <pfsenseremoteip>[500]<=><remotesiteremoteip>[500]</remotesiteremoteip></pfsenseremoteip>Update2: they have blowfish as proposal 2, but it matches with proposal 1 usually which is aes
-
Yeah that would require ipcomp on all tunnels, but without the (much harder) GUI bits to make it conditional, it was the quickest test. Back those changes out then and try this:
Hand edit /var/etc/spd.conf and reload that with setkey.
Change a line like this:
spdadd x.x.x.0/24 y.y.y.0/24 any -P out ipsec esp/tunnel/b.b.b.b-a.a.a.a/unique; spdadd y.y.y.0/24 x.x.x.0/24 any -P in ipsec esp/tunnel/a.a.a.a-b.b.b.b/unique;To:
spdadd x.x.x.0/24 y.y.y.0/24 any -P out ipsec ipcomp/tunnel/b.b.b.b-a.a.a.a/use esp/tunnel/b.b.b.b-a.a.a.a/unique; spdadd y.y.y.0/24 x.x.x.0/24 any -P in ipsec ipcomp/tunnel/a.a.a.a-b.b.b.b/use esp/tunnel/a.a.a.a-b.b.b.b/unique; -
Ahhh ok, didn't test this one tunnel with ipcomp since all went offline and I was a little bit "pressed" to act fast :D
Will try that on this one
-
Okay, I removed the spds and readded them.. also removed the sads, now I have the following sads for this connection:
<pfsense>IPCOMP 0000b6a1 deflate Jul <remote>IPCOMP 0000e2b9 deflate Jul</remote></pfsense>But there's only one SPD :
IPCOMP <remoteip>-></remoteip>
-
I really really HATE ipsec
-
Yeah with OpenVPN it's as easy as checking "Enable LZO compression" :-)
Not sure what might be up with the one-direction entry, unless there was a typo in the edit.
-
Yes it might have been a typo :D
all offline so I can mess around :D
I re did the change you suggested and it worked (well not really). Now I got both spds but tunnel doesn't get established
sads are strange:IPCOMP 0000c3b5 none pid=19528 IPCOMP 0000da34 none pid=19528enc algorthm none?
auth algorithm pid? :D -
Jul 16 19:54:32 racoon: ERROR: failed to get sainfo. Jul 16 19:54:32 racoon: ERROR: failed to get sainfo. Jul 16 19:54:32 racoon: ERROR: failed to pre-process packet. -
Okay SADs changed to
esp aes-cbc hmac-sha1spds are both ipcomp
-
I saved this tunnel config again and sads changed to
IPCOMP 0000de3d deflate Jul
Before that, when sads were set to esp and spd set to ipcomp, I got
IKE info: Phase-2 proposal failed: remote No 1, missing protocol <-> local No 1 contains IPSEC_ESP
at the remote siteWhat's about that auth algorithm Jul? :D
-
Hi,
any news about any upcoming support for ipsec compression?
Are you planning to support it?
BTW: Very VERY, EXTREMELY nice work :) .. using pfsense beta4 without any problems for multi wan, multi lan, dmz, nat, aon, shaping, openvpn site to site and ipsec site to site without ANY issues since many weeks.. still doing upgrades every other day.. it's so stable and nice, wow! A BIG THANK YOU ALL!
Thanks!
