Please add compression support for ipsec $200



  • Hi,

    it would be great if there was an option to use compression for ipsec tunnels.
    Sorry, I really have no clue as to how much work this would take. I simply posted the maximum amount I can spend.
    Maybe someone else will add to the bounty, can't imagine that I'm the only one who'd like to have this feature ;)

    Thank you!

    Max

    Edit: increased bounty to 200USD



  • Hi,
    are you talking about IPCOMP? compression_algorithm directive in racoon?



  • Yes..
It's already in racoon.conf, but this is not enough.. it doesn't have any effect.. I think you need "ipcomp" instead of "esp"..



  • How do you test? What methodology would you use to say 'it works'?



  • when there's a tunnel created that makes use of it :P

    I did only some lousy tests with my existing config which consists of a few Lancom 1811 -> pfsense's racoon. This config works great, but if I just add deflate to the parameters on the Lancom sites, the parties can't negotiate.
    I'm aware that this could be a problem with the Lancom devices, but it's unlikely. As far as I know the setting "compression_algorithm deflate;" in racoon.conf is mandatory.. if a specific tunnel was to be configured for (optional) ipcomp or not, it would have to be set for the SPD.
    I don't think that anything has changed in this domain since my thread a few months ago as I have watched the activity about ipsec changes on redmine… But if it did, I'm sorry to have brought something up which already exists..

    http://forum.pfsense.org/index.php/topic,26517.0.html



  • Have you tried Jimp's actions?

---edited---
    I'd be interested in implementing this but it does not look feasible without being able to test it.



  • Already replied in the other thread in the 2.0 forum, though wanted to add: PLEASE DO IT ;) and good luck!
    Tried with shrewsoft?



  • @mxx:

    Tried with shrewsoft?

Yes, it successfully negotiates with both ipcomp turned on and off, but only if pfSense acts as a server for Mobile Client. I did not manage to make the shrewsoft client work with pfSense in site-to-site tunnel mode.



  • Hi,

    this is great news. If you've gotten this far, I'm sure you'll succeed with the remaining site-to-site mode as well ;)



  • @mxx:

    Hi,

    this is great news. If you've gotten this far, I'm sure you'll succeed with the remaining site-to-site mode as well ;)

    Hi,
I am afraid it's not about me, it is about the shrewsoft client - it just does not want to negotiate in site-to-site mode and to be honest I do not see how it is expected to work using the shrewsoft client. You install it on your PC and vpn into the office, that works.
    As far as I understand you use other software/equipment, why don't we return to your set up?



  • Hi,

    thanks for your reply.
    I'm using several Lancom 1811 VPN gateways to build site-to-site tunnels with a central pfsense box.
    This of course is a setup you can't test as long as you don't have such a device.

    Is there no way to verify if a tunnel between 2 pfsense boxes is actually effectively using ipcomp?
    If that works, it will work with the Lancoms too..



  • Or do you have any other hardware vpn gateway which you could use for testing?
    When I setup ipcomp (using deflate) on the Lancoms, they won't connect if the other side isn't using it.



  • @mxx:

    Is there no way to verify if a tunnel between 2 pfsense boxes is actually effectively using ipcomp?
    If that works, it will work with the Lancoms too..

I have a configuration that allows two pfSense boxes to set up a tunnel with ipcomp in SPDs, but I do not know a method to prove that ipcomp is actually 'in use' when passing traffic, as I do not see any compression.
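One way to answer the "is ipcomp actually in use" question above is to look at the datagrams on the decrypted side of the tunnel: on the wire you only see ESP (IP protocol 50), but once ESP is removed, a packet that was compressed carries an IPComp header (IP protocol 108, RFC 3173) whose CPI value 2 means DEFLATE. The script below is an added example, not pfSense or racoon code: it classifies raw IPv4 datagrams as ESP / IPComp / other and decodes the IPComp header, decompressing the DEFLATE payload to confirm an inner IP-in-IP datagram is present. It assumes you would feed it packets captured on the decrypted side (for example FreeBSD's enc interface on pfSense); the packets here are constructed inline in build_samples() so it runs offline.

```python
# Added example (not pfSense/racoon code): classify captured IPv4 datagrams as
# ESP (protocol 50), IPComp (protocol 108, RFC 3173) or other, and decode the
# IPComp header so a defender can confirm that deflate compression is really
# negotiated and applied.  Real input would be frames captured on the decrypted
# side of the tunnel; here the packets are constructed in build_samples().
import struct
import zlib

IPPROTO_IPIP = 4
IPPROTO_ESP = 50
IPPROTO_IPCOMP = 108
# Well-known Compression Parameter Index values from RFC 3173 section 3.3.
WELL_KNOWN_CPI = {1: "OUI", 2: "DEFLATE", 3: "LZS", 4: "LZJH"}


def parse_ipv4(pkt: bytes) -> dict:
    """Return protocol, addresses and payload of a raw IPv4 datagram."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ver_ihl, total_len, proto, src, dst = fields[0], fields[2], fields[6], fields[8], fields[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "proto": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "payload": pkt[ihl:total_len],
    }


def parse_ipcomp(payload: bytes) -> dict:
    """Decode the 4-byte IPComp header: next header, flags (must be 0), CPI."""
    if len(payload) < 4:
        raise ValueError("truncated IPComp header")
    next_hdr, flags, cpi = struct.unpack("!BBH", payload[:4])
    if flags != 0:
        raise ValueError("IPComp flags field must be zero")
    info = {
        "next_header": next_hdr,
        "cpi": cpi,
        "algorithm": WELL_KNOWN_CPI.get(cpi, "negotiated"),
        "compressed_len": len(payload) - 4,
    }
    if cpi == 2:
        # DEFLATE as used by IPComp (RFC 2394) is a raw deflate stream, no zlib header.
        inner = zlib.decompressobj(wbits=-15).decompress(payload[4:])
        info["decompressed_len"] = len(inner)
        # In tunnel mode the next header is IP-in-IP and the inner data is an IPv4 datagram.
        info["inner_is_ipv4"] = next_hdr == IPPROTO_IPIP and len(inner) >= 20 and inner[0] >> 4 == 4
    return info


def classify(packets) -> dict:
    """Count ESP / IPComp / other datagrams and collect the CPIs seen."""
    summary = {"esp": 0, "ipcomp": 0, "other": 0, "cpis": set()}
    for pkt in packets:
        ip = parse_ipv4(pkt)
        if ip["proto"] == IPPROTO_ESP:
            summary["esp"] += 1
        elif ip["proto"] == IPPROTO_IPCOMP:
            summary["ipcomp"] += 1
            summary["cpis"].add(parse_ipcomp(ip["payload"])["cpi"])
        else:
            summary["other"] += 1
    return summary


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Construct a minimal IPv4 datagram (checksum left at zero; for parsing only)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + payload


def build_samples() -> list:
    """Constructed traffic: one IPComp-wrapped inner datagram, one ESP, one plain."""
    inner = build_ipv4(17, "10.0.1.5", "10.0.2.9", b"A" * 400)  # compressible inner datagram
    comp = zlib.compressobj(level=6, wbits=-15)
    deflated = comp.compress(inner) + comp.flush()
    ipcomp_hdr = struct.pack("!BBH", IPPROTO_IPIP, 0, 2)  # next header IP-in-IP, CPI 2 = DEFLATE
    return [
        build_ipv4(IPPROTO_IPCOMP, "192.0.2.1", "198.51.100.1", ipcomp_hdr + deflated),
        build_ipv4(IPPROTO_ESP, "192.0.2.1", "198.51.100.1", b"\x00" * 8 + b"\x11" * 64),
        build_ipv4(17, "10.0.1.5", "10.0.2.9", b"short"),
    ]


if __name__ == "__main__":
    pkts = build_samples()
    print(classify(pkts))
    print(parse_ipcomp(parse_ipv4(pkts[0])["payload"]))
```

Two things to keep in mind when reading real captures: RFC 3173 says a packet that would not shrink is sent without an IPComp header, so a mix of protocol 108 and uncompressed inner datagrams on the decrypted side is normal and does not mean ipcomp is off; and a tunnel whose decrypted side never shows protocol 108 at all, even for large highly compressible payloads, has an IPComp SA that is not being applied. Checking that `setkey -D` lists an ipcomp SA alongside the esp SA is the configuration-level counterpart of this traffic-level check.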



  • @mxx:

    Or do you have any other hardware vpn gateway which you could use for testing?
    When I setup ipcomp (using deflate) on the Lancoms, they won't connect if the other side isn't using it.

    We can try to configure pfSense in the way I did and if it works with Lancoms then we can think about adding this feature to GUI.



  • Okay, good idea.
    How would we do this?



  • @mxx:

    Okay, good idea.
    How would we do this?

    Now I am busy at work but I'll pm you later and we'll agree on when and how.



  • Ok, being busy too, won't be able to do the test until tomorrow


Locked