Please add compression support for ipsec $200
-
Hi,
it would be great if there was an option to use compression for ipsec tunnels.
Sorry, I really have no clue as to how much work this would take. I simply posted the maximum amount I can spend.
Maybe someone else will add to the bounty, can't imagine that I'm the only one who'd like to have this feature ;) Thank you!
Max
Edit: increased bounty to 200USD
-
Hi,
are you talking about IPCOMP? The compression_algorithm directive in racoon?
-
Yes..
It's already in racoon.conf, but this is not enough; it doesn't have any effect. I think you need "ipcomp" instead of "esp".
-
How do you test? What methodology would you use to say 'it works'?
-
When there's a tunnel created that makes use of it :P
I did only some lousy tests with my existing config, which consists of a few Lancom 1811s -> pfSense's racoon. This config works great, but if I just add deflate to the parameters on the Lancom sites, the parties can't negotiate.
I'm aware that this could be a problem with the Lancom devices, but it's unlikely. As far as I know the setting "compression_algorithm deflate;" in racoon.conf is mandatory; if a specific tunnel were to be configured for (optional) ipcomp or not, it would have to be set for the SPD.
I don't think that anything has changed in this domain since my thread a few months ago, as I have watched the activity about ipsec changes on redmine. But if it did, I'm sorry to have brought something up which already exists.
http://forum.pfsense.org/index.php/topic,26517.0.html
-
Have you tried Jimp's actions?
---edited---
I'd be interested in implementing this but it does not look feasible without being able to test it.
-
Already replied in the other thread in the 2.0 forum, though wanted to add: PLEASE DO IT ;) and good luck!
Tried with Shrew Soft?
-
@mxx:
Tried with Shrew Soft?
Yes, it successfully negotiates with both ipcomp turned on and off, but only if pfSense acts as a server for Mobile Clients. I did not manage to make the Shrew Soft client work with pfSense in site-to-site tunnel mode.
-
Hi,
this is great news. If you've gotten this far, I'm sure you'll succeed with the remaining site-to-site mode as well ;)
-
@mxx:
Hi,
this is great news. If you've gotten this far, I'm sure you'll succeed with the remaining site-to-site mode as well ;)
Hi,
I am afraid it's not about me, it is about the Shrew Soft client; it just does not want to negotiate in site-to-site mode, and to be honest I do not see how it is expected to work using the Shrew Soft client. You install it on your PC and VPN into the office; that works.
As far as I understand you use other software/equipment, so why don't we return to your setup?
-
Hi,
thanks for your reply.
I'm using several Lancom 1811 VPN gateways to build site-to-site tunnels with a central pfsense box.
This of course is a setup you can't test as long as you don't have such a device. Is there no way to verify if a tunnel between 2 pfSense boxes is actually effectively using ipcomp?
If that works, it will work with the Lancoms too.
-
Or do you have any other hardware vpn gateway which you could use for testing?
When I set up ipcomp (using deflate) on the Lancoms, they won't connect if the other side isn't using it.
-
@mxx:
Is there no way to verify if a tunnel between 2 pfSense boxes is actually effectively using ipcomp?
If that works, it will work with the Lancoms too.
I have a configuration that allows two pfSense boxes to set up a tunnel with ipcomp in the SPDs, but I do not know a method to prove that ipcomp is actually 'in use' when passing traffic, as I do not see any compression.
-
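The question in the post above (how to prove that ipcomp is actually in use between two pfSense boxes) and the earlier remark that racoon's "compression_algorithm deflate;" directive does nothing unless the SPD itself carries an ipcomp rule can both be checked from the kernel's SA database rather than by eyeballing throughput. The following Python script is an added example, not code from pfSense, racoon or anyone in this thread. It parses the SA dump that `setkey -D` prints on FreeBSD (the line layout is assumed from the libipsec dump format; the sample input is constructed, not captured from a real box) and reports, per direction, whether an ipcomp SA was negotiated and whether its lifetime byte counter has moved. A mature ipcomp SA with a zero byte counter means compression was negotiated but traffic is bypassing it, which is the case a "use"-level SPD rule such as `ipcomp/tunnel/10.0.0.1-10.0.0.2/use esp/tunnel/10.0.0.1-10.0.0.2/require` (setkey(8) syntax; addresses are placeholders) can silently produce.

```python
"""Check whether an IPsec tunnel has actually negotiated and used IPComp.

Added example, not pfSense or racoon code. Parses `setkey -D` output
(FreeBSD libipsec dump layout, assumed here) and reports per direction
whether an ipcomp SA exists, is mature and has carried bytes.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample (not captured from a real box): the outbound direction
# has an ESP SA plus a deflate IPComp SA that has carried traffic; the
# inbound direction has an IPComp SA that is mature but idle (0 bytes),
# which is the failure mode this check is meant to catch.
SAMPLE_SETKEY_D = """\
10.0.0.1 10.0.0.2
\tesp mode=tunnel spi=12345678(0x00bc614e) reqid=0(0x00000000)
\tE: aes-cbc  00112233 44556677 8899aabb ccddeeff
\tA: hmac-sha1  00112233 44556677 8899aabb ccddeeff 00112233
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Mar 10 12:00:00 2012\tcurrent: Mar 10 12:05:00 2012
\tcurrent: 48120(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tsadb_seq=3 pid=1234 refcnt=1
10.0.0.1 10.0.0.2
\tipcomp mode=tunnel spi=4097(0x00001001) reqid=0(0x00000000)
\tC: deflate
\tseq=0x00000000 replay=0 flags=0x00000000 state=mature
\tcurrent: 131072(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tsadb_seq=2 pid=1234 refcnt=1
10.0.0.2 10.0.0.1
\tesp mode=tunnel spi=87654321(0x05397fb1) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcurrent: 9800(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tsadb_seq=1 pid=1234 refcnt=1
10.0.0.2 10.0.0.1
\tipcomp mode=tunnel spi=4098(0x00001002) reqid=0(0x00000000)
\tC: deflate
\tseq=0x00000000 replay=0 flags=0x00000000 state=mature
\tcurrent: 0(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tsadb_seq=0 pid=1234 refcnt=1
"""


@dataclass
class SecurityAssociation:
    src: str
    dst: str
    proto: str                       # "esp", "ah" or "ipcomp"
    mode: str                        # "tunnel" or "transport"
    spi: int                         # for ipcomp this is the CPI
    state: str = "unknown"           # larval, mature, dying, dead
    comp_alg: Optional[str] = None   # "C: deflate" line on ipcomp SAs
    bytes_seen: int = 0              # the "current: N(bytes)" counter


# An entry starts with an unindented "src dst" line; all detail lines are
# tab-indented. "current:" appears twice per entry (a timestamp and the
# byte counter), so the byte regex insists on the "(bytes)" suffix.
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)$")
PROTO_RE = re.compile(r"^\s*(esp|ah|ipcomp)\s+mode=(\S+)\s+spi=(\d+)\(")
STATE_RE = re.compile(r"state=(\w+)")
BYTES_RE = re.compile(r"current:\s+(\d+)\(bytes\)")
COMP_RE = re.compile(r"^\s*C:\s+(\S+)")


def parse_setkey_dump(text: str) -> List[SecurityAssociation]:
    """Turn `setkey -D` output into SecurityAssociation records."""
    sas: List[SecurityAssociation] = []
    src = dst = None
    cur: Optional[SecurityAssociation] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            m = HEADER_RE.match(line)
            if m:
                src, dst = m.group(1), m.group(2)
                cur = None
            continue
        m = PROTO_RE.match(line)
        if m and src is not None:
            cur = SecurityAssociation(src, dst, m.group(1), m.group(2), int(m.group(3)))
            sas.append(cur)
            continue
        if cur is None:
            continue
        if (m := COMP_RE.match(line)):
            cur.comp_alg = m.group(1)
        elif (m := STATE_RE.search(line)):
            cur.state = m.group(1)
        elif (m := BYTES_RE.search(line)):
            cur.bytes_seen = int(m.group(1))
    return sas


def ipcomp_status(sas: List[SecurityAssociation]) -> Dict[Tuple[str, str], str]:
    """Per (src, dst): 'no-ipcomp-sa', 'ipcomp-negotiated-idle' or 'ipcomp-active'."""
    status: Dict[Tuple[str, str], str] = {}
    for sa in sas:
        key = (sa.src, sa.dst)
        status.setdefault(key, "no-ipcomp-sa")
        if sa.proto != "ipcomp":
            continue
        if sa.state == "mature" and sa.bytes_seen > 0:
            status[key] = "ipcomp-active"
        elif status[key] != "ipcomp-active":
            status[key] = "ipcomp-negotiated-idle"
    return status


if __name__ == "__main__":
    # Pipe real output in with `setkey -D | python3 check_ipcomp.py`
    # (script name assumed); with no stdin the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SETKEY_D
    for (src, dst), verdict in sorted(ipcomp_status(parse_setkey_dump(text)).items()):
        print(f"{src} -> {dst}: {verdict}")
```

On the constructed sample the script reports `ipcomp-active` for 10.0.0.1 -> 10.0.0.2 and `ipcomp-negotiated-idle` for the reverse direction. Run against both ends of a real tunnel, an idle verdict on one side while the other is active is the symptom to look for when a peer like the Lancoms insists on compression and the other side negotiates it but never feeds packets through the ipcomp SA.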
@mxx:
Or do you have any other hardware VPN gateway which you could use for testing?
When I set up ipcomp (using deflate) on the Lancoms, they won't connect if the other side isn't using it.
We can try to configure pfSense in the way I did, and if it works with the Lancoms then we can think about adding this feature to the GUI.
-
Okay, good idea.
How would we do this?
-
@mxx:
Okay, good idea.
How would we do this?
Now I am busy at work but I'll PM you later and we'll agree on when and how.
-
OK, being busy too, I won't be able to do the test until tomorrow.