[strongSwan-dev] Question about Nat and IPcomp

Robin robin_chang at foxmail.com
Mon Dec 23 04:09:09 CET 2013


Thanks for your help Thomas.
I am sorry for not including the details of this question in my first mail.
The Strongswan and Linux release version information for my test system is as follows.


OS: I am running two IPsec boxes with Opensuse 11.3.
Strongswan: also using the Opensuse default 5.0.1 release (possibly from the Opensuse 11.3 DVD image).
IPsec box config file: 'compress=yes' and 'forceencaps=yes' in /etc/ipsec.conf.


The debug messages from the running ipsec indicated 'IPComp is not supported if either peer is natted, IPComp disabled'.


Recently I checked the source code and found that the message 'IPComp is not supported if either peer is natted.....' is located in the function 'add_ipcomp_notify' of 'child_create.c', line 683.


Following your information, I checked Strongswan 5.1.1, and this warning message has already been removed.


That is why I want to know whether this warning message in the earlier Strongswan release is caused by the Linux implementation or by the IPsec standard.


Strongswan 5.0.1
-------------------
static void add_ipcomp_notify(private_child_create_t *this,
								  message_t *message, u_int8_t ipcomp)
{
	if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
	{
		DBG1(DBG_IKE, "IPComp is not supported if either peer is natted, "
			 "IPComp disabled");
		return;
	}


	this->my_cpi = this->child_sa->alloc_cpi(this->child_sa);
	if (this->my_cpi)
	{
		this->ipcomp = ipcomp;
		message->add_notify(message, FALSE, IPCOMP_SUPPORTED,
							chunk_cata("cc", chunk_from_thing(this->my_cpi),
									   chunk_from_thing(ipcomp)));
	}
	else
	{
		DBG1(DBG_IKE, "unable to allocate a CPI from kernel, IPComp disabled");
	}
}

-------------------


Strongswan 5.1.1
-------------------
/**
 * Adds an IPCOMP_SUPPORTED notify to the message, allocating a CPI
 */
static void add_ipcomp_notify(private_child_create_t *this,
								  message_t *message, u_int8_t ipcomp)
{
	this->my_cpi = this->child_sa->alloc_cpi(this->child_sa);
	if (this->my_cpi)
	{
		this->ipcomp = ipcomp;
		message->add_notify(message, FALSE, IPCOMP_SUPPORTED,
							chunk_cata("cc", chunk_from_thing(this->my_cpi),
									   chunk_from_thing(ipcomp)));
	}
	else
	{
		DBG1(DBG_IKE, "unable to allocate a CPI from kernel, IPComp disabled");
	}
}

------------------- 


Best regards.
Robin.


------------------ Original ------------------
From:  "Thomas Klute";<thomas2.klute at uni-dortmund.de>;
Date:  Sun, Dec 22, 2013 09:53 PM
To:  "dev"<dev at lists.strongswan.org>; 

Subject:  Re: [strongSwan-dev] Question about Nat and IPcomp



On 20.12.2013 03:59, Robin wrote:
> Hello everyone, I am a new member here.
> When I use strongswan I find something conflicting about IPcomp and UDP encapsulation.
> 
> After I checked the mailing list, someone says it's a Linux implementation bug
> but no one points out what the problem exactly is.
> 
> Is this problem caused by the RFCs (IPcomp and UDP encapsulation) or by the original IPsec implementation?

I have a working setup with both NAT traversal and IPcomp, so I'm fairly
sure that there is no fundamental conflict between the two. ;-)

If you can provide more information about your problem, like error
messages, kernel and Strongswan versions, configuration and log files
(make sure to remove private information, e.g. encryption keys!),
someone here might be able to help you.

Regards,
Thomas
