Package: ipsec-tools
Version: 0.3.3-7

There is IPsec in transport mode between host A and host B, with manual keying.
Config for A:
flush;
spdflush;


add 192.168.117.3 80.242.66.18 ah 15700 -A hmac-md5 "1234567890123456";
add 80.242.66.18 192.168.117.3 ah 24500 -A hmac-md5 "1234567890123456";


# ESP
add 192.168.117.3 80.242.66.18 esp 15701 -E 3des-cbc "123456789012123456789012";
add 80.242.66.18 192.168.117.3 esp 24501 -E 3des-cbc "123456789012123456789012";


# IPComp
add 192.168.117.3 80.242.66.18 ipcomp 0x100 -C deflate;
add 80.242.66.18 192.168.117.3 ipcomp 0x200 -C deflate;

spdadd 80.242.66.18 192.168.117.3 any -P in ipsec
    ipcomp/transport//require
    esp/transport//require
    ah/transport//require;

spdadd 192.168.117.3 80.242.66.18 any -P out ipsec
    ipcomp/transport//require
    esp/transport//require
    ah/transport//require;

Config for B:
flush;
spdflush;

add 192.168.117.3 80.242.66.18 ah 15700 -A hmac-md5 "1234567890123456";
add 80.242.66.18 192.168.117.3 ah 24500 -A hmac-md5 "1234567890123456";


# ESP
add 192.168.117.3 80.242.66.18 esp 15701 -E 3des-cbc "123456789012123456789012";
add 80.242.66.18 192.168.117.3 esp 24501 -E 3des-cbc "123456789012123456789012";


# IPComp
add 192.168.117.3 80.242.66.18 ipcomp 0x100 -C deflate;
add 80.242.66.18 192.168.117.3 ipcomp 0x200 -C deflate;

spdadd 80.242.66.18 192.168.117.3 any -P out ipsec
    ipcomp/transport//require
    esp/transport//require
    ah/transport//require;

spdadd 192.168.117.3 80.242.66.18 any -P in ipsec
    ipcomp/transport//require
    esp/transport//require
    ah/transport//require;

Applying these SAs and SPs on both hosts, I have:
Host A:
A:/etc# ping 80.242.66.18 -c 3
PING 80.242.66.18 (80.242.66.18) 56(84) bytes of data.

--- 80.242.66.18 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms


Host B:
B:/etc# tcpdump -ni eth1 host 192.168.117.3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
12:53:51.642539 IP 192.168.117.3 > 80.242.66.18: AH(spi=0x00003d54,seq=0x27): ESP(spi=0x00003d55,seq=0x27)
12:53:52.643306 IP 192.168.117.3 > 80.242.66.18: AH(spi=0x00003d54,seq=0x28): ESP(spi=0x00003d55,seq=0x28)
12:53:53.674159 IP 192.168.117.3 > 80.242.66.18: AH(spi=0x00003d54,seq=0x29): ESP(spi=0x00003d55,seq=0x29)


But if I increase the packet size, everything is OK:
Host A:
A:/etc# ping 80.242.66.18 -c 3 -s 300
PING 80.242.66.18 (80.242.66.18) 300(328) bytes of data.
308 bytes from 80.242.66.18: icmp_seq=1 ttl=59 time=32.9 ms
308 bytes from 80.242.66.18: icmp_seq=2 ttl=59 time=33.3 ms
308 bytes from 80.242.66.18: icmp_seq=3 ttl=59 time=16.1 ms


--- 80.242.66.18 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms


Host B:
B:/etc# tcpdump -ni eth1 host 192.168.117.3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
12:56:15.824309 IP 192.168.117.3 > 80.242.66.18: AH(spi=0x00003d54,seq=0x2d): ESP(spi=0x00003d55,seq=0x2d)
12:56:15.824731 IP 80.242.66.18 > 192.168.117.3: AH(spi=0x00005fb4,seq=0x11): ESP(spi=0x00005fb5,seq=0x11)
12:56:16.831618 IP 192.168.117.3 > 80.242.66.18: AH(spi=0x00003d54,seq=0x2e): ESP(spi=0x00003d55,seq=0x2e)
12:56:16.832075 IP 80.242.66.18 > 192.168.117.3: AH(spi=0x00005fb4,seq=0x12): ESP(spi=0x00005fb5,seq=0x12)
12:56:17.827163 IP 192.168.117.3 > 80.242.66.18: AH(spi=0x00003d54,seq=0x2f): ESP(spi=0x00003d55,seq=0x2f)
12:56:17.827613 IP 80.242.66.18 > 192.168.117.3: AH(spi=0x00005fb4,seq=0x13): ESP(spi=0x00005fb5,seq=0x13)


And there is no problem even with small packets when there is no ipcomp, only ah and esp.

I'm using Sarge with the latest updates on a P4 2.8 GHz, 512 MB RAM, P4P800-E Deluxe, and kernel-image-2.6.8-2-686-smp (kernel-image-2.6.8-2-686-smp_2.6.8-13_i386.deb) on both hosts.

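An added example, not part of the original report: a small Python check that maps the hex SPIs in the two tcpdump captures above back to the decimal SPIs in the setkey config and flags flows seen in one direction only. The function and variable names are hypothetical; the capture lines are copied from the report. Anything inside ESP, including an IPComp header, is encrypted and does not appear in these captures.

```python
import re
from collections import Counter

# SPIs from the report's setkey "add" lines (decimal): spi -> (proto, src, dst)
A, B = "192.168.117.3", "80.242.66.18"
CONFIGURED = {15700: ("ah", A, B), 24500: ("ah", B, A),
              15701: ("esp", A, B), 24501: ("esp", B, A)}

# tcpdump lines copied from the report (default-size ping, then ping -s 300)
SMALL_PING = """\
12:53:51.642539 IP 192.168.117.3 > 80.242.66.18: AH(spi=0x00003d54,seq=0x27): ESP(spi=0x00003d55,seq=0x27)
12:53:52.643306 IP 192.168.117.3 > 80.242.66.18: AH(spi=0x00003d54,seq=0x28): ESP(spi=0x00003d55,seq=0x28)
12:53:53.674159 IP 192.168.117.3 > 80.242.66.18: AH(spi=0x00003d54,seq=0x29): ESP(spi=0x00003d55,seq=0x29)
"""
LARGE_PING = """\
12:56:15.824309 IP 192.168.117.3 > 80.242.66.18: AH(spi=0x00003d54,seq=0x2d): ESP(spi=0x00003d55,seq=0x2d)
12:56:15.824731 IP 80.242.66.18 > 192.168.117.3: AH(spi=0x00005fb4,seq=0x11): ESP(spi=0x00005fb5,seq=0x11)
12:56:16.831618 IP 192.168.117.3 > 80.242.66.18: AH(spi=0x00003d54,seq=0x2e): ESP(spi=0x00003d55,seq=0x2e)
12:56:16.832075 IP 80.242.66.18 > 192.168.117.3: AH(spi=0x00005fb4,seq=0x12): ESP(spi=0x00005fb5,seq=0x12)
12:56:17.827163 IP 192.168.117.3 > 80.242.66.18: AH(spi=0x00003d54,seq=0x2f): ESP(spi=0x00003d55,seq=0x2f)
12:56:17.827613 IP 80.242.66.18 > 192.168.117.3: AH(spi=0x00005fb4,seq=0x13): ESP(spi=0x00005fb5,seq=0x13)
"""

LINE_RE = re.compile(
    r"IP (\S+) > (\S+): AH\(spi=0x([0-9a-f]+),seq=0x[0-9a-f]+\): "
    r"ESP\(spi=0x([0-9a-f]+),seq=0x[0-9a-f]+\)")

def analyse(capture):
    """Return (packets per direction, SPIs not matching the config, one-way flows)."""
    flows, mismatched = Counter(), []
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst = m.group(1), m.group(2)
        flows[(src, dst)] += 1
        for proto, spi_hex in (("ah", m.group(3)), ("esp", m.group(4))):
            spi = int(spi_hex, 16)  # tcpdump prints hex, the setkey config uses decimal
            if CONFIGURED.get(spi) != (proto, src, dst):
                mismatched.append((proto, spi, src, dst))
    # A direction with no packets coming back: requests arrive, no reply is sent
    one_way = [f for f in flows if (f[1], f[0]) not in flows]
    return dict(flows), mismatched, one_way

if __name__ == "__main__":
    for name, cap in (("small ping", SMALL_PING), ("large ping", LARGE_PING)):
        flows, mismatched, one_way = analyse(cap)
        print(name, flows, "mismatched:", mismatched, "one-way:", one_way)
```

In both captures every AH and ESP SPI matches the configured SA for its direction, so the SA database is consistent; the small-ping capture differs only in that B sees the requests and sends nothing back.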