ipcomp has not been implemented in ipsec/isakmpd. I've gotten it to work quite well with iked. iked is the key management daemon for IKEv2.
On Thu, Mar 17, 2016 at 6:00 PM, Motty Cruz wrote:
> Configuring ipsec.conf with ipcomp seems to be more difficult than I thought.
> I enabled ipcomp:
>
> # sysctl -a | grep ipcomp
> net.inet.ipcomp.enable=1
>
> ipcomp is enabled on both gateways. Here is ipsec.conf:
>
> flow ipcomp from 10.10.10.0/24 to 10.10.2.0/24 \
>         peer 192.168.1.57
>
> ike esp from 10.10.10.0/24 to 10.10.2.0/24 \
>         peer 192.168.1.57 \
>         main auth hmac-sha2-256 enc 3des group modp1024 lifetime 86400 \
>         quick auth hmac-sha2-256 enc 3des lifetime 86400 \
>         psk f15490b4ebc2bfc41a9a009509c91ceb443547f6
>
> my local LAN 10.10.10.0/24
> remote LAN 10.10.2.0/24
>
> # ipsecctl -s all
> FLOWS:
> flow esp in from 10.10.2.0/24 to 10.10.10.0/24 peer 192.168.1.57 type require
> flow esp out from 10.10.10.0/24 to 10.10.2.0/24 peer 192.168.1.57 type require
>
> SAD:
> esp tunnel from 192.168.1.57 to 192.168.125.157 spi 0xc259f59d auth hmac-sha2-256 enc 3des-cbc
> esp tunnel from 192.168.125.157 to 192.168.1.57 spi 0xe9b1976d auth hmac-sha2-256 enc 3des-cbc
> #
>
> Any ideas? The documentation in man ipsec.conf has poor information about
> ipcomp, in my point of view.