Configuring ipsec.conf with ipcomp seems to be more difficult than I thought. I enabled ipcomp:
# sysctl -a | grep ipcomp
net.inet.ipcomp.enable=1

ipcomp is enabled on both gateways. Here is ipsec.conf:

flow ipcomp from 10.10.10.0/24 to 10.10.2.0/24 \
       peer 192.168.1.57

ike esp from 10.10.10.0/24 to 10.10.2.0/24 \
        peer 192.168.1.57 \
        main auth hmac-sha2-256 enc 3des group modp1024 lifetime 86400 \
        quick auth hmac-sha2-256 enc 3des lifetime 86400 \
        psk f15490b4ebc2bfc41a9a009509c91ceb443547f6

my local LAN 10.10.10.0/24
remote LAN 10.10.2.0/24

# ipsecctl -s all
FLOWS:
flow esp in from 10.10.2.0/24 to 10.10.10.0/24 peer 192.168.1.57 type require
flow esp out from 10.10.10.0/24 to 10.10.2.0/24 peer 192.168.1.57 type require

SAD:
esp tunnel from 192.168.1.57 to 192.168.125.157 spi 0xc259f59d auth hmac-sha2-256 enc 3des-cbc
esp tunnel from 192.168.125.157 to 192.168.1.57 spi 0xe9b1976d auth hmac-sha2-256 enc 3des-cbc
#


Any ideas? The ipsec.conf man page has poor information about ipcomp, from my point of view.

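As an added example (not part of the original post), the following sh script compares the protocols that the ipsec.conf above asks for (flow ipcomp and ike esp) against what ipsecctl -s all actually reports, printing any expected flow that the kernel does not have. The SAMPLE_OUTPUT is constructed to mirror the output in the post, and the EXPECTED_PROTOS list is an assumption based on the configuration shown; run it against real output with: ipsecctl -s all | missing_flows "esp ipcomp".

```shell
#!/bin/sh
# Added example, not from the original post: verify that every flow the
# ipsec.conf asks for shows up in "ipsecctl -s all" output.
# SAMPLE_OUTPUT is constructed to look like the poster's output: esp flows
# and SAs are present, ipcomp is absent.

SAMPLE_OUTPUT='FLOWS:
flow esp in from 10.10.2.0/24 to 10.10.10.0/24 peer 192.168.1.57 type require
flow esp out from 10.10.10.0/24 to 10.10.2.0/24 peer 192.168.1.57 type require

SAD:
esp tunnel from 192.168.1.57 to 192.168.125.157 spi 0xc259f59d auth hmac-sha2-256 enc 3des-cbc
esp tunnel from 192.168.125.157 to 192.168.1.57 spi 0xe9b1976d auth hmac-sha2-256 enc 3des-cbc'

# Protocols the configuration asks for ("flow ipcomp" and "ike esp").
# This list is an assumption derived from the ipsec.conf in the post.
EXPECTED_PROTOS="esp ipcomp"

# flow_present PROTO DIR < output
# Succeeds if a "flow PROTO DIR ..." line exists in the FLOWS section.
flow_present() {
    awk -v p="$1" -v d="$2" \
        '$1 == "flow" && $2 == p && $3 == d { found = 1 } END { exit !found }'
}

# sa_present PROTO < output
# Succeeds if a "PROTO tunnel ..." entry exists in the SAD section.
sa_present() {
    awk -v p="$1" '$1 == p && $2 == "tunnel" { found = 1 } END { exit !found }'
}

# missing_flows "PROTO LIST" < output
# Prints "PROTO DIR" for every expected flow that is absent from the output;
# prints nothing when all expected flows are installed.
missing_flows() {
    out=$(cat)
    for proto in $1; do
        for dir in "in" "out"; do
            printf '%s\n' "$out" | flow_present "$proto" "$dir" \
                || printf '%s %s\n' "$proto" "$dir"
        done
    done
}

# Demonstration on the constructed sample: reports the two missing ipcomp flows.
printf '%s\n' "$SAMPLE_OUTPUT" | missing_flows "$EXPECTED_PROTOS"
```

The check only inspects the FLOWS and SAD sections of the ipsecctl output and does not tell you why a flow is missing; it is meant as a quick way to confirm whether a configuration change actually produced the expected kernel state before digging further.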