tech-net archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: IPv6 + tunnel + ESP + IPcomp?
On Thu, 19 May 2022 at 09:23, Michael Richardson <mcr%sandelman.ca@localhost> wrote:
>
>
> Andrew Cagney <andrew.cagney%gmail.com@localhost> wrote:
> > for reference, here's the SADB/SPD entries for outgoing on NetBSD the
> > current: byte counts would suggest the packet is being both compressed
> > and encrypted (I filed about about that being silly, I don't see signs
> > of ESN - another bug):
>
> Are you configuring this using an IKEv2 daemon, or manually?
> Can you just turn off IPCOMP?
Yes, and that works. I filed https://gnats.netbsd.org/56836 - it's a
regression.
Which reminds me, I should file a bug about racoon setting SADB_X_EXT_RAWCPI.
> > Looking at xfrm_stats, each packet increments this: XfrmInNoStates 7
> > which is described as No state is found i.e. Either inbound SPI,
> > address, or IPsec protocol at SA is wrong
>
> I've debugging through the part of the Linux kernel where XfrmInNoStates is
> incremented a lot recently, chasing ESP over IPv6-LL problems. I could
> believe that in situations where IPCOMP is not used, because the packet did
> not compress, that there might be problems still.
Yea. XfrmInNoStates isn't the most helpful. For my case it was being
incremented because the inner IPcomp header was wrong.
Home |
Main Index |
Thread Index |
Old Index