tech-net archive


Re: IPv6 + tunnel + ESP + IPcomp?



On Thu, 19 May 2022 at 09:23, Michael Richardson <mcr%sandelman.ca@localhost> wrote:
>
>
> Andrew Cagney <andrew.cagney%gmail.com@localhost> wrote:
>     > for reference, here's the SADB/SPD entries for outgoing on NetBSD the
>     > current: byte counts would suggest the packet is being both compressed
>     > and encrypted (I filed a bug about that being silly, I don't see signs
>     > of ESN - another bug):
>
> Are you configuring this using an IKEv2 daemon, or manually?
> Can you just turn off IPCOMP?

Yes, and that works.  I filed https://gnats.netbsd.org/56836 - it's a
regression.
Which reminds me, I should file a bug about racoon setting SADB_X_EXT_RAWCPI.

>     > Looking at xfrm_stats, each packet increments this: XfrmInNoStates 7
>     > which is described as No state is found i.e. Either inbound SPI,
>     > address, or IPsec protocol at SA is wrong
>
> I've been debugging through the part of the Linux kernel where XfrmInNoStates is
> incremented a lot recently, chasing ESP over IPv6-LL problems.  I could
> believe that in situations where IPCOMP is not used, because the packet did
> not compress, that there might be problems still.

Yea.  XfrmInNoStates isn't the most helpful.  For my case it was being
incremented because the inner IPcomp header was wrong.

