Re: [PROBLEM] IPSec: IPComp CPI size

From: James Morris (jmorris@intercode.com.au)
Date: Thu Aug 14 2003 - 21:51:17 EST


On Fri, 15 Aug 2003, James Morris wrote:

> > a two-byte CPI is sent in the IPComp header. Thus, when an IP packet
> > with IPComp is received, the two-byte CPI is expanded to four bytes and
> > used to index into the SAD. However, since the original SPI that was
> > installed into the SAD was 4 bytes, the kernel does not find a match for
> > the CPI, and thus drops the packet.
>
> This should be working ok, as two bytes of the internal SPI will simply be
> zero. I've just verified that ipcomp is working in 2.6.0-test3.


Ahh, now I know what you might be seeing: IKE needs to specify the range
of the SPI. Both pfkey and the native xfrm interfaces support this.


- James
--
James Morris
<jmorris@xxxxxxxxxxxxxxxx>
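
Added illustration (not part of the original message, and not kernel code): a toy SAD showing why a two-byte CPI widened to four bytes only matches when the key manager allocated the SPI inside a 16-bit range. All names (`sad_install`, `sad_alloc_spi`, `cpi_to_spi`), the sample SPI, the range, and the assumption that the sender puts the low 16 bits of the SPI on the wire are constructed for this example.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical toy SAD: 32-bit SPIs stored in network byte order. */
#define SAD_SIZE 8
static uint32_t sad[SAD_SIZE];
static size_t sad_used;

static void sad_reset(void) { sad_used = 0; }

static int sad_lookup(uint32_t spi_net)
{
    for (size_t i = 0; i < sad_used; i++)
        if (sad[i] == spi_net)
            return 1;
    return 0;
}

static int sad_install(uint32_t spi_host)
{
    if (sad_used == SAD_SIZE || sad_lookup(htonl(spi_host)))
        return -1;
    sad[sad_used++] = htonl(spi_host);
    return 0;
}

/* Receive side: widen the 16-bit wire CPI to a 32-bit key, upper bytes zero. */
static uint32_t cpi_to_spi(uint16_t cpi_net)
{
    return htonl((uint32_t)ntohs(cpi_net));
}

/* Key-manager side: take the first free SPI inside [min, max]; 0 if none. */
static uint32_t sad_alloc_spi(uint32_t min, uint32_t max)
{
    for (uint64_t spi = min; spi <= max && sad_used < SAD_SIZE; spi++)
        if (sad_install((uint32_t)spi) == 0)
            return (uint32_t)spi;
    return 0;
}

int main(void)
{
    sad_reset();
    sad_install(0x12345678u);                 /* constructed 4-byte SPI, no range */
    printf("unranged match: %d\n", sad_lookup(cpi_to_spi(htons(0x5678))));
    uint32_t spi = sad_alloc_spi(256, 61439); /* constructed 16-bit range */
    printf("ranged match:   %d\n", sad_lookup(cpi_to_spi(htons((uint16_t)spi))));
    return 0;
}
```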
