Re: [PROBLEM] IPSec: IPComp CPI size

From: James Morris
Date: Thu Aug 14 2003 - 21:51:17 EST

On Fri, 15 Aug 2003, James Morris wrote:

> > a two-byte CPI is sent in the IPComp header. Thus, when an IP packet
> > with IPComp is received, the two-byte CPI is expanded to four bytes and
> > used to index into the SAD. However, since the original SPI that was
> > installed into the SAD was 4 bytes, the kernel does not find a match for
> > the CPI, and thus drops the packet.
> This should be working ok, as two bytes of the internal SPI will simply be
> zero. I've just verified that ipcomp is working in 2.6.0-test3.

Ahh, now I know what you might be seeing: IKE needs to specify the range
of the SPI. Both pfkey and the native xfrm interfaces support this.

- James
James Morris
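
An added illustration of the lookup discussed in this thread, not code from the kernel or from either poster: a toy SAD in C showing why the SPI for an IPComp SA has to be allocated within a range that fits the two-byte CPI. The struct, the function names, the highest-free allocation policy and the low-16-bit truncation on the wire are assumptions made for the example.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>

#define SAD_MAX 8

/* Toy SAD: SPIs stored in network byte order (illustrative, not kernel code). */
struct sad { uint32_t spi[SAD_MAX]; size_t n; };

static int sad_find(const struct sad *s, uint32_t spi_net)
{
    for (size_t i = 0; i < s->n; i++)
        if (s->spi[i] == spi_net)
            return 1;
    return 0;
}

/* Receive path: widen the 2-byte CPI from the IPComp header to a 4-byte
 * lookup key; the upper two bytes are always zero. */
static uint32_t cpi_to_spi(uint16_t cpi_net)
{
    return htonl((uint32_t)ntohs(cpi_net));
}

/* Allocate an SPI in [min, max] (host order). Taking the highest free value
 * is a deterministic stand-in for the allocator's choice. SPI 0 is reserved,
 * so 0 doubles as the failure return. */
static uint32_t sad_alloc_spi(struct sad *s, uint32_t min, uint32_t max)
{
    if (s->n == SAD_MAX || min == 0 || min > max)
        return 0;
    for (uint32_t v = max; v >= min; v--)
        if (!sad_find(s, htonl(v))) {
            s->spi[s->n++] = htonl(v);
            return v;
        }
    return 0;
}

/* Allocate within the given range, put the low 16 bits on the wire as the
 * CPI (assumed truncation), and report whether the receiver finds the SA. */
static int ipcomp_rx_matches(uint32_t min, uint32_t max)
{
    struct sad s = { .n = 0 };
    uint32_t spi = sad_alloc_spi(&s, min, max);
    uint16_t wire_cpi = htons((uint16_t)(spi & 0xffff));

    return spi != 0 && sad_find(&s, cpi_to_spi(wire_cpi));
}
```

With an unrestricted range the stored SPI has non-zero upper bytes and the widened CPI never matches it; with the range capped at 0xffff the same lookup succeeds.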
