pfSense

I'm testing stock FreeBSD 10.3 and will report back.

Test and config pushed here: https://github.com/gvnn3/netperf/tree/master/IPSEC/Tests/iperf-null-ipcomp-nopmc

What I'm seeing is that ipcomp doesn't work at all even in the absence of ESP etc. I'm digging into this now.

It works fine on stock FreeBSD 10.3.

Is this already in the snapshots? Last I checked dataflow is still blocked when I enable IPComp...

Luiz merged the upstream fix for this in 384ae63efc9d676414c45591c9b6095197919513. With the note: "I changed the IPv6 part to use struct ip6protosw and wrote a wrapper for v4 version of ipcomp_nonexp_input()"

latest snapshot with that change exhibits the same behavior. Large packets are fine, small ones are dropped.

Chris Buechler wrote:

We'll leave this as-is for 2.3.1 to avoid introducing any regressions for something that's little-used and off by default. I just pushed a change to not enable ipcomp regardless of config to prevent hitting the issue for 2.3.1.

I understand everything you wrote, except for the “little-used” part. Been using this on just abøut every platform that supports it for years, and most of the time it results in a performance increase well worth checking an option…
…frankly, I wonder why that’s even an option.

Anyway, main point I’m trying to make: it’s being used, so please don’t forget about it….

Also: the current band-aid fix only works when there’s pfSense on both sides of the connection, because generally a connection is only established when the options agree, and if pfSense ignores the setting, but the other side does not, the connection still won’t work and people will pull their hair…

BTW: the release notes for the 3.2 releases don’t list open issues, you could probably save a lot of people hassle and take traffic off the forums, if the release notes would list known issues, not just issues fixed, that way there’s a first document to check if things don’t behave as expected. Took me a while to find the IPComp issue after upgrading to 2.3, since the issue was listed in the blog, but not the release notes.

Is there any progress on this, other than that the target version moves to the next version each time a new version is released? :D
It would improve my network throughput quite a bit, since I'm on a bandwidth limited link...

Is this actually ever going to happen? For three years now, this is just moving from one release to the next, without visible progress, meanwhile, it would improve things were it done...

I have this enabled with other firewall solutions and observed noticeable savings in bandwidth usage. I was hoping to enable this for a site seeing unexpected increase in traffic but it looks like it doesn't work yet with pfsense. Is there a workaround to get IPcomp working?

Ping, Ping, Ping...

Is this thing working? It's been well over three years, different IPSec, kernel, BSD version,...
...and nothing?

Is this ever going to get any attention? I could use the bandwidth savings...

Seeing that 2.5 is progressing, any chance this will finally make it?

Not sure what sort of wide, bandwidth-is-no-issue nets you all are working with, but I have a limited bandwidth and a monthly data limit, so any bit of extra performance and data cap I can squeeze out of the VPN is more than just "nice to have".

Renato Botelho wrote in #note-25:

When it's fixed on FreeBSD we can import the fix and target it to a version

Is there any chance they are actually going to work on it? Is the FreeBSD team even aware of the problem, i.e. is it in their bug tracker? (If so, where?)

Even if IPComp isn't working (as it should), at the very least it never should just silently fail....

Thanks!