Project

General

Profile

Actions

Bug #6167

open

IPsec IPComp not working

Added by Chris Buechler over 8 years ago. Updated 10 months ago.

Status:
Confirmed
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
Start date:
04/15/2016
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.3.x
Affected Architecture:

Description

IPsec connections that enable IPComp end up unable to pass traffic. Egress traffic goes out, ingress comes in, byte counters increment accordingly. Traffic is seen in tcpdump on enc0. But the traffic never makes it past enc0 on ingress. No apparent errors or anything. Multiple users have confirmed, and it's easily replicable by setting up a site to site VPN, verifying it works, then enabling IPComp on both sides.

Actions #2

Updated by Jim Thompson over 8 years ago

  • Assignee set to George Neville-Neil

Assigned to gnn, in case it's related to tryforward.

Actions #3

Updated by Chris Buechler over 8 years ago

I'm testing stock FreeBSD 10.3 and will report back.

Actions #4

Updated by George Neville-Neil over 8 years ago

Test and config pushed here: https://github.com/gvnn3/netperf/tree/master/IPSEC/Tests/iperf-null-ipcomp-nopmc

What I'm seeing is that ipcomp doesn't work at all even in the absence of ESP etc. I'm digging into this now.

Actions #5

Updated by Chris Buechler over 8 years ago

It works fine on stock FreeBSD 10.3.

Actions #6

Updated by Chris Buechler over 8 years ago

  • Status changed from Confirmed to Feedback

Pulled in the patch on https://reviews.freebsd.org/D6062 which gnn has confirmed fixes the issue.

Actions #7

Updated by Ronald Antony over 8 years ago

Is this already in the snapshots? Last I checked dataflow is still blocked when I enable IPComp...

Actions #8

Updated by Chris Buechler over 8 years ago

  • Status changed from Feedback to Confirmed

patch broke the build of cryptostats so was reverted.

Actions #9

Updated by Chris Buechler over 8 years ago

Luiz merged the upstream fix for this in 384ae63efc9d676414c45591c9b6095197919513. With the note: "I changed the IPv6 part to use struct ip6protosw and wrote a wrapper for v4 version of ipcomp_nonexp_input()"

latest snapshot with that change exhibits the same behavior. Large packets are fine, small ones are dropped.

Actions #10

Updated by Chris Buechler over 8 years ago

  • Target version changed from 2.3.1 to 2.3.2

We'll leave this as-is for 2.3.1 to avoid introducing any regressions for something that's little-used and off by default. I just pushed a change to not enable ipcomp regardless of config to prevent hitting the issue for 2.3.1.

Actions #11

Updated by Ronald Antony over 8 years ago

Chris Buechler wrote:

We'll leave this as-is for 2.3.1 to avoid introducing any regressions for something that's little-used and off by default. I just pushed a change to not enable ipcomp regardless of config to prevent hitting the issue for 2.3.1.

I understand everything you wrote, except for the “little-used” part. Been using this on just abøut every platform that supports it for years, and most of the time it results in a performance increase well worth checking an option…
…frankly, I wonder why that’s even an option.

Anyway, main point I’m trying to make: it’s being used, so please don’t forget about it….

Also: the current band-aid fix only works when there’s pfSense on both sides of the connection, because generally a connection is only established when the options agree, and if pfSense ignores the setting, but the other side does not, the connection still won’t work and people will pull their hair…

BTW: the release notes for the 3.2 releases don’t list open issues, you could probably save a lot of people hassle and take traffic off the forums, if the release notes would list known issues, not just issues fixed, that way there’s a first document to check if things don’t behave as expected. Took me a while to find the IPComp issue after upgrading to 2.3, since the issue was listed in the blog, but not the release notes.

Actions #12

Updated by Chris Buechler over 8 years ago

  • Target version changed from 2.3.2 to 2.4.0
  • Affected Version changed from 2.3 to 2.3.x
Actions #13

Updated by Jim Pingle over 7 years ago

  • Target version changed from 2.4.0 to 2.4.1
Actions #14

Updated by Jim Pingle about 7 years ago

  • Target version changed from 2.4.1 to 2.4.2
Actions #15

Updated by Jim Pingle about 7 years ago

  • Target version changed from 2.4.2 to 2.4.3
Actions #16

Updated by Jim Pingle almost 7 years ago

  • Target version changed from 2.4.3 to 2.4.4
Actions #17

Updated by Ronald Antony over 6 years ago

Is there any progress on this, other than that the target version moves to the next version each time a new version is released? :D
It would improve my network throughput quite a bit, since I'm on a bandwidth limited link...

Actions #18

Updated by Jim Pingle about 6 years ago

  • Target version changed from 2.4.4 to 2.4.4-GS
Actions #19

Updated by Jim Pingle almost 6 years ago

  • Target version changed from 2.4.4-GS to 48
Actions #20

Updated by Jim Pingle over 5 years ago

  • Target version changed from 48 to 2.5.0
Actions #21

Updated by Ronald Antony over 5 years ago

Is this actually ever going to happen? For three years now, this is just moving from one release to the next, without visible progress, meanwhile, it would improve things were it done...

Actions #22

Updated by Adam Gibson about 5 years ago

I have this enabled with other firewall solutions and observed noticeable savings in bandwidth usage. I was hoping to enable this for a site seeing unexpected increase in traffic but it looks like it doesn't work yet with pfsense. Is there a workaround to get IPcomp working?

Actions #23

Updated by Ronald Antony almost 5 years ago

Ping, Ping, Ping...

Is this thing working? It's been well over three years, different IPSec, kernel, BSD version,...
...and nothing?

Is this ever going to get any attention? I could use the bandwidth savings...

Actions #24

Updated by Ronald Antony over 4 years ago

Seeing that 2.5 is progressing, any chance this will finally make it?

Not sure what sort of wide, bandwidth-is-no-issue nets you all are working with, but I have a limited bandwidth and a monthly data limit, so any bit of extra performance and data cap I can squeeze out of the VPN is more than just "nice to have".

Actions #25

Updated by Renato Botelho about 4 years ago

  • Target version changed from 2.5.0 to Future

When it's fixed on FreeBSD we can import the fix and target it to a version

Actions #26

Updated by Ronald Antony over 1 year ago

Renato Botelho wrote in #note-25:

When it's fixed on FreeBSD we can import the fix and target it to a version

Is there any chance they are actually going to work on it? Is the FreeBSD team even aware of the problem, i.e. is it in their bug tracker? (If so, where?)

Even if IPComp isn't working (as it should), at the very least it never should just silently fail....

Thanks!

Actions #27

Updated by Marcos M 10 months ago

  • Assignee deleted (George Neville-Neil)

Some basic testing on 23.09.1 shows it works for policy-based tunnels, but not for route-based tunnels (VTI). Here's a test patch to try it out (enabled under IPsec Advanced Settings and per Phase 2): Show

Additional testing is needed such as with different (ESP/AH), algorithm types (-GCM and non -GCM), accelerators (IIMB/QAT/AES-NI), and filtering modes (VTI/tunnel).

Actions

Also available in: Atom PDF