Thanks for your help, Thomas.
I am sorry for not including the details of this question in my first mail.
The Strongswan and Linux release version information for my test system is as
follows.


OS: I am running two IPsec boxes with openSUSE 11.3.
Strongswan: also using the openSUSE default 5.0.1 release (possibly in the
openSUSE 11.3 DVD image).
IPsec box config file: 'compress=yes' and 'forceencaps=yes' in /etc/ipsec.conf.


The debug messages from the running ipsec indicated 'IPComp is not supported
if either peer is natted, IPComp disabled'.


Recently I've checked the source code, and the message about 'IPComp is not
supported if either peer is natted.....' is placed in the function
'add_ipcomp_notify' of 'child_create.c', line 683.


From your information, I've checked Strongswan 5.1.1 and this warning message 
was removed already.


That is why I want to know whether this warning message from the early
Strongswan release version is caused by the Linux implementation or the IPsec
standard.


Strongswan 5.0.1
-------------------
static void add_ipcomp_notify(private_child_create_t *this,
                              message_t *message, u_int8_t ipcomp)
{
        if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
        {
                DBG1(DBG_IKE, "IPComp is not supported if either peer is natted, "
                         "IPComp disabled");
                return;
        }

        this->my_cpi = this->child_sa->alloc_cpi(this->child_sa);
        if (this->my_cpi)
        {
                this->ipcomp = ipcomp;
                message->add_notify(message, FALSE, IPCOMP_SUPPORTED,
                                chunk_cata("cc", chunk_from_thing(this->my_cpi),
                                           chunk_from_thing(ipcomp)));
        }
        else
        {
                DBG1(DBG_IKE, "unable to allocate a CPI from kernel, IPComp disabled");
        }
}

-------------------


Strongswan 5.1.1
-------------------
/**
 * Adds an IPCOMP_SUPPORTED notify to the message, allocating a CPI
 */
static void add_ipcomp_notify(private_child_create_t *this,
                              message_t *message, u_int8_t ipcomp)
{
        this->my_cpi = this->child_sa->alloc_cpi(this->child_sa);
        if (this->my_cpi)
        {
                this->ipcomp = ipcomp;
                message->add_notify(message, FALSE, IPCOMP_SUPPORTED,
                                chunk_cata("cc", chunk_from_thing(this->my_cpi),
                                           chunk_from_thing(ipcomp)));
        }
        else
        {
                DBG1(DBG_IKE, "unable to allocate a CPI from kernel, IPComp disabled");
        }
}

------------------- 


Best regards.
Robin.


------------------ Original ------------------
From:  "Thomas Klute";<[email protected]>;
Date:  Sun, Dec 22, 2013 09:53 PM
To:  "dev"<[email protected]>; 

Subject:  Re: [strongSwan-dev] Question about Nat and IPcomp



On 20.12.2013 03:59, Robin wrote:
> Hello everyone, I am a new member here.
> When I use strongswan I find some conflict between IPcomp and UDP
> encapsulation.
>
> After I checked the mailing list, someone says it's a Linux implementation bug
> but no one points out what the problem exactly is.
>
> Is this problem caused by the RFCs (IPcomp and UDP encapsulation) or the
> original IPsec implementation?

I have a working setup with both NAT traversal and IPcomp, so I'm fairly
sure that there is no fundamental conflict between the two. ;-)

If you can provide more information about your problem, like error
messages, kernel and Strongswan versions, configuration and log files
(make sure to remove private information, e.g. encryption keys!),
someone here might be able to help you.

Regards,
Thomas

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev