On Thu, Dec 20, 2018 at 6:54 PM Theodore Wynnychenko <t...@uchicago.edu> wrote:
> Then, I took the advice above, and disable ipcomp on the tunnel, and, BAHM, 
> https (and imaps) were working without an issue from openbsd, Windows 7, and 
> Macs!
>
> Just to be sure, I updated this am to the 12/19 amd64 snapshot.
>
> When I turn on ipcomp, https/imaps hangs for most connections; when I turn 
> ipcomp off, https/imaps works.

I can confirm this behavior.  I've set up a simple RSA key VPN as
described at http://www.openbsd.org/faq/faq17.html#site2site, which
does not include ipcomp by default, and everything works fine,
including https.  After reading this I decided to test enabling
ipcomp, and sure enough, loading an https page across the VPN fails.
With ipcomp I also see some "unprotected" packets when running tcpdump
on enc0, e.g.:
13:32:19.600062 (authentic,confidential): SPI 0xee345270:
10.95.10.236.57254 > 10.95.0.233.443: P 273:518(245) ack 5604 win 455
<nop,nop,timestamp 1069884950 61011946> (DF) (encap)
13:32:19.614996 (unprotected): SPI 0x00005a04: 10.95.0.233.443 >
10.95.10.236.57254: . 5604:7052(1448) ack 518 win 252 <nop,nop,
timestamp 61011950 1069884950> (DF) (encap)

I don't know why that is happening, but as everything seems to work
well and perform decently without ipcomp, I'll be leaving it disabled.

> I noticed that the last change to sys/netinet/ip_ipcomp.c (I am guessing this 
> is the code that is involved) in the log (I think) was about 3 months ago, 
> and at this point, I can't recall if my last update (prior to the one where 
> the instability began) was before or after that change.
>
> I was going to try to recompile it with the change undone, but am not sure 
> how to do that, or even if it can be done for just that one part of sys.

Yes, just use git or cvs (whatever you checked out the code with) to
fetch an earlier revision of that file (not the whole repo) and then
build a new kernel.  Sometimes you'd need to also revert other related
changes, but that does not appear to be the case here, assuming you're
referring to [1].  Note that some previous commits did touch multiple
files.

> And, after removing ipcomp from iked.conf, my subjective observation is that 
> things load a lot faster than they seemed to in the past with ipcomp on; so, 
> I am happy with where I am.
>
> I was just posting my observations in case anyone else has a similar issue.

Thank you for sharing.  I had (I think) been using ipcomp in my old
ikev1 (ipsec.conf/isakmpd) setup but had not yet gotten around to
enabling it in the ikev2 setup.  Based on this, I won't bother.


-Andrew

[1] https://github.com/openbsd/src/commit/4b5fa55
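The single-file revert and kernel rebuild described above, written out as an added example. This is not code from the thread or from the OpenBSD project; it assumes the usual /usr/src checkout, a GENERIC.MP kernel configuration and doas, and the function names (prev_cvs_rev, revert_one_file, rebuild_kernel) are this example's own. The commit id 4b5fa55 is the one cited in [1]; the CVS revision numbers used in the comments are made up for illustration.

```shell
#!/bin/sh
# Added example: back out ONE kernel source file to its previous revision and
# rebuild the kernel on OpenBSD. Assumed: sources in /usr/src, GENERIC.MP, doas.

# Given a main-branch CVS revision like "1.45", print the one before it ("1.44").
# Main-branch revisions advance by one per commit, so the pre-change revision of
# a single-file commit is minor-1. Branch revisions (1.2.3.4) and 1.1 are refused.
prev_cvs_rev() {
    rev=$1
    case "$rev" in
        *.*.*) echo "branch revision not handled: $rev" >&2; return 1 ;;
    esac
    major=${rev%.*}
    minor=${rev##*.}
    [ "$minor" -gt 1 ] || { echo "no revision before $rev" >&2; return 1; }
    echo "$major.$((minor - 1))"
}

# Fetch the pre-change revision of one file, leaving the rest of the tree as is.
#   git mirror: pass the commit that made the change (4b5fa55 from [1]);
#               "<commit>^" is its parent, i.e. the file before the change.
#   cvs:        pass the file's current revision from "cvs log <file>";
#               the helper above picks the previous one.
revert_one_file() {
    file=$1     # path relative to /usr/src, e.g. sys/netinet/ip_ipcomp.c
    ref=$2      # git commit id, or current CVS revision such as "1.45" (made up)
    cd /usr/src || return 1
    if [ -d .git ]; then
        git checkout "${ref}^" -- "$file"
        git status --short            # confirm only this file is modified
    else
        old=$(prev_cvs_rev "$ref") || return 1
        # -r pins the file to that revision (sticky tag); "cvs up -A $file"
        # returns it to the trunk once testing is done.
        cvs -q update -r "$old" "$file"
        cvs -q status "$file"
    fi
}

# Build and install a kernel from the modified tree (the faq5 procedure).
# "make install" keeps the previously running kernel as /obsd for fallback.
rebuild_kernel() {
    cd "/usr/src/sys/arch/$(machine)/compile/GENERIC.MP" || return 1
    doas make obj && doas make config && doas make && doas make install
}

# Typical sequence (commented out so the file defines functions only):
#   revert_one_file sys/netinet/ip_ipcomp.c 4b5fa55   # git checkout
#   revert_one_file sys/netinet/ip_ipcomp.c 1.45      # cvs checkout (rev made up)
#   rebuild_kernel && doas reboot
```

Before building, check that the single file is the only local change (git status, or cvs diff on the tree); if the commit in [1] had touched other files, as some earlier commits to this code did, those would need the same treatment. After the test, restore the file (git checkout -- the path, or cvs up -A the path) and rebuild so the tree is back in sync.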
