tech-net archive


Re: IPv6 + tunnel + ESP + IPcomp?



> While I can get an IPv4+IPcomp+ESP interop between NetBSD and Linux to
> work, I can't say the same for IPv6+IPcomp+ESP.
>
> Now presumably this is just some mistake on my part, and a look at the
> IPv6 + IPcomp + ESP test will reveal all.  Except that is only testing
> NetBSD-NetBSD and for me my config that seems to work.

Yea.

I found two quirks:

- the test adds transport entries with no address, viz:
      esp/transport//require
  whereas I was including them, viz:
      esp/transport/fc00::1-fc00::2/require
  setkey(8) waffles on this but draft-schilcher-mobike-pfkey-extension-01
  says don't (lots of examples on the interweb do)

  leaving this out made no difference

- kern/56833 meant that I was ending up with an esp entry like:
  2001:db8:1:2::23 2001:db8:1:2::45
        esp mode=tunnel spi=182168845(0x0adbad0d) reqid=0(0x00000000)
  when it should have had mode=transport

   like the test, setting it to mode=any made no difference

  It's worth noting that IPv4 -> IPcomp -> ESP -> IPv4 tunnels with
this set wrong do interop (with small packets at least).  Scary.

With these tweaks I'm left with one difference - I configure aes-sha1
whereas the test configures just aes (ulgh).

So.

Is IPv6 -> IPcomp -> ESP(aes-sha1) known to interop?

> So before I dig further, has IPv6 IPsec ESP been shown to interop
> with non NetBSD systems?
>
> > I tend to do transport mode ipsec and use GRE when I tunnel.
> >
> > Andy
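
Added example, not part of the original message or of NetBSD's test suite: a small checker for the two quirks described above, flagging transport-mode policy requests that carry endpoint addresses and SAs whose mode disagrees with the policy request for the same protocol. It assumes the two-line SA shape quoted in the message and the protocol/mode/src-dst/level request form; the function names and both sample inputs are constructed for illustration.

```python
import re

# Constructed SA dump in the two-line shape quoted in the message.
SAMPLE_SAD = """\
2001:db8:1:2::23 2001:db8:1:2::45
        esp mode=tunnel spi=182168845(0x0adbad0d) reqid=0(0x00000000)
2001:db8:1:2::45 2001:db8:1:2::23
        esp mode=transport spi=4096(0x00001000) reqid=0(0x00000000)
"""
# Constructed policy requests (protocol/mode/src-dst/level).
SAMPLE_POLICY = "ipcomp/tunnel/fc00::1-fc00::2/use esp/transport//require"

REQ_RE = re.compile(r"^(esp|ah|ipcomp)/(transport|tunnel)/([^/]*)/(\w+)$")
SA_RE = re.compile(r"^\s+(esp|ah|ipcomp)\s+mode=(\w+)\s+spi=(\d+)")

def parse_requests(policy):
    """Return (proto, mode, endpoints, level) for each policy request."""
    reqs = []
    for tok in policy.split():
        m = REQ_RE.match(tok)
        if m is None:
            raise ValueError(f"unrecognised policy request: {tok!r}")
        reqs.append(m.groups())
    return reqs

def parse_sad(dump):
    """Return (src, dst, proto, mode, spi) for each SA in the dump."""
    sas, pair = [], None
    for line in dump.splitlines():
        m = SA_RE.match(line)
        if m and pair:
            sas.append((*pair, m.group(1), m.group(2), int(m.group(3))))
        elif line and not line[0].isspace():
            parts = line.split()
            pair = tuple(parts) if len(parts) == 2 else None
    return sas

def audit(policy, dump):
    """List policy/SA inconsistencies of the two kinds the message describes."""
    reqs, findings = parse_requests(policy), []
    for proto, mode, ends, _level in reqs:
        if mode == "transport" and ends:
            findings.append(f"policy: {proto}/transport names endpoints {ends}")
    wanted = {proto: mode for proto, mode, _e, _l in reqs}
    for src, dst, proto, mode, spi in parse_sad(dump):
        # An SA with mode=any is accepted for either policy mode.
        if proto in wanted and mode not in (wanted[proto], "any"):
            findings.append(f"sa: {proto} spi={spi:#010x} {src} -> {dst} "
                            f"mode={mode}, policy wants {wanted[proto]}")
    return findings
```

Running `audit()` on both peers before an interop test shows whether a mode mismatch is present, which matters because, as the message notes, a mismatched tunnel can still pass small packets.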

