
Order of IPCOMP encapsulation



Hello there.

I have had a shot at implementing IPCOMP (Deflate) into FreeS/WAN, and it
has been working flawlessly for a couple of months between 2 FreeS/WAN
gateways.
However, I ran into a problem when trying to communicate with PGPNet.
Transport mode between PGPNet and FS works fine, but tunnel mode does not,
because I have used a different ordering of the IPCOMP encapsulation than
PGPNet has.

PGPNet does ESP(IPCOMP(IPIP(payload))), while I have done
ESP(IPIP(IPCOMP(payload))).

My implementation has no problem decoding packets from PGPNet, but PGPNet
rejects my packets.

I wondered what would be the most correct order of doing the IPCOMP
processing.

RFC2393 states that IPCOMP must be done before any IPSec processing. While
IPIP tunnelling isn't strictly an IPSec protocol, it nevertheless is a part
of FreeS/Wan, and other IPSec implementations, I suspect, so that statement
seems a bit ambiguous to me.

Also, RFC2393 proposes to use ISAKMP to negotiate an IPCA (which I also do)
together with an IPSec SA. Since IPIP encapsulation is negotiated as an
attribute (ENCAPSULATION_MODE_TUNNEL) of the ESP transform, it would suggest
to me that ESP and IPIP should be closely tied together. Thus, putting
IPCOMP in between seems incorrect to me.

OTOH, doing the compression after the IPIP encapsulation may gain a few more
bytes of compression.

I wondered if anybody on the lists has any comments about this?
How do other implementations do it?

Cheers,
Svenning
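The two encapsulation orders discussed in the post, as an added example that is not FreeS/WAN or PGPNet code: IPComp per RFC 2393 (raw DEFLATE, well-known CPI 2 from RFC 2394) and IPIP applied in each order, plus a receiver that peels the layers in whichever order they arrive. ESP itself is not modelled; each order function returns the bytes that would be handed to ESP, and the gateway addresses and inner datagram are constructed.

```python
import struct
import zlib

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_IPCOMP = 4, 17, 108
CPI_DEFLATE = 2  # well-known CPI for DEFLATE (RFC 2394)
GW_A, GW_B = b"\xc0\xa8\x01\x01", b"\xc0\xa8\x02\x01"  # constructed gateway addresses

def ipv4(proto, payload, src, dst):
    # Minimal 20-byte IPv4 header; checksum left zero in this constructed example
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def rehdr(hdr, proto, payload_len):
    # Same IPv4 header with a new protocol field and total length
    return hdr[:2] + struct.pack("!H", 20 + payload_len) + hdr[4:9] + bytes([proto]) + hdr[10:]

def ipcomp(pkt):
    """RFC 2393 IPComp on IPv4: raw-DEFLATE everything after the IP header,
    prepend the 4-byte IPComp header (next header, flags, CPI), protocol = 108.
    The packet is sent unchanged when compression would not shrink it."""
    hdr, body = pkt[:20], pkt[20:]
    c = zlib.compressobj(wbits=-15)
    comp = c.compress(body) + c.flush()
    if len(comp) + 4 >= len(body):
        return pkt
    return rehdr(hdr, IPPROTO_IPCOMP, 4 + len(comp)) + struct.pack("!BBH", hdr[9], 0, CPI_DEFLATE) + comp

def ipcomp_decode(pkt):
    nxt, flags, cpi = struct.unpack("!BBH", pkt[20:24])
    if flags != 0 or cpi != CPI_DEFLATE:
        raise ValueError("unsupported IPComp header")
    plain = zlib.decompress(pkt[24:], wbits=-15)
    return rehdr(pkt[:20], nxt, len(plain)) + plain

def pgpnet_order(inner):    # ESP(IPCOMP(IPIP(payload))): compress the tunnelled packet
    return ipcomp(ipv4(IPPROTO_IPIP, inner, GW_A, GW_B))

def freeswan_order(inner):  # ESP(IPIP(IPCOMP(payload))): compress first, then tunnel
    return ipv4(IPPROTO_IPIP, ipcomp(inner), GW_A, GW_B)

def decode_either(esp_payload):
    # Receiver that strips IPIP or IPComp in whatever order they were applied
    pkt = esp_payload
    while pkt[9] in (IPPROTO_IPIP, IPPROTO_IPCOMP):
        pkt = pkt[20:] if pkt[9] == IPPROTO_IPIP else ipcomp_decode(pkt)
    return pkt

def sample_inner():
    # Constructed, highly compressible inner UDP datagram between two subnet hosts
    udp = struct.pack("!HHHH", 5000, 5001, 8 + 256, 0) + b"0123456789abcdef" * 16
    return ipv4(IPPROTO_UDP, udp, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
```

Note that the ESP next-header value also differs between the two orders (108 for IPComp outermost, 4 for IPIP outermost), which is what a peer expecting one order sees first.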


