Bug 11550 - strongswan: IPsec tunnels don't pass any traffic when compression is enabled with kernel 4.14
Summary: strongswan: IPsec tunnels don't pass any traffic when compression is enabled ...
Status: CLOSED FIXED
Alias: None
Product: IPFire
Classification: Unclassified
Component: --- (show other bugs)
Version: 2
Hardware: unspecified Unspecified
: Will affect most users Crash
Assignee: Michael Tremer
QA Contact: Arne.F
URL:
Keywords:
Depends on:
Blocks: KERNEL414
  Show dependency treegraph
 
Reported: 2017-11-29 14:21 UTC by Michael Tremer
Modified: 2018-02-20 12:35 UTC (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Tremer 2017-11-29 14:21:28 UTC
As soon as compression is disabled, traffic is being passed through the tunnels again.
Comment 1 Tom Rymes 2017-12-17 00:49:40 UTC
Is this related to this note included with 4.14?

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/tree/Documentation/networking/ipsec.txt?h=v4.14.6

"Here documents known IPsec corner cases which need to be keep in mind when
deploy various IPsec configuration in real world production environment.

1. IPcomp: Small IP packet won't get compressed at sender, and failed on
	   policy check on receiver.

Quote from RFC3173:
2.2. Non-Expansion Policy

   If the total size of a compressed payload and the IPComp header, as
   defined in section 3, is not smaller than the size of the original
   payload, the IP datagram MUST be sent in the original non-compressed
   form.  To clarify: If an IP datagram is sent non-compressed, no

   IPComp header is added to the datagram.  This policy ensures saving
   the decompression processing cycles and avoiding incurring IP
   datagram fragmentation when the expanded datagram is larger than the
   MTU.

   Small IP datagrams are likely to expand as a result of compression.
   Therefore, a numeric threshold should be applied before compression,
   where IP datagrams of size smaller than the threshold are sent in the
   original form without attempting compression.  The numeric threshold
   is implementation dependent.

Current IPComp implementation is indeed by the book, while as in practice
when sending non-compressed packet to the peer(whether or not packet len
is smaller than the threshold or the compressed len is large than original
packet len), the packet is dropped when checking the policy as this packet
matches the selector but not coming from any XFRM layer, i.e., with no
security path. Such naked packet will not eventually make it to upper layer.
The result is much more wired to the user when ping peer with different
payload length.

One workaround is try to set "level use" for each policy if user observed
above scenario. The consequence of doing so is small packet(uncompressed)
will skip policy checking on receiver side."
Comment 2 Michael Tremer 2017-12-18 14:42:44 UTC
Unfortunately I cannot reproduce this. When I try to ping through the tunnel with larger packets, they still won't show up in the packet counters and I do not see any outgoing packets at all. Neither compressed nor non-compressed.

That tells us that the problem is on the local side though which is at least something.

When pinging back from the remote site, packets are coming in and are also shown in the packet counters. However, there are no responses going out.
Comment 3 Tom Rymes 2017-12-18 15:15:53 UTC
We have multiple units in the field testing 4.14.2 from Arne F and they are working with IPsec with compression disabled.
Comment 4 Michael Tremer 2017-12-29 14:42:01 UTC
Timo just confirmed that this is a problem with the default Gentoo kernel. There is also a post on the strongswan mailing list about Debian. Therefore we can say that this isn't an IPFire problem.

> https://lists.strongswan.org/pipermail/users/2017-December/011941.html
Comment 5 Michael Tremer 2018-02-20 00:57:53 UTC
https://wiki.strongswan.org/issues/2478