I have just got ipcomp working between 2 hosts as follows:
- Install the ipsec-tools program
- Add the following config to /etc/ipsec-tools.d/peername.conf:
    spdadd MY_IP PEER_IP any -P out ipsec ipcomp/transport//use;
    add MY_IP PEER_IP ipcomp 1000 -m transport -C deflate;
    spdadd PEER_IP MY_IP any -P in ipsec ipcomp/transport//use;
    add PEER_IP MY_IP ipcomp 1000 -m transport -C deflate;
- Run /etc/init.d/setkey restart
- Repeat for the other end
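A small POSIX shell helper, added here and not part of the original post, that prints the setkey configuration for one side of the pair; the other end is the same call with the two addresses swapped, which is what "repeat for the other end" amounts to. SPI 1000, deflate and the "use" level are the post's values; the flush lines, the optional SPI/level parameters, the file-writing wrapper and the 192.0.2.x addresses are my additions.

```shell
#!/bin/sh
# Print setkey(8) config for one host of an IPComp transport-mode pair.
# usage: gen_ipcomp_conf MY_IP PEER_IP [SPI] [LEVEL]
gen_ipcomp_conf() {
    my_ip="$1"
    peer_ip="$2"
    spi="${3:-1000}"      # SPI 1000 as in the post; must match on both ends
    level="${4:-use}"     # "use": small, uncompressed packets are still accepted
    cat <<EOF
# added: clear old SAs and policies so a restart is idempotent
flush;
spdflush;
# outbound: compress with deflate where the kernel decides it is worthwhile
spdadd $my_ip $peer_ip any -P out ipsec ipcomp/transport//$level;
add $my_ip $peer_ip ipcomp $spi -m transport -C deflate;
# inbound: mirror of the outbound policy and SA
spdadd $peer_ip $my_ip any -P in ipsec ipcomp/transport//$level;
add $peer_ip $my_ip ipcomp $spi -m transport -C deflate;
EOF
}

# Write the config into a directory (normally /etc/ipsec-tools.d) and echo
# the path. usage: write_ipcomp_conf DIR NAME MY_IP PEER_IP [SPI] [LEVEL]
write_ipcomp_conf() {
    dir="$1"
    name="$2"
    shift 2
    gen_ipcomp_conf "$@" > "$dir/$name.conf"
    echo "$dir/$name.conf"
}

# Example with constructed documentation-range addresses; on the peer,
# swap the two addresses. After "/etc/init.d/setkey restart", check with
# "setkey -DP" (policies) and "setkey -D" (the two ipcomp SAs).
# write_ipcomp_conf /etc/ipsec-tools.d peername 192.0.2.1 192.0.2.2
```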
Since ipsec does not compress small packets, it does not work through a stateful firewall, since some packets will come through as TCP/UDP packets, and others will come through as IPCOMP packets. This is the reason why the last option in spdadd is "use" instead of "require".