From mboxrd@z Thu Jan 1 00:00:00 1970
From: Serguei Ivantsov
Subject: IPSec tunnels with compression are broken since 4.14
Date: Sun, 24 Dec 2017 23:20:34 +0200
Message-ID: <649412da69e9f89340085af638f88f3d@gsc-game.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Content-Transfer-Encoding: 7bit
To: netdev@vger.kernel.org
Return-path:
Received: from mail.gsc-game.com ([5.9.10.59]:35443 "EHLO mail.gsc-game.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1751661AbdLXVsS (ORCPT );
	Sun, 24 Dec 2017 16:48:18 -0500
Received: from localhost ([127.0.0.1]:51552 helo=mail.gsc-game.com)
	by mail.gsc-game.com with esmtp (Exim 4.90) (envelope-from )
	id 1eTDhC-0001nt-Rs for netdev@vger.kernel.org;
	Sun, 24 Dec 2017 22:20:34 +0100
Sender: netdev-owner@vger.kernel.org
List-ID:

Hi,

Found weird issue starting from 4.14 kernels.
IPSec tunnels with IPComp enabled are not working.
There are a couple of similar reports in strongSwan's wiki and mailing list.
Resolution is simple - disable compression.

I have tested all kernels from 4.14 to 4.14.8 - does not work.
But works fine with any earlier kernel like 4.13.x.
Both ikev1 and ikev2 are affected.

According to ipsec statusall, connection was established, but no traffic
routed - can't ping, etc.

rt6-center[6]: ESTABLISHED 3 minutes ago, XX.XX.XX.XX[rt6]...YY.YY.YY.YY[center]
rt6-center[6]: IKEv2 SPIs: d7bd02a630bcd9b9_i 676e1ad3da512c68_r*, rekeying in 2 hours
rt6-center[6]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
rt6-center{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c1b5ec2b_i ce572160_o, IPCOMP CPIs: 2c8c_i 0ca7_o
rt6-center{2}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 35 minutes
rt6-center{2}: XX.XX.XX.XX/32 === 10.1.0.1/32

Regards,
Serguei
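
Added example, not part of the original message and not strongSwan code: a check that flags the symptom reported above, a CHILD_SA that is INSTALLED with IPComp negotiated but shows zero bytes in both directions in `ipsec statusall`. The function names and the "lab-nocomp" sample SA are assumptions made for illustration; zero counters are only meaningful once traffic has been attempted over the tunnel.

```python
import re
from collections import defaultdict

# Sample `ipsec statusall` output. The rt6-center lines are from the report
# above; the "lab-nocomp" SA is constructed here for contrast.
SAMPLE = """\
rt6-center[6]: ESTABLISHED 3 minutes ago, XX.XX.XX.XX[rt6]...YY.YY.YY.YY[center]
rt6-center{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c1b5ec2b_i ce572160_o, IPCOMP CPIs: 2c8c_i 0ca7_o
rt6-center{2}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 35 minutes
rt6-center{2}: XX.XX.XX.XX/32 === 10.1.0.1/32
lab-nocomp{3}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: 11111111_i 22222222_o
lab-nocomp{3}: AES_CBC_128/HMAC_SHA2_256_128, 840 bytes_i (10 pkts, 2s ago), 840 bytes_o (10 pkts, 2s ago), rekeying in 40 minutes
lab-nocomp{3}: 10.9.0.1/32 === 10.9.0.2/32
"""

# CHILD_SA lines are printed as name{id}; IKE_SA lines use name[id].
CHILD_LINE = re.compile(r"^\s*(?P<name>\S+?)\{(?P<id>\d+)\}:\s+(?P<rest>.*)$")
BYTES = re.compile(r"(\d+) bytes_([io])")

def parse_child_sas(text):
    """Collect state, IPComp use and byte counters per CHILD_SA."""
    sas = defaultdict(lambda: {"installed": False, "ipcomp": False, "bytes": {}})
    for line in text.splitlines():
        m = CHILD_LINE.match(line)
        if not m:
            continue  # IKE_SA or unrelated line
        sa = sas[(m["name"], int(m["id"]))]
        rest = m["rest"]
        sa["installed"] |= rest.startswith("INSTALLED")
        sa["ipcomp"] |= "IPCOMP CPIs:" in rest
        for count, direction in BYTES.findall(rest):
            sa["bytes"][direction] = int(count)
    return dict(sas)

def stalled_ipcomp_sas(text):
    """Return CHILD_SAs with IPComp that are installed but carried no bytes."""
    return sorted(
        f"{name}{{{sa_id}}}"
        for (name, sa_id), sa in parse_child_sas(text).items()
        if sa["installed"] and sa["ipcomp"]
        and sa["bytes"].get("i") == 0 and sa["bytes"].get("o") == 0
    )

if __name__ == "__main__":
    for sa in stalled_ipcomp_sas(SAMPLE):
        print(f"{sa}: IPComp negotiated, installed, no bytes in either direction")
```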