From owner-freebsd-net@FreeBSD.ORG  Thu Jul 23 20:42:13 2009
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 736291065686
	for <freebsd-net@freebsd.org>; Thu, 23 Jul 2009 20:42:13 +0000 (UTC)
	(envelope-from if@xip.at)
Received: from chile.gbit.at (ns1.xip.at [193.239.188.99])
	by mx1.freebsd.org (Postfix) with ESMTP id AD7BA8FC1F
	for <freebsd-net@freebsd.org>; Thu, 23 Jul 2009 20:42:11 +0000 (UTC)
	(envelope-from if@xip.at)
Received: (qmail 30177 invoked from network); 23 Jul 2009 22:15:30 +0200
Received: from unknown (HELO filebunker.xip.at) (86.59.10.180)
	by chile.gbit.at with (DHE-RSA-AES256-SHA encrypted) SMTP;
	23 Jul 2009 22:15:30 +0200
Date: Thu, 23 Jul 2009 22:15:25 +0200 (CEST)
From: Ingo Flaschberger <if@xip.at>
To: freebsd-net@freebsd.org
Message-ID: <alpine.LFD.1.10.0907232208260.25323@filebunker.xip.at>
User-Agent: Alpine 1.10 (LFD 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Cc: vanhu@FreeBSD.org
Subject: natt (again) in 7.2 stable and a forticlient
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2009 20:42:13 -0000

Dear Yvan,

I have tried to get natt at freebsd 7.2 stable with your patch
http://people.freebsd.org/~vanhu/NAT-T/patch-natt-7.2-2009-05-12.diff
and ipsec-tools 0.7.2 and 0.8-alpha20090525+natt running,
but have no success.

negotiation works, but traffic from forticlient gives
esp_input_cb: authentication hash mismatch for packet in SA x.x.x.x/009320d9
error.

Also there is no traffic seen incoming at the forticlient, but leaves the 
freebsd-box.

I have tried to figure out changes at freebsd 8.0 and the patchset
http://people.freebsd.org/~bz/20090523-04-natt.diff, but that is at some
places new code.

Do you have any idea what breaks?
Will it work at 8.0? and does it make sense to go with 8.0?
(have seen some other ipsec patches from you that address stability)

Kind regards,
 	Ingo Flaschberger