Date:      Fri, 22 Jan 2010 14:19:37 +0100
From:      VANHULLEBUS Yvan <vanhu@FreeBSD.org>
To:        David Murray <david000@davidmurray.name>
Cc:        freebsd-stable@freebsd.org
Subject:   Re:  IPSec NAT-T in transport mode
Message-ID:  <20100122131937.GA50007@zeninc.net>
In-Reply-To: <hj9vps$dnm$1@ger.gmane.org>
References:  <659350866.20100120151602@mail.ru> <4B5703A3.6010507@cyb0rg.org> <hj9vps$dnm$1@ger.gmane.org>

Hi.

On Thu, Jan 21, 2010 at 04:36:12PM +0000, David Murray wrote:
[...]
> On 2010-01-20 Wed 1:22 pm, Crest wrote:
> 
> >Yes the NAT-T Patch has been integrated into FreeBSD 8.0.
> >
> >Just rebuild your kernel with these options:
> >device crypto # IPsec depends on this
> >options IPSEC
> >options IPSEC_DEBUG
> >options IPSEC_NAT_T
> 
> I'm trying to do the same thing as the OP, so thanks for these replies.
> 
> However, they seem to be at odds.  Are we saying that the NAT-T patch is 
> there, but is missing checksum re-calculation, so MPD's packets are 
> going to be discarded?

Yes, see my other mail in this thread.


> (FWIW, this seems to be what happens.  All the negotiation to set up 
> IPSEC SAs happens, but MPD's log never shows a single entry.  I hadn't 
> got as far as packet dumps when this thread popped up.)

And if you have a look at system stats, you'll see lots of UDP packets
dropped because of invalid checksums....


Yvan.
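
The system-stats check mentioned in the message above, as an added example that is not part of the original e-mail: it compares two snapshots of UDP statistics and reports how many received datagrams were dropped for a bad checksum in between. It assumes the counter wording printed by FreeBSD's `netstat -s -p udp` ("datagrams received", "with bad checksum"); the two snapshots below are constructed sample data.

```shell
#!/bin/sh
# Constructed snapshots in the layout of `netstat -s -p udp` (not real output).
SNAP_BEFORE='udp:
        1520 datagrams received
        0 with incomplete header
        0 with bad data length field
        3 with bad checksum
        12 with no checksum'
SNAP_AFTER='udp:
        1765 datagrams received
        0 with incomplete header
        0 with bad data length field
        243 with bad checksum
        12 with no checksum'

# Read stats text on stdin, print the number in front of the first line
# containing the given label (0 if the label is absent).
udp_counter() {
    awk -v pat="$1" 'index($0, pat) { print $1; found = 1; exit }
                     END { if (!found) print 0 }'
}

# Growth of the "with bad checksum" counter between two snapshots.
bad_checksum_delta() {
    before=$(printf '%s\n' "$1" | udp_counter 'with bad checksum')
    after=$(printf '%s\n' "$2" | udp_counter 'with bad checksum')
    echo $((after - before))
}

# One-line summary: datagrams received in the interval and the share of
# them that failed checksum verification.
checksum_report() {
    rb=$(printf '%s\n' "$1" | udp_counter 'datagrams received')
    ra=$(printf '%s\n' "$2" | udp_counter 'datagrams received')
    bad=$(bad_checksum_delta "$1" "$2")
    recv=$((ra - rb))
    pct=0
    if [ "$recv" -gt 0 ]; then pct=$((bad * 100 / recv)); fi
    echo "received=$recv bad_checksum=$bad (${pct}%)"
}

# Live use on the IPsec endpoint while the L2TP client is connecting:
#   a=$(netstat -s -p udp); sleep 10; b=$(netstat -s -p udp)
#   checksum_report "$a" "$b"
checksum_report "$SNAP_BEFORE" "$SNAP_AFTER"
```

A bad-checksum share close to 100% while the IPsec SAs are established and the daemon behind them logs nothing matches the symptom described in this thread.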


