From: David Murray
To: freebsd-stable@freebsd.org
Date: Fri, 22 Jan 2010 18:00:45 +0000
Subject: Re: IPSec NAT-T in transport mode
Message-ID: <4B59E7CD.10604@davidmurray.name>
In-Reply-To: <4B59DD29.6020607@davidmurray.name>
References: <659350866.20100120151602@mail.ru> <4B5703A3.6010507@cyb0rg.org> <20100122131937.GA50007@zeninc.net> <4B59DD29.6020607@davidmurray.name>
Hi Yvan,

On 10-01-22 Fri 5:15 pm, David Murray wrote:
> On 10-01-22 Fri 1:19 pm, VANHULLEBUS Yvan wrote:
>
>> On Thu, Jan 21, 2010 at 04:36:12PM +0000, David Murray wrote:
>>
>>> On 2010-01-20 Wed 1:22 pm, Crest wrote:
>>>
>>>> Yes the NAT-T Patch has been integrated into FreeBSD 8.0.
>>>
>>> Are we saying that the NAT-T patch is there, but is missing checksum
>>> re-calculation, so MPD's packets are going to be discarded?
>>
>> Yes, see my other mail in this thread.
>>
>>
>>> (FWIW, this seems to be what happens. All the negotiation to set up
>>> IPSEC SAs happens, but MPD's log never shows a single entry. I
>>> hadn't got as far as packet dumps when this thread popped up.)
>>
>> And if you have a look at system stats, you'll see lots of UDP
>> packets dropped because of invalid checksums....
>
> Actually, I find that each attempt to connect causes netstat -s -p udp
> to show a few UDP packets arriving and being dropped due to no socket,
> rather than bad checksums, so maybe I've got some other sort of
> problem with my mpd config, which I'll look into.

Ah, yes, I'd forgotten that my external IP address had changed since I
last tried this, so I needed to restart racoon and ipsec. So now, like
you say, I see UDP packets dropped due to bad checksums.

I'll have a look at the NAT-T RFCs just in case support for NAT-OA
payloads is something I could help with, but I suspect it'll need an
in-depth knowledge of the IP stack.

Thanks!

--
David Murray
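The checksum failure discussed in this thread, as an added illustration that is not part of the thread or of FreeBSD's IPsec code: the UDP checksum covers a pseudo-header containing the original source address, transport-mode ESP encrypts that segment unchanged, the NAT rewrites only the outer IP header, so the peer's stack sees a bad checksum unless it learns the original address (which is what the NAT-OA payload carries) and fixes the checksum up. The IP addresses, ports and payload below are constructed.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit ones-complement sum of data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(w for (w,) in struct.iter_unpack("!H", data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header covered by the UDP checksum (RFC 768)."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, udp_len)

def build_udp(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """UDP segment with a valid checksum for the given IP endpoints."""
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    csum = 0xFFFF ^ ones_complement_sum(pseudo_header(src_ip, dst_ip, len(seg)) + seg)
    return seg[:6] + struct.pack("!H", csum or 0xFFFF) + seg[8:]   # zero is sent as 0xFFFF

def verify_udp(src_ip, dst_ip, seg: bytes) -> bool:
    """What the receiving stack checks: the sum including the checksum field is all ones."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(seg)) + seg) == 0xFFFF

def fixup_checksum(seg: bytes, old_ip: str, new_ip: str) -> bytes:
    """Incrementally update the checksum (RFC 1624) after old_ip was rewritten to new_ip."""
    hc = struct.unpack("!H", seg[6:8])[0]
    if hc == 0:
        return seg                           # sender sent no checksum; nothing to fix
    words = [~hc & 0xFFFF]
    words += [~w & 0xFFFF for (w,) in struct.iter_unpack("!H", socket.inet_aton(old_ip))]
    words += [w for (w,) in struct.iter_unpack("!H", socket.inet_aton(new_ip))]
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return seg[:6] + struct.pack("!H", (~total & 0xFFFF) or 0xFFFF) + seg[8:]

# Constructed scenario: an mpd client behind a NAT speaks L2TP (UDP 1701) to a peer.
PRIVATE_IP, NAT_IP, PEER_IP = "192.168.1.10", "198.51.100.7", "203.0.113.5"

def nat_t_transport_demo():
    """Returns (checksum_ok_before_fixup, checksum_ok_after_fixup) as the peer's stack sees it."""
    seg = build_udp(PRIVATE_IP, PEER_IP, 1701, 1701, b"L2TP control message")
    # Transport-mode ESP protects seg as-is and the NAT rewrites only the outer IP header,
    # so after decryption the peer holds a segment whose checksum still covers PRIVATE_IP.
    before = verify_udp(NAT_IP, PEER_IP, seg)
    # With the NAT-OA payload the peer knows PRIVATE_IP and can repair the checksum.
    fixed = fixup_checksum(seg, PRIVATE_IP, NAT_IP)
    after = verify_udp(NAT_IP, PEER_IP, fixed)
    return before, after
```

Without the fix-up step the segment is exactly what `netstat -s -p udp` counts as dropped for a bad checksum.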