From: Zmiter <zmiterby@gmail.com>
To: VANHULLEBUS Yvan
Cc: stable@freebsd.org
Date: Mon, 16 Apr 2012 22:54:22 +0300
Subject: Re: Support for IPSec NAT-T in transport mode
Message-ID: <4F8C78EE.1070701@gmail.com>
In-Reply-To: <20120416095945.GA29824@zeninc.net>
References: <4F87AB6F.4050504@gmail.com> <22CC7FDB-162E-44CD-8EEA-0B5B8B560F8B@lists.zabbadoz.net> <4F8ACFB3.5040807@gmail.com> <20120416095945.GA29824@zeninc.net>
List: freebsd-stable (Production branch of FreeBSD source code)

On 16.04.2012 12:59, VANHULLEBUS Yvan wrote:
> I didn't review/try the patch, but the kernel part seems to be done.

In my testing it is not as good as it seems. I found some trouble with it.

1. The sysctl net.inet.esp.esp_ignore_natt_cksum does not work as expected. If there is trouble in the function key_compute_natt_cksum, bad (not recalculated) checksums are not ignored and the packets are dropped, increasing the bad UDP checksums counter.

2. Decrypted packets received by the L2TP daemon appear to it as packets originating from the NAT address, not from the LAN behind the NAT. So the L2TP daemon answers them back to the NAT; of course they do not satisfy the SPD policy and are not encrypted through IPsec, and as a result they never arrive at the NATed host.

Maybe I'm doing something wrong, but my little research shows me the described results. I'll appreciate any help with that.

16.04.2012 Zmiter
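To make the first problem concrete: in NAT-T transport mode the UDP checksum inside ESP was computed by the sender over its pre-NAT address and the NAT cannot rewrite it, so on decapsulation the receiver must either fix it up from the original address learned via NAT-OA (RFC 3948 section 3.1.2, RFC 1624 incremental update) or deliberately ignore the mismatch. The following is an added illustration, not code from the patch or from FreeBSD; the addresses, the port 1701 payload and the `receive_inner` decision model are constructed, and the `ignore_bad` flag only stands in for what a knob like esp_ignore_natt_cksum is meant to control.

```python
# Constructed example: sample addresses below are made up; nothing here is FreeBSD code.
import struct
from ipaddress import IPv4Address
from typing import Optional

UDP_PROTO = 17

def fold(total: int) -> int:
    # Fold a wide accumulator into 16-bit ones-complement form.
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ones_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    return fold(sum(struct.unpack("!%dH" % (len(data) // 2), data)))

def udp_checksum(src: str, dst: str, udp: bytes) -> int:
    """RFC 768 checksum over IPv4 pseudo-header + datagram, checksum field zeroed."""
    pseudo = IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, UDP_PROTO, len(udp))
    csum = 0xFFFF ^ ones_sum(pseudo + udp[:6] + b"\x00\x00" + udp[8:])
    return csum or 0xFFFF  # a computed zero is transmitted as all ones

def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return udp[:6] + struct.pack("!H", udp_checksum(src, dst, udp)) + udp[8:]

def checksum_ok(src: str, dst: str, udp: bytes) -> bool:
    stored = struct.unpack("!H", udp[6:8])[0]
    return stored == 0 or udp_checksum(src, dst, udp) == stored  # 0: sender disabled it

def natt_fixup(udp: bytes, orig_src: str, nat_src: str) -> bytes:
    """RFC 1624 incremental update: replace orig_src (learned via NAT-OA) with nat_src in
    the stored checksum, so the inner datagram verifies against the post-NAT addresses
    the local stack actually sees.  The NAT left this inner checksum untouched."""
    stored = struct.unpack("!H", udp[6:8])[0]
    if stored == 0:
        return udp
    acc = (~stored & 0xFFFF) + ones_sum(bytes(b ^ 0xFF for b in IPv4Address(orig_src).packed))
    acc += ones_sum(IPv4Address(nat_src).packed)  # in ones complement, -m == ~m
    new = ~fold(acc) & 0xFFFF
    return udp[:6] + struct.pack("!H", new or 0xFFFF) + udp[8:]

def receive_inner(udp: bytes, nat_src: str, dst: str, orig_src: Optional[str], ignore_bad: bool) -> str:
    """Receiver decision after ESP decapsulation: fix up when NAT-OA is known, then verify;
    a mismatch is dropped unless the ignore knob (hypothetical stand-in) is set."""
    if orig_src is not None:
        udp = natt_fixup(udp, orig_src, nat_src)
    if checksum_ok(nat_src, dst, udp):
        return "accept"
    return "accept-ignored" if ignore_bad else "drop"
```

The report above corresponds to the last line: when the fixup cannot be applied, the ignore knob is the only thing standing between a bad checksum and a drop counted as a UDP checksum error.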