From owner-freebsd-net@FreeBSD.ORG Tue Feb 23 11:10:58 2010
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AEF4F1065672; Tue, 23 Feb 2010 11:10:58 +0000 (UTC) (envelope-from DAntrushin@mail.ru)
Received: from gmp-eb-inf-1.sun.com (gmp-eb-inf-1.sun.com [192.18.6.21]) by mx1.freebsd.org (Postfix) with ESMTP id 3F6CA8FC19; Tue, 23 Feb 2010 11:10:58 +0000 (UTC)
Received: from fe-emea-09.sun.com (gmp-eb-lb-1-fe1.eu.sun.com [192.18.6.7] (may be forged)) by gmp-eb-inf-1.sun.com (8.13.7+Sun/8.12.9) with ESMTP id o1NBAvbR003593; Tue, 23 Feb 2010 11:10:57 GMT
Received: from conversion-daemon.fe-emea-09.sun.com by fe-emea-09.sun.com (Sun Java(tm) System Messaging Server 7u2-7.04 64bit (built Jul 2 2009)) id <0KYA00800JITZT00@fe-emea-09.sun.com> for freebsd-net@freebsd.org; Tue, 23 Feb 2010 11:10:52 +0000 (GMT)
Received: from [129.159.126.126] ([unknown] [129.159.126.126]) by fe-emea-09.sun.com (Sun Java(tm) System Messaging Server 7u2-7.04 64bit (built Jul 2 2009)) with ESMTPSA id <0KYA0050XKDQB2C0@fe-emea-09.sun.com>; Tue, 23 Feb 2010 11:10:39 +0000 (GMT)
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type: text/plain; CHARSET=US-ASCII; format=flowed
Date: Tue, 23 Feb 2010 14:10:23 +0300
From: Denis Antrushin
Sender: Denis.Antrushin@Sun.COM
To: "Bjoern A. Zeeb"
Cc: freebsd-net@freebsd.org
Subject: Re: IPSec connection troubles
Message-Id: <4B83B79F.102@mail.ru>
In-Reply-To: <20100211125420.G27327@maildrop.int.zabbadoz.net>
References: <4B73E902.6050301@mail.ru> <20100211124756.GA9528@zeninc.net> <20100211125420.G27327@maildrop.int.zabbadoz.net>
User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.9.1.5) Gecko/20091202 Lightning/1.0pre Thunderbird/3.0
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Tue, 23 Feb 2010 11:10:58 -0000

On 02/11/10 15:55, Bjoern A. Zeeb wrote:
> On Thu, 11 Feb 2010, VANHULLEBUS Yvan wrote:
>
>>> How can I further debug this problem?
>>
>> You can check on the responder that you have lots of TCP checksum errors,
>> which will confirm that you would need support for the NAT-OA extension of
>> the NAT-T RFC, as you want to do some Transport IPsec of TCP flows using
>> NAT-T.
>>
>> Unfortunately, actually, there is no support for the NAT-OA extension;
>> there are just specifications on the PFKey interface to send them to the
>> kernel.
>
> Him saying it works on Linux - has ipsec-tools grown proper OA support
> these days? If that were the case the kernel would probably be a
> minor task.

ipsec-tools understands the NAT-OA payload in the IKE exchange, but then
simply discards it and does not send this information to the kernel.
In the ipsec-tools mailing list archives I found a mention that Linux does
not need this OA info, because it simply recomputes/ignores TCP checksums.
Can we do the same, or is this unacceptable for FreeBSD, and we want NAT-OA
communicated to the kernel by the IKE daemon?

I made a simple patch to ipsec_common_input_cb() to ignore TCP/UDP
checksums of ESP-protected packets, and I happily can connect to the
Solaris VPN server from behind the NAT device (after working around some
security policy matching issues).
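The thread turns on why the inner TCP checksum fails after NAT-T decapsulation in transport mode and what the NAT-OA payload is for: the initiator computes the checksum over its own pre-NAT address, ESP protects the segment so the NAT cannot rewrite that checksum, and the responder, after decapsulation, sees the translated address. The following is an added example and not code from this thread, from FreeBSD or from ipsec-tools. It checksums a constructed TCP segment with the original source address, shows that validation fails once the source has been translated, and then applies the incremental fix-up that RFC 3948 section 3.1.2 describes, using the original addresses NAT-OA carries, so the responder can keep validating checksums instead of skipping the check. All addresses, ports and payload bytes are constructed, and the function names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One's-complement accumulation over a byte range in network byte order. */
static uint32_t csum_accum(uint32_t sum, const uint8_t *data, size_t len)
{
    while (len > 1) {
        sum += ((uint32_t)data[0] << 8) | data[1];
        data += 2;
        len -= 2;
    }
    if (len > 0)
        sum += (uint32_t)data[0] << 8;   /* odd trailing byte, zero-padded */
    return sum;
}

/* Fold the carries back into 16 bits (end-around carry, no complement). */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* Accumulate the IPv4 pseudo-header: src, dst, zero, protocol 6, TCP length. */
static uint32_t pseudo_hdr_accum(uint32_t sum, uint32_t src, uint32_t dst, size_t tcp_len)
{
    uint8_t ph[12] = {
        (uint8_t)(src >> 24), (uint8_t)(src >> 16), (uint8_t)(src >> 8), (uint8_t)src,
        (uint8_t)(dst >> 24), (uint8_t)(dst >> 16), (uint8_t)(dst >> 8), (uint8_t)dst,
        0, 6, (uint8_t)(tcp_len >> 8), (uint8_t)tcp_len
    };
    return csum_accum(sum, ph, sizeof ph);
}

/* Checksum the sender stores in the TCP header (field at offset 16 treated as zero). */
uint16_t tcp_checksum(uint32_t src, uint32_t dst, const uint8_t *seg, size_t len)
{
    uint32_t sum = pseudo_hdr_accum(0, src, dst, len);
    sum = csum_accum(sum, seg, 16);             /* header up to the checksum field */
    sum = csum_accum(sum, seg + 18, len - 18);  /* everything after it */
    return (uint16_t)~csum_fold(sum);
}

/* Receiver-side validation: summing everything, stored checksum included, gives 0xffff. */
int tcp_checksum_ok(uint32_t src, uint32_t dst, const uint8_t *seg, size_t len)
{
    uint32_t sum = pseudo_hdr_accum(0, src, dst, len);
    sum = csum_accum(sum, seg, len);
    return csum_fold(sum) == 0xffff;
}

/* RFC 3948 section 3.1.2 fix-up with NAT-OA: the checksum was computed over the original
 * addresses (oa_*), the decapsulated packet now carries the translated ones (cur_*).
 * Swap them incrementally per RFC 1624: HC' = ~(~HC + ~m + m'). */
uint16_t tcp_checksum_natoa_fixup(uint16_t stored, uint32_t oa_src, uint32_t oa_dst,
                                  uint32_t cur_src, uint32_t cur_dst)
{
    uint32_t sum = (uint16_t)~stored;
    sum += (uint16_t)~(oa_src >> 16);  sum += (uint16_t)~(oa_src & 0xffff);
    sum += (uint16_t)~(oa_dst >> 16);  sum += (uint16_t)~(oa_dst & 0xffff);
    sum += cur_src >> 16;              sum += cur_src & 0xffff;
    sum += cur_dst >> 16;              sum += cur_dst & 0xffff;
    return (uint16_t)~csum_fold(sum);
}

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed scenario (not a captured trace): initiator 10.0.0.5 behind a NAT talks to
 * server 192.0.2.10; the NAT rewrites the outer source to 198.51.100.7. */
static const uint32_t ORIG_SRC = IP(10, 0, 0, 5);
static const uint32_t NAT_SRC  = IP(198, 51, 100, 7);
static const uint32_t SERVER   = IP(192, 0, 2, 10);

/* Returns 0 when every step behaves as expected, otherwise the failing step number. */
int natoa_demo(void)
{
    /* Constructed 20-byte TCP header (SYN, port 40000 -> 22) plus 4 bytes of payload. */
    uint8_t seg[24] = {
        0x9c, 0x40, 0x00, 0x16,  /* src port 40000, dst port 22 */
        0x00, 0x00, 0x00, 0x01,  /* sequence number */
        0x00, 0x00, 0x00, 0x00,  /* acknowledgement number */
        0x50, 0x02, 0x20, 0x00,  /* data offset 5, SYN, window 8192 */
        0x00, 0x00, 0x00, 0x00,  /* checksum (filled in below), urgent pointer */
        0xde, 0xad, 0xbe, 0xef   /* payload */
    };
    size_t len = sizeof seg;

    /* 1. The initiator checksums over its own, pre-NAT, address. */
    uint16_t c = tcp_checksum(ORIG_SRC, SERVER, seg, len);
    seg[16] = (uint8_t)(c >> 8); seg[17] = (uint8_t)c;
    if (!tcp_checksum_ok(ORIG_SRC, SERVER, seg, len)) return 1;

    /* 2. ESP covers the segment, so the NAT cannot touch the inner checksum; after
     *    decapsulation the responder validates against the translated source and fails. */
    if (tcp_checksum_ok(NAT_SRC, SERVER, seg, len)) return 2;

    /* 3. With the original addresses from NAT-OA the responder repairs the checksum. */
    uint16_t fixed = tcp_checksum_natoa_fixup(c, ORIG_SRC, SERVER, NAT_SRC, SERVER);
    seg[16] = (uint8_t)(fixed >> 8); seg[17] = (uint8_t)fixed;
    if (!tcp_checksum_ok(NAT_SRC, SERVER, seg, len)) return 3;

    /* 4. The incremental fix-up agrees with a full recomputation. */
    if (fixed != tcp_checksum(NAT_SRC, SERVER, seg, len)) return 4;
    return 0;
}

int main(void)
{
    int r = natoa_demo();
    printf("NAT-OA checksum fix-up demo: %s (step %d)\n", r == 0 ? "ok" : "failed", r);
    return r;
}
```

Compared with the patch described above, which skips the TCP/UDP checksum check for ESP-protected packets, the fix-up keeps the transport checksum as an end-to-end check on the decapsulating host. RFC 3948 does permit a transport-mode receiver without NAT-OA to recompute or ignore the checksum, since ESP already authenticated the payload, but the fix-up path needs the IKE daemon to pass the NAT-OA addresses down to the kernel, which is exactly the gap the message identifies. The same update covers UDP, with protocol 17 in the pseudo-header and the usual zero-checksum special case.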