Date:      Thu, 26 Jun 2008 19:44:38 +0600
From:      Daniil Harun <harunaga@harunaga.ru>
To:        freebsd-net@freebsd.org
Subject:   Re: patch for IPSEC_NAT_T
Message-ID:  <200806261944.39032.harunaga@harunaga.ru>
In-Reply-To: <20080626114752.GA3121@zen.inc>
References:  <200806261609.01289.harunaga@harunaga.ru> <20080626114752.GA3121@zen.inc>

Hi!
> > But when the host is placed behind NAT, everything stops working.
> > After IKE negotiates and the keys are added to the SA database, traffic does
> > not pass. "tcpdump enc0" shows that traffic is decoded normally, but then
> > it is not processed; packets are discarded.
> > The ipfw counters for rule 1 do not grow. On FreeBSD 6.2 I have the same
> > problem (FAST_IPSEC or KAME IPSEC).
>
> ESP transport with NAT-T may need NAT-OA support, which is not
> provided by the actual patch, nor by userland.
>
> "may", because checksums (which needs that NAT-OA payload to be
> correctly recomputed by the destination) are optionnal on UDP, and,
> afaik, L2TP is encapsulated in UDP datagrams.
>
> Looks like XP sets the checksums for UDP datagrams.....

In such a case, should this help:

sysctl net.inet.udp.checksum=0 ?

-- 
Best regards, Harun Daniil
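As an added illustration (not part of the thread) of why the NAT-OA point above matters: the UDP checksum is computed over an IPv4 pseudo-header that includes the source and destination addresses, so a checksum the peer computed over its pre-NAT address (and which ESP carried, encrypted, through the NAT) no longer verifies once the outer address has been rewritten, unless the receiver knows the original address (NAT-OA) or skips UDP checksum verification. The addresses, ports and payload below are constructed.

```python
import socket
import struct


def _ones_complement_sum(data: bytes) -> int:
    """16-bit ones-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """UDP checksum (RFC 768): pseudo-header + UDP header/payload, checksum field zeroed."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, len(segment))
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = 0xFFFF & ~_ones_complement_sum(pseudo + zeroed)
    return csum or 0xFFFF  # 0 means "no checksum" on UDP, so a computed 0 is sent as 0xFFFF


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def verify(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side check; a stored checksum of 0 means the sender disabled it."""
    stored = struct.unpack("!H", segment[6:8])[0]
    if stored == 0:
        return True
    return udp_checksum(src_ip, dst_ip, segment) == stored


def demo() -> dict:
    orig_src, nat_src, dst = "192.168.1.10", "198.51.100.7", "203.0.113.5"  # constructed
    seg = build_udp(1701, 1701, b"L2TP control message (constructed)")
    seg = seg[:6] + struct.pack("!H", udp_checksum(orig_src, dst, seg)) + seg[8:]
    return {
        # After ESP decapsulation the receiver only sees the NATed source address.
        "as_seen_after_nat": verify(nat_src, dst, seg),
        # With NAT-OA it can verify against the address the sender actually used.
        "with_nat_oa": verify(orig_src, dst, seg),
        # Sender-side checksum disabled (what net.inet.udp.checksum=0 does on the sending host).
        "checksum_disabled": verify(nat_src, dst, seg[:6] + b"\x00\x00" + seg[8:]),
    }
```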


