Date: Thu, 21 Jan 2010 16:36:12 +0000
From: David Murray <david000@davidmurray.name>
To: freebsd-stable@freebsd.org
Subject: Re: IPSec NAT-T in transport mode
Message-ID: <hj9vps$dnm$1@ger.gmane.org>
In-Reply-To: <4B5703A3.6010507@cyb0rg.org>
References: <659350866.20100120151602@mail.ru> <4B5703A3.6010507@cyb0rg.org>
Chaps,

On 10-01-20 Wed 1:04 pm, VANHULLEBUS Yvan wrote:
> On Wed, Jan 20, 2010 at 03:16:02PM +0600, Rabidinov M.A. wrote:
>
>> Does FreeBSD 8.0 support IPSec NAT-T in transport mode?
>> I want to create an L2TP/IPSec server. My VPN clients are NATed.
>> L2TP server (MPD5.x) makes tunnel, so I need working IPSec NAT-T in
>> transport mode.
>
> It may work..... or not....
>
> The missing part is support of NAT-OA payloads, which are used to
> update checksums when receiving packets.
>
> But afaik, most L2TP implementations compute checksums, so they will
> be checked, and of course will be wrong....

On 2010-01-20 Wed 1:22 pm, Crest wrote:
> Yes the NAT-T Patch has been integrated into FreeBSD 8.0.
>
> Just rebuild your kernel with these options:
> device crypto # IPsec depends on this
> options IPSEC
> options IPSEC_DEBUG
> options IPSEC_NAT_T

I'm trying to do the same thing as the OP, so thanks for these replies. However, they seem to be at odds. Are we saying that the NAT-T patch is there, but is missing checksum re-calculation, so MPD's packets are going to be discarded?

(FWIW, this seems to be what happens. All the negotiation to set up IPSEC SAs happens, but MPD's log never shows a single entry. I hadn't got as far as packet dumps when this thread popped up.)

-- 
David Murray
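The checksum problem Yvan describes, shown as an added example that is not part of the thread and not FreeBSD code: in transport mode the L2TP/UDP checksum is computed by the client against its pre-NAT address, so after ESP decapsulation the server's UDP stack sees a different source address and rejects the segment; the NAT-OA payloads are what let the receiver fix the checksum up (RFC 3948 section 3.1.2). Addresses and the payload are constructed; a real stack updates the checksum incrementally rather than recomputing it.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """Folded 16-bit one's-complement sum (odd-length input is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src_ip: bytes, dst_ip: bytes, seg: bytes) -> int:
    """UDP checksum over the IPv4 pseudo-header and the segment with its checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(seg))
    csum = (~ones_complement_sum(pseudo + seg[:6] + b"\x00\x00" + seg[8:])) & 0xFFFF
    return csum or 0xFFFF  # RFC 768: a computed zero is transmitted as all ones

def udp_checksum_ok(src_ip: bytes, dst_ip: bytes, seg: bytes) -> bool:
    """Check the segment the way the receiving UDP stack does: against the IP header it sees."""
    return udp_checksum(src_ip, dst_ip, seg) == struct.unpack("!H", seg[6:8])[0]

def build_l2tp_udp(src_ip: bytes, dst_ip: bytes, payload: bytes) -> bytes:
    """L2TP/UDP segment (port 1701) with the checksum the sender computes before any NAT."""
    header = struct.pack("!HHHH", 1701, 1701, 8 + len(payload), 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return header[:6] + struct.pack("!H", csum) + payload

def nat_oa_fixup(seg, oa_src, oa_dst, cur_src, cur_dst):
    """Receiver-side fix-up after ESP decapsulation: oa_* are the addresses the peer reported
    in its NAT-OA payloads, cur_* the addresses in the IP header as received through the NAT.
    Returns None when the checksum does not even match the peer's own view of the addresses."""
    if not udp_checksum_ok(oa_src, oa_dst, seg):
        return None
    return seg[:6] + struct.pack("!H", udp_checksum(cur_src, cur_dst, seg)) + seg[8:]

def demo():
    """Constructed scenario: client 10.0.0.5 behind a NAT that rewrites it to 203.0.113.7,
    L2TP server at 198.51.100.1. Returns (checksum ok without NAT-OA, ok after the fix-up)."""
    client, nat, server = (socket.inet_aton(a) for a in ("10.0.0.5", "203.0.113.7", "198.51.100.1"))
    payload = bytes.fromhex("c802000c00000000000000")  # constructed 11-byte L2TP payload
    seg = build_l2tp_udp(client, server, payload)
    without_oa = udp_checksum_ok(nat, server, seg)  # what the server's UDP stack sees: False
    fixed = nat_oa_fixup(seg, client, server, nat, server)
    with_oa = fixed is not None and udp_checksum_ok(nat, server, fixed)
    return without_oa, with_oa

if __name__ == "__main__":
    print(demo())  # (False, True)
```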