Date: Fri, 22 Jan 2010 18:00:45 +0000
From: David Murray <david000@davidmurray.name>
To: freebsd-stable@freebsd.org
Subject: Re: IPSec NAT-T in transport mode
Message-ID: <4B59E7CD.10604@davidmurray.name>
In-Reply-To: <4B59DD29.6020607@davidmurray.name>
References: <659350866.20100120151602@mail.ru> <4B5703A3.6010507@cyb0rg.org> <hj9vps$dnm$1@ger.gmane.org> <20100122131937.GA50007@zeninc.net> <4B59DD29.6020607@davidmurray.name>

Hi Yvan,

On 10-01-22 Fri 5:15 pm, David Murray wrote:
> On 10-01-22 Fri 1:19 pm, VANHULLEBUS Yvan wrote:
>
>> On Thu, Jan 21, 2010 at 04:36:12PM +0000, David Murray wrote:
>>
>>> On 2010-01-20 Wed 1:22 pm, Crest wrote:
>>>
>>>> Yes the NAT-T Patch has been integrated into FreeBSD 8.0.
>>>
>>> Are we saying that the NAT-T patch is there, but is missing checksum
>>> re-calculation, so MPD's packets are going to be discarded?
>>
>> Yes, see my other mail in this thread.
>>
>>
>>> (FWIW, this seems to be what happens. All the negotiation to set up
>>> IPSEC SAs happens, but MPD's log never shows a single entry. I
>>> hadn't got as far as packet dumps when this thread popped up.)
>>
>> And if you have a look at system stats, you'll see lots of UDP
>> packets dropped because of invalid checksums....
>
> Actually, I find that each attempt to connect causes netstat -s -p udp
> to show a few UDP packets arriving and being dropped due to no socket,
> rather than bad checksums, so maybe I've got some other sort of
> problem with my mpd config, which I'll look into.

Ah, yes, I'd forgotten that my external IP address had changed since I
last tried this, so I needed to restart racoon and ipsec. So now, like
you say, I see UDP packets dropped due to bad checksums.

I'll have a look at the NAT-T RFQs just in case support for NAT-OA
payloads is something I could help with, but I suspect it'll need an
in-depth knowledge of the IP stack.

Thanks!

--
David Murray
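
The checksum failure discussed in this thread, as an added example that is not part of the original message and not FreeBSD's code: the UDP checksum covers a pseudo-header containing the IP addresses, so a checksum computed with the sender's private address no longer verifies against the NAT-rewritten source after ESP transport-mode decapsulation, while the original address carried in NAT-OA makes it verify again. All addresses, ports and the payload are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One's-complement sum of big-endian 16-bit words (RFC 1071). */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; p += 2, n -= 2) acc += ((uint32_t)p[0] << 8) | p[1];
    if (n) acc += (uint32_t)p[0] << 8;      /* odd trailing byte, zero padded */
    return acc;
}

/* UDP checksum over the IPv4 pseudo-header (src, dst, proto 17, length) + segment. */
static uint16_t udp_cksum(const uint8_t src[4], const uint8_t dst[4],
                          const uint8_t *seg, size_t len) {
    uint32_t acc = sum16(src, 4, 0);
    acc = sum16(dst, 4, acc) + 17 + (uint32_t)len;
    acc = sum16(seg, len, acc);
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* Constructed sample addresses: client behind NAT, NAT public side, server. */
static const uint8_t INNER[4]   = {192, 168, 1, 10};
static const uint8_t NAT_PUB[4] = {198, 51, 100, 7};
static const uint8_t SERVER[4]  = {203, 0, 113, 5};

/* Sender: build a UDP segment; the checksum uses the private source address. */
static size_t build_segment(uint8_t *seg) {
    static const uint8_t tmpl[] = {0x06,0xA5, 0x06,0xA5, 0x00,0x0C, 0,0, 'p','i','n','g'};
    memcpy(seg, tmpl, sizeof tmpl);
    uint16_t c = udp_cksum(INNER, SERVER, seg, sizeof tmpl);
    if (c == 0) c = 0xffff;                 /* 0 on the wire means "no checksum" */
    seg[6] = (uint8_t)(c >> 8); seg[7] = (uint8_t)(c & 0xff);
    return sizeof tmpl;
}

/* Receiver after ESP decapsulation: verify against the source address seen on
 * the wire (use_nat_oa = 0) or the original one from NAT-OA (use_nat_oa = 1).
 * A segment with its checksum in place verifies iff the result is 0. */
int check_after_nat(int use_nat_oa) {
    uint8_t seg[16];
    size_t len = build_segment(seg);
    return udp_cksum(use_nat_oa ? INNER : NAT_PUB, SERVER, seg, len) == 0;
}

int main(void) {
    printf("source as seen after NAT: %s\n", check_after_nat(0) ? "ok" : "bad checksum");
    printf("source taken from NAT-OA: %s\n", check_after_nat(1) ? "ok" : "bad checksum");
    return 0;
}
```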