Date: Tue, 23 Feb 2010 14:10:23 +0300
From: Denis Antrushin <DAntrushin@mail.ru>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: freebsd-net@freebsd.org
Subject: Re: IPSec connection troubles
Message-ID: <4B83B79F.102@mail.ru>
In-Reply-To: <20100211125420.G27327@maildrop.int.zabbadoz.net>
References: <4B73E902.6050301@mail.ru> <20100211124756.GA9528@zeninc.net> <20100211125420.G27327@maildrop.int.zabbadoz.net>
On 02/11/10 15:55, Bjoern A. Zeeb wrote:
> On Thu, 11 Feb 2010, VANHULLEBUS Yvan wrote:
>
>>> How can I further debug this problem?
>>
>> You can check on the responder that you have lots of TCP checksum errors,
>> which will confirm that you would need support for the NAT-OA extension of
>> the NAT-T RFC, as you want to do some transport-mode IPsec of TCP flows using
>> NAT-T.
>>
>> Unfortunately, actually, there is no support for the NAT-OA extension;
>> there are just specifications on the PFKey interface to send them to the
>> kernel.
>
> Him saying it works on Linux - has ipsec-tools grown proper OA support
> these days? If that were the case the kernel would probably be a
> minor task.

ipsec-tools understands the NAT-OA payload in the IKE exchange, but then simply discards it and does not send this information to the kernel.

In the ipsec-tools mailing list archives I found a mention that Linux does not need this OA info, because it simply recomputes/ignores TCP checksums. Can we do the same, or is this unacceptable for FreeBSD, and do we want NAT-OA communicated to the kernel by the IKE daemon?

I made a simple patch to ipsec_common_input_cb() to ignore TCP/UDP checksums of ESP-protected packets, and I can happily connect to a Solaris VPN server from behind the NAT device (after working around some security policy matching issues).
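The checksum errors Yvan describes, worked through as an added example that is not code from this thread, from FreeBSD or from ipsec-tools. In transport mode the only IP header is the one the NAT rewrites, but the TCP checksum was computed by the sender over a pseudo-header containing the pre-NAT source address, so after ESP decapsulation the responder's ordinary checksum verification fails. The block below builds a TCP segment behind the NAT, shows that it fails verification against the NAT-rewritten address, then applies the incremental checksum fix-up (RFC 1624 arithmetic, as RFC 3948 describes for transport mode) using the original address that NAT-OA would carry. The addresses (192.168.1.10 behind the NAT, 198.51.100.7 as the NAT's public address, 203.0.113.5 as the responder) and the payload are constructed for the example.

```python
import socket
import struct

# Constructed sample addresses: the host behind the NAT, the NAT's public
# address as seen by the responder, and the responder itself.
INNER_SRC = "192.168.1.10"
NAT_SRC = "198.51.100.7"
RESPONDER = "203.0.113.5"


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum over data, folded into 0..0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero, protocol (6 = TCP), TCP length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, 6, tcp_len))


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum the sender stores: computed with the checksum field zeroed."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    return (~total) & 0xFFFF


def build_tcp_segment(src_ip: str, dst_ip: str, sport: int, dport: int,
                      payload: bytes) -> bytes:
    """Minimal TCP header (20 bytes, PSH|ACK) plus payload, checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    seg = hdr + payload
    csum = tcp_checksum(src_ip, dst_ip, seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def verify(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side check: sum over pseudo-header and the whole segment,
    stored checksum included, must fold to 0xFFFF."""
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return total == 0xFFFF


def fixup_checksum(segment: bytes, old_ip: str, new_ip: str) -> bytes:
    """Incrementally rewrite the stored checksum so it matches new_ip instead
    of old_ip in the pseudo-header: HC' = ~(~HC + ~m + m') per RFC 1624.
    A NAT-T responder would call this with old_ip = NAT-OA (original
    address) and new_ip = the address in the received, NAT-rewritten header."""
    hc = struct.unpack("!H", segment[16:18])[0]
    total = (~hc) & 0xFFFF
    old = socket.inet_aton(old_ip)
    new = socket.inet_aton(new_ip)
    for i in (0, 2):
        total += (~((old[i] << 8) | old[i + 1])) & 0xFFFF
        total += (new[i] << 8) | new[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return segment[:16] + struct.pack("!H", (~total) & 0xFFFF) + segment[18:]


def demo() -> dict:
    """Return the three verification outcomes the thread is about."""
    # Segment as built by the host behind the NAT (constructed payload).
    seg = build_tcp_segment(INNER_SRC, RESPONDER, 40000, 22, b"SSH-2.0-example\r\n")
    return {
        # What the sender computed: valid against its own address.
        "sender_view": verify(INNER_SRC, RESPONDER, seg),
        # What the responder sees after decapsulation: the IP header now
        # carries the NAT address, so the plain check fails.
        "responder_plain": verify(NAT_SRC, RESPONDER, seg),
        # With NAT-OA the responder fixes the checksum up first.
        "responder_nat_oa": verify(NAT_SRC, RESPONDER,
                                   fixup_checksum(seg, INNER_SRC, NAT_SRC)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'checksum ok' if ok else 'checksum error'}")
```

The "responder_plain" failure is exactly the symptom Yvan says to look for on the responder. Because the packet already passed ESP integrity verification, the mismatch is an artifact of the NAT rewriting the header rather than evidence of corruption, which is why a receiver can either fix the checksum up from NAT-OA, as above, or recompute/skip it as the Linux behaviour mentioned later in the thread does.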