Re: patch for IPSEC_NAT_T
- From: VANHULLEBUS Yvan <vanhu_bsd@xxxxxxxxxx>
- Date: Thu, 26 Jun 2008 13:47:52 +0200
On Thu, Jun 26, 2008 at 04:09:00PM +0600, Daniil Harun wrote:
> Dear sirs!
Hi.
I forgot to reply to your private mail this morning, but it's still
better to have the question and the answer on a public ML, it may be
useful for other people.
> Sorry for my bad English! I ask you to help me, if you have some spare time.
> I'm using the patch for IPSEC NAT Traversal support on FreeBSD 7.0. NAT-T will
> not work with Windows XP in the real situation.
[....]
> But when the host is placed over NAT, everything stops working.
> After IKE negotiates and the keys are added to the SA database, traffic does not
> pass. "tcpdump enc0" shows that traffic is decoded normally, but then it is
> not processed; packets are discarded.
> The ipfw counters for rule 1 do not grow. On FreeBSD 6.2 I have the same problem
> (FAST_IPSEC or KAME IPSEC).
ESP transport with NAT-T may need NAT-OA support, which is not
provided by the actual patch, nor by userland.
"may", because checksums (which need that NAT-OA payload to be
correctly recomputed by the destination) are optional on UDP, and,
afaik, L2TP is encapsulated in UDP datagrams.
Looks like XP sets the checksums for UDP datagrams.....
Yvan.
--
NETASQ
http://www.netasq.com
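
The checksum problem described in the reply above, as an added example that is not part of the original message or of the NAT-T patch: the inner UDP checksum covers a pseudo-header containing the source address, ESP prevents the NAT device from fixing it, and the receiver can only validate it if it knows the original address (what NAT-OA carries) or if the sender left the checksum at zero. All function names, addresses and the 4-byte payload are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 1071 one's-complement sum of a byte buffer, added to a running total. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len) {
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)(p[i] << 8 | p[i + 1]);
    if (len & 1)
        sum += (uint32_t)p[len - 1] << 8;
    return sum;
}

/* UDP checksum over the IPv4 pseudo-header plus datagram (checksum field zeroed). */
uint16_t udp_cksum(const uint8_t *src, const uint8_t *dst, const uint8_t *udp, size_t len) {
    const uint8_t ph[4] = { 0, 17, (uint8_t)(len >> 8), (uint8_t)len };
    uint32_t sum = csum_add(0, src, 4);
    sum = csum_add(csum_add(csum_add(sum, dst, 4), ph, 4), udp, len);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    sum = ~sum & 0xffff;
    return sum ? (uint16_t)sum : 0xffff;     /* 0 on the wire means "no checksum" */
}

/* Receiver check after ESP decapsulation: 1 = accept, 0 = drop. */
int udp_verify(const uint8_t *src, const uint8_t *dst, const uint8_t *udp, size_t len) {
    uint8_t tmp[64];
    if (len < 8 || len > sizeof tmp)
        return 0;
    uint16_t wire = (uint16_t)(udp[6] << 8 | udp[7]);
    if (wire == 0)
        return 1;                            /* IPv4 UDP checksum is optional */
    memcpy(tmp, udp, len);
    tmp[6] = tmp[7] = 0;
    return udp_cksum(src, dst, tmp, len) == wire;
}

/* Constructed scenario: a client behind NAT sends one L2TP (UDP 1701) datagram. */
int nat_t_demo(int sender_checksums, int receiver_has_nat_oa) {
    const uint8_t priv[4] = {192, 168, 1, 10}, nat[4] = {203, 0, 113, 5};
    const uint8_t srv[4] = {198, 51, 100, 1};
    uint8_t udp[12] = { 0x06, 0xa5, 0x06, 0xa5, 0, 12, 0, 0, 0xc8, 0x02, 0x00, 0x0c };
    if (sender_checksums) {                  /* sender only knows its private address */
        uint16_t c = udp_cksum(priv, srv, udp, sizeof udp);
        udp[6] = (uint8_t)(c >> 8);
        udp[7] = (uint8_t)c;
    }
    /* ESP protects the UDP header, so the NAT box rewrote only the outer source. */
    return udp_verify(receiver_has_nat_oa ? priv : nat, srv, udp, sizeof udp);
}
```

`nat_t_demo(1, 0)` models the failing case in this thread: the sender sets the checksum and the receiver validates against the translated address, so the decrypted packet is dropped.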