Re: patch for IPSEC_NAT_T
- From: Daniil Harun <harunaga@xxxxxxxxxxx>
- Date: Thu, 26 Jun 2008 19:44:38 +0600
Hi!
But when the host is placed over NAT, everything stops working.
After IKE negotiation and the addition of keys to the SA database, traffic does
not pass. "tcpdump enc0" shows that traffic is decoded normally, but then
it is not processed; packets are discarded.
The ipfw counters for rule 1 do not grow. On FreeBSD 6.2 I have the same
problem (FAST_IPSEC or KAME IPSEC).
ESP transport with NAT-T may need NAT-OA support, which is not
provided by the actual patch, nor by userland.
"may", because checksums (which need that NAT-OA payload to be
correctly recomputed by the destination) are optional on UDP, and,
afaik, L2TP is encapsulated in UDP datagrams.
Looks like XP sets the checksums for UDP datagrams.....
In such a case, should this help:
sysctl net.inet.udp.checksum=0 ?
--
Best regards, Harun Daniil
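
Added example, not part of the original message or of the patch under discussion: a small model of the checksum issue raised in the thread. In ESP transport mode the UDP checksum was computed by the sender over a pseudo-header containing its private address; the receiver sees the NAT's public address, so verification fails unless the original address (NAT-OA) is known or the checksum is zero. All addresses are constructed documentation-range values, the function names are hypothetical, and only the source address is assumed to be rewritten by the NAT.

```python
import ipaddress
import struct

# Constructed sample values (documentation address ranges); not from the thread.
CLIENT_PRIVATE = "192.168.1.10"   # address the sender used when computing the checksum
NAT_PUBLIC = "203.0.113.5"        # source address the receiver sees after NAT
SERVER = "198.51.100.20"
L2TP_PORT = 1701
PAYLOAD = b"constructed L2TP payload"


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src: str, dst: str, sport: int, dport: int, payload: bytes) -> int:
    """UDP checksum over the IPv4 pseudo-header, UDP header and payload."""
    length = 8 + len(payload)
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 17, length))
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = ~ones_complement_sum(pseudo + header + payload) & 0xFFFF
    return csum or 0xFFFF  # 0 on the wire means "no checksum", so 0xFFFF is sent instead


def receiver_accepts(wire_csum: int, seen_src: str, nat_oa_src=None) -> bool:
    """Model of the receiver's check after ESP decapsulation (assumed behaviour)."""
    if wire_csum == 0:
        return True  # RFC 768: the sender did not compute a checksum
    src = nat_oa_src or seen_src  # with NAT-OA, verify against the original address
    return udp_checksum(src, SERVER, L2TP_PORT, L2TP_PORT, PAYLOAD) == wire_csum


if __name__ == "__main__":
    sent = udp_checksum(CLIENT_PRIVATE, SERVER, L2TP_PORT, L2TP_PORT, PAYLOAD)
    print("checksum set by sender:      0x%04x" % sent)
    print("accepted without NAT-OA:    ", receiver_accepts(sent, NAT_PUBLIC))
    print("accepted with NAT-OA:       ", receiver_accepts(sent, NAT_PUBLIC, CLIENT_PRIVATE))
    print("accepted with zero checksum:", receiver_accepts(0, NAT_PUBLIC))
```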