patch for IPSEC_NAT_T
VANHULLEBUS Yvan
vanhu_bsd at zeninc.net
Thu Jun 26 11:47:55 UTC 2008
On Thu, Jun 26, 2008 at 04:09:00PM +0600, Daniil Harun wrote:
> Dear sirs!
Hi.
I forgot to reply to your private mail this morning, but it's still
better to have the question and the answer on a public ML; it may be
useful for other people.
> Sorry for my bad English! I ask to help me, if you have some spare time.
>
> I'm using the patch to support IPSEC NAT Traversal on FreeBSD 7.0. NAT-T will not
> work with Windows XP in the real situation.
[....]
> But when the host is placed over NAT, everything stops working.
> After IKE negotiates and the keys are added to the SA database, traffic does not
> pass. "tcpdump enc0" shows that traffic is decoded normally, but then it is
> not processed; packets are discarded.
> The ipfw counters for rule 1 do not grow. On FreeBSD 6.2 I have the same problem
> (FAST_IPSEC or KAME IPSEC).
ESP transport with NAT-T may need NAT-OA support, which is not
provided by the current patch, nor by userland.
"May", because checksums (which need the NAT-OA payload in order to be
correctly recomputed by the destination) are optional on UDP, and,
afaik, L2TP is encapsulated in UDP datagrams.
Looks like XP sets the checksums for UDP datagrams.....
Yvan.
--
NETASQ
http://www.netasq.com
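The checksum problem Yvan describes, as an added example that is not code from the mail, from the FreeBSD NAT-T patch, or from the XP stack. In ESP transport mode the IP header that the NAT rewrites is the same header whose addresses sit in the UDP pseudo-header, so the checksum the sender computed no longer verifies at the decapsulating host; the NAT-OA payload (RFC 3948, section 3.1.2) carries the original addresses so the receiver can re-adjust it (here with the incremental update of RFC 1624), and a zero UDP checksum avoids the issue entirely. Addresses, ports and the payload bytes are constructed sample data, and the function names are this example's own.

```python
import socket
import struct

# Constructed sample topology (assumption, not from the original mail):
#   XP client 10.0.0.5 behind a NAT that rewrites its source to 203.0.113.7,
#   talking L2TP over UDP/1701 to a FreeBSD host at 198.51.100.1.
PRIVATE_SRC = "10.0.0.5"
NAT_SRC = "203.0.113.7"
SERVER = "198.51.100.1"
L2TP_PORT = 1701


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header; the two addresses are exactly what a NAT changes."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len))


def build_udp(src_ip, dst_ip, sport, dport, payload, with_checksum=True):
    """UDP segment as the sender's stack emits it, before ESP protects it."""
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    if not with_checksum:
        return seg  # checksum field 0 means "no checksum" on UDP/IPv4 (RFC 768)
    csum = (~ones_complement_sum(udp_pseudo_header(src_ip, dst_ip, len(seg)) + seg)) & 0xFFFF
    return seg[:6] + struct.pack("!H", csum or 0xFFFF) + seg[8:]


def verify_udp(src_ip, dst_ip, seg) -> bool:
    """Receiver-side check after ESP decapsulation, using the addresses
    actually present in the (NAT-rewritten) IP header."""
    if seg[6:8] == b"\x00\x00":
        return True  # optional checksum absent: nothing to verify
    return ones_complement_sum(udp_pseudo_header(src_ip, dst_ip, len(seg)) + seg) == 0xFFFF


def fixup_udp_checksum(seg, oa_src, oa_dst, seen_src, seen_dst):
    """NAT-OA fix-up: move the checksum from the original addresses carried in
    NAT-OA to the translated ones without touching the payload, using the
    incremental update of RFC 1624 (eq. 3): HC' = ~(~HC + ~m + m')."""
    hc = struct.unpack("!H", seg[6:8])[0]
    if hc == 0:
        return seg  # no checksum, nothing to fix
    acc = (~hc) & 0xFFFF
    for ip in (oa_src, oa_dst):  # subtract the old address words (add their complements)
        for w in struct.unpack("!HH", socket.inet_aton(ip)):
            acc += (~w) & 0xFFFF
    for ip in (seen_src, seen_dst):  # add the new address words
        for w in struct.unpack("!HH", socket.inet_aton(ip)):
            acc += w
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    new_hc = (~acc) & 0xFFFF
    return seg[:6] + struct.pack("!H", new_hc or 0xFFFF) + seg[8:]


def demo():
    """Returns (verifies after NAT without NAT-OA, verifies after NAT-OA fix-up,
    verifies after NAT with no checksum at all)."""
    payload = bytes.fromhex("c802001400000000000000000000000000000000")  # constructed stand-in for an L2TP message
    sent = build_udp(PRIVATE_SRC, SERVER, L2TP_PORT, L2TP_PORT, payload)
    # ESP transport mode carries the UDP segment unchanged; only the outer
    # source address differs at the receiver because the NAT rewrote it.
    broken = verify_udp(NAT_SRC, SERVER, sent)
    fixed = fixup_udp_checksum(sent, PRIVATE_SRC, SERVER, NAT_SRC, SERVER)
    repaired = verify_udp(NAT_SRC, SERVER, fixed)
    no_csum = verify_udp(NAT_SRC, SERVER,
                         build_udp(PRIVATE_SRC, SERVER, L2TP_PORT, L2TP_PORT, payload, with_checksum=False))
    return broken, repaired, no_csum


if __name__ == "__main__":
    print(demo())
```

The first value of `demo()` is the situation in the report: the packet decrypts fine on `enc0`, then the UDP checksum check fails against the translated address and the stack drops it before any firewall rule sees it. The second is what NAT-OA support would allow the receiver to do; the third is why a peer that sends UDP with the checksum zeroed would not hit the problem at all.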