IPsec support in FreeBSD
Ashish SHUKLA
ashish at FreeBSD.org
Tue Aug 24 04:40:13 UTC 2010
Hi VANHULLEBUS,
Ashish SHUKLA writes:
> VANHULLEBUS Yvan writes:
>> On Mon, Aug 23, 2010 at 02:37:16AM +0530, Ashish SHUKLA wrote:
>>> Hi,
>> Hi.
> Hi
>>> I'm running 8.1-RELEASE on amd64.
>>>
>>> I'm connecting to an IPsec VPN (IPv4, dynamic keying using racoon) from behind
>>> a NAT and I'm having strange issues working with it. IPsec negotiation
>>> succeeds but there are problems with sending traffic over the tunnel.
>> In fact, you're trying to set up an IPsec tunnel through a NAT, with
>> a userland probably compiled by default with NAT-T support, but a
>> kernel without NAT-T support according to your kernel configuration
>> file.
> Okay, right I'll do it. But any ideas why doing a `tcpdump` causes it to start
> sending packets? I can ssh into the boxen in tunnel network from my local PC
> just fine.
>> To have it work, first add "options IPSEC_NAT_T" to your kernel conf
>> file, compile / install it again. Then install -HEAD version of
>> ipsec-tools, as it is actually the only one to be able to send
>> correctly NAT-T PFkey extensions to FreeBSD kernel.
> Okay, I'll install with IPSEC_NAT_T and install HEAD of ipsec-tools (from the
> ipsec-tools SF project).
ipsec-tools needs a bit of patching[1] to make it work with 8.1-R. But it
worked, and no more need to do 'tcpdump'.
References:
[1] http://people.freebsd.org/~ashish/diffs/ipsec-tools.diff
Thanks
--
Ashish SHUKLA | GPG: F682 CDCC 39DC 0FEA E116 20B6 C746 CFA9 E74F A4B0
freebsd.org!ashish | http://people.freebsd.org/~ashish/
“The sky above the port was the color of television, tuned to a dead
channel.” (William Gibson, "Neuromancer", 1984)
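
Added example, not part of the original message and not FreeBSD or ipsec-tools code: a shell check for the mismatch diagnosed in this thread, a kernel config that has `options IPSEC` but lacks `options IPSEC_NAT_T`. The function names, result strings and sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a FreeBSD kernel config for IPsec through NAT.
# Limitation: "include" directives are not followed.

# kernel_has_option FILE NAME: exit 0 if NAME is enabled in FILE.
# Matches whole option names, so IPSEC does not match IPSEC_NAT_T (a plain
# grep would), ignores '#' comments, and lets a later "nooptions NAME"
# cancel an earlier "options NAME".
kernel_has_option() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                        # drop comments
        $1 ~ /^(no)?options?$/ {
            state = ($1 !~ /^no/)                 # 1 = options, 0 = nooptions
            line = $0
            sub(/^[ \t]*(no)?options?[ \t]+/, "", line)
            n = split(line, names, /,/)           # comma-separated list
            for (i = 1; i <= n; i++) {
                name = names[i]
                sub(/=.*/, "", name)              # NAME=value -> NAME
                gsub(/[ \t]/, "", name)
                if (name == want) enabled = state
            }
        }
        END { exit(enabled ? 0 : 1) }
    ' "$1"
}

# check_natt_config FILE: print one of
#   no-ipsec | ipsec-without-nat-t | ipsec-with-nat-t
check_natt_config() {
    if ! kernel_has_option "$1" IPSEC; then
        echo "no-ipsec"
    elif ! kernel_has_option "$1" IPSEC_NAT_T; then
        echo "ipsec-without-nat-t"
    else
        echo "ipsec-with-nat-t"
    fi
}

# Constructed sample config (not from the thread).
sample=$(mktemp)
cat > "$sample" <<'EOF'
ident    MYKERNEL
options  IPSEC            # IP security
device   crypto
#options IPSEC_NAT_T      # commented out, so not in effect
EOF
check_natt_config "$sample"
rm -f "$sample"
```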