IPSec connection troubles

VANHULLEBUS Yvan vanhu at FreeBSD.org
Tue Feb 23 12:21:30 UTC 2010


On Tue, Feb 23, 2010 at 02:10:23PM +0300, Denis Antrushin wrote:
[...]
> ipsec-tools understands the NAT-OA payload in the IKE exchange, but then simply
> discards it and does not send this information to the kernel.
> In the ipsec-tools mailing list archives I found a mention that Linux does not
> need this OA info, because it simply recomputes/ignores TCP checksums.

The userland part is the simplest to do, as the PFKey extension for NAT-OA
already exists; it hasn't been done so far because it's useless until
someone does the big part of the job in the kernel...


> Can we do the same, or is this unacceptable for FreeBSD and we want
> NAT-OA communicated to the kernel by the IKEd?
> I made a simple patch to ipsec_common_input_cb() to ignore TCP/UDP
> checksums of ESP-protected packets, and I can happily connect to a
> Solaris VPN server from behind the NAT device (after working around
> some security policy matching issues).

Just adding some code to always ignore such checksums sounds like a
bad idea to me.....

But maybe we could have at least a sysctl (disabled by default) to
ignore them.....



Yvan.
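The middle ground between "discard NAT-OA" and "ignore all checksums" is the fixup RFC 3948 section 3.1.2 describes for transport-mode NAT-T: the peer's TCP checksum was computed with its pre-NAT address, so the receiver can incrementally update the checksum (RFC 1624 style) by substituting the NAT-OA address with the address it actually sees in the IP header, and then verify as usual. The following C program is an added illustration of that arithmetic; it is not code from this thread, from ipsec-tools, or from the FreeBSD kernel. The addresses, ports and payload are constructed (RFC 5737 documentation ranges), not captured traffic, and the helper names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Ones-complement accumulate of 'len' bytes as big-endian 16-bit words. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    while (len > 1) {
        sum += ((uint32_t)p[0] << 8) | p[1];
        p += 2;
        len -= 2;
    }
    if (len)                       /* odd trailing byte is padded with zero */
        sum += (uint32_t)p[0] << 8;
    return sum;
}

/* Fold carries into 16 bits and complement: the value that goes on the wire. */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Full TCP checksum over the IPv4 pseudo-header and the segment.
 * Bytes 16..17 of 'seg' must be zero when computing a fresh checksum;
 * recomputing over a segment that carries its checksum yields 0 if it is valid. */
uint16_t tcp_checksum(const uint8_t src[4], const uint8_t dst[4],
                      const uint8_t *seg, size_t seglen)
{
    uint8_t ph[4] = { 0, 6 /* IPPROTO_TCP */, (uint8_t)(seglen >> 8), (uint8_t)seglen };
    uint32_t sum = 0;
    sum = csum_add(sum, src, 4);
    sum = csum_add(sum, dst, 4);
    sum = csum_add(sum, ph, 4);
    sum = csum_add(sum, seg, seglen);
    return csum_fold(sum);
}

/* 1 if the checksum stored in 'seg' is valid for the given addresses. */
int tcp_verify(const uint8_t src[4], const uint8_t dst[4],
               const uint8_t *seg, size_t seglen)
{
    return tcp_checksum(src, dst, seg, seglen) == 0;
}

/* RFC 1624 incremental update, HC' = ~(~HC + ~m + m'): 'csum' was computed
 * with address 'from' in the pseudo-header; return the checksum for 'to'. */
uint16_t csum_fixup_addr(uint16_t csum, const uint8_t from[4], const uint8_t to[4])
{
    uint8_t nfrom[4] = { (uint8_t)~from[0], (uint8_t)~from[1],
                         (uint8_t)~from[2], (uint8_t)~from[3] };
    uint32_t sum = (uint16_t)~csum;
    sum = csum_add(sum, nfrom, 4);   /* subtract the old address */
    sum = csum_add(sum, to, 4);      /* add the new one */
    return csum_fold(sum);
}

/* Constructed scenario: client 10.0.0.5 behind a NAT with public address
 * 203.0.113.7 talks to server 198.51.100.1 through transport-mode ESP in UDP.
 * The client computed the TCP checksum with its private address; after NAT and
 * ESP decapsulation the server's IP header shows the public address. NAT-OAi
 * from IKE carries the private address, which is what the fixup needs.
 * Returns 1 if verification fails before the fixup and succeeds after it. */
int demo_nat_oa_fixup(void)
{
    const uint8_t client_private[4] = { 10, 0, 0, 5 };     /* NAT-OAi */
    const uint8_t client_public[4]  = { 203, 0, 113, 7 };  /* seen after NAT */
    const uint8_t server[4]         = { 198, 51, 100, 1 };

    /* 20-byte TCP header (sport 40000, dport 22, PSH|ACK) plus 5-byte payload. */
    uint8_t seg[25] = {
        0x9c, 0x40, 0x00, 0x16,  0x00, 0x00, 0x00, 0x01,
        0x00, 0x00, 0x00, 0x01,  0x50, 0x18, 0xff, 0xff,
        0x00, 0x00, 0x00, 0x00,  'h', 'e', 'l', 'l', 'o'
    };

    /* Sender side: checksum computed with the private address. */
    uint16_t csum = tcp_checksum(client_private, server, seg, sizeof seg);
    seg[16] = (uint8_t)(csum >> 8);
    seg[17] = (uint8_t)csum;

    /* Receiver side, naive: verify against the post-NAT header -> mismatch. */
    int before = tcp_verify(client_public, server, seg, sizeof seg);

    /* Receiver side with NAT-OA: swap NAT-OAi for the observed address. */
    uint16_t fixed = csum_fixup_addr(csum, client_private, client_public);
    seg[16] = (uint8_t)(fixed >> 8);
    seg[17] = (uint8_t)fixed;
    int after = tcp_verify(client_public, server, seg, sizeof seg);

    return before == 0 && after == 1;
}

int main(void)
{
    int ok = demo_nat_oa_fixup();
    printf("NAT-OA checksum fixup: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The point of the fixup is that a corrupted segment still fails verification afterwards, which is what blanket "ignore TCP/UDP checksums on ESP input" gives up; a sysctl-gated ignore only makes sense as a fallback when the IKE daemon did not hand NAT-OA to the kernel. The same substitution applies to the destination address for the inbound direction on the client side, and the UDP case differs only in the protocol number and the special handling of a zero checksum.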

