IPSec connection troubles

Denis Antrushin DAntrushin at mail.ru
Tue Feb 23 12:50:14 UTC 2010


On 02/23/10 15:21, VANHULLEBUS Yvan wrote:
> On Tue, Feb 23, 2010 at 02:10:23PM +0300, Denis Antrushin wrote:
> [...]
>> ipsec-tools understand NAT-OA payload in IKE exchange, but then simply
>> discard it and do not send this information to kernel.
>> In ipsec-tools mailing list archives I found mention that linux does not
>> need this OA info, because it simply recomputes/ignores TCP checksums.
>
> Userland part is the most simple to do, as PFKey extension for NAT-OA
> already exists, it hasn't been done so far because it's useless until
> someone does the big part of the job on a kernel...

Taking into account this quote:

On 02/11/10 15:55, Bjoern A. Zeeb wrote:
> Him saying it works on linux - has ipsec-tools grown proper OA support
> these days? If that would be the case the kernel would probably be a
> minor task.

this means that I have to come up with patches for both FreeBSD kernel
and racoon at the same time. :-)
May I contact you off-list with patches for both, when ready?
As far as I understand, you are the one who can review both.

>> Can we do the same or this is unacceptable for FreeBSD and we want
>> NAT-OA communicated to kernel by IKEd?
>> I made a simple patch to ipsec_common_input_cb() to ignore TCP/UDP
>> checksums of ESP-protected packets and I happily can connect to
>> Solaris VPN server from behind the NAT device (after working around
>> some security policy matching issues).
>
> Just adding some code to always ignore such checksums sounds like a
> bad idea for me.....
>
> But maybe we could have at least a sysctl (disabled by default) to
> ignore them.....
>
> Yvan.
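The receiver-side checksum handling the thread argues about, as an added example (not code from the thread, FreeBSD or ipsec-tools): once the IKE daemon has handed the peer's original address (NAT-OAi) to the kernel, a decapsulated transport-mode TCP segment can be verified against that address, or its stored checksum can be incrementally rewritten for the post-NAT address, instead of ignoring checksums outright. All addresses and the segment are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>

/* Fold a 32-bit accumulator into a 16-bit one's-complement sum. */
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* Add big-endian 16-bit words of a buffer to the accumulator. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len) {
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)(p[0] << 8 | p[1]);
    if (len) sum += (uint32_t)p[0] << 8;
    return sum;
}

/* TCP checksum over an IPv4 pseudo-header plus segment. With the checksum
 * field zeroed this yields the value to store; with it filled in, a valid
 * segment yields 0. */
uint16_t tcp_csum(const uint8_t src[4], const uint8_t dst[4],
                  const uint8_t *seg, size_t len) {
    uint32_t sum = csum_add(csum_add(0, src, 4), dst, 4);
    sum += 6 + (uint32_t)len;                 /* protocol TCP, TCP length */
    return (uint16_t)~csum_fold(csum_add(sum, seg, len));
}

/* Option 1: verify using the NAT-OA addresses instead of the outer header. */
int tcp_csum_ok(const uint8_t src[4], const uint8_t dst[4],
                const uint8_t *seg, size_t len) {
    return tcp_csum(src, dst, seg, len) == 0;
}

/* Option 2: incremental update (RFC 1624) replacing orig_addr by new_addr. */
uint16_t nat_oa_fixup(uint16_t csum, const uint8_t orig_addr[4],
                      const uint8_t new_addr[4]) {
    uint32_t sum = (uint16_t)~csum;
    for (int i = 0; i < 4; i += 2) {
        uint16_t m  = (uint16_t)(orig_addr[i] << 8 | orig_addr[i + 1]);
        uint16_t m2 = (uint16_t)(new_addr[i]  << 8 | new_addr[i + 1]);
        sum += (uint16_t)~m;
        sum += m2;
    }
    return (uint16_t)~csum_fold(sum);
}

/* Constructed scenario: 10.0.0.5 (NAT-OAi) appears as 198.51.100.7 after
 * the NAT; the responder is 192.0.2.10. Returns 1 when the raw header
 * check rejects the segment but both NAT-OA options accept it. */
int nat_oa_demo(void) {
    static const uint8_t oai[4] = {10, 0, 0, 5}, nat[4] = {198, 51, 100, 7},
                         rsp[4] = {192, 0, 2, 10};
    uint8_t seg[24] = {0xc0, 0x01, 0x00, 0x16, 0, 0, 0, 1, 0, 0, 0, 0,
                       0x50, 0x02, 0x20, 0x00, 0, 0, 0, 0, 'N', 'A', 'T', 0};
    uint16_t c = tcp_csum(oai, rsp, seg, sizeof seg); /* sender's value */
    seg[16] = c >> 8; seg[17] = c & 0xff;
    int raw_rejects = !tcp_csum_ok(nat, rsp, seg, sizeof seg);
    int oa_accepts  =  tcp_csum_ok(oai, rsp, seg, sizeof seg);
    uint16_t c2 = nat_oa_fixup(c, oai, nat);          /* rewrite for NAT */
    seg[16] = c2 >> 8; seg[17] = c2 & 0xff;
    int fix_accepts = tcp_csum_ok(nat, rsp, seg, sizeof seg);
    return raw_rejects && oa_accepts && fix_accepts;
}
```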

