IPFW problem with passing IPSEC through in-kernel NAT

Dr. Rolf Jansen rj at obsigna.com
Fri Dec 9 12:55:40 UTC 2016


> Am 09.12.2016 um 02:11 schrieb Karl Denninger <karl at denninger.net>:
> ...
> Some more information on this issue.... I suspect that something is
> getting mangled somewhere in the IP stack, perhaps related to hardware
> checksumming or similar -- or in the ipfw code.

I have always run into IPsec-NAT-UDP checksumming issues since I started working with FreeBSD, at that time v8.0. With a rather simple change in the respective kernel source file, at least my issue can be resolved. This may or may not be related to your issue; anyway, I guess it is worth giving it a try.

I am now running FreeBSD 11-RELEASE-p5. On line 462 of file /usr/src/sys/netinet/udp_usrreq.c, I replaced:

    if (uh->uh_sum) {

with:

    if (uh->uh_sum &&
        uh->uh_dport != htons(1701) &&
        uh->uh_dport != htons(4500)) {

This effectively skips extended UDP checksumming for certain UDP ports -- here the L2TP and IPsec-NAT-T ports. When I investigated the issue, I found in one related RFC that IPsec-NAT-T isn't supposed to do UDP checksumming on the encapsulated packets anyway, and my patch enforces this behaviour.

Best regards

Rolf
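To make the failure mode behind this thread concrete, here is an added, stand-alone model of the receive-side UDP checksum check; it is not code from the mailing list post or from the FreeBSD kernel. It computes the RFC 768 UDP checksum over the IPv4 pseudo-header, then shows why a NAT that rewrites the source address without fixing up the checksum makes a normal UDP datagram fail verification, why the patch above (skipping verification for destination ports 1701 and 4500) lets such a datagram pass, and that a NAT-T sender which transmits a zero checksum (the RFC 3948 behaviour) never hits the check at all. All addresses, ports other than 1701/4500, and payloads are constructed sample values; `verify_like_patched_kernel` is a hypothetical name for the logic, not a kernel function.

```python
import socket
import struct

UDP_PROTO = 17
# Destination ports the posted patch exempts from checksum verification
# (L2TP and IPsec NAT-T).
CHECKSUM_EXEMPT_PORTS = frozenset({1701, 4500})


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # odd-length data is padded with a zero byte
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: bytes, dst: bytes, udp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero, protocol, UDP length."""
    return src + dst + struct.pack("!BBH", 0, UDP_PROTO, udp_len)


def udp_checksum(src: bytes, dst: bytes, udp_segment: bytes) -> int:
    """Checksum to place in the UDP header; 0 is transmitted as 0xFFFF."""
    seg = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    csum = 0xFFFF ^ ones_complement_sum(pseudo_header(src, dst, len(seg)) + seg)
    return csum or 0xFFFF


def recompute(src: bytes, dst: bytes, udp_segment: bytes) -> bytes:
    """What a correct NAT does after rewriting an address: fix the checksum."""
    return udp_segment[:6] + struct.pack("!H", udp_checksum(src, dst, udp_segment)) + udp_segment[8:]


def build_udp(src, dst, sport, dport, payload, with_checksum=True) -> bytes:
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return recompute(src, dst, seg) if with_checksum else seg


def verify_like_patched_kernel(src, dst, udp_segment, exempt=CHECKSUM_EXEMPT_PORTS) -> str:
    """Model of the receive path after the patch in the post (hypothetical name)."""
    _sport, dport, length, csum = struct.unpack("!HHHH", udp_segment[:8])
    if length != len(udp_segment):
        return "bad"
    if csum == 0:
        return "no-checksum"  # RFC 768: zero means the sender computed none
    if dport in exempt:
        return "skipped"      # the patched branch: uh_sum is non-zero but port is exempt
    total = ones_complement_sum(pseudo_header(src, dst, length) + udp_segment)
    return "ok" if total == 0xFFFF else "bad"


def demo() -> dict:
    inner = socket.inet_aton("192.168.1.10")    # constructed: host behind the NAT
    peer = socket.inet_aton("203.0.113.5")      # constructed: remote peer
    nat_ext = socket.inet_aton("198.51.100.7")  # constructed: NAT external address
    payload = b"constructed payload"
    r = {}
    # Ordinary datagram: valid as sent, broken if NAT rewrites src without fixup.
    dns = build_udp(inner, peer, 40000, 53, payload)
    r["before_nat"] = verify_like_patched_kernel(inner, peer, dns)
    r["nat_no_fixup"] = verify_like_patched_kernel(nat_ext, peer, dns)
    r["nat_fixup"] = verify_like_patched_kernel(nat_ext, peer, recompute(nat_ext, peer, dns))
    # NAT-T datagram carrying a checksum: unpatched kernel rejects, patched skips.
    natt = build_udp(inner, peer, 4500, 4500, payload)
    r["natt_unpatched"] = verify_like_patched_kernel(nat_ext, peer, natt, exempt=frozenset())
    r["natt_patched"] = verify_like_patched_kernel(nat_ext, peer, natt)
    # NAT-T datagram sent with a zero checksum never reaches the verification.
    natt_zero = build_udp(inner, peer, 4500, 4500, payload, with_checksum=False)
    r["natt_zero_csum"] = verify_like_patched_kernel(nat_ext, peer, natt_zero)
    # Odd-length payload exercises the padding rule.
    r["odd_length"] = verify_like_patched_kernel(inner, peer, build_udp(inner, peer, 1, 2, b"x"))
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16s} {outcome}")
```

The `nat_no_fixup` case is the symptom a packet capture on the receiving host would show: a non-zero `uh_sum` that no longer matches the rewritten addresses. The patch in the post changes only which datagrams reach the comparison; it does not make the checksum correct, so a NAT that fixes up checksums (the `nat_fixup` case) remains the cleaner remedy for non-exempt ports.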

