patch for IPSEC_NAT_T

Daniil Harun harunaga at harunaga.ru
Thu Jun 26 13:44:41 UTC 2008


Hi!
> > But when the host is placed behind NAT, everything stops working.
> > After IKE negotiates and the keys are added to the SA database, traffic does
> > not pass. "tcpdump enc0" shows that traffic is decoded normally, but then
> > it is not processed; the packets are discarded.
> > The ipfw counters for rule 1 do not grow. On FreeBSD 6.2 I have the same
> > problem (FAST_IPSEC or KAME IPSEC).
>
> ESP transport with NAT-T may need NAT-OA support, which is not
> provided by the actual patch, nor by userland.
>
> "may", because checksums (which need that NAT-OA payload to be
> correctly recomputed by the destination) are optional on UDP, and,
> afaik, L2TP is encapsulated in UDP datagrams.
>
> Looks like XP sets the checksums for UDP datagrams.....

In such a case, this should help:

sysctl net.inet.udp.checksum=0 ?

-- 
Best regards, Harun Daniil
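To make the checksum point in the quoted reply concrete, here is an added example that is not part of the thread: it builds a UDP segment as the host behind the NAT would (checksum computed over its private address in the IPv4 pseudo-header), shows that the same segment fails verification once the IP header carries the NAT's public address (which is what the receiver sees after decapsulating transport-mode ESP, since the NAT rewrote the outer header but could not touch the encrypted UDP checksum), and shows the two ways the receiver can accept it: knowing the original address from a NAT-OA payload, or the sender having sent a zero (disabled) checksum. All addresses and ports are constructed from the RFC 5737 documentation ranges; `fixup_checksum_with_nat_oa` is a hypothetical helper, not FreeBSD code.

```python
"""Why ESP transport-mode UDP traffic fails checksum verification behind NAT.

Added example (not from the mailing-list thread). Addresses are constructed
from documentation ranges; nothing here is FreeBSD kernel code.
"""
import ipaddress
import struct

UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum used by IP, UDP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header (RFC 768): src, dst, zero, protocol, UDP length."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, UDP_PROTO, udp_len))


def udp_checksum(src_ip: str, dst_ip: str, segment_zero_csum: bytes) -> int:
    """Checksum for a UDP segment whose checksum field is currently zero."""
    total = ones_complement_sum(
        pseudo_header(src_ip, dst_ip, len(segment_zero_csum)) + segment_zero_csum)
    csum = (~total) & 0xFFFF
    return csum or 0xFFFF                    # 0 is reserved for "no checksum"


def build_udp(src_ip, dst_ip, src_port, dst_port, payload, with_checksum=True):
    """Sender side: the host builds the segment using the addresses it knows."""
    length = 8 + len(payload)
    hdr = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = udp_checksum(src_ip, dst_ip, hdr + payload) if with_checksum else 0
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload


def verify_udp(src_ip, dst_ip, segment: bytes) -> bool:
    """Receiver side: check against the addresses in the IP header it holds."""
    stored = struct.unpack("!H", segment[6:8])[0]
    if stored == 0:
        return True                          # sender disabled the checksum
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return total == 0xFFFF


def fixup_checksum_with_nat_oa(segment, oa_src, oa_dst, seen_src, seen_dst):
    """Hypothetical receiver-side repair using the peer's NAT-OA addresses.

    Only rewrite the checksum if it is valid for the original addresses,
    i.e. the mismatch is purely a NAT artefact and not corruption.
    """
    if not verify_udp(oa_src, oa_dst, segment):
        raise ValueError("checksum invalid even for NAT-OA addresses")
    body = segment[:6] + b"\x00\x00" + segment[8:]
    new = udp_checksum(seen_src, seen_dst, body)
    return segment[:6] + struct.pack("!H", new) + segment[8:]


def nat_t_scenario() -> dict:
    """Walk through the failure and both acceptable outcomes."""
    orig_src = "192.168.1.10"    # private address of the host behind NAT
    nat_src = "198.51.100.7"     # public address the NAT substitutes
    dst = "203.0.113.5"          # VPN/L2TP server
    seg = build_udp(orig_src, dst, 1701, 1701, b"constructed L2TP payload")
    return {
        "before_nat_ok": verify_udp(orig_src, dst, seg),
        "after_nat_ok": verify_udp(nat_src, dst, seg),
        "nat_oa_ok": verify_udp(nat_src, dst,
                                fixup_checksum_with_nat_oa(seg, orig_src, dst, nat_src, dst)),
        "zero_csum_ok": verify_udp(nat_src, dst,
                                   build_udp(orig_src, dst, 1701, 1701, b"x", with_checksum=False)),
    }


if __name__ == "__main__":
    for name, ok in nat_t_scenario().items():
        print("%-14s %s" % (name, "pass" if ok else "DROP"))
```

The `after_nat_ok` case is the silent drop described in the thread: the packet decrypts fine on `enc0`, but the UDP checksum is then checked against the translated address and the datagram never reaches the socket or the firewall rule. Disabling the checksum sidesteps the check; NAT-OA lets the receiver verify (or repair) it without giving up integrity.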

