IPSec connection troubles
Denis Antrushin
DAntrushin at mail.ru
Thu Feb 11 13:18:15 UTC 2010
On 02/11/10 15:55, Bjoern A. Zeeb wrote:
> On Thu, 11 Feb 2010, VANHULLEBUS Yvan wrote:
>
>>> How can I further debug this problem?
>>
>> You can check on responder that you have lots of TCP checksum errors,
>> which will confirm that you would need support for NAT-OA extension of
>> NAT-T RFC, as you want to do some Transport IPsec of TCP flows using
>> NAT-T.
>>
>>
>> Unfortunately, actually, there is no support for NAT-OA extension,
>> there are just specifications on PFKey interface to send them to
>> kernel.
>
> Him saying it works on Linux - has ipsec-tools grown proper OA support
> these days? If that would be the case the kernel would probably be a
> minor task.
Yes, I see some NAT-OA debug messages in racoon logs.
With ipsec-tools 0.7.3 they were missing and I could not even finish
quick mode exchange...
I'm sorry for my ignorance, but can I work around this problem using
UDP instead? Or does it require that NAT_OA stuff as well?
Thanks,
Denis
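
Added example, not part of the original thread: why the responder sees TCP checksum errors for transport-mode ESP behind NAT, and how the original address carried in NAT-OA lets the receiver repair the checksum with an incremental update (RFC 1624). The addresses, ports and function names are constructed for illustration.

```python
import socket
import struct

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, seg_len: int) -> bytes:
    # The TCP checksum covers the IP source and destination addresses.
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))

def build_segment(src: str, dst: str, payload: bytes) -> bytes:
    # Minimal 20-byte TCP header; the checksum field is bytes 16..17.
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    csum = ~ones_sum(pseudo_header(src, dst, len(hdr) + len(payload))
                     + hdr + payload) & 0xFFFF
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def verifies(src: str, dst: str, segment: bytes) -> bool:
    # What the receiving TCP stack does with the addresses it sees.
    return ones_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

def adjust_with_nat_oa(segment: bytes, original_src: str, seen_src: str) -> bytes:
    # RFC 1624: HC' = ~(~HC + ~m + m'), m = original address, m' = seen address.
    old = struct.unpack("!H", segment[16:18])[0]
    m = ones_sum(socket.inet_aton(original_src))
    m_new = ones_sum(socket.inet_aton(seen_src))
    new = ~ones_sum(struct.pack("!HHH", ~old & 0xFFFF, ~m & 0xFFFF, m_new)) & 0xFFFF
    return segment[:16] + struct.pack("!H", new) + segment[18:]

# Constructed scenario: initiator behind NAT, responder on a public address.
ORIGINAL_SRC = "192.168.1.10"   # initiator's private address (sent as NAT-OA)
NAT_SRC = "203.0.113.5"         # address the responder sees after NAT
RESPONDER = "198.51.100.20"

# The initiator computes the checksum, then ESP encrypts the segment, so the
# NAT device rewrites the outer IP header but cannot touch the TCP checksum.
segment = build_segment(ORIGINAL_SRC, RESPONDER, b"hello")

if __name__ == "__main__":
    print("sender's view valid:      ", verifies(ORIGINAL_SRC, RESPONDER, segment))
    print("responder's view valid:   ", verifies(NAT_SRC, RESPONDER, segment))
    fixed = adjust_with_nat_oa(segment, ORIGINAL_SRC, NAT_SRC)
    print("after NAT-OA adjust valid:", verifies(NAT_SRC, RESPONDER, fixed))
```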