IPSec connection troubles

Denis Antrushin DAntrushin at mail.ru
Tue Feb 23 11:10:58 UTC 2010


On 02/11/10 15:55, Bjoern A. Zeeb wrote:
> On Thu, 11 Feb 2010, VANHULLEBUS Yvan wrote:
>
>>> How can I further debug this problem?
>>
>> You can check on the responder that you have lots of TCP checksum errors,
>> which will confirm that you would need support for the NAT-OA extension of
>> the NAT-T RFC, as you want to do some Transport IPsec of TCP flows using
>> NAT-T.
>>
>> Unfortunately, actually, there is no support for the NAT-OA extension;
>> there are just specifications on the PFKey interface to send them to the
>> kernel.
>
> Him saying it works on Linux - has ipsec-tools grown proper OA support
> these days? If that were the case, the kernel would probably be a
> minor task.

ipsec-tools understands the NAT-OA payload in the IKE exchange, but then simply
discards it and does not send this information to the kernel.
In the ipsec-tools mailing list archives I found a mention that Linux does not
need this OA info, because it simply recomputes/ignores TCP checksums.

Can we do the same, or is this unacceptable for FreeBSD, and do we want
NAT-OA communicated to the kernel by the IKEd?
I made a simple patch to ipsec_common_input_cb() to ignore TCP/UDP
checksums of ESP-protected packets, and I can happily connect to a
Solaris VPN server from behind the NAT device (after working around
some security policy matching issues).
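The checksum symptom Yvan points to, and what NAT-OA would let the responder do about it, as an added C example that is not part of this thread and not FreeBSD's ipsec_common_input_cb(): a constructed TCP segment checksummed by the initiator with its private address fails verification against the NAT's public address that the outer header carries after ESP decapsulation, verifies against the pre-NAT address NAT-OA conveys, and can be incrementally fixed up (RFC 1624) instead of ignored. All addresses, ports and the segment are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* One's-complement sum (RFC 1071) of a byte buffer, added to a running sum. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len) {
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)((p[0] << 8) | p[1]);
    if (len) sum += (uint32_t)(p[0] << 8);
    return sum;
}
/* Fold carries into 16 bits and complement: the value that goes on the wire. */
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* TCP checksum over the IPv4 pseudo-header (src, dst, 0, proto 6, TCP length)
 * and the segment; the caller passes the segment with bytes 16-17 zeroed. */
uint16_t tcp_checksum(uint32_t src, uint32_t dst, const uint8_t *tcp, size_t len) {
    uint8_t ph[12] = { (uint8_t)(src >> 24), (uint8_t)(src >> 16), (uint8_t)(src >> 8),
        (uint8_t)src, (uint8_t)(dst >> 24), (uint8_t)(dst >> 16), (uint8_t)(dst >> 8),
        (uint8_t)dst, 0, 6, (uint8_t)(len >> 8), (uint8_t)len };
    return csum_fold(csum_add(csum_add(0, ph, sizeof ph), tcp, len));
}
/* 1 if the checksum stored in the segment matches the given address pair. */
int tcp_checksum_ok(uint32_t src, uint32_t dst, const uint8_t *tcp, size_t len) {
    uint8_t buf[64];                       /* constructed segments are small */
    if (len > sizeof buf) return 0;
    memcpy(buf, tcp, len);
    uint16_t stored = (uint16_t)((buf[16] << 8) | buf[17]);
    buf[16] = buf[17] = 0;
    return tcp_checksum(src, dst, buf, len) == stored;
}
/* RFC 1624 incremental update of a stored checksum from the address pair the
 * sender used (known from NAT-OA) to the pair the outer header now carries. */
uint16_t tcp_checksum_fixup(uint16_t old, uint32_t os, uint32_t od, uint32_t ns, uint32_t nd) {
    uint32_t sum = (uint16_t)~old, o[2] = { os, od }, n[2] = { ns, nd };
    for (int i = 0; i < 2; i++)
        sum += (uint16_t)~(o[i] >> 16) + (uint16_t)~(o[i] & 0xffff)
             + (n[i] >> 16) + (n[i] & 0xffff);
    return csum_fold(sum);
}
/* Constructed example: a 20-byte SYN 10.0.0.5:40000 -> 198.51.100.1:443,
 * checksummed by the initiator with its private address (the NAT-OAi value). */
#define INITIATOR_PRIVATE 0x0a000005u   /* 10.0.0.5, before the NAT */
#define NAT_PUBLIC        0xcb007107u   /* 203.0.113.7, seen in the outer header */
#define RESPONDER         0xc6336401u   /* 198.51.100.1 */
void build_segment(uint8_t seg[20]) {
    const uint8_t hdr[20] = { 0x9c, 0x40, 0x01, 0xbb, 0, 0, 0, 1, 0, 0, 0, 0,
                              0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0 };
    memcpy(seg, hdr, 20);
    uint16_t c = tcp_checksum(INITIATOR_PRIVATE, RESPONDER, seg, 20);
    seg[16] = (uint8_t)(c >> 8); seg[17] = (uint8_t)(c & 0xff);
}
```

Verifying against the outer (NAT) address is what produces the checksum errors on the responder; with the NAT-OA address the same segment verifies, and the fix-up rewrites the stored checksum so ordinary TCP input processing can keep validating it.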


More information about the freebsd-net mailing list