Support for IPSec NAT-T in transport mode

Zmiter zmiterby at gmail.com
Mon Apr 16 19:54:51 UTC 2012


16.04.2012 12:59, VANHULLEBUS Yvan wrote:
> I didn't review/try the patch, but kernel part seems to be done.
Upon testing, it's not as good as it seems. I found some trouble with it.
1. sysctl net.inet.esp.esp_ignore_natt_cksum does not work as expected. If 
there are troubles with the function key_compute_natt_cksum, bad (not 
recalculated) checksums are not ignored and packets are dropped, 
increasing the bad UDP checksums counter.
2. Decrypted packets received by the L2TP daemon seem to it as packets 
originated from the NAT address, not from the LAN behind the NAT. So the 
L2TP daemon answers them back to the NAT, and of course they do not 
satisfy the SPD policy and are not encrypted through IPSec; as a result 
they never arrive at the NATed host.

Maybe I'm doing something wrong, but my little research shows me the 
described results.
I'll appreciate any help with that.

16.04.2012
Zmiter

