Support for IPSec NAT-T in transport mode
zmiterby at gmail.com
Mon Apr 16 19:54:51 UTC 2012
16.04.2012 12:59, VANHULLEBUS Yvan wrote:
> I didn't review/try the patch, but kernel part seems to be done.
Upon testing, it's not as good as it seems. I found some trouble with it.
1. sysctl net.inet.esp.esp_ignore_natt_cksum does not work as expected. If
there are troubles with the function key_compute_natt_cksum, bad (not
recalculated) checksums are not ignored and packets are dropped,
increasing the bad UDP checksums counter.
2. Decrypted packets received by the L2TP daemon appear to it as packets
originating from the NAT address, not from the LAN behind the NAT. So the L2TP
daemon answers them back to the NAT, and of course they do not satisfy the SPD
policy and are not encrypted through IPSec; as a result they never
arrive at the NATed host.
Maybe I'm doing something wrong, but my little research shows me
I'd appreciate any help with that.
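The first problem above is the transport-mode NAT-T checksum issue: ESP protects the inner UDP header, the NAT rewrites only the outer IP addresses, so after decapsulation the inner UDP checksum still reflects the pre-NAT source address and no longer verifies against the pseudo-header the receiver sees. The receiver must either recompute the checksum from the original address (which IKE carries in the NAT-OA payload) or deliberately ignore it. The following Python script is an added illustration of that, not code from the original mail or from FreeBSD; all addresses, ports and the payload are constructed, and the incremental fix uses the RFC 1624 formula HC' = ~(~HC + ~m + m').

```python
import ipaddress
import struct


def _ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero, protocol 17 (UDP), UDP length."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, 17, udp_len))


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum of a UDP segment whose checksum field is zero (0 is sent as 0xFFFF, RFC 768)."""
    csum = 0xFFFF & ~_ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return csum or 0xFFFF


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP segment with a correct checksum for the given address pair."""
    length = 8 + len(payload)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    csum = udp_checksum(src_ip, dst_ip, hdr + payload)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def verify_udp(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A segment verifies when pseudo-header + segment (checksum included) sums to 0xFFFF."""
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def fix_checksum_after_nat(segment: bytes, old_ip: str, new_ip: str) -> bytes:
    """Incrementally update the UDP checksum when one pseudo-header address changes.

    RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), with m the old and m' the new address words.
    A zero checksum field means 'no checksum', so nothing needs fixing in that case.
    """
    hc = struct.unpack("!H", segment[6:8])[0]
    if hc == 0:
        return segment
    old = ipaddress.IPv4Address(old_ip).packed
    new = ipaddress.IPv4Address(new_ip).packed
    total = ((~hc & 0xFFFF)
             + _ones_complement_sum(bytes(~b & 0xFF for b in old))  # ~m, word-wise
             + _ones_complement_sum(new))                            # m'
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    hc_new = ~total & 0xFFFF
    return segment[:6] + struct.pack("!H", hc_new or 0xFFFF) + segment[8:]


def natt_transport_walkthrough() -> dict:
    """Constructed scenario: a LAN host behind a NAT talks L2TP to a peer over NAT-T transport mode."""
    lan_host = "192.168.1.10"    # constructed: pre-NAT source, known to the peer via NAT-OA
    nat_public = "198.51.100.7"  # constructed: address the NAT substitutes in the outer header
    peer = "203.0.113.5"         # constructed: IPsec/L2TP peer
    payload = b"L2TP control message (constructed)"
    segment = build_udp(lan_host, peer, 1701, 1701, payload)
    # ESP covers the segment; the NAT rewrites only the outer IP header, so after
    # decapsulation the peer verifies the inner checksum against nat_public and fails.
    fixed = fix_checksum_after_nat(segment, lan_host, nat_public)
    return {
        "verifies_with_original_src": verify_udp(lan_host, peer, segment),
        "verifies_after_nat_unfixed": verify_udp(nat_public, peer, segment),
        "verifies_after_fix": verify_udp(nat_public, peer, fixed),
        "matches_full_recompute": fixed == build_udp(nat_public, peer, 1701, 1701, payload),
    }


if __name__ == "__main__":
    for name, ok in natt_transport_walkthrough().items():
        print(f"{name}: {ok}")
```

The walkthrough shows the three states a decapsulating host can be in: the checksum is valid for the original address pair, invalid once the outer source has been translated, and valid again after recomputation from the NAT-OA address; the incremental update is bit-for-bit identical to a full recompute. A receiver that neither fixes nor ignores the checksum will count every such packet as a bad UDP checksum and drop it, which is the symptom described in point 1 above.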
More information about the freebsd-stable