IPSec NAT-T in transport mode
VANHULLEBUS Yvan
vanhu at FreeBSD.org
Fri Jan 22 13:19:39 UTC 2010
Hi.
On Thu, Jan 21, 2010 at 04:36:12PM +0000, David Murray wrote:
[...]
> On 2010-01-20 Wed 1:22 pm, Crest wrote:
>
> >Yes the NAT-T Patch has been integrated into FreeBSD 8.0.
> >
> >Just rebuild your kernel with these options:
> >device crypto # IPsec depends on this
> >options IPSEC
> >options IPSEC_DEBUG
> >options IPSEC_NAT_T
>
> I'm trying to do the same thing as the OP, so thanks for these replies.
>
> However, they seem to be at odds. Are we saying that the NAT-T patch is
> there, but is missing checksum re-calculation, so MPD's packets are
> going to be discarded?
Yes, see my other mail in this thread.
> (FWIW, this seems to be what happens. All the negotiation to set up
> IPSEC SAs happens, but MPD's log never shows a single entry. I hadn't
> got as far as packet dumps when this thread popped up.)
And if you have a look at system stats, you'll see lots of UDP packets
dropped because of invalid checksums....
Yvan.
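
Why the missing checksum recalculation leads to the drops discussed above, as an added example that is not part of the original message and is not FreeBSD code: the UDP checksum covers a pseudo-header containing the IP addresses, and in transport mode the inner datagram is checksummed and encrypted before NAT rewrites the source address. The addresses and the use of port 1701 (L2TP) are constructed assumptions.

```python
import socket
import struct

def fold_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the UDP checksum (RFC 768)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, udp_len: int) -> bytes:
    """The checksum covers the IP addresses, which is what NAT breaks."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len))

def build_udp(src, dst, sport, dport, payload: bytes) -> bytes:
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = ~fold_sum(pseudo_header(src, dst, length) + header + payload) & 0xFFFF
    return struct.pack("!HHHH", sport, dport, length, csum or 0xFFFF) + payload

def checksum_ok(src, dst, datagram: bytes) -> bool:
    return fold_sum(pseudo_header(src, dst, len(datagram)) + datagram) == 0xFFFF

def recompute(src, dst, datagram: bytes) -> bytes:
    """Rebuild the checksum against the addresses seen after decapsulation."""
    sport, dport = struct.unpack("!HH", datagram[:4])
    return build_udp(src, dst, sport, dport, datagram[8:])

# Constructed addresses (RFC 1918 / RFC 5737), not taken from the thread.
PRIVATE, NAT_PUBLIC, SERVER = "192.168.1.10", "203.0.113.5", "198.51.100.20"

# Client side: the inner UDP datagram is checksummed with the private source
# address, then encrypted by ESP, so the NAT device cannot adjust it.
inner = build_udp(PRIVATE, SERVER, 1701, 1701, b"constructed L2TP payload")

if __name__ == "__main__":
    print("as sent by client:      ", checksum_ok(PRIVATE, SERVER, inner))
    print("after NAT + ESP decap:  ", checksum_ok(NAT_PUBLIC, SERVER, inner))
    fixed = recompute(NAT_PUBLIC, SERVER, inner)
    print("after recalculation:    ", checksum_ok(NAT_PUBLIC, SERVER, fixed))
```

The middle case is the one the receiving UDP stack sees when the IPsec code hands it the decapsulated datagram without recalculating the checksum.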