IPSec NAT-T in transport mode

David Murray david000 at davidmurray.name
Fri Jan 22 17:15:50 UTC 2010


Hi Yvan,

On 10-01-22 Fri 1:19 pm, VANHULLEBUS Yvan wrote:

> On Thu, Jan 21, 2010 at 04:36:12PM +0000, David Murray wrote:
>
>> On 2010-01-20 Wed 1:22 pm, Crest wrote:
>>
>>> Yes the NAT-T Patch has been integrated into FreeBSD 8.0.
>>
>> Are we saying that the NAT-T patch is there, but is missing checksum 
>> re-calculation, so MPD's packets are going to be discarded?
>
> Yes, see my other mail in this thread.
>
>
>> (FWIW, this seems to be what happens. All the negotiation to set up 
>> IPSEC SAs happens, but MPD's log never shows a single entry. I hadn't 
>> got as far as packet dumps when this thread popped up.)
>
> And if you have a look at system stats, you'll see lots of UDP packets 
> dropped because of invalid checksums....

Thanks for taking the time to reply.

Actually, I find that each attempt to connect causes netstat -s -p udp 
to show a few UDP packets arriving and being dropped due to no socket, 
rather than bad checksums, so maybe I've got some other sort of problem 
with my mpd config, which I'll look into.


-- 
David Murray




