IPSec NAT-T in transport mode
David Murray
david000 at davidmurray.name
Fri Jan 22 18:01:10 UTC 2010
Hi Yvan,
On 10-01-22 Fri 5:15 pm, David Murray wrote:
> On 10-01-22 Fri 1:19 pm, VANHULLEBUS Yvan wrote:
>
>> On Thu, Jan 21, 2010 at 04:36:12PM +0000, David Murray wrote:
>>
>>> On 2010-01-20 Wed 1:22 pm, Crest wrote:
>>>
>>>> Yes the NAT-T Patch has been integrated into FreeBSD 8.0.
>>>
>>> Are we saying that the NAT-T patch is there, but is missing checksum
>>> re-calculation, so MPD's packets are going to be discarded?
>>
>> Yes, see my other mail in this thread.
>>
>>
>>> (FWIW, this seems to be what happens. All the negotiation to set up
>>> IPSEC SAs happens, but MPD's log never shows a single entry. I
>>> hadn't got as far as packet dumps when this thread popped up.)
>>
>> And if you have a look at system stats, you'll see lots of UDP
>> packets dropped because of invalid checksums....
>
> Actually, I find that each attempt to connect causes netstat -s -p udp
> to show a few UDP packets arriving and being dropped due to no socket,
> rather than bad checksums, so maybe I've got some other sort of
> problem with my mpd config, which I'll look into.
Ah, yes, I'd forgotten that my external IP address had changed since I
last tried this, so I needed to restart racoon and ipsec.
So now, like you say, I see UDP packets dropped due to bad checksums.
I'll have a look at the NAT-T RFCs just in case support for NAT-OA
payloads is something I could help with, but I suspect it'll need an
in-depth knowledge of the IP stack.
Thanks!
--
David Murray
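The checksum failure discussed in this thread, worked through as an added example (this is not code from the thread, from mpd, or from FreeBSD's NAT-T patch). In transport mode, ESP does not cover the IP header, so when a NAT rewrites the outer source address the inner UDP checksum, which the initiator computed over a pseudo-header containing its private address, no longer matches what the responder sees after decapsulation; a stack that skips the NAT-T fixup counts it as a bad checksum and drops it. RFC 3948 section 3.1.2 lets the receiver repair the checksum using the original address learned from the IKE NAT-OA payload, either by recomputing it from scratch or by the incremental RFC 1624 update shown below. The addresses, port numbers, payload and function names (`udp_compute`, `udp_verify`, `csum_adjust`, `natt_fixup_udp_checksum`) are assumptions made for this illustration.

```c
/* Added example: transport-mode NAT-T inner UDP checksum repair (RFC 3948 3.1.2). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One's-complement sum of a byte string (RFC 1071); odd byte is zero padded. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    if (len)
        sum += (uint32_t)p[0] << 8;
    return sum;
}

/* Fold carries into 16 bits; result is still uncomplemented. */
static uint16_t fold16(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* Sum of the IPv4 pseudo-header plus the UDP header and payload as given. */
static uint32_t udp_sum(const uint8_t src[4], const uint8_t dst[4],
                        const uint8_t *udp, size_t udp_len)
{
    uint8_t ph[12] = {0};
    memcpy(ph, src, 4);
    memcpy(ph + 4, dst, 4);
    ph[9]  = 17;                          /* IPPROTO_UDP */
    ph[10] = (uint8_t)(udp_len >> 8);
    ph[11] = (uint8_t)udp_len;
    return csum_add(csum_add(0, ph, 12), udp, udp_len);
}

/* Sender: compute and store the checksum; a computed 0 is sent as 0xffff. */
uint16_t udp_compute(const uint8_t src[4], const uint8_t dst[4],
                     uint8_t *udp, size_t udp_len)
{
    udp[6] = udp[7] = 0;
    uint16_t hc = (uint16_t)~fold16(udp_sum(src, dst, udp, udp_len));
    if (hc == 0)
        hc = 0xffff;
    udp[6] = (uint8_t)(hc >> 8);
    udp[7] = (uint8_t)hc;
    return hc;
}

/* Receiver: 1 if the stored checksum matches this pseudo-header (0 = no checksum). */
int udp_verify(const uint8_t src[4], const uint8_t dst[4],
               const uint8_t *udp, size_t udp_len)
{
    if (udp[6] == 0 && udp[7] == 0)
        return 1;
    return fold16(udp_sum(src, dst, udp, udp_len)) == 0xffff;
}

/* RFC 1624 eq. 3: HC' = ~(~HC + ~m + m') when the words m are replaced by m'. */
uint16_t csum_adjust(uint16_t hc, const uint8_t *oldw, const uint8_t *neww, size_t len)
{
    uint16_t m  = fold16(csum_add(0, oldw, len));
    uint16_t mp = fold16(csum_add(0, neww, len));
    uint32_t s  = (uint16_t)~hc;
    s += (uint16_t)~m;
    s += mp;
    return (uint16_t)~fold16(s);
}

/* After ESP decapsulation: swap the peer's original address (from NAT-OA) for the
 * address now in the IP header so the upper layer's checksum check passes. */
uint16_t natt_fixup_udp_checksum(uint8_t *udp, const uint8_t nat_oa[4],
                                 const uint8_t hdr_addr[4])
{
    uint16_t hc = (uint16_t)((udp[6] << 8) | udp[7]);
    if (hc == 0)
        return 0;                         /* no checksum: nothing to repair */
    hc = csum_adjust(hc, nat_oa, hdr_addr, 4);
    if (hc == 0)
        hc = 0xffff;
    udp[6] = (uint8_t)(hc >> 8);
    udp[7] = (uint8_t)hc;
    return hc;
}

/* Initiator-behind-NAT walkthrough on constructed data; returns 1 if it behaves as expected. */
int demo_transport_mode_nat(void)
{
    const uint8_t nat_oai[4] = {10, 0, 0, 5};     /* initiator's private address (NAT-OAi) */
    const uint8_t natted[4]  = {203, 0, 113, 7};  /* what the responder sees after NAT */
    const uint8_t resp[4]    = {198, 51, 100, 1}; /* responder; NAT-OAr equals its own address */
    /* Constructed inner datagram: sport 1234, dport 1701, length 16, 8 payload bytes. */
    uint8_t udp[16] = {0x04, 0xd2, 0x06, 0xa5, 0x00, 0x10, 0x00, 0x00,
                       'h', 'e', 'l', 'l', 'o', 'n', 'a', 't'};
    uint8_t scratch[16];

    udp_compute(nat_oai, resp, udp, sizeof udp);          /* 1. built behind the NAT */
    if (!udp_verify(nat_oai, resp, udp, sizeof udp))
        return 0;
    if (udp_verify(natted, resp, udp, sizeof udp))        /* 2. fails with the NATed header */
        return 0;
    uint16_t fixed = natt_fixup_udp_checksum(udp, nat_oai, natted);   /* 3a. incremental */
    memcpy(scratch, udp, sizeof udp);
    uint16_t again = udp_compute(natted, resp, scratch, sizeof scratch); /* 3b. from scratch */
    if (fixed != again)
        return 0;
    return udp_verify(natted, resp, udp, sizeof udp);
}

int main(void)
{
    printf("NAT-T transport-mode checksum fixup: %s\n",
           demo_transport_mode_nat() ? "ok" : "FAILED");
    return 0;
}
```

Step 2 is the state the thread describes: the packet has been decapsulated but nothing has touched the inner checksum, so `netstat -s -p udp` counts it as a bad checksum. The incremental path (3a) is what NAT-OA exists for; it only needs the original address and the stored checksum, whereas recomputing (3b) needs the whole datagram. Both must give the same value, which the demo checks.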