IPSec NAT-T in transport mode

Nat Howard freebsd-stable at track.pupworks.com
Sat Jan 23 18:03:51 UTC 2010


Much obliged for the answer, Bjoern, but I don't follow your logic -- 
If the NAT-T implementation on the L2TP Server (a freebsd box) is broken, wouldn't it be the one generating things with the wrong checksum?   If that's so, then surely 
the point "A" wouldn't record seeing any incoming checksum errors, as they would all be outgoing packets, correct?   

Thanks for helping to shed light on this puzzle!



On Jan 23, 2010, at 5:09 AM, Bjoern A. Zeeb wrote:

> On Fri, 22 Jan 2010, Nat Howard wrote:
> 
>> I'm very interested in this problem -- I want to run an L2TP server myself.   Is anyone actually working on this?  I might be able to chip in a few bucks...
>> 
>> But I'm not seeing bad checksums.   Here's my setup:
>> 
>> 
>> L2tp server  A<---------------->B  Freebsd NAT box C <-----------internal network----------->D my mac
>> 
>> Where should I be seeing the bad checksums?  A, B, C, or D?
>> 
>> 
>> Looking only at B, I don't see any bad udp checksums, but I'm seeing a bunch of these (IP numbers changed to bracketed names):
> 
> This doesn't say if you are using IPsec but I will assume so, that
> would mean that your D "my mac" would initiate the connection and
> the A node "L2tp server" would then be the other end.  If that's a
> FreeBSD box as well, you should check statistics there.  The NAT
> gateway in between has nothing to do with this, only the IPsec ends.
> 
> /bz
> 
> -- 
> Bjoern A. Zeeb         It will not break if you know what you are doing.

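To illustrate why the IPsec endpoint A, not the NAT box, is where the inner UDP checksum mismatch shows up, here is an added example (not from the thread): in NAT-T transport mode the UDP/1701 header travels inside ESP, so the NAT rewrites only the outer IP address while the inner checksum still covers the pre-NAT source. The addresses and payload are constructed; the receiver-side fix-up using the original address (RFC 3948, NAT-OA) is what a correct decapsulator does.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over data, padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ipv4_pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """Pseudo-header that the UDP checksum covers: src, dst, zero, proto 17, length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, udp_len)

def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP segment with a checksum computed against the sender's own source address."""
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = 0xFFFF & ~ones_complement_sum(ipv4_pseudo_header(src_ip, dst_ip, len(hdr + payload)) + hdr + payload)
    csum = csum or 0xFFFF  # zero means "no checksum" in UDP, so send all-ones instead
    return hdr[:6] + struct.pack("!H", csum) + payload

def verify_udp(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver check: the sum over pseudo-header plus segment must be all ones."""
    return ones_complement_sum(ipv4_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF

# Constructed topology from the thread: D (private, behind NAT C) -> A (L2TP server).
D_PRIVATE, C_PUBLIC, A_PUBLIC = "10.0.0.20", "198.51.100.1", "192.0.2.10"

def nat_t_transport_demo():
    """Returns (naive_check_at_A, fixed_up_check_at_A) for one L2TP packet from D."""
    inner = build_udp(D_PRIVATE, A_PUBLIC, 1701, 1701, b"constructed L2TP control message")  # built at D
    # C translates the outer IP source to C_PUBLIC but cannot see inside ESP, so the
    # inner UDP header and its checksum still reflect D_PRIVATE.
    naive_ok = verify_udp(C_PUBLIC, A_PUBLIC, inner)    # A checks against the outer source: fails
    fixed_ok = verify_udp(D_PRIVATE, A_PUBLIC, inner)   # A substitutes the NAT-OA original: passes
    return naive_ok, fixed_ok

if __name__ == "__main__":
    print(nat_t_transport_demo())  # (False, True)
```

The failing check is an incoming error counted at A, the decapsulating IPsec end; nothing is visible at C, which matches where the thread says to look for statistics.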

