Date:      Thu, 11 Feb 2010 12:55:25 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        VANHULLEBUS Yvan <vanhu@FreeBSD.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: IPSec connection troubles
Message-ID:  <20100211125420.G27327@maildrop.int.zabbadoz.net>
In-Reply-To: <20100211124756.GA9528@zeninc.net>
References:  <4B73E902.6050301@mail.ru> <20100211124756.GA9528@zeninc.net>

On Thu, 11 Feb 2010, VANHULLEBUS Yvan wrote:

Hi,

>> I'm trying to establish IPSec connection between FreeBSD and
>> Solaris boxes. I use FreeBSD 8-STABLE (don't recall exact checkout
>> date, but it contains recent IPComp fixes for sure).
>> Since I'm behind NAT, I compiled 0.8alpha snapshot of ipsec-tools
>> from their site.
> [config]
>
>> When I try to connect to TCP port 2112 of solaris box,
>> racoon successfully negotiates with remote peer, I see
>> SA installed in kernel,
>
> From developer's view, that's good news :-)
>
>
>> but then nothing happens.
>> I see encapsulated TCP SYN packets sent on enc0, but
>> nothing else. TCP connection is not established, nothing
>> in racoon logs (except KA), nothing on PF_KEY socket.
>> The very same setup works on Linux and Mac.
>>
>> How can I further debug this problem?
>
> You can check on responder that you have lots of TCP checksum errors,
> which will confirm that you would need support for NAT-OA extension of
> NAT-T RFC, as you want to do some Transport IPsec of TCP flows using
> NAT-T.
>
>
> Unfortunately, actually, there is no support for NAT-OA extension,
> there are just specifications on PFKey interface to send them to
> kernel.

Him saying it works on Linux - has ipsec-tools grown proper OA support
these days?  If that would be the case the kernel would probably be a
minor task.

/bz

-- 
Bjoern A. Zeeb         It will not break if you know what you are doing.
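The checksum failure Yvan points at above, as an added example that is not part of this thread, of ipsec-tools or of the FreeBSD kernel: a TCP SYN checksummed behind a NAT no longer verifies once the outer source address has been translated (ESP in transport mode hides the TCP header from the NAT), and the original address that the NAT-OA payload would carry is exactly what lets the receiver repair it incrementally (RFC 3948 section 3.1.2, RFC 1624). All addresses and ports are constructed.

```python
import ipaddress
import struct
# Constructed scenario addresses (not from the thread): initiator behind NAT, NAT, responder.
INITIATOR_PRIVATE = "10.0.0.5"
NAT_PUBLIC = "198.51.100.7"
RESPONDER = "203.0.113.20"

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071), not inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """TCP pseudo-header: this is what binds the checksum to the IP addresses."""
    return (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
            + struct.pack("!BBH", 0, 6, tcp_len))

def build_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP SYN, checksummed against the sender's own addresses."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    csum = ~ones_complement_sum(pseudo_header(src, dst, len(hdr)) + hdr) & 0xFFFF
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """A valid segment (checksum field included) sums to 0xFFFF."""
    return ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

def fixup_with_nat_oa(segment: bytes, nat_oa: str, seen_addr: str) -> bytes:
    """Receiver-side repair (RFC 3948 3.1.2): swap the original address learned from
    NAT-OA for the translated one with the RFC 1624 incremental update."""
    old = ipaddress.ip_address(nat_oa).packed
    new = ipaddress.ip_address(seen_addr).packed
    csum = struct.unpack("!H", segment[16:18])[0]
    # HC' = ~(~HC + ~m + m'), all in one's-complement arithmetic
    total = ((~csum & 0xFFFF) + ones_complement_sum(bytes(b ^ 0xFF for b in old))
             + ones_complement_sum(new))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return segment[:16] + struct.pack("!H", ~total & 0xFFFF) + segment[18:]

def nat_t_transport_scenario() -> tuple:
    # The NAT rewrites only the outer IP source; the responder sees NAT_PUBLIC but a
    # checksum computed for INITIATOR_PRIVATE, until NAT-OA lets it repair the segment.
    syn = build_syn(INITIATOR_PRIVATE, RESPONDER, 40000, 2112)
    seen_ok = tcp_checksum_ok(NAT_PUBLIC, RESPONDER, syn)
    repaired = fixup_with_nat_oa(syn, INITIATOR_PRIVATE, NAT_PUBLIC)
    return seen_ok, tcp_checksum_ok(NAT_PUBLIC, RESPONDER, repaired)
```

Without the repair step the responder's stack drops every decapsulated segment as a checksum error, which is the symptom Yvan suggests checking for on the Solaris side.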



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100211125420.G27327>