From: Nat Howard
To: "Bjoern A. Zeeb"
Cc: freebsd-stable@freebsd.org
Date: Sat, 23 Jan 2010 13:03:49 -0500
Subject: Re: IPSec NAT-T in transport mode
In-Reply-To: <20100123100713.X50938@maildrop.int.zabbadoz.net>
Message-Id: <54E2892F-3F65-473E-9660-D2E8276E631B@track.pupworks.com>

Much obliged for the answer, Bjoern, but I don't follow your logic --
If the NAT-T implementation on the L2TP server (a FreeBSD box) is broken, wouldn't it be the one generating things with the wrong checksum? If that's so, then surely the point "A" wouldn't record seeing any incoming checksum errors, as they would all be outgoing packets, correct?

Thanks for helping to shed light on this puzzle!
On Jan 23, 2010, at 5:09 AM, Bjoern A. Zeeb wrote:

> On Fri, 22 Jan 2010, Nat Howard wrote:
>
>> I'm very interested in this problem -- I want to run an L2TP server myself. Is anyone actually working on this? I might be able to chip in a few bucks...
>>
>> But I'm not seeing bad checksums. Here's my setup:
>>
>> L2tp server A<---------------->B FreeBSD NAT box C <-----------internal network----------->D my mac
>>
>> Where should I be seeing the bad checksums? A, B, C, or D?
>>
>> Looking only at B, I don't see any bad udp checksums, but I'm seeing a bunch of these (IP numbers changed to bracketed names):
>
> This doesn't say if you are using IPsec but I will assume so. That
> would mean that your D "my mac" would initiate the connection and
> the A node "L2tp server" would then be the other end. If that's a
> FreeBSD box as well, you should check statistics there. The NAT
> gateway in between has nothing to do with this, only the IPsec ends.
>
> /bz
>
> --
> Bjoern A. Zeeb
> It will not break if you know what you are doing.