Date: Mon, 16 Apr 2012 22:54:22 +0300
From: Zmiter <zmiterby@gmail.com>
To: VANHULLEBUS Yvan <vanhu@FreeBSD.org>
Cc: stable@freebsd.org
Subject: Re: Support for IPSec NAT-T in transport mode
Message-ID: <4F8C78EE.1070701@gmail.com>
In-Reply-To: <20120416095945.GA29824@zeninc.net>
References: <4F87AB6F.4050504@gmail.com> <22CC7FDB-162E-44CD-8EEA-0B5B8B560F8B@lists.zabbadoz.net> <4F8ACFB3.5040807@gmail.com> <20120416095945.GA29824@zeninc.net>
16.04.2012 12:59, VANHULLEBUS Yvan wrote:
> I didn't review/try the patch, but kernel part seems to be done.

Upon my testing it's not as good as it seems. I found some trouble with it.

1. sysctl net.inet.esp.esp_ignore_natt_cksum does not work as expected. If there are troubles with function key_compute_natt_cksum, bad (not recalculated) checksums are not ignored and packets are dropped, increasing the bad UDP checksums counter.

2. Decrypted packets received by the L2TP daemon appear to it as packets originating from the NAT address, not from the LAN behind the NAT. So, the L2TP daemon answers them back to the NAT, and of course they do not satisfy the SPD policy and are not encrypted through IPSec; as a result they never arrive at the NATed host.

Maybe I'm doing something wrong, but my little research shows me the described results. I'll be appreciating any help with that.

16.04.2012 Zmiter
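The first problem above comes down to the inner UDP checksum of a NAT-T transport-mode packet: it was computed by the LAN host against its own address, but after the NAT rewrites the outer header and the server decapsulates ESP, the IP header now carries the NAT's address, so the stored checksum no longer matches and the receiver must either recompute it (what key_compute_natt_cksum is for) or ignore it (the esp_ignore_natt_cksum sysctl). The following is an added example, not code from the thread or from FreeBSD: it builds an RFC 768 UDP checksum over a constructed L2TP segment with constructed addresses, shows that verification fails once the source address is the NAT's, and shows the recompute step that makes it pass again.

```python
"""Added example (not from the mailing-list thread or FreeBSD): why the inner
UDP checksum of an IPsec NAT-T transport-mode packet breaks behind a NAT, and
what the receiving kernel has to do about it. All addresses are constructed."""
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: bytes, dst_ip: bytes, udp_segment: bytes) -> int:
    """RFC 768 checksum over the IPv4 pseudo-header plus the UDP segment,
    with the checksum field itself treated as zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp_segment))
    seg = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    csum = (~ones_complement_sum(pseudo + seg)) & 0xFFFF
    return csum or 0xFFFF  # a computed zero is transmitted as 0xFFFF


def build_udp(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header + payload with a valid checksum for the given addresses."""
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    seg = hdr + payload
    return seg[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, seg)) + seg[8:]


def checksum_ok(src_ip: bytes, dst_ip: bytes, seg: bytes) -> bool:
    """What a receiver does: recompute against the addresses in the IP header
    it actually received and compare with the stored field."""
    return udp_checksum(src_ip, dst_ip, seg) == struct.unpack("!H", seg[6:8])[0]


def fix_checksum(src_ip: bytes, dst_ip: bytes, seg: bytes) -> bytes:
    """The recompute step a NAT-T receiver must perform after ESP decapsulation
    in transport mode (the role key_compute_natt_cksum plays in the thread)."""
    return seg[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, seg)) + seg[8:]


def ip(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


# Constructed addresses (documentation ranges), not from the thread.
LAN_HOST = ip("192.168.1.10")  # host behind the NAT
NAT_ADDR = ip("203.0.113.5")   # NAT's public address
SERVER = ip("198.51.100.7")    # L2TP/IPsec server


def demo() -> tuple:
    # L2TP (UDP/1701) segment built by the LAN host; ESP transport mode protects
    # it unchanged, so this checksum travels through the NAT as-is.
    seg = build_udp(LAN_HOST, SERVER, 1701, 1701, b"L2TP control message")
    orig_ok = checksum_ok(LAN_HOST, SERVER, seg)
    # The NAT rewrites only the outer IP/UDP(4500) header. After decapsulation
    # the server's IP header says src=NAT_ADDR, so the stored checksum fails.
    after_nat_ok = checksum_ok(NAT_ADDR, SERVER, seg)
    # Recompute (or the kernel ignores it): the segment verifies again.
    fixed_ok = checksum_ok(NAT_ADDR, SERVER, fix_checksum(NAT_ADDR, SERVER, seg))
    return orig_ok, after_nat_ok, fixed_ok


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The middle value is the case the report describes: if the recompute step fails or is skipped and the ignore knob does not take effect, every such packet is counted as a bad UDP checksum and dropped before the L2TP daemon ever sees it.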