Date: Thu, 26 Jun 2008 13:47:52 +0200
From: VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
To: Daniil Harun <harunaga@harunaga.ru>
Cc: freebsd-net@freebsd.org
Subject: Re: patch for IPSEC_NAT_T
Message-ID: <20080626114752.GA3121@zen.inc>
In-Reply-To: <200806261609.01289.harunaga@harunaga.ru>
References: <200806261609.01289.harunaga@harunaga.ru>
On Thu, Jun 26, 2008 at 04:09:00PM +0600, Daniil Harun wrote:
> Dear sirs!

Hi.

I forgot to reply to your private mail this morning, but it's still better to have the question and the answer on a public ML, it may be useful for other people.

> Sorry for my bad English! I ask you to help me, if you have some spare time.
>
> I'm using the patch for support of IPSEC NAT Traversal on FreeBSD 7.0. NAT-T will not
> work with Windows XP in a real situation.

[....]

> But when the host is placed behind NAT, everything stops working.
> After IKE negotiates and adds the keys to the SA database, traffic does not
> pass. "tcpdump enc0" shows that traffic is decoded normally, but then it is
> not processed, and the packets are discarded.
> The ipfw counters for rule 1 do not grow. On FreeBSD 6.2 I have the same problem
> (FAST_IPSEC or KAME IPSEC).

ESP transport with NAT-T may need NAT-OA support, which is not provided by the actual patch, nor by userland.

"may", because checksums (which need that NAT-OA payload to be correctly recomputed by the destination) are optional on UDP, and, afaik, L2TP is encapsulated in UDP datagrams.

Looks like XP sets the checksums for UDP datagrams.....

Yvan.

--
NETASQ
http://www.netasq.com
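The following Python script is an added illustration of the checksum problem Yvan describes; it is not part of the thread and not code from the NAT-T patch. In ESP transport mode the inner UDP checksum was computed over a pseudo-header containing the client's private address, but after the NAT rewrites the outer IP header and the gateway decapsulates the packet, the stack recomputes the checksum with the NAT's public address and drops the packet. The NAT-OA payload carries the original address, which lets the receiver repair the checksum incrementally (RFC 1624 style) before handing the packet up; a UDP datagram sent with checksum 0 needs no repair at all, which is why NAT-OA is only "maybe" needed. The addresses and the L2TP payload are constructed for the example.

```python
import socket
import struct

# Constructed addresses for the scenario in the thread: a client behind NAT
# (private address 192.168.1.10, as it would be carried in NAT-OAi) whose
# UDP-encapsulated ESP packets reach the gateway (198.51.100.1) carrying the
# NAT's public address 203.0.113.5 in the outer IP header.
CLIENT_PRIVATE = "192.168.1.10"
NAT_PUBLIC = "203.0.113.5"
GATEWAY = "198.51.100.1"


def _fold(total: int) -> int:
    """End-around-carry fold of a running sum to 16 bits (ones' complement)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _words(data: bytes):
    """Yield big-endian 16-bit words, zero-padding an odd trailing byte."""
    if len(data) % 2:
        data += b"\x00"
    for i in range(0, len(data), 2):
        yield (data[i] << 8) | data[i + 1]


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """RFC 768 checksum: IPv4 pseudo-header (addresses, protocol 17, length)
    plus the UDP header and payload with the checksum field zeroed.
    The addresses in the pseudo-header are what makes it NAT-sensitive."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 17, len(segment)))
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = (~_fold(sum(_words(pseudo + zeroed)))) & 0xFFFF
    return csum or 0xFFFF  # a computed 0 is sent as 0xFFFF; 0 on the wire means "no checksum"


def build_udp(src_ip, dst_ip, sport, dport, payload, with_checksum=True):
    """Build a UDP segment as the sender does, optionally with checksum 0 (disabled)."""
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    segment = header + payload
    csum = udp_checksum(src_ip, dst_ip, segment) if with_checksum else 0
    return segment[:6] + struct.pack("!H", csum) + segment[8:]


def verify_udp(src_ip, dst_ip, segment) -> bool:
    """What the receiving stack does after ESP decapsulation: accept a zero
    checksum, otherwise recompute with the addresses it actually sees."""
    stored = struct.unpack("!H", segment[6:8])[0]
    if stored == 0:
        return True
    return udp_checksum(src_ip, dst_ip, segment) == stored


def fixup_with_nat_oa(segment, oa_src, oa_dst, seen_src, seen_dst):
    """Incremental update HC' = ~(~HC + ~m + m') (RFC 1624): swap the original
    addresses (from NAT-OA) for the translated ones the stack sees, so the inner
    UDP checksum validates without touching the payload."""
    stored = struct.unpack("!H", segment[6:8])[0]
    if stored == 0:
        return segment  # no checksum, nothing to fix
    total = (~stored) & 0xFFFF
    for ip in (oa_src, oa_dst):
        total += sum((~w) & 0xFFFF for w in _words(socket.inet_aton(ip)))
    for ip in (seen_src, seen_dst):
        total += sum(_words(socket.inet_aton(ip)))
    new = (~_fold(total)) & 0xFFFF
    return segment[:6] + struct.pack("!H", new or 0xFFFF) + segment[8:]


def demo():
    """Reproduce the symptom from the thread and the NAT-OA repair.
    Returns (valid at sender, valid after NAT, valid after fixup)."""
    l2tp = build_udp(CLIENT_PRIVATE, GATEWAY, 1701, 1701, b"constructed L2TP payload")
    ok_before_nat = verify_udp(CLIENT_PRIVATE, GATEWAY, l2tp)
    # After decapsulation the stack sees the NAT's address: checksum fails, packet dropped.
    ok_after_nat = verify_udp(NAT_PUBLIC, GATEWAY, l2tp)
    # With the original address from NAT-OAi the receiver can repair the checksum.
    fixed = fixup_with_nat_oa(l2tp, CLIENT_PRIVATE, GATEWAY, NAT_PUBLIC, GATEWAY)
    ok_fixed = verify_udp(NAT_PUBLIC, GATEWAY, fixed)
    return ok_before_nat, ok_after_nat, ok_fixed


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields `(True, False, True)`: the datagram validates where it was built, fails once the outer source address has been translated, and validates again after the NAT-OA based fixup. Building the same datagram with `with_checksum=False` makes `verify_udp` accept it with any addresses, which is the case Yvan points at when he notes that UDP checksums are optional.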