From: VANHULLEBUS Yvan
To: Daniil Harun
Cc: freebsd-net@freebsd.org
Date: Thu, 26 Jun 2008 13:47:52 +0200
Subject: Re: patch for IPSEC_NAT_T
Message-ID: <20080626114752.GA3121@zen.inc>
In-Reply-To: <200806261609.01289.harunaga@harunaga.ru>
List-Id: Networking and TCP/IP with FreeBSD

On Thu, Jun 26, 2008 at 04:09:00PM +0600, Daniil Harun wrote:
> Dear sirs!

Hi.

I forgot to reply to your private mail this morning, but it's still better to
have the question and the answer on a public ML; it may be useful for other
people.

> Sorry for my bad English! I ask you to help me, if you have some spare time.
>
> I'm using the patch for IPsec NAT Traversal support on FreeBSD 7.0. NAT-T
> will not work with Windows XP in a real situation.

[....]

> But when the host is placed behind NAT, everything stops working.
> After IKE negotiates and the keys are added to the SA database, traffic does
> not pass. "tcpdump enc0" shows that traffic is decoded normally, but then it
> is not processed; packets are discarded.
> ipfw counters for rule 1 do not grow. On FreeBSD 6.2 I have the same problem
> (FAST_IPSEC or KAME IPSEC).

ESP transport with NAT-T may need NAT-OA support, which is not provided by the
current patch, nor by userland.

"may", because checksums (which need that NAT-OA payload to be correctly
recomputed by the destination) are optional on UDP, and, AFAIK, L2TP is
encapsulated in UDP datagrams.

Looks like XP sets the checksums for UDP datagrams.....

Yvan.

-- 
NETASQ
http://www.netasq.com
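The checksum problem Yvan describes, as an added example that is not part of this thread, of the FreeBSD NAT-T patch, or of any NETASQ code: in ESP transport mode the NAT rewrites the IP addresses that the sender's TCP/UDP pseudo-header checksum was computed over, so after decapsulation the receiver must adjust the transport checksum from the address the sender used (learned from the IKE NAT-OA payload) to the address it actually received, as described in RFC 3948 section 3.1.2. The code below does that incrementally per RFC 1624 and checks the result against a full recomputation. It also shows why Yvan says "may": a UDP datagram with a zero (disabled) checksum needs no fix-up at all, and only a peer that fills in UDP checksums, as XP apparently does, makes NAT-OA necessary. The addresses, ports and payload bytes are constructed for illustration, and all function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Ones'-complement sum of a byte buffer as big-endian 16-bit words (RFC 1071). */
static uint32_t csum_add(uint32_t sum, const uint8_t *buf, size_t len)
{
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1)
        sum += (uint32_t)buf[len - 1] << 8;
    return sum;
}

/* Fold the carries and complement: the value that goes on the wire. */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Full UDP checksum over the IPv4 pseudo-header and the datagram, with the
 * datagram's own checksum field (bytes 6-7) treated as zero. */
uint16_t udp_checksum(uint32_t src, uint32_t dst, const uint8_t *udp, size_t len)
{
    uint8_t ph[12];
    uint32_t sum;
    uint16_t r;
    ph[0] = src >> 24; ph[1] = src >> 16; ph[2] = src >> 8; ph[3] = src;
    ph[4] = dst >> 24; ph[5] = dst >> 16; ph[6] = dst >> 8; ph[7] = dst;
    ph[8] = 0; ph[9] = 17;                  /* IPPROTO_UDP */
    ph[10] = len >> 8; ph[11] = len;
    sum = csum_add(0, ph, sizeof ph);
    sum = csum_add(sum, udp, 6);            /* ports and length */
    sum = csum_add(sum, udp + 8, len - 8);  /* skip the checksum field */
    r = csum_fold(sum);
    return r == 0 ? 0xffff : r;             /* on UDP, 0 means "no checksum" */
}

/* Incremental fix-up (RFC 1624, eq. 3): HC' = ~(~HC + ~m + m'), applied to
 * the two 16-bit words of one pseudo-header address. old_addr is what the
 * sender used (from NAT-OA); new_addr is what the NAT rewrote it to.
 * A zero UDP checksum means the sender disabled it: nothing to fix. */
uint16_t csum_fixup_addr(uint16_t hc, uint32_t old_addr, uint32_t new_addr, int is_udp)
{
    uint32_t sum;
    uint16_t r;
    if (is_udp && hc == 0)
        return 0;
    sum = (uint16_t)~hc;
    sum += (uint16_t)~(old_addr >> 16);
    sum += (uint16_t)~(old_addr & 0xffff);
    sum += new_addr >> 16;
    sum += new_addr & 0xffff;
    r = csum_fold(sum);
    if (is_udp && r == 0)
        r = 0xffff;
    return r;
}

/* Constructed sample, not captured traffic: an L2TP control datagram (UDP
 * port 1701) as the peer behind the NAT built it. */
#define ORIG_SRC 0x0A000005u   /* 10.0.0.5     peer's private address (NAT-OAi) */
#define NAT_SRC  0xC6336407u   /* 198.51.100.7 what we see after the NAT */
#define DST_ADDR 0xCB007105u   /* 203.0.113.5  our address, unchanged */

static uint8_t sample_udp[] = {
    0x06, 0xA5, 0x06, 0xA5,   /* src port 1701, dst port 1701 */
    0x00, 0x14,               /* length 20 */
    0x00, 0x00,               /* checksum, filled in by sender_checksum() */
    0xC8, 0x02, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* The sender computes the checksum over its own (pre-NAT) address. */
uint16_t sender_checksum(void)
{
    uint16_t c = udp_checksum(ORIG_SRC, DST_ADDR, sample_udp, sizeof sample_udp);
    sample_udp[6] = c >> 8;
    sample_udp[7] = c & 0xff;
    return c;
}

/* The receiver, knowing ORIG_SRC from NAT-OA, rewrites the checksum so the
 * normal stack verification over the received addresses succeeds. */
uint16_t receiver_fixup(void)
{
    uint16_t on_wire = ((uint16_t)sample_udp[6] << 8) | sample_udp[7];
    return csum_fixup_addr(on_wire, ORIG_SRC, NAT_SRC, 1);
}

/* 1 if the incremental fix-up equals a full recomputation over NAT_SRC. */
int demo_matches(void)
{
    sender_checksum();
    return receiver_fixup() == udp_checksum(NAT_SRC, DST_ADDR, sample_udp, sizeof sample_udp);
}

int main(void)
{
    uint16_t sent = sender_checksum();
    printf("sender checksum (over 10.0.0.5):   0x%04x\n", sent);
    printf("as seen after NAT, no NAT-OA:      0x%04x (mismatch)\n",
           udp_checksum(NAT_SRC, DST_ADDR, sample_udp, sizeof sample_udp));
    printf("after NAT-OA fix-up:               0x%04x (%s)\n", receiver_fixup(),
           demo_matches() ? "ok" : "BAD");
    return 0;
}
```

Without the fix-up the datagram fails the receiver's UDP checksum check and is silently dropped after successful ESP decryption, which is exactly the symptom of decoded traffic on enc0 that never reaches the firewall rules; with a zero UDP checksum the same code path returns 0 and the packet would have been accepted without NAT-OA.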