From: Daniil Harun <harunaga@harunaga.ru>
To: freebsd-net@freebsd.org
Date: Thu, 26 Jun 2008 19:44:38 +0600
Subject: Re: patch for IPSEC_NAT_T
In-Reply-To: <20080626114752.GA3121@zen.inc>
References: <200806261609.01289.harunaga@harunaga.ru> <20080626114752.GA3121@zen.inc>
Message-Id: <200806261944.39032.harunaga@harunaga.ru>

Hi!

> > But when the host is placed behind NAT, everything stops working.
> > After IKE negotiates and the keys are added to the SA database, traffic does
> > not pass. "tcpdump enc0" shows that traffic is decoded normally, but then
> > it is not processed; the packets are discarded.
> > The ipfw counters for rule 1 do not grow. On FreeBSD 6.2 I have the same
> > problem (FAST_IPSEC or KAME IPSEC).
>
> ESP transport with NAT-T may need NAT-OA support, which is not
> provided by the actual patch, nor by userland.
>
> "may", because checksums (which need that NAT-OA payload to be
> correctly recomputed by the destination) are optional on UDP, and,
> afaik, L2TP is encapsulated in UDP datagrams.

Looks like XP sets the checksums for UDP datagrams..... In such a case, should this help: sysctl net.inet.udp.checksum=0 ?

--
Best regards,
Harun Daniil
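The checksum problem the thread is circling around, as an added example that is not part of the mailing-list exchange or of the patch under discussion: in ESP transport mode the inner UDP header is encrypted, so the NAT cannot fix the checksum the sender computed over its private address, and the responder can only verify it if NAT-OA tells it that original address (or if the sender leaves the UDP checksum at zero). Addresses, ports and payload below are constructed placeholders.

```python
import socket
import struct
from typing import Optional

# Constructed sample: an L2TP-over-UDP datagram carried inside ESP transport mode.
ORIG_SRC = "10.0.0.5"      # initiator's private address; the checksum was computed with it
NAT_SRC = "203.0.113.7"    # address the NAT rewrote the outer IP header to
DST = "198.51.100.1"       # responder
SPORT = DPORT = 1701       # L2TP
PAYLOAD = b"\xc8\x02\x00\x0c\x00\x00\x00\x00"  # constructed bytes, not a real L2TP message


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words, folding carries back in (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src: str, dst: str, sport: int, dport: int, payload: bytes) -> int:
    """RFC 768 checksum over the IPv4 pseudo-header (src, dst, proto, length), UDP header and payload."""
    length = 8 + len(payload)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, socket.IPPROTO_UDP, length)
    header = struct.pack("!HHHH", sport, dport, length, 0)  # checksum field is zero while computing
    csum = 0xFFFF & ~ones_complement_sum(pseudo + header + payload)
    return 0xFFFF if csum == 0 else csum  # 0 on the wire means "no checksum", so a computed 0 is sent as 0xFFFF


def receiver_accepts(visible_src: str, nat_oa_src: Optional[str], received_csum: int) -> bool:
    """Responder after ESP decapsulation: the UDP header it sees still carries the sender's checksum,
    but the IP source is the NATed one. Only NAT-OA lets it rebuild the pseudo-header the sender used."""
    if received_csum == 0:
        return True  # checksum disabled by the sender (the net.inet.udp.checksum=0 case); nothing to verify
    src = nat_oa_src if nat_oa_src is not None else visible_src
    return udp_checksum(src, DST, SPORT, DPORT, PAYLOAD) == received_csum


def scenario() -> dict:
    """Run the three cases from the thread on the constructed datagram."""
    sent = udp_checksum(ORIG_SRC, DST, SPORT, DPORT, PAYLOAD)
    return {
        "no_nat_oa": receiver_accepts(NAT_SRC, None, sent),          # dropped: pseudo-header mismatch
        "with_nat_oa": receiver_accepts(NAT_SRC, ORIG_SRC, sent),    # accepted: original address known
        "checksum_disabled": receiver_accepts(NAT_SRC, None, 0),     # accepted: no checksum to check
    }


if __name__ == "__main__":
    print(scenario())
```

The first case is the symptom from the thread: the packet decrypts fine on enc0 and is then discarded before any firewall rule sees it, because the transport-layer checksum fails.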