From owner-freebsd-net@FreeBSD.ORG Tue Feb 23 12:21:30 2010
Date: Tue, 23 Feb 2010 13:21:27 +0100
From: VANHULLEBUS Yvan
To: Denis Antrushin
Cc: "Bjoern A. Zeeb", freebsd-net@freebsd.org
Subject: Re: IPSec connection troubles
Message-ID: <20100223122127.GA45649@zeninc.net>
In-Reply-To: <4B83B79F.102@mail.ru>
References: <4B73E902.6050301@mail.ru> <20100211124756.GA9528@zeninc.net> <20100211125420.G27327@maildrop.int.zabbadoz.net> <4B83B79F.102@mail.ru>
List-Id: Networking and TCP/IP with FreeBSD
User-Agent: All mail clients suck. This one just sucks less.

On Tue, Feb 23, 2010 at 02:10:23PM +0300, Denis Antrushin wrote:
[...]
> ipsec-tools understands the NAT-OA payload in the IKE exchange, but then simply
> discards it and does not send this information to the kernel.
> In the ipsec-tools mailing list archives I found a mention that Linux does not
> need this OA info, because it simply recomputes/ignores TCP checksums.

The userland part is the simplest to do, as the PFKey extension for NAT-OA already
exists; it hasn't been done so far because it's useless until someone does the big
part of the job on the kernel side...

> Can we do the same, or is this unacceptable for FreeBSD and do we want
> NAT-OA communicated to the kernel by the IKEd?
> I made a simple patch to ipsec_common_input_cb() to ignore TCP/UDP
> checksums of ESP-protected packets and I happily can connect to a
> Solaris VPN server from behind the NAT device (after working around
> some security policy matching issues).

Just adding some code to always ignore such checksums sounds like a bad idea to me.....
But maybe we could have at least a sysctl (disabled by default) to ignore them.....

Yvan.
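The checksum problem the thread is arguing about, as an added example that is not from the thread or from FreeBSD or ipsec-tools: in transport-mode NAT-T the sender computes the TCP checksum over its pre-NAT address and ESP then protects that value, so after decapsulation the checksum no longer matches the address in the IP header. The receiver can ignore it (the Linux behaviour and Denis's patch), verify it against the address carried in NAT-OA, or fix it up incrementally per RFC 3948 section 3.1.2 and RFC 1624 so that normal verification still runs. The addresses, ports and payload are constructed sample values.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
/* One's-complement running sum over big-endian 16-bit words (RFC 1071). */
static uint32_t ones_sum(uint32_t sum, const uint8_t *p, size_t len) {
    for (; len > 1; len -= 2, p += 2) sum += (uint32_t)((p[0] << 8) | p[1]);
    return len ? sum + (uint32_t)(p[0] << 8) : sum;
}
/* Fold carries end-around and complement: yields the checksum field value. */
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* Sum of the IPv4 pseudo-header (src, dst, proto 6, length) plus the TCP segment. */
static uint32_t tcp_sum(const uint8_t src[4], const uint8_t dst[4], const uint8_t *seg, size_t len) {
    uint8_t ph[12] = {0};
    memcpy(ph, src, 4); memcpy(ph + 4, dst, 4);
    ph[9] = 6; ph[10] = (uint8_t)(len >> 8); ph[11] = (uint8_t)len;
    return ones_sum(ones_sum(0, ph, 12), seg, len);
}
/* A segment verifies when the sum including its checksum field complements to zero. */
int tcp_checksum_ok(const uint8_t src[4], const uint8_t dst[4], const uint8_t *seg, size_t len) {
    return csum_fold(tcp_sum(src, dst, seg, len)) == 0;
}
/* RFC 1624 incremental fixup HC' = ~(~HC + ~m + m'): replace the address the sender
 * summed over (oa, learned from NAT-OA) with the one now in the IP header (na). */
void tcp_fixup_addr(uint8_t *seg, const uint8_t oa[4], const uint8_t na[4]) {
    uint32_t sum = (uint16_t)~((seg[16] << 8) | seg[17]);
    for (int i = 0; i < 4; i += 2) {
        sum += (uint16_t)~((oa[i] << 8) | oa[i + 1]);
        sum += (uint16_t)((na[i] << 8) | na[i + 1]);
    }
    uint16_t c = csum_fold(sum);
    seg[16] = (uint8_t)(c >> 8); seg[17] = (uint8_t)c;
}
/* Constructed scenario: 10.0.0.5 behind a NAT sends to 203.0.113.7; the NAT rewrites the source to 198.51.100.1. */
static const uint8_t OA[4] = {10, 0, 0, 5}, NAT[4] = {198, 51, 100, 1}, DST[4] = {203, 0, 113, 7};
#define SEGLEN 36
static void build_segment(uint8_t seg[SEGLEN]) {   /* 20-byte header + 16-byte payload */
    static const uint8_t hdr[20] = {0xc3, 0x50, 0x01, 0xbb, 0, 0, 0, 1, 0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0};
    memcpy(seg, hdr, 20); memcpy(seg + 20, "GET / HTTP/1.0\r\n", 16);
    uint16_t c = csum_fold(tcp_sum(OA, DST, seg, SEGLEN));   /* sender sums over 10.0.0.5, ESP protects it */
    seg[16] = (uint8_t)(c >> 8); seg[17] = (uint8_t)c;
}
/* What the receiver sees after ESP decapsulation, under three strategies. */
int check_with_nat_addr(void) { uint8_t s[SEGLEN]; build_segment(s); return tcp_checksum_ok(NAT, DST, s, SEGLEN); }
int check_with_nat_oa(void)   { uint8_t s[SEGLEN]; build_segment(s); return tcp_checksum_ok(OA, DST, s, SEGLEN); }
int check_after_fixup(void)   { uint8_t s[SEGLEN]; build_segment(s); tcp_fixup_addr(s, OA, NAT); return tcp_checksum_ok(NAT, DST, s, SEGLEN); }
int main(void) { printf("NAT addr: %d  NAT-OA: %d  fixup: %d\n", check_with_nat_addr(), check_with_nat_oa(), check_after_fixup()); return 0; }
```

Naive verification against the post-NAT address fails, while both the NAT-OA pseudo-header check and the incremental fixup pass; a kernel that received NAT-OA via PFKey could do the fixup at the point where the patch discussed above skips the check instead.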