From owner-freebsd-net@FreeBSD.ORG Tue Feb 23 12:50:14 2010
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 81928106566B; Tue, 23 Feb 2010 12:50:14 +0000 (UTC) (envelope-from DAntrushin@mail.ru)
Received: from gmp-eb-inf-1.sun.com (gmp-eb-inf-1.sun.com [192.18.6.21]) by mx1.freebsd.org (Postfix) with ESMTP id 134A08FC1A; Tue, 23 Feb 2010 12:50:13 +0000 (UTC)
Received: from fe-emea-10.sun.com (gmp-eb-lb-1-fe1.eu.sun.com [192.18.6.7] (may be forged)) by gmp-eb-inf-1.sun.com (8.13.7+Sun/8.12.9) with ESMTP id o1NCoCL8017849; Tue, 23 Feb 2010 12:50:13 GMT
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; CHARSET=US-ASCII; format=flowed
Received: from conversion-daemon.fe-emea-10.sun.com by fe-emea-10.sun.com (Sun Java(tm) System Messaging Server 7u2-7.04 64bit (built Jul 2 2009)) id <0KYA00300OLQFT00@fe-emea-10.sun.com>; Tue, 23 Feb 2010 12:50:12 +0000 (GMT)
Received: from [129.159.126.126] ([unknown] [129.159.126.126]) by fe-emea-10.sun.com (Sun Java(tm) System Messaging Server 7u2-7.04 64bit (built Jul 2 2009)) with ESMTPSA id <0KYA0031GOZ968G0@fe-emea-10.sun.com>; Tue, 23 Feb 2010 12:49:58 +0000 (GMT)
Date: Tue, 23 Feb 2010 15:49:42 +0300
From: Denis Antrushin
In-reply-to: <20100223122127.GA45649@zeninc.net>
Sender: Denis.Antrushin@Sun.COM
To: VANHULLEBUS Yvan
Message-id: <4B83CEE6.9040409@mail.ru>
References: <4B73E902.6050301@mail.ru> <20100211124756.GA9528@zeninc.net> <20100211125420.G27327@maildrop.int.zabbadoz.net> <4B83B79F.102@mail.ru> <20100223122127.GA45649@zeninc.net>
User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.9.1.5) Gecko/20091202 Lightning/1.0pre Thunderbird/3.0
Cc: freebsd-net@freebsd.org
Subject: Re: IPSec connection troubles
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Tue, 23 Feb 2010 12:50:14 -0000

On 02/23/10 15:21, VANHULLEBUS Yvan wrote:
> On Tue, Feb 23, 2010 at 02:10:23PM +0300, Denis Antrushin wrote:
> [...]
>> ipsec-tools understands the NAT-OA payload in the IKE exchange, but then simply
>> discards it and does not send this information to the kernel.
>> In the ipsec-tools mailing list archives I found a mention that Linux does not
>> need this OA info, because it simply recomputes/ignores TCP checksums.
>
> The userland part is the most simple to do, as the PFKey extension for NAT-OA
> already exists; it hasn't been done so far because it's useless until
> someone does the big part of the job on the kernel...

Taking into account this quote:

On 02/11/10 15:55, Bjoern A. Zeeb wrote:
> Him saying it works on Linux - has ipsec-tools grown proper OA support
> these days? If that were the case the kernel would probably be a
> minor task.

this means that I have to come up with patches for both the FreeBSD kernel
and racoon at the same time. :-)
May I contact you off-list with patches for both, when ready?
As far as I understand, you are the one who can review both.

>> Can we do the same, or is this unacceptable for FreeBSD and we want
>> NAT-OA communicated to the kernel by the IKEd?
>> I made a simple patch to ipsec_common_input_cb() to ignore TCP/UDP
>> checksums of ESP-protected packets, and I can happily connect to the
>> Solaris VPN server from behind the NAT device (after working around
>> some security policy matching issues).
>
> Just adding some code to always ignore such checksums sounds like a
> bad idea to me.....
>
> But maybe we could have at least a sysctl (disabled by default) to
> ignore them.....
>
> Yvan.
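The checksum problem the thread is about, worked through as an added example (this is not code from the thread, from ipsec-tools, or from the FreeBSD kernel; ipsec_common_input_cb() is not modelled here). A host behind a NAT computes the TCP checksum of a transport-mode, UDP-encapsulated ESP segment over a pseudo-header containing its private address. The NAT rewrites the outer IP source but cannot touch the encrypted TCP header, so after decapsulation the responder sees a pseudo-header with the public address and the checksum no longer verifies. RFC 3948 gives the receiver two ways out, which are the two options discussed above: fix the checksum incrementally (RFC 1624) using the original address carried in the IKE NAT-OA payload, or skip the check and rely on ESP integrity protection. The addresses, ports and the policy names POLICY_VERIFY / POLICY_NAT_OA / POLICY_IGNORE are constructed for the example:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

enum { POLICY_VERIFY = 0, POLICY_NAT_OA = 1, POLICY_IGNORE = 2 };  /* assumed names */

/* RFC 1071 one's-complement accumulate over a byte buffer (no fold). */
static uint32_t csum_add(const void *buf, size_t len, uint32_t sum)
{
    const uint8_t *p = buf;
    for (; len > 1; len -= 2, p += 2)
        sum += (uint32_t)((p[0] << 8) | p[1]);
    if (len)
        sum += (uint32_t)(p[0] << 8);
    return sum;
}

/* Fold carries and complement: the value that goes on the wire. */
static uint16_t csum_finish(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* TCP checksum over the IPv4 pseudo-header plus the segment (addresses in
 * network order). Over a segment whose checksum field is already filled in,
 * the result is 0 exactly when the checksum verifies. */
uint16_t tcp_checksum(uint32_t saddr, uint32_t daddr, const uint8_t *seg, size_t len)
{
    uint8_t ph[12];
    memcpy(ph, &saddr, 4);
    memcpy(ph + 4, &daddr, 4);
    ph[8] = 0;
    ph[9] = 6;                         /* IPPROTO_TCP */
    ph[10] = (uint8_t)(len >> 8);
    ph[11] = (uint8_t)len;
    return csum_finish(csum_add(seg, len, csum_add(ph, sizeof ph, 0)));
}

/* RFC 1624 incremental update HC' = ~(~HC + ~m + m'), applied to both
 * 16-bit halves of an address that changed from old_be to new_be. */
uint16_t csum_update32(uint16_t hc, uint32_t old_be, uint32_t new_be)
{
    uint32_t o = ntohl(old_be), n = ntohl(new_be);
    uint32_t sum = (uint16_t)~hc;
    sum += (uint16_t)~(o >> 16);
    sum += (uint16_t)~(o & 0xffff);
    sum += (n >> 16) + (n & 0xffff);
    return csum_finish(sum);
}

/* Constructed sample: a 20-byte TCP SYN, no options, checksum computed by the
 * sender with the pseudo-header it knows, i.e. its own (pre-NAT) address. */
void build_tcp_syn(uint8_t seg[20], uint32_t saddr, uint32_t daddr,
                   uint16_t sport, uint16_t dport)
{
    memset(seg, 0, 20);
    seg[0] = (uint8_t)(sport >> 8); seg[1] = (uint8_t)sport;
    seg[2] = (uint8_t)(dport >> 8); seg[3] = (uint8_t)dport;
    seg[4] = 0x11; seg[5] = 0x22; seg[6] = 0x33; seg[7] = 0x44;   /* seq */
    seg[12] = 0x50;                    /* data offset = 5 words */
    seg[13] = 0x02;                    /* SYN */
    seg[14] = 0xff; seg[15] = 0xff;    /* window */
    uint16_t c = tcp_checksum(saddr, daddr, seg, 20);   /* field is 0 here */
    seg[16] = (uint8_t)(c >> 8); seg[17] = (uint8_t)c;
}

/* Receiver side, after ESP decapsulation. src_seen is the source address as
 * rewritten by the NAT; nat_oa is the original address from the IKE NAT-OA
 * payload, or 0 when the IKE daemon did not pass one down to the kernel.
 * Returns 1 if the segment is accepted, 0 if it would be dropped. */
int inner_tcp_accept(int policy, uint32_t src_seen, uint32_t daddr,
                     uint32_t nat_oa, uint8_t *seg, size_t len)
{
    if (policy == POLICY_IGNORE)
        return 1;   /* the "ignore checksums of ESP-protected packets" approach */
    if (policy == POLICY_NAT_OA && nat_oa != 0 && nat_oa != src_seen) {
        uint16_t hc = (uint16_t)((seg[16] << 8) | seg[17]);
        hc = csum_update32(hc, nat_oa, src_seen);    /* RFC 3948 3.1.2 fixup */
        seg[16] = (uint8_t)(hc >> 8); seg[17] = (uint8_t)hc;
    }
    return tcp_checksum(src_seen, daddr, seg, len) == 0;
}

#define IPV4(a, b, c, d) htonl(((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                               ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Initiator 10.0.0.5 behind a NAT with public address 198.51.100.7, talking
 * to responder 192.0.2.10 (all constructed). Returns inner_tcp_accept(). */
int scenario(int policy, int behind_nat)
{
    uint32_t orig = IPV4(10, 0, 0, 5), pub = IPV4(198, 51, 100, 7), dst = IPV4(192, 0, 2, 10);
    uint8_t seg[20];
    build_tcp_syn(seg, orig, dst, 40000, 443);
    return inner_tcp_accept(policy, behind_nat ? pub : orig, dst,
                            behind_nat ? orig : 0, seg, 20);
}

/* Cross-check: the incremental fixup equals a full recomputation. */
int incremental_matches_full(void)
{
    uint32_t orig = IPV4(10, 0, 0, 5), pub = IPV4(198, 51, 100, 7), dst = IPV4(192, 0, 2, 10);
    uint8_t a[20], b[20];
    build_tcp_syn(a, orig, dst, 40000, 443);
    build_tcp_syn(b, pub, dst, 40000, 443);
    uint16_t hc = csum_update32((uint16_t)((a[16] << 8) | a[17]), orig, pub);
    return hc == (uint16_t)((b[16] << 8) | b[17]);
}

int main(void)
{
    printf("no NAT, verify:     %d\n", scenario(POLICY_VERIFY, 0));
    printf("NAT, verify:        %d\n", scenario(POLICY_VERIFY, 1));
    printf("NAT, NAT-OA fixup:  %d\n", scenario(POLICY_NAT_OA, 1));
    printf("NAT, ignore:        %d\n", scenario(POLICY_IGNORE, 1));
    return 0;
}
```

The NAT-OA path is the one that keeps the end-to-end checksum meaningful: it only works when the IKE daemon hands the original address down to the kernel, which is exactly the plumbing the thread says ipsec-tools and the FreeBSD kernel still lack. The ignore path is what a blanket patch would do for every ESP-protected segment, NAT or not; gating it behind a sysctl that is off by default, as suggested above, at least keeps the default behaviour strict.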