From owner-freebsd-net@FreeBSD.ORG Thu Dec 29 14:04:36 2005
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C125A16A41F for ; Thu, 29 Dec 2005 14:04:36 +0000 (GMT) (envelope-from jan@melen.org)
Received: from foxgw.melen.org (Savi-Mel.dna.fi [83.143.60.138]) by mx1.FreeBSD.org (Postfix) with ESMTP id C6C7343D46 for ; Thu, 29 Dec 2005 14:04:33 +0000 (GMT) (envelope-from jan@melen.org)
Received: from [2001:14b8:400:101::50] ([IPv6:2001:14b8:400:101::50]) (authenticated bits=0) by foxgw.melen.org (8.13.5/8.13.4) with ESMTP id jBTE4INI073072 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO); Thu, 29 Dec 2005 16:04:29 +0200 (EET) (envelope-from jan@melen.org)
From: Jan Mikael Melen
To: freebsd-net@freebsd.org
Date: Thu, 29 Dec 2005 16:04:34 +0200
User-Agent: KMail/1.8.2
References: <20051228143817.GA6898@uk.tiscali.com> <20051229121359.GA10949@uk.tiscali.com> <20051229123521.GA1854@zen.inc>
In-Reply-To: <20051229123521.GA1854@zen.inc>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200512291604.39225.jan@melen.org>
X-Virus-Scanned: ClamAV version 0.87.1, clamav-milter version 0.87 on foxgw.melen.org
X-Virus-Status: Clean
Cc: VANHULLEBUS Yvan
Subject: Re: IPSEC documentation
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Thu, 29 Dec 2005 14:04:36 -0000

Hi,

This now goes a little bit off topic from the original subject of IPsec
documentation, but we have made an implementation of the BEET (A Bound
End-to-End Tunneling) mode IPsec on FreeBSD 5 and 6
(http://www.ietf.org/internet-drafts/draft-nikander-esp-beet-mode-04.txt).

The implementation is part of our HIP (Host Identity Protocol) code and can
be downloaded from http://www.hip4inter.net/ through the download page. It
might be interesting to include at least the BEET mode code in the standard
FreeBSD kernel at some point in time. We have also modified the input
handling of ESP to correspond to ESPv3, where the SA is searched only based
on the SPI value.

Regards,
Jan

On Thursday 29 December 2005 14:35, VANHULLEBUS Yvan wrote:
> On Thu, Dec 29, 2005 at 12:14:00PM +0000, Brian Candler wrote:
> > On Wed, Dec 28, 2005 at 06:04:37PM +0100, Eric Masson wrote:
> > [....]
> > > > ports/net/sl2tps
> >
> > I was rather surprised that I just got IPSEC tunnel mode working between
> > Windows XP and FreeBSD; and then afterwards I also got transport mode +
> > L2TP working using the Windows client and sl2tps. Zounds!
>
> Very interesting, I'll try that ASAP!
>
> > There is a bug (arguably) in the ipsec-tools port, in that all useful
> > messages are logged at level 'daemon.info', but the default syslog.conf
> > discards these messages. Once that's fixed, debugging suddenly becomes a
> > whole lot easier :-) I've submitted a PR.
>
> Got the mail about the PR, but I currently can't see the PR itself (PR
> database busy). I'll handle it as soon as I get the real PR.
>
> > [....]
> >
> > Once up, I can happily ping through the L2TP tunnel and run short telnet
> > sessions but I can't view large web pages, which looks like an MTU issue.
>
> Yep, that is the most probable reason!
>
> > As it happens this FreeBSD box is also acting as a NAT gateway using pf
> > (myhost is on a private IP) and actually its external IP is also private
> > - it sits behind a second NAT firewall. So maybe that's where the problem
> > originates, although I really can't understand where the value of 1380
> > comes from.
>
> 1500 - (pppoe encapsulation ?) - ESP header - L2TP encapsulation....
>
> And perhaps another extra UDP encapsulation may be considered, but I
> guess you probably don't have NAT-T support.
>
>
> Yvan.
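The MTU arithmetic Yvan sketches above (link MTU minus PPPoE, ESP, L2TP and possibly NAT-T overhead) is worth carrying through, because the ESP part is not a constant: ESP pads the encrypted body up to the cipher block size, so the usable payload depends on the cipher and ICV the SA negotiated. The following is an added example, not code from the thread or from ipsec-tools/sl2tps; header sizes are the wire sizes from the respective RFCs, while the cipher/ICV choices, the L2TP option fields and address/control-field compression on PPP are assumptions, which is exactly why a single figure such as 1380 cannot be derived without knowing them.

```python
"""
Added example: usable IP MTU inside an L2TP-over-IPsec (ESP transport mode)
tunnel, derived from the link MTU, plus the TCP MSS to clamp to.
Cipher, ICV and L2TP option choices below are assumptions for illustration.
"""
from dataclasses import dataclass

# Fixed header sizes in bytes.
ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8      # RFC 2516: 6-byte PPPoE header + 2-byte PPP protocol id
IPV4_HDR = 20           # RFC 791, no options (assumption)
UDP_HDR = 8             # RFC 768
L2TP_HDR_MIN = 6        # RFC 2661: flags/version, tunnel id, session id
L2TP_LENGTH_FIELD = 2   # optional Length field (L bit)
L2TP_SEQ_FIELDS = 4     # optional Ns + Nr (S bit)
PPP_PROTO = 2           # PPP protocol field, address/control compressed (assumption)
ESP_SPI_SEQ = 8         # RFC 4303 ESP header: SPI + sequence number
ESP_TRAILER = 2         # pad length + next header
NAT_T_UDP = 8           # RFC 3948 UDP encapsulation of ESP
TCP_IP_HDRS = 40        # IPv4 + TCP headers without options


@dataclass(frozen=True)
class EspParams:
    """Cipher/integrity parameters of the SA (assumed values for the example)."""
    block_size: int   # 8 for 3DES-CBC, 16 for AES-CBC
    iv_len: int       # CBC IV is one cipher block
    icv_len: int      # 12 for HMAC-SHA1-96 / HMAC-MD5-96


THREEDES_SHA1 = EspParams(block_size=8, iv_len=8, icv_len=12)
AES_SHA1 = EspParams(block_size=16, iv_len=16, icv_len=12)


def esp_padding(payload_len: int, esp: EspParams) -> int:
    """Padding ESP adds so payload + trailer is a whole number of cipher blocks."""
    rem = (payload_len + ESP_TRAILER) % esp.block_size
    return 0 if rem == 0 else esp.block_size - rem


def esp_packet_len(payload_len: int, esp: EspParams, nat_t: bool = False) -> int:
    """Total outer IPv4 packet length of an ESP transport-mode packet."""
    return (IPV4_HDR + (NAT_T_UDP if nat_t else 0) + ESP_SPI_SEQ + esp.iv_len
            + payload_len + esp_padding(payload_len, esp) + ESP_TRAILER + esp.icv_len)


def max_esp_payload(link_mtu: int, esp: EspParams, nat_t: bool = False) -> int:
    """Largest plaintext ESP payload whose packet still fits in link_mtu.

    The encrypted region (payload + padding + trailer) must be a multiple of the
    block size, so the available space is rounded down to a block boundary first.
    """
    fixed = (IPV4_HDR + (NAT_T_UDP if nat_t else 0)
             + ESP_SPI_SEQ + esp.iv_len + esp.icv_len)
    available = link_mtu - fixed
    return (available // esp.block_size) * esp.block_size - ESP_TRAILER


def l2tp_ipsec_mtu(link_mtu: int, esp: EspParams, *, nat_t: bool = False,
                   l2tp_length: bool = True, l2tp_seq: bool = False) -> int:
    """IP MTU of the PPP interface inside an L2TP/IPsec transport-mode tunnel."""
    l2tp_hdr = (L2TP_HDR_MIN
                + (L2TP_LENGTH_FIELD if l2tp_length else 0)
                + (L2TP_SEQ_FIELDS if l2tp_seq else 0))
    return max_esp_payload(link_mtu, esp, nat_t) - UDP_HDR - l2tp_hdr - PPP_PROTO


def tcp_mss_for(mtu: int) -> int:
    """MSS to advertise (or clamp with pf's 'scrub max-mss') for a given IP MTU."""
    return mtu - TCP_IP_HDRS


if __name__ == "__main__":
    # Plain Ethernet uplink, 3DES/SHA1, no NAT-T.
    print("ethernet, 3des:", l2tp_ipsec_mtu(ETHERNET_MTU, THREEDES_SHA1))
    # PPPoE uplink, AES/SHA1, client behind NAT so ESP is UDP-encapsulated.
    inner = l2tp_ipsec_mtu(ETHERNET_MTU - PPPOE_OVERHEAD, AES_SHA1, nat_t=True)
    print("pppoe, aes, nat-t:", inner, "mss:", tcp_mss_for(inner))
```

Two things the numbers make visible: adding one byte of payload can add a whole cipher block of padding, so a tunnel that carries pings and short telnet sessions fine can still drop full-size packets; and the final figure moves by tens of bytes with the cipher, NAT-T and L2TP sequencing options, so the practical fix on a pf NAT gateway is to clamp the MSS (pf's `scrub max-mss`) to a value derived from the negotiated SA rather than to trust a number guessed from the link MTU.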