Date: Fri, 24 Jul 2009 10:29:15 +0200
From: VANHULLEBUS Yvan
To: Ingo Flaschberger
Cc: freebsd-net@freebsd.org
Message-ID: <20090724082915.GA93467@zeninc.net>
Subject: Re: natt (again) in 7.2 stable and a forticlient

On Thu, Jul 23, 2009 at 10:15:25PM +0200, Ingo Flaschberger wrote:
> Dear Yvan,

Hi.

> I have tried to get natt at freebsd 7.2 stable with your patch
> http://people.freebsd.org/~vanhu/NAT-T/patch-natt-7.2-2009-05-12.diff
> and ipsec-tools 0.7.2 and 0.8-alpha20090525+natt running,
> but have no success.

http://people.freebsd.org/~vanhu/NAT-T/patch-natt-7.2-2009-05-12.diff
will work with ipsec-tools 0.7.2 but NOT with 0.8-alpha20090525+natt.

> negotiation works, but traffic from forticlient gives
> esp_input_cb: authentication hash mismatch for packet in SA x.x.x.x/009320d9
> error.

Strange.... does this work with the same forticlient but without NAT-T?

> Also there is no traffic seen incoming at the forticlient, but leaves the
> freebsd-box.

Are you sure you don't have "something strange" on your network? For
example an old and ugly "IKE proxy" which would try to "fix" traffic
coming through UDP 500?

Can you check what version of NAT-T is used by your forticlient? By
default, ipsec-tools will announce support for RFC and drafts 00/01
(we'll have to change that to only announce RFC by default).

If forticlient announces/chooses drafts 00/01, and if there is some kind
of IKE proxy on the way, it probably just won't work (and may explain
authentication hash mismatches....).

> I have tried to figure out changes at freebsd 8.0 and the patchset
> http://people.freebsd.org/~bz/20090523-04-natt.diff, but that is at some
> places new code.

There are some changes, but basically, the code does the same thing (but
it does it in a cleaner way :-) ).

> Do you have any idea what breaks?
> Will it work at 8.0? and does it make sense to go with 8.0?
> (have seen some other ipsec patches from you that address stability)

You can also try 8.0 with a recent ipsec-tools HEAD, but I guess you'll
have the same result.

Yvan.
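The question above ("what version of NAT-T is used by your forticlient?") can be answered by looking at the Vendor ID payloads the peer sends in its first IKE message. The following Python script is an added example, not part of this mail and not code from ipsec-tools: it parses a raw ISAKMP (IKEv1) message, walks the payload chain, matches every Vendor ID payload against the NAT-T vendor IDs (which are the MD5 digest of the RFC or draft name, the same derivation racoon uses) and reports which NAT-T versions the peer announces. The sample message is constructed inline, the SA payload body is a placeholder, and the preference order used to pick a common version (RFC 3947 first, then newer drafts) is an assumption of this example, not racoon's documented behaviour.

```python
import hashlib
import struct

# ISAKMP (IKEv1) layout from RFC 2408: a 28-byte header, then a chain of
# payloads that each start with a 4-byte generic header
# (next payload type, reserved, total length).
ISAKMP_HDR_LEN = 28
PAYLOAD_NONE = 0
PAYLOAD_SA = 1
PAYLOAD_VENDOR_ID = 13

# NAT-T vendor IDs are MD5(name); racoon's vendorid.c derives them the same
# way. (The draft-02 variant with a trailing newline is omitted here.)
NAT_T_VID_NAMES = [
    "RFC 3947",
    "draft-ietf-ipsec-nat-t-ike-00",
    "draft-ietf-ipsec-nat-t-ike-01",
    "draft-ietf-ipsec-nat-t-ike-02",
    "draft-ietf-ipsec-nat-t-ike-03",
]
NAT_T_VIDS = {hashlib.md5(n.encode("ascii")).digest(): n for n in NAT_T_VID_NAMES}

# Assumed preference order for this example: RFC first, then newer drafts.
NAT_T_PREFERENCE = ["RFC 3947", "draft-ietf-ipsec-nat-t-ike-03",
                    "draft-ietf-ipsec-nat-t-ike-02",
                    "draft-ietf-ipsec-nat-t-ike-01",
                    "draft-ietf-ipsec-nat-t-ike-00"]


def build_isakmp_message(payloads):
    """Serialise (type, data) payloads behind a minimal ISAKMP header
    (zero cookies and message id, version 1.0, exchange type 2)."""
    chain = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        chain += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    header = struct.pack("!8s8sBBBBII", b"\0" * 8, b"\0" * 8, first,
                         0x10, 2, 0, 0, ISAKMP_HDR_LEN + len(chain))
    return header + chain


def iter_payloads(msg):
    """Walk the payload chain of a raw ISAKMP message, yielding (type, data).
    Raises ValueError on truncation or inconsistent length fields."""
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    ptype = msg[16]                                   # first payload type
    total = struct.unpack("!I", msg[24:28])[0]
    if total != len(msg):
        raise ValueError("ISAKMP length field does not match message size")
    off = ISAKMP_HDR_LEN
    while ptype != PAYLOAD_NONE:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt, _reserved, length = struct.unpack("!BBH", msg[off:off + 4])
        if length < 4 or off + length > len(msg):
            raise ValueError("bad payload length")
        yield ptype, msg[off + 4:off + length]
        ptype, off = nxt, off + length
    if off != len(msg):
        raise ValueError("trailing bytes after last payload")


def announced_nat_t_versions(msg):
    """NAT-T versions the peer announced via Vendor ID payloads, in message order."""
    return [NAT_T_VIDS[data] for ptype, data in iter_payloads(msg)
            if ptype == PAYLOAD_VENDOR_ID and data in NAT_T_VIDS]


def negotiated_nat_t(ours, theirs):
    """Most preferred NAT-T version announced by both sides, or None."""
    common = set(ours) & set(theirs)
    for name in NAT_T_PREFERENCE:
        if name in common:
            return name
    return None


def sample_peer_message():
    """Constructed sample: a peer announcing RFC 3947 plus drafts 00 and 01,
    with an unrelated vendor ID mixed in."""
    other_vid = hashlib.md5(b"some-unrelated-vendor").digest()
    return build_isakmp_message([
        (PAYLOAD_SA, b"\x00\x00\x00\x01"),  # placeholder SA body
        (PAYLOAD_VENDOR_ID, hashlib.md5(b"RFC 3947").digest()),
        (PAYLOAD_VENDOR_ID, hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-00").digest()),
        (PAYLOAD_VENDOR_ID, other_vid),
        (PAYLOAD_VENDOR_ID, hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-01").digest()),
    ])


if __name__ == "__main__":
    peer = announced_nat_t_versions(sample_peer_message())
    # What this mail says ipsec-tools announces by default: RFC plus drafts 00/01.
    ours = ["RFC 3947", "draft-ietf-ipsec-nat-t-ike-00", "draft-ietf-ipsec-nat-t-ike-01"]
    print("peer announces:", peer)
    print("common version:", negotiated_nat_t(ours, peer))
```

To use it on a real capture, feed the UDP payload of the peer's first IKE packet (port 500) to announced_nat_t_versions(); a peer that only lists the draft vendor IDs will end up on a draft version even if the FreeBSD side also offers RFC 3947, which is the situation the mail warns about when an IKE proxy sits in the path.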