Date: Thu, 11 Feb 2010 13:47:56 +0100
From: VANHULLEBUS Yvan <vanhu@FreeBSD.org>
To: Denis Antrushin <DAntrushin@mail.ru>
Cc: freebsd-net@freebsd.org
Subject: Re: IPSec connection troubles
Message-ID: <20100211124756.GA9528@zeninc.net>
In-Reply-To: <4B73E902.6050301@mail.ru>
References: <4B73E902.6050301@mail.ru>

On Thu, Feb 11, 2010 at 02:24:50PM +0300, Denis Antrushin wrote:
> Hello,

Hi.

> I'm trying to establish IPSec connection between FreeBSD and
> Solaris boxes. I use FreeBSD 8-STABLE (don't recall exact checkout
> date, but it contains recent IPComp fixes for sure).
> Since I'm behind NAT, I compiled 0.8alpha snapshot of ipsec-tools
> from their site.

[config]

> When I try to connect to TCP port 2112 of Solaris box,
> racoon successfully negotiates with remote peer, I see
> SA installed in kernel,

From a developer's view, that's good news :-)

> but then nothing happens.
> I see encapsulated TCP SYN packets sent on enc0, but
> nothing else. TCP connection is not established, nothing
> in racoon logs (except KA), nothing on PF_KEY socket.
> The very same setup works on Linux and Mac.
>
> How can I further debug this problem?

You can check on the responder that you have lots of TCP checksum
errors, which will confirm that you would need support for the NAT-OA
extension of the NAT-T RFC, as you want to do some Transport IPsec of
TCP flows using NAT-T.

Unfortunately, actually, there is no support for the NAT-OA extension,
there are just specifications on the PFKey interface to send them to
the kernel.

Yvan.
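
The checksum failure described in the reply above, as an added example that is not part of the original message and is not FreeBSD or ipsec-tools code: the TCP checksum covers a pseudo-header containing the IP addresses, so a segment carried in transport-mode ESP through a NAT still holds a checksum computed over the pre-NAT source address. The addresses and the SYN segment are constructed, and the fix-up applies the RFC 1624 incremental update as one way a receiver could use an original address learned through NAT-OA.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* One's-complement sum of big-endian 16-bit words; fold() wraps the carries. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; p += 2, n -= 2) acc += (uint32_t)(p[0] << 8 | p[1]);
    if (n) acc += (uint32_t)p[0] << 8;
    return acc;
}
static uint16_t fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}
/* TCP checksum over the IPv4 pseudo-header (src, dst, proto 6, length) and the
   segment. Returns 0 when the checksum field already present in seg is valid. */
uint16_t tcp_cksum(const uint8_t *src, const uint8_t *dst, const uint8_t *seg, size_t len) {
    uint8_t ph[4] = {0, 6, (uint8_t)(len >> 8), (uint8_t)len};
    uint32_t acc = sum16(seg, len, sum16(ph, 4, sum16(dst, 4, sum16(src, 4, 0))));
    return (uint16_t)~fold(acc);
}
/* RFC 1624 incremental update of the checksum field (TCP header bytes 16-17):
   swap pseudo-header address `from` for `to` without re-summing the segment. */
void tcp_cksum_fixup(uint8_t *seg, const uint8_t *from, const uint8_t *to) {
    uint32_t acc = (uint16_t)~(seg[16] << 8 | seg[17]);
    for (int i = 0; i < 4; i += 2) {
        acc += (uint16_t)~(from[i] << 8 | from[i + 1]);
        acc += (uint32_t)(to[i] << 8 | to[i + 1]);
    }
    uint16_t hc = (uint16_t)~fold(acc);
    seg[16] = (uint8_t)(hc >> 8); seg[17] = (uint8_t)hc;
}
/* Constructed scenario. bit0: valid at sender, bit1: valid at responder without
   NAT-OA, bit2: valid at responder after the fix-up with the original address. */
int nat_oa_demo(void) {
    const uint8_t orig[4] = {192, 168, 1, 10};   /* initiator's private address */
    const uint8_t nat[4]  = {203, 0, 113, 5};    /* source the responder sees */
    const uint8_t dst[4]  = {198, 51, 100, 20};  /* responder */
    uint8_t syn[20] = {0xC0, 0x00, 0x08, 0x40,   /* ports 49152 -> 2112, SYN */
                       0, 0, 0, 1, 0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0};
    uint16_t c = tcp_cksum(orig, dst, syn, sizeof syn);  /* sender fills field */
    syn[16] = (uint8_t)(c >> 8); syn[17] = (uint8_t)c;
    int r = tcp_cksum(orig, dst, syn, sizeof syn) == 0;
    r |= (tcp_cksum(nat, dst, syn, sizeof syn) == 0) << 1;
    tcp_cksum_fixup(syn, orig, nat);             /* orig would come from NAT-OA */
    r |= (tcp_cksum(nat, dst, syn, sizeof syn) == 0) << 2;
    return r;
}
int main(void) { printf("result mask: %d\n", nat_oa_demo()); return 0; }
```

ESP hides the TCP header from the NAT device, so the NAT cannot adjust the checksum itself; only the IPsec endpoint can, and only if it knows the original address.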