From: VANHULLEBUS Yvan
To: Denis Antrushin
Cc: freebsd-net@freebsd.org
Date: Thu, 11 Feb 2010 13:47:56 +0100
Subject: Re: IPSec connection troubles
Message-ID: <20100211124756.GA9528@zeninc.net>
In-Reply-To: <4B73E902.6050301@mail.ru>
References: <4B73E902.6050301@mail.ru>
List-Id: Networking and TCP/IP with FreeBSD

On Thu, Feb 11, 2010 at 02:24:50PM +0300, Denis Antrushin wrote:
> Hello,

Hi.

> I'm trying to establish an IPSec connection between FreeBSD and
> Solaris boxes. I use FreeBSD 8-STABLE (don't recall the exact checkout
> date, but it contains the recent IPComp fixes for sure).
> Since I'm behind NAT, I compiled the 0.8alpha snapshot of ipsec-tools
> from their site.

[config]

> When I try to connect to TCP port 2112 of the Solaris box,
> racoon successfully negotiates with the remote peer, I see the
> SA installed in the kernel,

From a developer's view, that's good news :-)

> but then nothing happens.
> I see encapsulated TCP SYN packets sent on enc0, but
> nothing else. The TCP connection is not established, nothing
> in the racoon logs (except KA), nothing on the PF_KEY socket.
> The very same setup works on Linux and Mac.
>
> How can I further debug this problem?

You can check on the responder that you have lots of TCP checksum errors, which will confirm that you need support for the NAT-OA extension of the NAT-T RFC, as you want to do transport-mode IPsec of TCP flows using NAT-T.

Unfortunately, there is currently no support for the NAT-OA extension; there are just specifications on the PF_KEY interface to send them to the kernel.

Yvan.
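The checksum failure Yvan points at, as an added illustration that is not code from the thread, from FreeBSD or from ipsec-tools: a transport-mode TCP SYN is checksummed over the initiator's private address, so once the NAT has rewritten that address the responder's stack rejects every segment, and the original address carried in the NAT-OA payloads is what lets the responder update the checksum incrementally (the RFC 3948 fix-up). The addresses, ports and sequence number are constructed RFC 5737 documentation values, and everything runs in user space with no kernel or PF_KEY interaction.

```python
import socket
import struct

# Constructed sample addresses (RFC 5737 documentation ranges), not from the thread.
PRIVATE_SRC = "192.0.2.10"   # initiator behind the NAT, as it sees itself
NAT_PUBLIC = "198.51.100.1"  # what the responder sees after translation
RESPONDER = "203.0.113.5"    # the peer listening on TCP port 2112


def ones_complement_sum(data: bytes) -> int:
    """Fold a byte string into a 16-bit one's complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    # IPv4 pseudo-header: src, dst, zero, protocol 6 (TCP), TCP length
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)


def build_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP SYN whose checksum covers the given address pair."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    csum = (~ones_complement_sum(pseudo_header(src, dst, len(hdr)) + hdr)) & 0xFFFF
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def verify(src: str, dst: str, segment: bytes) -> bool:
    """What the receiving TCP stack does: the total over pseudo-header and segment must be all ones."""
    return ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF


def fixup_with_nat_oa(segment: bytes, oa_src: str, oa_dst: str, seen_src: str, seen_dst: str) -> bytes:
    """Responder side after decapsulation: NAT-OA supplied the pre-NAT pair, so rewrite
    the checksum from that pair to the translated one, HC' = ~(~HC + ~m + m') (RFC 1624)."""
    old = struct.unpack("!4H", socket.inet_aton(oa_src) + socket.inet_aton(oa_dst))
    new = struct.unpack("!4H", socket.inet_aton(seen_src) + socket.inet_aton(seen_dst))
    acc = (~struct.unpack("!H", segment[16:18])[0]) & 0xFFFF
    for m, m_new in zip(old, new):
        acc += ((~m) & 0xFFFF) + m_new
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return segment[:16] + struct.pack("!H", (~acc) & 0xFFFF) + segment[18:]


if __name__ == "__main__":
    syn = build_syn(PRIVATE_SRC, RESPONDER, 40000, 2112)
    print("checksum ok at responder without NAT-OA:", verify(NAT_PUBLIC, RESPONDER, syn))  # False
    fixed = fixup_with_nat_oa(syn, PRIVATE_SRC, RESPONDER, NAT_PUBLIC, RESPONDER)
    print("checksum ok after NAT-OA fix-up:", verify(NAT_PUBLIC, RESPONDER, fixed))  # True
```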