Site Navigation

Date:      Fri, 9 Dec 2016 07:16:47 -0600
From:      Karl Denninger <karl@denninger.net>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: IPFW problem with passing IPSEC through in-kernel NAT
Message-ID:  <01fbc965-f5bc-0f62-eb89-02e097e03cf7@denninger.net>
In-Reply-To: <156E272C-0EFA-4A15-8544-C580AAEB6033@obsigna.com>
References:  <099203a1-f601-bb79-548d-27c62fcbf556@denninger.net> <005b34c8-2217-fa06-5584-6999022481a3@denninger.net> <156E272C-0EFA-4A15-8544-C580AAEB6033@obsigna.com>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

[-- Attachment #1 --]
On 12/9/2016 06:18, Dr. Rolf Jansen wrote:
>> Am 09.12.2016 um 02:11 schrieb Karl Denninger <karl@denninger.net>:
>> ...
>> Some more information on this issue.... I suspect that something is
>> getting mangled somewhere in the IP stack, perhaps related to hardware
>> checksumming or similar -- or in the ipfw code.
> I had always ran into IPsec-NAT-UDP checksumming issues since I started working with FreeBSD, that tim v8.0. With a rather simple change in the respective kernel source file at least my issue can be resolved. This may be related to your issue or even not, anyway, I guess it is worth to give it a try.
>
> I am now running FreeBSD 11-RELEASE-p5. On line 462 of file /usr/src/sys/netinet/udp_usrreq.c, I replaced:
>
>     if (uh->uh_sum) {
>
> with:
>
>     if (uh->uh_sum &&
>         uh->uh_dport != htons(1701) &&
>         uh->uh_dport != htons(4500)) {
>
> This effectively skips extended UDP checksumming for certain UDP ports -- here the L2TP and IPsec-NAT-T ports. When I investigated the issue, I found in one related RFC, that IPsec-NAT-T isn't supposed to do UDP checksumming on the encapsulated packets anyway, and my patch enforces this behaviour.
>
> Best regards
>
> Rolf
>

In this case is that I never get to the use of port 4500 (there are no
packets emitted on that port that I can find); the initial key exchange
on port 500 is failing, and in-kernel NAT appears to be involved in some
fashion because I'm getting inside addresses that are (in some cases)
not being NATted at all despite the fact that as far as I can tell they
*should* be.

I'm going to spend some time refactoring the IPFW rule set to
compartmentalize the various paths through it more-fully.  Perhaps that
will shed some more light on the problem, or at least make
more-reasonable an attempt to trace it.

-- 
Karl Denninger
karl@denninger.net <mailto:karl@denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/

[-- Attachment #2 --]
0�	*�H��

��0�

10
	`�H
e0�	*�H��


��_0�[0�C�

)0
	*�H��


0��10	UUS10UFlorida10U	Niceville10U
Cuda Systems LLC10UCuda Systems LLC CA1"0 	*�H��

	
Cuda Systems LLC CA0
150421022159Z
200419022159Z0Z10	UUS10UFlorida10U
Cuda Systems LLC10UKarl Denninger (OCSP)0�"0
	*�H��



�0�
�
��X�@v�kY�
�T��q/v�E�]��5#�֯�MX����\8��L�J/V?�5���Da�+
��sJ��c�*��/�r�{ȼ�n��S�+�w"�)���ąZ^�Dt��dC�OZ�� ~7��Q ��'��@���a#i�j�c۴oZdB&���!�Ӝ���-�<	�?��H���N���5���y
5�}F�|ef゘��"V��لi��o��7��4���
zn�">����a����1q�Wuɖ�b�F��e�GE�&�3(��K�h����ix�G�3���!��#�e_X�Ƭ����Ϝ/,��$�+�;�4y��'�B�z<qT�9����_?rRU�pn�5
��Jn&R��x/�p J�yel�*�pN�8�/#�9�u����/��YP�E��C)T����Y>��~/˘N[������v��yi���DKˉ�,�^�"� ?�$��T8����v�&�����K�%z��8�C @?�K{�9�f`��+���@,|����M��bia

���0��07+


+0)0'+
0
�http://cudasystems.net:88880	U00	`�H
��B

�0U�0,	`�H
��B

OpenSSL Generated Certificate0U��-��h\F����f ��Y0U#0�$q���}��ݽ�ʒ����m50U0�karl@denninger.net0
	*�H��


�
Ow�b��a�bɺx�&��Uk�[��(O�j��!����%�p��MQ�0I�!#�Q��H��}.>~2���&D}�<�wm_>�V6�v��]�f��>=�N�n�+8;q �wfΰ����/��R�LyU��G#�b�}n�!D����ր_��up�|��_�ǰ��c��/�%ۥ���
�nN8:�d��;�-�UJ��d/�m��1~Vނי���nN I˾$t�F1&}�|?q?�\đ�X��ԑ�&\�4V�<lK������ۮ3%Am_����(��q����-(c����Ae�G�X)f}�-˥6c��v~��K�g�8m~v��;|�9�:-i�A����P��қ�6�ېn�-���.)�<[�$KJ�t�����t/L4�ᖣ�^Cm�u4v�b{+�B�G�$M���0c�\��[M�R�|�0FԸ�����P&7����8�"4p������#���}��DZ�9;V�9�#>�S�w"��[�UP7�1�0�

0��0��10	UUS10UFlorida10U	Niceville10U
Cuda Systems LLC10UCuda Systems LLC CA1"0 	*�H��

	
Cuda Systems LLC CA
)0
	`�H
e��M0	*�H��

	1	*�H��


0	*�H��

	1
161209131647Z0O	*�H��

	1B@u8�4O$�6l�v#�)pԝL-L)b�Z�D�@�����TC��E������3S�aXJ���_�cCn�s0l	*�H��

	1_0]0	`�H
e
*0	`�H
e
0
*�H��
0*�H��
�0
*�H��

@0+0
*�H��

(0��	+

�71��0��0��10	UUS10UFlorida10U	Niceville10U
Cuda Systems LLC10UCuda Systems LLC CA1"0 	*�H��

	
Cuda Systems LLC CA
)0��*�H��

	1�����0��10	UUS10UFlorida10U	Niceville10U
Cuda Systems LLC10UCuda Systems LLC CA1"0 	*�H��

	
Cuda Systems LLC CA
)0
	*�H��



�W�\&��z@!=�k�="�ϵ��b��H�]�z��͆sJ̒��艖W����͸.�O�,�C�{o�p#��@6��K���'4�2��yȿ��v�.���ȩl�>�N�h�Y����
-�H�O)��l'S��U
�.p���T��"�F?�����'LXk����)�Jd�Qjt�#*�
F��K���)NN<��,0.@���[�q�)�
�m_�I���t#9��
A�K�6p��$�^���e۳�D�+޽e�.-W'^�����+���0��
?]�E��0���M���Vg�<���I�)]���W|�����YA�h[Ю>z����t~:�7*x�	��0p9G��O������~�+	wD
|�)� �F�D9��s��Ժ��(d�$L�K�޸q�iT|��y@���/د�X&���8"�R�!8��K�7(�^�)���`�:-W�R�����R~�8) ��ۄ.��v�c�_L�r9M?��І�χ8@i�bȑ��d

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?01fbc965-f5bc-0f62-eb89-02e097e03cf7>

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact