From owner-freebsd-net@FreeBSD.ORG Thu Feb 11 13:00:07 2010
Date: Thu, 11 Feb 2010 12:55:25 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: VANHULLEBUS Yvan
Cc: freebsd-net@freebsd.org
Subject: Re: IPSec connection troubles
Message-ID: <20100211125420.G27327@maildrop.int.zabbadoz.net>
In-Reply-To: <20100211124756.GA9528@zeninc.net>
References: <4B73E902.6050301@mail.ru> <20100211124756.GA9528@zeninc.net>
List-Id: Networking and TCP/IP with FreeBSD

On Thu, 11 Feb 2010, VANHULLEBUS Yvan wrote:

Hi,

>> I'm trying to establish IPSec connection between FreeBSD and
>> Solaris boxes. I use FreeBSD 8-STABLE (don't recall exact checkout
>> date, but it contains recent IPComp fixes for sure).
>> Since I'm behind NAT, I compiled 0.8alpha snapshot of ipsec-tools
>> from their site.
> [config]
>
>> When I try to connect to TCP port 2112 of solaris box,
>> racoon successfully negotiates with remote peer, I see
>> SA installed in kernel,
>
> From developer's view, that's a good news :-)
>
>
>> but then nothing happens.
>> I see encapsulated TCP SYN packets sent on enc0, but
>> nothing else. TCP connection is not established, nothing
>> in racoon logs (except KA), nothing on PF_KEY socket.
>> The very same setup works on Linux and Mac.
>>
>> How can I further debug this problem?
>
> You can check on responder that you have lots of TCP checksums errors,
> which will confirm that you would need support for NAT-OA extension of
> NAT-T RFC, as you want to do some Transport IPsec of TCP flows using
> NAT-T.
>
>
> Unfortunately, actually, there is no support for NAT-OA extension,
> there are just specifications on PFKey interface to send them to
> kernel.

Him saying it works on Linux - has ipsec-tools grown proper OA support
these days? If that would be the case the kernel would probably be a
minor task.

/bz

-- 
Bjoern A. Zeeb                      It will not break if you know what you are doing.
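The checksum failure Yvan describes can be reproduced on paper. The example below is added here and is not from the thread or from ipsec-tools: a transport-mode TCP SYN is checksummed by the initiator over the addresses it sees, the NAT rewrites only the outer IP header (the TCP header is inside ESP and untouched), so the responder's pseudo-header no longer matches, and only an original address learned via NAT-OA lets it repair the checksum. All addresses (10.0.0.5, 198.51.100.7, 203.0.113.9) and the source port are constructed; port 2112 is the one from the thread.

```python
import struct

def ip_words(ip):
    """IPv4 dotted quad -> the two 16-bit words it contributes to the pseudo-header."""
    return struct.unpack("!HH", bytes(int(x) for x in ip.split(".")))

def fold(total):
    """Fold carries back into 16 bits (RFC 1071 one's-complement sum)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ones_sum(data):
    if len(data) % 2:
        data += b"\x00"
    return fold(sum(struct.unpack("!%dH" % (len(data) // 2), data)))

def pseudo_header(src_ip, dst_ip, length):
    """TCP pseudo-header: src, dst, zero, protocol 6, TCP length."""
    return struct.pack("!HHHHBBH", *ip_words(src_ip), *ip_words(dst_ip), 0, 6, length)

def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum as the sender computes it: the addresses *it* sees, checksum field zeroed."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return ~ones_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed) & 0xFFFF

def build_syn(src_ip, dst_ip, sport, dport):
    """Minimal 20-byte TCP SYN with a correct checksum (constructed test input)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return hdr[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, hdr)) + hdr[18:]

def verify(src_ip, dst_ip, segment):
    """Receiver check against the addresses in the IP header it actually got."""
    return ones_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF

def nat_oa_fixup(segment, original_ip, translated_ip):
    """Once IKE has delivered the NAT-OA original address, the receiver can swap it for the
    translated address in the checksum incrementally (RFC 1624) instead of dropping the segment."""
    old = struct.unpack("!H", segment[16:18])[0]
    total = (~old & 0xFFFF) + sum(~w & 0xFFFF for w in ip_words(original_ip)) + sum(ip_words(translated_ip))
    return segment[:16] + struct.pack("!H", ~fold(total) & 0xFFFF) + segment[18:]

if __name__ == "__main__":
    # Constructed topology: initiator 10.0.0.5, NAT rewrites it to 198.51.100.7, responder 203.0.113.9.
    syn = build_syn("10.0.0.5", "203.0.113.9", 40000, 2112)
    print("responder after NAT, no NAT-OA:", verify("198.51.100.7", "203.0.113.9", syn))
    fixed = nat_oa_fixup(syn, "10.0.0.5", "198.51.100.7")
    print("responder with NAT-OA fix-up:  ", verify("198.51.100.7", "203.0.113.9", fixed))
```

The first check is what shows up as the "lots of TCP checksums errors" on the responder; the second is the state a NAT-OA-aware kernel would reach.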