From owner-freebsd-net@FreeBSD.ORG Thu Feb 11 13:18:15 2010
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 94E82106566B; Thu, 11 Feb 2010 13:18:15 +0000 (UTC) (envelope-from DAntrushin@mail.ru)
Received: from gmp-eb-inf-2.sun.com (gmp-eb-inf-2.sun.com [192.18.6.24]) by mx1.freebsd.org (Postfix) with ESMTP id 270A08FC1A; Thu, 11 Feb 2010 13:18:14 +0000 (UTC)
Received: from fe-emea-10.sun.com (gmp-eb-lb-1-fe1.eu.sun.com [192.18.6.7] (may be forged)) by gmp-eb-inf-2.sun.com (8.13.7+Sun/8.12.9) with ESMTP id o1BDIDK9014679; Thu, 11 Feb 2010 13:18:14 GMT
Received: from conversion-daemon.fe-emea-10.sun.com by fe-emea-10.sun.com (Sun Java(tm) System Messaging Server 7u2-7.04 64bit (built Jul 2 2009)) id <0KXO00A00I2Y0R00@fe-emea-10.sun.com> for freebsd-net@freebsd.org; Thu, 11 Feb 2010 13:17:58 +0000 (GMT)
Received: from [129.159.126.126] ([unknown] [129.159.126.126]) by fe-emea-10.sun.com (Sun Java(tm) System Messaging Server 7u2-7.04 64bit (built Jul 2 2009)) with ESMTPSA id <0KXO00K0JI9KLAC0@fe-emea-10.sun.com> for freebsd-net@freebsd.org; Thu, 11 Feb 2010 13:17:45 +0000 (GMT)
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; CHARSET=US-ASCII; format=flowed
Date: Thu, 11 Feb 2010 16:17:35 +0300
From: Denis Antrushin <DAntrushin@mail.ru>
Sender: Denis.Antrushin@Sun.COM
To: freebsd-net@freebsd.org
Subject: Re: IPSec connection troubles
Message-id: <4B74036F.6060803@mail.ru>
In-reply-to: <20100211125420.G27327@maildrop.int.zabbadoz.net>
References: <4B73E902.6050301@mail.ru> <20100211124756.GA9528@zeninc.net> <20100211125420.G27327@maildrop.int.zabbadoz.net>
User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.9.1.5) Gecko/20091202 Lightning/1.0pre Thunderbird/3.0
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Thu, 11 Feb 2010 13:18:15 -0000

On 02/11/10 15:55, Bjoern A. Zeeb wrote:
> On Thu, 11 Feb 2010, VANHULLEBUS Yvan wrote:
>
>>> How can I further debug this problem?
>>
>> You can check on the responder that you have lots of TCP checksum errors,
>> which will confirm that you would need support for the NAT-OA extension of
>> the NAT-T RFC, as you want to do some transport-mode IPsec of TCP flows
>> using NAT-T.
>>
>> Unfortunately, at the moment there is no support for the NAT-OA extension;
>> there are just specifications on the PFKey interface to send them to the
>> kernel.
>
> Him saying it works on Linux - has ipsec-tools grown proper OA support
> these days? If that were the case, the kernel side would probably be a
> minor task.

Yes, I see some NAT-OA debug messages in the racoon logs.
With ipsec-tools 0.7.3 they were missing and I could not even finish the
quick mode exchange...

I'm sorry for my ignorance, but can I work around this problem using UDP
instead? Or does it require that NAT_OA stuff as well?

Thanks,
Denis
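The checksum errors Yvan describes come from a specific mechanism, and the following is an added illustration of it (example code written for this page, not code from the thread, from ipsec-tools or from the FreeBSD kernel). The TCP and UDP checksums are computed over a pseudo-header that includes the IP source and destination addresses. In transport mode the transport header is inside ESP, so a NAT on the path can rewrite only the outer IP header and cannot fix the inner checksum; the responder decapsulates and verifies the checksum against the rewritten addresses, which fails. NAT-OA carries the original addresses so the responder can verify (or recompute) against them. The example goes one step past the thread's TCP case by running the same check for UDP, whose checksum covers the same pseudo-header (IPv4 UDP may send checksum 0 to mean "not computed", which is the only case that sidesteps the problem). All addresses, ports and payloads are constructed sample values.

```python
"""Added example: transport-mode IPsec through NAT versus TCP/UDP checksums,
and what a NAT-OA (original address) payload lets the responder do."""
import socket
import struct

# Constructed sample addresses (RFC 5737 documentation ranges / private space).
INITIATOR = "10.0.0.5"        # initiator's real address, behind the NAT
NAT_PUBLIC = "203.0.113.7"    # source address the NAT rewrites the outer header to
RESPONDER = "198.51.100.20"   # responder's public address

PROTO = {"tcp": socket.IPPROTO_TCP, "udp": socket.IPPROTO_UDP}
# Byte offset of the checksum field inside the transport header.
CSUM_OFFSET = {socket.IPPROTO_TCP: 16, socket.IPPROTO_UDP: 6}


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (IP/TCP/UDP checksum arithmetic)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, proto: int, length: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero, protocol, transport length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, proto, length)


def transport_checksum(src_ip: str, dst_ip: str, proto: int, segment: bytes) -> int:
    """Sender-side checksum over pseudo-header + segment with the checksum field zeroed."""
    off = CSUM_OFFSET[proto]
    zeroed = segment[:off] + b"\x00\x00" + segment[off + 2:]
    return (~ones_complement_sum(pseudo_header(src_ip, dst_ip, proto, len(segment)) + zeroed)) & 0xFFFF


def checksum_valid(src_ip: str, dst_ip: str, proto: int, segment: bytes) -> bool:
    """Receiver-side check: the sum over pseudo-header + segment (checksum included) must be 0xFFFF."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, proto, len(segment)) + segment) == 0xFFFF


def build_tcp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (PSH|ACK, no options) plus payload, checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    seg = hdr + payload
    csum = transport_checksum(src_ip, dst_ip, socket.IPPROTO_TCP, seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes, with_checksum: bool = True) -> bytes:
    """8-byte UDP header plus payload; with_checksum=False leaves the IPv4 'not computed' zero."""
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    if not with_checksum:
        return seg
    csum = transport_checksum(src_ip, dst_ip, socket.IPPROTO_UDP, seg) or 0xFFFF  # 0 is sent as 0xFFFF
    return seg[:6] + struct.pack("!H", csum) + seg[8:]


def responder_accepts(proto: int, segment: bytes, outer_src: str, outer_dst: str, nat_oa_src: str = None) -> bool:
    """Responder view after ESP decapsulation: without NAT-OA it only has the NAT-rewritten
    outer source address; with NAT-OA it knows the initiator's original address."""
    if proto == socket.IPPROTO_UDP and segment[6:8] == b"\x00\x00":
        return True  # IPv4 UDP with checksum disabled: nothing to verify
    src = nat_oa_src if nat_oa_src else outer_src
    return checksum_valid(src, outer_dst, proto, segment)


def scenario(proto_name: str, udp_checksum: bool = True) -> dict:
    """Initiator builds a segment with its real address; the NAT rewrites only the outer source
    (ESP hides the transport header); the responder verifies with and without NAT-OA."""
    proto = PROTO[proto_name]
    payload = b"constructed sample payload"
    if proto == socket.IPPROTO_TCP:
        seg = build_tcp(INITIATOR, RESPONDER, 40000, 22, payload)
    else:
        seg = build_udp(INITIATOR, RESPONDER, 40000, 53, payload, udp_checksum)
    return {
        "without_nat_oa": responder_accepts(proto, seg, NAT_PUBLIC, RESPONDER),
        "with_nat_oa": responder_accepts(proto, seg, NAT_PUBLIC, RESPONDER, nat_oa_src=INITIATOR),
    }


if __name__ == "__main__":
    print("TCP:", scenario("tcp"))
    print("UDP with checksum:", scenario("udp"))
    print("UDP checksum disabled:", scenario("udp", udp_checksum=False))
```

Running the block shows the TCP and checksummed-UDP segments failing verification when the responder only has the NAT-rewritten outer source, and passing once the original address from NAT-OA is substituted into the pseudo-header; only UDP with its IPv4 checksum disabled is accepted either way.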