Site Navigation

Date:      Fri, 9 Dec 2016 21:23:01 -0600
From:      Karl Denninger <karl@denninger.net>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: IPFW problem with passing IPSEC through in-kernel NAT
Message-ID:  <d3bfafc7-c4ad-7984-546b-6b95f8d6d577@denninger.net>
In-Reply-To: <01fbc965-f5bc-0f62-eb89-02e097e03cf7@denninger.net>
References:  <099203a1-f601-bb79-548d-27c62fcbf556@denninger.net> <005b34c8-2217-fa06-5584-6999022481a3@denninger.net> <156E272C-0EFA-4A15-8544-C580AAEB6033@obsigna.com> <01fbc965-f5bc-0f62-eb89-02e097e03cf7@denninger.net>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

[-- Attachment #1 --]
On 12/9/2016 07:16, Karl Denninger wrote:
> On 12/9/2016 06:18, Dr. Rolf Jansen wrote:
>>> Am 09.12.2016 um 02:11 schrieb Karl Denninger <karl@denninger.net>:
>>> ...
>>> Some more information on this issue.... I suspect that something is
>>> getting mangled somewhere in the IP stack, perhaps related to hardware
>>> checksumming or similar -- or in the ipfw code.
>> I had always ran into IPsec-NAT-UDP checksumming issues since I started working with FreeBSD, that tim v8.0. With a rather simple change in the respective kernel source file at least my issue can be resolved. This may be related to your issue or even not, anyway, I guess it is worth to give it a try.
>>
>> I am now running FreeBSD 11-RELEASE-p5. On line 462 of file /usr/src/sys/netinet/udp_usrreq.c, I replaced:
>>
>>     if (uh->uh_sum) {
>>
>> with:
>>
>>     if (uh->uh_sum &&
>>         uh->uh_dport != htons(1701) &&
>>         uh->uh_dport != htons(4500)) {
>>
>> This effectively skips extended UDP checksumming for certain UDP ports -- here the L2TP and IPsec-NAT-T ports. When I investigated the issue, I found in one related RFC, that IPsec-NAT-T isn't supposed to do UDP checksumming on the encapsulated packets anyway, and my patch enforces this behaviour.
>>
>> Best regards
>>
>> Rolf
>>
> In this case is that I never get to the use of port 4500 (there are no
> packets emitted on that port that I can find); the initial key exchange
> on port 500 is failing, and in-kernel NAT appears to be involved in some
> fashion because I'm getting inside addresses that are (in some cases)
> not being NATted at all despite the fact that as far as I can tell they
> *should* be.
>
> I'm going to spend some time refactoring the IPFW rule set to
> compartmentalize the various paths through it more-fully.  Perhaps that
> will shed some more light on the problem, or at least make
> more-reasonable an attempt to trace it.
>
I have completely re-factored the IPFW rule set that I am using here (it
was formerly built on top of the
"Simple" config in /etc/rc.firewall) to be completely stand-alone and
the problem has disappeared.

Bottom line -- this appears to have been some sort of problem with the
rule set rather than ipfw itself.

-- 
Karl Denninger
karl@denninger.net <mailto:karl@denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/

[-- Attachment #2 --]
0�	*�H��

��0�

10
	`�H
e0�	*�H��


��_0�[0�C�

)0
	*�H��


0��10	UUS10UFlorida10U	Niceville10U
Cuda Systems LLC10UCuda Systems LLC CA1"0 	*�H��

	
Cuda Systems LLC CA0
150421022159Z
200419022159Z0Z10	UUS10UFlorida10U
Cuda Systems LLC10UKarl Denninger (OCSP)0�"0
	*�H��



�0�
�
��X�@v�kY�
�T��q/v�E�]��5#�֯�MX����\8��L�J/V?�5���Da�+
��sJ��c�*��/�r�{ȼ�n��S�+�w"�)���ąZ^�Dt��dC�OZ�� ~7��Q ��'��@���a#i�j�c۴oZdB&���!�Ӝ���-�<	�?��H���N���5���y
5�}F�|ef゘��"V��لi��o��7��4���
zn�">����a����1q�Wuɖ�b�F��e�GE�&�3(��K�h����ix�G�3���!��#�e_X�Ƭ����Ϝ/,��$�+�;�4y��'�B�z<qT�9����_?rRU�pn�5
��Jn&R��x/�p J�yel�*�pN�8�/#�9�u����/��YP�E��C)T����Y>��~/˘N[������v��yi���DKˉ�,�^�"� ?�$��T8����v�&�����K�%z��8�C @?�K{�9�f`��+���@,|����M��bia

���0��07+


+0)0'+
0
�http://cudasystems.net:88880	U00	`�H
��B

�0U�0,	`�H
��B

OpenSSL Generated Certificate0U��-��h\F����f ��Y0U#0�$q���}��ݽ�ʒ����m50U0�karl@denninger.net0
	*�H��


�
Ow�b��a�bɺx�&��Uk�[��(O�j��!����%�p��MQ�0I�!#�Q��H��}.>~2���&D}�<�wm_>�V6�v��]�f��>=�N�n�+8;q �wfΰ����/��R�LyU��G#�b�}n�!D����ր_��up�|��_�ǰ��c��/�%ۥ���
�nN8:�d��;�-�UJ��d/�m��1~Vނי���nN I˾$t�F1&}�|?q?�\đ�X��ԑ�&\�4V�<lK������ۮ3%Am_����(��q����-(c����Ae�G�X)f}�-˥6c��v~��K�g�8m~v��;|�9�:-i�A����P��қ�6�ېn�-���.)�<[�$KJ�t�����t/L4�ᖣ�^Cm�u4v�b{+�B�G�$M���0c�\��[M�R�|�0FԸ�����P&7����8�"4p������#���}��DZ�9;V�9�#>�S�w"��[�UP7�1�0�

0��0��10	UUS10UFlorida10U	Niceville10U
Cuda Systems LLC10UCuda Systems LLC CA1"0 	*�H��

	
Cuda Systems LLC CA
)0
	`�H
e��M0	*�H��

	1	*�H��


0	*�H��

	1
161210032301Z0O	*�H��

	1B@�ճ��`t���=�������M�t��L��-`�
E
�^֑�U[d$oZ�����>`�B�1-
8�0l	*�H��

	1_0]0	`�H
e
*0	`�H
e
0
*�H��
0*�H��
�0
*�H��

@0+0
*�H��

(0��	+

�71��0��0��10	UUS10UFlorida10U	Niceville10U
Cuda Systems LLC10UCuda Systems LLC CA1"0 	*�H��

	
Cuda Systems LLC CA
)0��*�H��

	1�����0��10	UUS10UFlorida10U	Niceville10U
Cuda Systems LLC10UCuda Systems LLC CA1"0 	*�H��

	
Cuda Systems LLC CA
)0
	*�H��



�
}n,Zb��~‹���sfm�����
G�f�y澣�ֆoLJ^���̼�i<�5��
w������e�����R���
��/��Ȥ(���*�:�	)[��3�S�BPaH���D��m���`"NA��sE7@φ���=T��.�Y��?�����gkec�w��.Ƙ��l�T3`�� ղ??�<p)�S��`����
��Sf|*ΐ��ዕD��е���K�^@R!(M�EXKLc����t��N'�'S��
�5�ľB>�/�$e+9@��������Qj�KO!�`ź��dO�0�v�#��'n��W�u�����R�)g�E�,G����e�����I"��*�`иʲi��]����:?�
��9wzFUA�lio	�23�nJb����vJīKX�����v��
h�-�L�{A��Y�1wb��	��H,"ՠo����h��)^d{̠F�+u����;-d��=�N.r�LEf�����x�W��o{%

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?d3bfafc7-c4ad-7984-546b-6b95f8d6d577>

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact