From owner-freebsd-stable@FreeBSD.ORG Wed Jan 20 13:23:28 2010
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8CB0E1065670 for ; Wed, 20 Jan 2010 13:23:28 +0000 (UTC) (envelope-from vanhu@zeninc.net)
Received: from smtp.zeninc.net (smtp.zeninc.net [80.67.176.25]) by mx1.freebsd.org (Postfix) with ESMTP id 48F048FC1F for ; Wed, 20 Jan 2010 13:23:27 +0000 (UTC)
Received: from astro.zen.inc (astro.zen.inc [192.168.1.239]) by smtp.zeninc.net (smtpd) with ESMTP id 8801C2798BC; Wed, 20 Jan 2010 14:04:24 +0100 (CET)
Received: by astro.zen.inc (Postfix, from userid 1000) id 88F8717058; Wed, 20 Jan 2010 14:04:24 +0100 (CET)
Date: Wed, 20 Jan 2010 14:04:24 +0100
From: VANHULLEBUS Yvan
To: "Rabidinov M.A."
Cc: freebsd-stable@freebsd.org
Subject: Re: IPSec NAT-T in transport mode
Message-ID: <20100120130424.GA44272@zeninc.net>
References: <659350866.20100120151602@mail.ru>
In-Reply-To: <659350866.20100120151602@mail.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: All mail clients suck. This one just sucks less.
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
X-List-Received-Date: Wed, 20 Jan 2010 13:23:28 -0000

On Wed, Jan 20, 2010 at 03:16:02PM +0600, Rabidinov M.A. wrote:
> Hello, Freebsd-stable.

Hi.

> Does FreeBSD 8.0 support IPSec NAT-T in transport mode?
> I want to create an L2TP/IPSec server. My VPN clients are NATed.
> The L2TP server (MPD5.x) makes the tunnel, so I need working IPSec NAT-T in transport mode.
> Thanks a lot.

It may work..... or not....

The missing part is support of NAT-OA payloads, which are used to update checksums when receiving packets.

For TCP, this is mandatory.
For UDP (so for L2TP), checksums of 0 are allowed, and of course not checked, so the packet will go to its destination.

But afaik, most L2TP implementations compute checksums, so they will be checked, and of course will be wrong....

Yvan.
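Added example, not part of Yvan's mail or of FreeBSD's IPsec code: it computes the UDP checksum over the IPv4 pseudo-header (RFC 768) to show why the inner checksum of a transport-mode packet goes stale once a NAT rewrites the outer source address, how knowing the original address (what the NAT-OA payload carries) lets the receiver verify it, and why a datagram sent with a zero checksum sidesteps the problem. All addresses, ports and the payload are constructed.

```python
import socket
import struct

UDP_PROTO = 17

def ones_complement_sum(data: bytes) -> int:
    """Folded 16-bit one's-complement sum used by IP, UDP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header: the IP addresses are part of what the UDP checksum covers."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, UDP_PROTO, udp_len))

def build_udp(src_ip, dst_ip, src_port, dst_port, payload, compute_checksum=True):
    """UDP header + payload. With compute_checksum=False the field is left 0, which
    RFC 768 allows for IPv4 and which a receiver must then not check."""
    length = 8 + len(payload)
    hdr = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = 0
    if compute_checksum:
        csum = 0xFFFF & ~ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + hdr + payload)
        csum = csum or 0xFFFF  # a computed 0 is sent as 0xFFFF so 0 keeps meaning "none"
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload

def verify_udp(datagram: bytes, src_ip: str, dst_ip: str) -> bool:
    """Receiver-side check, using the addresses the receiver believes the packet had."""
    if struct.unpack("!H", datagram[6:8])[0] == 0:
        return True  # zero checksum: sender computed none, nothing to check
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(datagram)) + datagram)
    return total == 0xFFFF  # a valid checksum makes the whole sum all-ones

# Constructed addresses for the scenario in the mail: a NATed L2TP client with a
# private address talks to an L2TP/IPsec server; the NAT rewrites the source.
CLIENT_PRIVATE, NAT_PUBLIC, SERVER = "192.168.1.10", "198.51.100.7", "203.0.113.5"
L2TP_PORT = 1701

def nat_t_scenario(zero_checksum: bool = False) -> dict:
    """How the server's check comes out after NAT, with only the post-NAT address
    and with the original address a NAT-OA payload would have carried."""
    dgram = build_udp(CLIENT_PRIVATE, SERVER, L2TP_PORT, L2TP_PORT, b"L2TP SCCRQ", not zero_checksum)
    return {
        "verify_with_nat_address": verify_udp(dgram, NAT_PUBLIC, SERVER),  # stale, fails
        "verify_with_nat_oa": verify_udp(dgram, CLIENT_PRIVATE, SERVER),   # fixed up, passes
    }
```

The transport-mode ESP layer protects the stale checksum rather than fixing it, which is exactly why a receiver without NAT-OA support drops an L2TP client's checksummed datagrams.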