From: David Murray
To: freebsd-stable@freebsd.org
Date: Thu, 21 Jan 2010 16:36:12 +0000
Subject: Re: IPSec NAT-T in transport mode
In-Reply-To: <4B5703A3.6010507@cyb0rg.org>
References: <659350866.20100120151602@mail.ru> <4B5703A3.6010507@cyb0rg.org>

Chaps,

On 10-01-20 Wed 1:04 pm, VANHULLEBUS Yvan wrote:
> On Wed, Jan 20, 2010 at 03:16:02PM +0600, Rabidinov M.A. wrote:
>
>> Does FreeBSD 8.0 support IPSec NAT-T in transport mode?
>> I want to create a L2TP/IPSec server. My VPN clients are NATed.
>> L2TP server (MPD5.x) makes tunnel, so I need working IPSec NAT-T in
>> transport mode.
>
> It may work..... or not....
>
> The missing part is support of NAT-OA payloads, which are used to
> update checksums when receiving packets.
>
> But afaik, most L2TP implementations compute checksums, so they will
> be checked, and of course will be wrong....

On 2010-01-20 Wed 1:22 pm, Crest wrote:
> Yes, the NAT-T patch has been integrated into FreeBSD 8.0.
>
> Just rebuild your kernel with these options:
> device crypto # IPsec depends on this
> options IPSEC
> options IPSEC_DEBUG
> options IPSEC_NAT_T

I'm trying to do the same thing as the OP, so thanks for these replies. However, they seem to be at odds. Are we saying that the NAT-T patch is there, but is missing checksum re-calculation, so MPD's packets are going to be discarded?

(FWIW, this seems to be what happens. All the negotiation to set up IPSEC SAs happens, but MPD's log never shows a single entry. I hadn't got as far as packet dumps when this thread popped up.)

--
David Murray
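An added illustration of Yvan's point (not code from this thread, from MPD or from FreeBSD): in transport mode the L2TP/UDP checksum covers the pre-NAT address, so after ESP decapsulation the receiver must repair it using the address carried in the NAT-OA payload, as RFC 3948 describes. Addresses, ports and the L2TP payload below are constructed; the fixup uses the RFC 1624 incremental checksum update.

```python
import socket
import struct

UDP_PROTO = 17


def ones_sum(data: bytes) -> int:
    """Ones-complement sum of 16-bit big-endian words (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header: this is why the UDP checksum depends on the addresses."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, UDP_PROTO, udp_len)


def udp_datagram(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP datagram checksummed over the addresses the sender sees."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = (~ones_sum(pseudo_header(src, dst, length) + header + payload)) & 0xFFFF
    return header[:6] + struct.pack("!H", csum or 0xFFFF) + payload


def udp_checksum_ok(src: str, dst: str, udp: bytes) -> bool:
    """Verify against the addresses the receiver finds in its (possibly NATed) IP header."""
    return ones_sum(pseudo_header(src, dst, len(udp)) + udp) == 0xFFFF


def natoa_fixup(udp: bytes, natoa_addr: str, header_addr: str) -> bytes:
    """Receiver-side fixup after ESP decapsulation: RFC 1624, HC' = ~(~HC + ~m + m'),
    swapping the pre-NAT address from NAT-OA (m) for the address now in the IP header (m')."""
    old = struct.unpack("!H", udp[6:8])[0]
    if old == 0:  # UDP checksum disabled: nothing to repair
        return udp
    acc = ((~old) & 0xFFFF) \
        + ones_sum(bytes(b ^ 0xFF for b in socket.inet_aton(natoa_addr))) \
        + ones_sum(socket.inet_aton(header_addr))
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    new = (~acc) & 0xFFFF
    return udp[:6] + struct.pack("!H", new or 0xFFFF) + udp[8:]


# Constructed scenario: L2TP client 10.0.0.5 behind a NAT that rewrites it to
# 203.0.113.7; the server 198.51.100.1 sees the rewritten source address.
CLIENT, NAT_PUBLIC, SERVER = "10.0.0.5", "203.0.113.7", "198.51.100.1"
L2TP = udp_datagram(CLIENT, SERVER, 1701, 1701, b"L2TP SCCRQ (constructed payload)")


def demo() -> tuple:
    """(valid before NAT, valid after NAT without fixup, valid after NAT-OA fixup)."""
    fixed = natoa_fixup(L2TP, CLIENT, NAT_PUBLIC)
    return (udp_checksum_ok(CLIENT, SERVER, L2TP),
            udp_checksum_ok(NAT_PUBLIC, SERVER, L2TP),
            udp_checksum_ok(NAT_PUBLIC, SERVER, fixed))
```

The middle value is the failure Yvan describes: without the NAT-OA fixup the decapsulated datagram fails its checksum and is dropped before MPD ever logs it.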