From owner-freebsd-net@FreeBSD.ORG Mon Aug 23 08:09:00 2010
Return-Path:
Delivered-To: freebsd-net@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 07AA71065675 for ; Mon, 23 Aug 2010 08:09:00 +0000 (UTC) (envelope-from vanhu@zeninc.net)
Received: from smtp.zeninc.net (smtp.zeninc.net [80.67.176.25]) by mx1.freebsd.org (Postfix) with ESMTP id B91588FC1C for ; Mon, 23 Aug 2010 08:08:59 +0000 (UTC)
Received: from astro.zen.inc (astro.zen.inc [192.168.1.239]) by smtp.zeninc.net (smtpd) with ESMTP id 95EFE2798BC for ; Mon, 23 Aug 2010 09:52:21 +0200 (CEST)
Received: by astro.zen.inc (Postfix, from userid 1000) id 8C1FA17063; Mon, 23 Aug 2010 09:52:21 +0200 (CEST)
Date: Mon, 23 Aug 2010 09:52:21 +0200
From: VANHULLEBUS Yvan
To: freebsd-net@FreeBSD.org
Message-ID: <20100823075221.GA93863@zeninc.net>
References: <86vd72nypn.fsf@chateau.d.if>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <86vd72nypn.fsf@chateau.d.if>
User-Agent: All mail clients suck. This one just sucks less.
Cc:
Subject: Re: IPsec support in FreeBSD
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 23 Aug 2010 08:09:00 -0000

On Mon, Aug 23, 2010 at 02:37:16AM +0530, Ashish SHUKLA wrote:
> Hi,

Hi.

> I'm running 8.1-RELEASE on amd64.
>
> I'm connecting to an IPsec VPN (IPv4, dynamic keying using racoon) from behind
> a NAT and I'm having strange issues working with it. IPsec negotiation
> succeeds but there are problems with sending traffic over the tunnel.

In fact, you're trying to set up an IPsec tunnel through a NAT, with a userland probably compiled by default with NAT-T support, but a kernel without NAT-T support according to your kernel configuration file.

To have it work, first add "options IPSEC_NAT_T" to your kernel conf file, then compile / install it again. Then install the -HEAD version of ipsec-tools, as it is actually the only one able to correctly send NAT-T PF_KEY extensions to the FreeBSD kernel.

Then you'll have time to deal with other things such as racoon.conf or filtering stuff :-)

Yvan.
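The kernel/userland mismatch Yvan describes can be caught before rebuilding by inspecting the kernel configuration file for the two options involved. The check below is an added example, not Yvan's code or part of ipsec-tools; the sample configuration files and the verdict strings ("no-ipsec", "ipsec-without-natt", "ok") are constructed for the illustration.

```shell
#!/bin/sh
# kernel_has_option CONF OPT: succeed only if CONF enables kernel option OPT.
# Comments are stripped first, so a commented-out "#options IPSEC_NAT_T"
# does not count as enabled.
kernel_has_option() {
    sed 's/#.*//' "$1" |
        awk -v opt="$2" '$1 == "options" && $2 == opt { found = 1 }
                         END { exit !found }'
}

# ipsec_natt_check CONF: print a verdict and return 0 only when the kernel
# config enables both IPSEC and IPSEC_NAT_T (IPSEC_NAT_T alone does nothing).
ipsec_natt_check() {
    if ! kernel_has_option "$1" IPSEC; then
        echo "no-ipsec"; return 1
    fi
    if ! kernel_has_option "$1" IPSEC_NAT_T; then
        echo "ipsec-without-natt"; return 2
    fi
    echo "ok"; return 0
}

# Constructed sample kernel configs (not real files from the poster's system).
CONF_NATT_MISSING=$(mktemp)
cat > "$CONF_NATT_MISSING" <<'EOF'
ident   MYKERNEL
options IPSEC           # IP security
device  crypto
#options IPSEC_NAT_T    # commented out: NAT-T is NOT enabled
EOF

CONF_FIXED=$(mktemp)
cat > "$CONF_FIXED" <<'EOF'
ident   MYKERNEL
options IPSEC           # IP security
options IPSEC_NAT_T     # NAT traversal, as Yvan recommends
device  crypto
EOF

# Demonstration run: the first config reproduces the reported situation.
echo "before: $(ipsec_natt_check "$CONF_NATT_MISSING")"
echo "after:  $(ipsec_natt_check "$CONF_FIXED")"
```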