From owner-freebsd-stable@FreeBSD.ORG Fri Jan 22 13:19:39 2010
Date: Fri, 22 Jan 2010 14:19:37 +0100
From: VANHULLEBUS Yvan
To: David Murray
Cc: freebsd-stable@freebsd.org
Subject: Re: IPSec NAT-T in transport mode
Message-ID: <20100122131937.GA50007@zeninc.net>
References: <659350866.20100120151602@mail.ru> <4B5703A3.6010507@cyb0rg.org>
List-Id: Production branch of FreeBSD source code

Hi.

On Thu, Jan 21, 2010 at 04:36:12PM +0000, David Murray wrote:
[...]
> On 2010-01-20 Wed 1:22 pm, Crest wrote:
>
> >Yes the NAT-T Patch has been integrated into FreeBSD 8.0.
> >
> >Just rebuild your kernel with these options:
> >device crypto # IPsec depends on this
> >options IPSEC
> >options IPSEC_DEBUG
> >options IPSEC_NAT_T
>
> I'm trying to do the same thing as the OP, so thanks for these replies.
>
> However, they seem to be at odds. Are we saying that the NAT-T patch is
> there, but is missing checksum re-calculation, so MPD's packets are
> going to be discarded?

Yes, see my other mail in this thread.

> (FWIW, this seems to be what happens. All the negotiation to set up
> IPSEC SAs happens, but MPD's log never shows a single entry. I hadn't
> got as far as packet dumps when this thread popped up.)

And if you have a look at system stats, you'll see lots of UDP packets
dropped because of invalid checksums....

Yvan.
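Worked example of the checksum problem the thread is describing. This is added illustration, not code from the FreeBSD NAT-T patch or from anyone in the thread. The UDP checksum (RFC 768) is computed over a pseudo-header that includes the IP source and destination addresses. With plain UDP a NAT rewrites the source address and fixes the checksum at the same time; with ESP transport mode the inner UDP header is encrypted, so the NAT cannot touch it and the decapsulating end must recompute it (the procedure RFC 3948 describes). If that recomputation is missing, every decapsulated datagram fails the checksum check and is counted as dropped, which is exactly the stats symptom mentioned above. The addresses and payload below are constructed for the example.

```python
import socket
import struct

UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum of data; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total += word
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero, protocol, UDP length (RFC 768)."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, UDP_PROTO, udp_len))


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum to place in the UDP header, computed with the checksum field zeroed."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = 0xFFFF & ~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    # A computed 0 is transmitted as 0xFFFF; 0 on the wire means "no checksum" (IPv4 only).
    return csum or 0xFFFF


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP header + payload with a correct checksum for the given addresses."""
    length = 8 + len(payload)
    segment = struct.pack("!HHHH", sport, dport, length, 0) + payload
    return segment[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, segment)) + segment[8:]


def receiver_check(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """What a receiving stack does: sum pseudo-header + whole segment; must give 0xFFFF."""
    wire = struct.unpack("!H", segment[6:8])[0]
    if wire == 0:
        return True  # sender chose not to checksum
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def nat_scenario() -> tuple:
    """Constructed scenario: a host behind NAT sends UDP that is later seen with a
    rewritten source address. Returns (valid before NAT, valid after NAT without
    recomputation, valid after NAT with recomputation)."""
    inner_src = "192.168.1.10"   # constructed: private address before NAT
    nat_src = "203.0.113.5"      # constructed: public address after NAT
    dst = "198.51.100.7"         # constructed: peer
    seg = build_udp(inner_src, dst, 1701, 1701, b"constructed L2TP payload")
    before = receiver_check(inner_src, dst, seg)
    # Inside ESP the NAT cannot update this header, so the checksum still covers inner_src.
    after_unfixed = receiver_check(nat_src, dst, seg)
    # The decapsulating stack must recompute against the address the packet now carries.
    refixed = seg[:6] + struct.pack("!H", udp_checksum(nat_src, dst, seg)) + seg[8:]
    after_fixed = receiver_check(nat_src, dst, refixed)
    return before, after_unfixed, after_fixed


if __name__ == "__main__":
    print(nat_scenario())  # (True, False, True)
```

The middle value is the failing case: the datagram is intact, but its checksum was computed against an address that is no longer in the outer IP header, so the receiver discards it and bumps the "bad checksum" counter.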