Date: Fri, 9 Dec 2016 10:18:26 -0200
From: "Dr. Rolf Jansen" <rj@obsigna.com>
To: freebsd-ipfw@freebsd.org
Cc: Karl Denninger <karl@denninger.net>
Subject: Re: IPFW problem with passing IPSEC through in-kernel NAT
Message-ID: <156E272C-0EFA-4A15-8544-C580AAEB6033@obsigna.com>
In-Reply-To: <005b34c8-2217-fa06-5584-6999022481a3@denninger.net>
References: <099203a1-f601-bb79-548d-27c62fcbf556@denninger.net> <005b34c8-2217-fa06-5584-6999022481a3@denninger.net>
> On 09.12.2016 at 02:11, Karl Denninger <karl@denninger.net> wrote:
> ...
> Some more information on this issue.... I suspect that something is
> getting mangled somewhere in the IP stack, perhaps related to hardware
> checksumming or similar -- or in the ipfw code.

I have always run into IPsec-NAT-UDP checksumming issues since I started working with FreeBSD, at that time v8.0. With a rather simple change in the respective kernel source file at least my issue can be resolved. This may be related to your issue or even not; anyway, I guess it is worth giving it a try.

I am now running FreeBSD 11-RELEASE-p5. On line 462 of file /usr/src/sys/netinet/udp_usrreq.c, I replaced:

    if (uh->uh_sum) {

with:

    if (uh->uh_sum && uh->uh_dport != htons(1701) && uh->uh_dport != htons(4500)) {

This effectively skips extended UDP checksumming for certain UDP ports -- here the L2TP and IPsec-NAT-T ports. When I investigated the issue, I found in one related RFC that IPsec-NAT-T isn't supposed to do UDP checksumming on the encapsulated packets anyway, and my patch enforces this behaviour.

Best regards

Rolf
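An added example, not code from the mail or from the FreeBSD tree: a user-space C model of the receive-side check as patched above, so the effect of the port exemption can be seen on constructed datagrams. The port numbers come from the mail; the function names udp_checksum, build_udp and udp_accept, and the addresses and payload, are assumptions made for this example.

```c
/* Added example, not the patch from the mail: user-space model of the UDP
 * receive checksum check with the port exemption described above.
 * All addresses and payloads are constructed test data, not real traffic. */
#include <stdint.h>
#include <string.h>

#define UDP_PORT_L2TP 1701   /* ports exempted by the mail's patch */
#define UDP_PORT_NATT 4500   /* RFC 3948 NAT-T sends the UDP checksum as 0 */

/* RFC 768/1071 checksum over the IPv4 pseudo-header and the datagram.
 * src/dst are 4-byte IPv4 addresses; udp points at the UDP header + payload. */
uint16_t udp_checksum(const uint8_t src[4], const uint8_t dst[4],
                      const uint8_t *udp, size_t len)
{
    uint8_t ph[12] = {0};
    uint32_t s = 0;
    memcpy(ph, src, 4); memcpy(ph + 4, dst, 4);
    ph[9] = 17;                              /* IPPROTO_UDP */
    ph[10] = len >> 8; ph[11] = len & 0xff;  /* UDP length */
    for (size_t i = 0; i < 12; i += 2) s += (ph[i] << 8) | ph[i + 1];
    for (size_t i = 0; i + 1 < len; i += 2) s += (udp[i] << 8) | udp[i + 1];
    if (len & 1) s += udp[len - 1] << 8;     /* odd trailing byte */
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/* Build header + payload into buf with a valid checksum; returns the length.
 * A computed checksum of 0 is transmitted as 0xffff (RFC 768). */
size_t build_udp(uint8_t *buf, const uint8_t src[4], const uint8_t dst[4],
                 uint16_t sport, uint16_t dport, const uint8_t *data, size_t dlen)
{
    size_t len = 8 + dlen;
    buf[0] = sport >> 8; buf[1] = sport; buf[2] = dport >> 8; buf[3] = dport;
    buf[4] = len >> 8;   buf[5] = len;   buf[6] = buf[7] = 0;
    memcpy(buf + 8, data, dlen);
    uint16_t c = udp_checksum(src, dst, buf, len);
    buf[6] = (c ? c : 0xffff) >> 8; buf[7] = c ? c : 0xffff;
    return len;
}

/* The receive-side decision as patched in the mail: verify only when the
 * checksum is nonzero and dport is neither L2TP nor NAT-T; 1 = accept, 0 = drop. */
int udp_accept(const uint8_t src[4], const uint8_t dst[4],
               const uint8_t *udp, size_t len)
{
    uint16_t dport = (udp[2] << 8) | udp[3], sum = (udp[6] << 8) | udp[7];
    if (sum == 0 || dport == UDP_PORT_L2TP || dport == UDP_PORT_NATT)
        return 1;                            /* verification skipped */
    return udp_checksum(src, dst, udp, len) == 0;  /* 0 == valid */
}
```

Running udp_checksum over a captured NAT-T datagram and its addresses shows whether the checksum is actually wrong or merely left unverified by the exemption, which separates a mangled-packet problem from a policy one.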