Date: Tue, 23 Feb 2010 13:21:27 +0100
From: VANHULLEBUS Yvan <vanhu@FreeBSD.org>
To: Denis Antrushin <DAntrushin@mail.ru>
Cc: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>, freebsd-net@freebsd.org
Subject: Re: IPSec connection troubles
Message-ID: <20100223122127.GA45649@zeninc.net>
In-Reply-To: <4B83B79F.102@mail.ru>
References: <4B73E902.6050301@mail.ru> <20100211124756.GA9528@zeninc.net> <20100211125420.G27327@maildrop.int.zabbadoz.net> <4B83B79F.102@mail.ru>
On Tue, Feb 23, 2010 at 02:10:23PM +0300, Denis Antrushin wrote:
[...]
> ipsec-tools understands the NAT-OA payload in the IKE exchange, but then simply
> discards it and does not send this information to the kernel.
> In the ipsec-tools mailing list archives I found mention that Linux does not
> need this OA info, because it simply recomputes/ignores TCP checksums.

The userland part is the most simple to do, as the PFKey extension for NAT-OA already exists; it hasn't been done so far because it's useless until someone does the big part of the job on the kernel side...

> Can we do the same, or is this unacceptable for FreeBSD and we want
> NAT-OA communicated to the kernel by the IKEd?
> I made a simple patch to ipsec_common_input_cb() to ignore TCP/UDP
> checksums of ESP-protected packets and I happily can connect to a
> Solaris VPN server from behind the NAT device (after working around
> some security policy matching issues).

Just adding some code to always ignore such checksums sounds like a bad idea to me...

But maybe we could have at least a sysctl (disabled by default) to ignore them...

Yvan.
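The checksum problem the thread is arguing about comes from transport-mode ESP through a NAT: the inner TCP checksum covers a pseudo-header with the pre-NAT address, so after decapsulation the receiver's own address view no longer matches and the segment looks corrupt. The two non-"ignore" options are to verify against the original address carried in NAT-OA, or to fix the checksum up incrementally (RFC 3948 section 3.1.2, using the RFC 1624 update) before handing the segment to the stack. The following added example, which is not code from the thread, FreeBSD or ipsec-tools, demonstrates both on a constructed segment; all addresses and ports are constructed sample values.

```python
import ipaddress
import struct

TCP_PROTO = 6

# Constructed sample addresses (not from the thread): the host behind the NAT,
# the address the NAT rewrites it to, and the VPN server.
ORIG_SRC = "10.0.0.5"        # what the inner TCP checksum was computed over
NAT_SRC = "198.51.100.7"     # what the server sees in the outer IP header
DST = "203.0.113.10"


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; odd trailing byte padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 TCP pseudo-header: src, dst, zero, protocol, TCP length."""
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum for a segment whose checksum field (bytes 16..17) is zero."""
    return (~ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment)) & 0xFFFF


def build_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (PSH|ACK) plus payload, checksummed over src/dst."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    seg = hdr + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]


def checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """Receiver-side check: sum over pseudo-header + segment (checksum included) is all ones."""
    return ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF


def fixup_checksum(segment: bytes, old_src: str, new_src: str) -> bytes:
    """RFC 1624 incremental update HC' = ~(~HC + ~m + m') for each 16-bit word of
    the source address, so the stack can validate the segment against the NATed
    address without recomputing over the payload."""
    hc = struct.unpack("!H", segment[16:18])[0]
    old = ipaddress.IPv4Address(old_src).packed
    new = ipaddress.IPv4Address(new_src).packed
    acc = (~hc) & 0xFFFF
    for i in (0, 2):
        m, mp = struct.unpack("!HH", old[i:i + 2] + new[i:i + 2])
        acc += ((~m) & 0xFFFF) + mp
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return segment[:16] + struct.pack("!H", (~acc) & 0xFFFF) + segment[18:]


def demo() -> dict:
    """Inner segment built by the NATed host; what the decapsulating peer sees."""
    seg = build_segment(ORIG_SRC, DST, 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    return {
        # Naive check against the post-NAT address: fails, the symptom in the thread.
        "naive_check": checksum_ok(NAT_SRC, DST, seg),
        # Check using the original address from NAT-OA: passes.
        "nat_oa_check": checksum_ok(ORIG_SRC, DST, seg),
        # Incrementally fixed-up segment is valid for the post-NAT address.
        "fixed_up_check": checksum_ok(NAT_SRC, DST, fixup_checksum(seg, ORIG_SRC, NAT_SRC)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both routes need the original address, which is exactly why NAT-OA has to reach the kernel; the fix-up variant is cheaper because it touches only the checksum field rather than re-summing the payload, and neither discards the integrity check the way a blanket "ignore checksums" patch does.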