> On 02/23/10 15:21, VANHULLEBUS Yvan wrote:
>> On Tue, Feb 23, 2010 at 02:10:23PM +0300, Denis Antrushin wrote:
>> [...]
>>> ipsec-tools understands the NAT-OA payload in the IKE exchange, but then
>>> simply discards it and does not send this information to the kernel.
>>> In the ipsec-tools mailing list archives I found a mention that Linux
>>> does not need this OA info, because it simply recomputes/ignores TCP
>>> checksums.
>>
>> The userland part is the simplest to do, as the PFKey extension for NAT-OA
>> already exists; it hasn't been done so far because it's useless until
>> someone does the big part of the job in the kernel...
>
> Taking into account this quote:
>
> On 02/11/10 15:55, Bjoern A. Zeeb wrote:
>> Him saying it works on Linux - has ipsec-tools grown proper OA support
>> these days? If that would be the case the kernel would probably be a
>> minor task.
>
> this means that I have to come up with patches for both the FreeBSD kernel
> and racoon at the same time. :-)
> May I contact you off-list with patches for both, when ready?
> As far as I understand, you are the one who can review both.
>
>>> Can we do the same, or is this unacceptable for FreeBSD and we want
>>> NAT-OA communicated to the kernel by IKEd?
>>> I made a simple patch to ipsec_common_input_cb() to ignore TCP/UDP
>>> checksums of ESP-protected packets, and I can happily connect to a
>>> Solaris VPN server from behind the NAT device (after working around
>>> some security policy matching issues).

Just adding some code to always ignore such checksums sounds like a
bad idea to me...

But maybe we could have at least a sysctl (disabled by default) to
ignore them...

Yvan.
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
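
As an added example (not code from this thread, from ipsec-tools or from the FreeBSD kernel), the C program below models the three options discussed above for the inner TCP checksum of a transport-mode ESP packet that crossed a NAT: a strict check, which fails because the sender computed the checksum with its pre-NAT address; the "just ignore it" path that Yvan would put behind a default-off sysctl; and a fix-up that uses the addresses carried in the NAT-OA payloads to patch the checksum incrementally (RFC 3948 section 3.1.2, with RFC 1624 arithmetic) before verifying it. The addresses, ports, sample segment, policy enum and function names are all constructed for this example and do not describe the actual ipsec_common_input_cb() patch.

```c
/* Added example, not code from this thread, ipsec-tools or the FreeBSD kernel:
 * three ways a receiver can treat the inner TCP checksum of a transport-mode ESP
 * packet that crossed a NAT (strict check, the proposed ignore sysctl, and an
 * RFC 3948 NAT-OA fix-up).  Addresses, ports and the segment are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADDR_INITIATOR_PRIVATE 0x0a000005u /* 10.0.0.5, behind the NAT  */
#define ADDR_NAT_PUBLIC        0xc6336407u /* 198.51.100.7, NAT outside */
#define ADDR_RESPONDER         0xcb00710au /* 203.0.113.10, VPN server  */

enum inner_csum_policy { CSUM_STRICT, CSUM_IGNORE, CSUM_FIXUP_NAT_OA };

/* Ones'-complement sum of 16-bit big-endian words (unfolded), then the fold. */
static uint32_t csum_words(const uint8_t *p, size_t len, uint32_t sum)
{
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)p[0] << 8 | p[1];
    return len ? sum + ((uint32_t)p[0] << 8) : sum;
}
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* TCP checksum over IPv4 pseudo-header + segment: 0 for a valid segment when the
 * sender's value is in the field, else the value the sender must store there. */
uint16_t tcp_csum_v4(uint32_t saddr, uint32_t daddr, const uint8_t *seg, size_t len)
{
    uint8_t ph[12] = { (uint8_t)(saddr >> 24), (uint8_t)(saddr >> 16), (uint8_t)(saddr >> 8),
                       (uint8_t)saddr, (uint8_t)(daddr >> 24), (uint8_t)(daddr >> 16),
                       (uint8_t)(daddr >> 8), (uint8_t)daddr, 0, 6 /* TCP */,
                       (uint8_t)(len >> 8), (uint8_t)len };
    return (uint16_t)~csum_fold(csum_words(seg, len, csum_words(ph, 12, 0)));
}

/* RFC 1624 incremental update HC' = ~(~HC + ~m + m'): replace one address in an
 * existing checksum without re-reading the segment. */
uint16_t csum_replace_addr(uint16_t csum, uint32_t old_addr, uint32_t new_addr)
{
    uint32_t sum = (uint16_t)~csum;
    sum += (uint16_t)~(old_addr >> 16);
    sum += (uint16_t)~(old_addr & 0xffff);
    sum += (new_addr >> 16) + (new_addr & 0xffff);
    return (uint16_t)~csum_fold(sum);
}

/* Receiver side after ESP decapsulation.  seen_* are the addresses on the packet
 * as received (post-NAT); oa_* are those the peer checksummed with, learned from
 * the NAT-OA payloads.  Returns 1 accept / 0 drop; may rewrite the checksum field. */
int accept_inner_tcp(enum inner_csum_policy pol, uint32_t seen_src, uint32_t seen_dst,
                     uint32_t oa_src, uint32_t oa_dst, uint8_t *seg, size_t len)
{
    if (len < 20)
        return 0;                   /* not even a full TCP header */
    if (pol == CSUM_IGNORE)
        return 1;                   /* sysctl path: the ESP ICV is the only check left */
    if (pol == CSUM_FIXUP_NAT_OA) {
        uint16_t c = (uint16_t)(seg[16] << 8 | seg[17]);
        if (oa_src != seen_src)
            c = csum_replace_addr(c, oa_src, seen_src);
        if (oa_dst != seen_dst)
            c = csum_replace_addr(c, oa_dst, seen_dst);
        seg[16] = (uint8_t)(c >> 8); seg[17] = (uint8_t)c;
    }
    return tcp_csum_v4(seen_src, seen_dst, seg, len) == 0;
}

/* Constructed 20-byte SYN (40000 -> 443, no payload) checksummed by the sender
 * with saddr/daddr.  Fills seg (or a scratch buffer if NULL); returns the checksum. */
uint16_t build_sample_syn(uint8_t *seg, uint32_t saddr, uint32_t daddr)
{
    static const uint8_t hdr[20] = { 0x9c, 0x40, 0x01, 0xbb, 0, 0, 0, 1, 0, 0, 0, 0,
                                     0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0 };
    uint8_t scratch[20], *s = seg ? seg : scratch;
    uint16_t c;
    memcpy(s, hdr, 20);
    c = tcp_csum_v4(saddr, daddr, s, 20);
    s[16] = (uint8_t)(c >> 8); s[17] = (uint8_t)c;
    return c;
}

/* Initiator sends to responder; with behind_nat the responder sees the NAT's
 * public source address while NAT-OA still names the private one. */
int run_scenario(enum inner_csum_policy pol, int behind_nat)
{
    uint8_t seg[20];
    uint32_t seen_src = behind_nat ? ADDR_NAT_PUBLIC : ADDR_INITIATOR_PRIVATE;
    build_sample_syn(seg, ADDR_INITIATOR_PRIVATE, ADDR_RESPONDER);
    return accept_inner_tcp(pol, seen_src, ADDR_RESPONDER,
                            ADDR_INITIATOR_PRIVATE, ADDR_RESPONDER, seg, 20);
}

int main(void)
{
    printf("strict/no NAT %d, strict/NAT %d, ignore/NAT %d, NAT-OA fixup/NAT %d\n",
           run_scenario(CSUM_STRICT, 0), run_scenario(CSUM_STRICT, 1),
           run_scenario(CSUM_IGNORE, 1), run_scenario(CSUM_FIXUP_NAT_OA, 1));
    return 0;
}
```

Run as-is, the strict check rejects the segment only in the NAT case, while the NAT-OA fix-up accepts it after touching nothing but the checksum field; the incremental update yields exactly the value a full recomputation with the post-NAT address would. The ignore path leaves the ESP ICV as the only integrity check on the inner segment, which is why a default-off switch rather than unconditional code is the conservative choice.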