On 2. May 2012, at 18:50 , Zmiter wrote:

> 24.04.2012 23:10, Andreas Longwitz wrote:
>> There is one limitation I would like to get over. From man 8 setkey:
>> System that do not perform the port check cannot support multiple
>> endpoints behind the same NAT. I think this is a FreeBSD kernel restriction:
>> For the first incoming L2TP packet the IPSEC part of the kernel does not
>> save the source port in the corresponding SA (maybe a field like
>> natt_l2tp_port). So the kernel does for outgoing L2TP packets not know
>> the correct SA, if two or more SAs with the same IP exist.
>>
>> I would like to know if the patch mentioned in this thread addresses this
>> problem.
> Thank you very much for your attention.
> I've been testing those patches (actually, without your part) and YES it's a
> big problem with clients (Android, Windows Mobile) behind the same NAT. I
> cannot find the solution yet, but I'm very interested in it.
> So, my Androids are some sort of stupid bricks, they do not send NAT-OA
> payloads at phase 2, and ipsec-tools fills the SPD with IPs taken from IDs.
> But this is not the correct way. IDs contain LAN (which is behind the NAT)
> addresses, and FreeBSD cannot route packets to the IPSec crypto part.
> I've made some quick patching of IPSec tools to get my devices working, but I
> don't know if they accommodate to the RFCs and ISAKMP. The main idea is to
> take NAT-OAi and NAT-OAr addresses not from IDs when we are using NAT-T, but
> from real source and destination addresses of the server and client NATs.
>
> Here is my ipsec-tools patch (I've called it patch-zz-local-2.diff and placed
> it at /usr/ports/security/ipsec-tools/files with two other patches from
> kern/146190)
...
> It differs from that in kern/146190 in one simple thing. I have problems with
> the original patch from kern/146190. When there were no NAT-OAi or NAT-OAr
> values in the kernel space, checksums were calculated at 0, but they were not
> ignored despite the sysctl net.inet.esp.esp_ignore_natt_cksum value. The
> improvement allows ignoring every checksum in ESP packets when
> net.inet.esp.esp_ignore_natt_cksum=1.

Just replying to the last one -- you all need to make sure that this will work
with a double-NAT (both i and r sitting behind a NAT) and not just i behind a
NAT and r sitting there with a globally routable IP. The changes suddenly
become a lot more complex.

Just my 5cts.

/bz

-- 
Bjoern A. Zeeb
You have to have visions!
It does not matter how good you are. It matters what good you do!
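The setkey(8) limitation Andreas describes, modelled as an added Python example (not code from the thread, from ipsec-tools or from the FreeBSD kernel): an SA database in which the first inbound L2TP packet records its source port in the SA, so that outbound packets to two clients behind one NAT address can be matched to the right SA, next to the address-only lookup that always picks the first SA. Field names, SPIs and addresses are constructed, and the inner UDP port is passed in directly in place of decryption; only the UDP/4500 datagram classification follows RFC 3948.

```python
import struct

# Constructed model of an SA database (SAD) entry; the field names are
# assumptions for this example, not FreeBSD kernel structures.
class SA:
    def __init__(self, spi, peer_ip):
        self.spi, self.peer_ip = spi, peer_ip
        self.natt_l2tp_port = None   # learned from the first inbound L2TP packet

def classify_udp4500(payload):
    """Sort a UDP/4500 datagram per RFC 3948: NAT keepalive, IKE, or UDP-encapsulated ESP."""
    if payload == b"\xff":
        return "keepalive", None
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":   # non-ESP marker
        return "ike", None
    if len(payload) >= 8:                       # ESP header: SPI (4) + sequence number (4)
        return "esp", struct.unpack("!I", payload[:4])[0]
    raise ValueError("short UDP/4500 datagram")

def inbound(sad, payload, inner_udp_sport):
    """Match inbound ESP to its SA by SPI and record the inner L2TP source port.
    inner_udp_sport stands in for the port read after decryption (constructed)."""
    kind, spi = classify_udp4500(payload)
    if kind != "esp":
        return kind
    sa = sad[spi]
    sa.natt_l2tp_port = inner_udp_sport
    return sa

def select_outbound(sad, peer_ip, dst_port, port_check):
    """Pick the SA for an outbound L2TP packet to peer_ip:dst_port.
    port_check=False models the setkey(8) limitation: only the outer peer
    address is compared, so the first SA for a shared NAT address always wins."""
    for sa in sad.values():
        if sa.peer_ip != peer_ip:
            continue
        if not port_check or sa.natt_l2tp_port == dst_port:
            return sa
    return None

def demo():
    # Two clients behind one NAT (constructed SPIs/addresses), both seen as 203.0.113.5.
    sad = {0x1001: SA(0x1001, "203.0.113.5"), 0x1002: SA(0x1002, "203.0.113.5")}
    inbound(sad, struct.pack("!II", 0x1001, 1) + b"\x00" * 16, inner_udp_sport=40001)
    inbound(sad, struct.pack("!II", 0x1002, 1) + b"\x00" * 16, inner_udp_sport=40002)
    wrong = select_outbound(sad, "203.0.113.5", 40002, port_check=False).spi
    right = select_outbound(sad, "203.0.113.5", 40002, port_check=True).spi
    return wrong, right   # (0x1001, 0x1002): SA of the other client, then the correct one
```

Bjoern's double-NAT case is not covered here: with the responder also behind a NAT, the outer address on both sides is translated and the same ambiguity appears in the other direction.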