Hello, Freebsd-stable.

Does FreeBSD 8.0 support IPSec NAT-T in transport mode?
I want to create an L2TP/IPSec server. My VPN clients are NATed.
The L2TP server (MPD5.x) makes the tunnel, so I need working IPSec NAT-T in transport mode.
Thanks a lot.

--
Rabidinov
mailto:tuxper@mail.ru
Rabidinov M.A. wrote:
> Hello, Freebsd-stable.
>
> Does FreeBSD 8.0 support IPSec NAT-T in transport mode?
> I want to create an L2TP/IPSec server. My VPN clients are NATed.
> The L2TP server (MPD5.x) makes the tunnel, so I need working IPSec NAT-T in transport mode.
> Thanks a lot.

Yes, the NAT-T patch has been integrated into FreeBSD 8.0. Just rebuild your kernel with these options:

    device crypto      # IPsec depends on this
    options IPSEC
    options IPSEC_DEBUG
    options IPSEC_NAT_T
On Wed, Jan 20, 2010 at 03:16:02PM +0600, Rabidinov M.A. wrote:
> Hello, Freebsd-stable.

Hi.

> Does FreeBSD 8.0 support IPSec NAT-T in transport mode?
> I want to create an L2TP/IPSec server. My VPN clients are NATed.
> The L2TP server (MPD5.x) makes the tunnel, so I need working IPSec NAT-T in transport mode.
> Thanks a lot.

It may work..... or not.... The missing part is support for NAT-OA payloads, which are used to update checksums when receiving packets. For TCP, this is mandatory. For UDP (so for L2TP), checksums of 0 are allowed, and of course not checked, so the packet will go to its destination. But afaik, most L2TP implementations compute checksums, so they will be checked, and of course will be wrong....

Yvan.
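The checksum problem Yvan describes, as an added illustration that is not part of the thread: in transport mode the client computes the L2TP UDP checksum over a pseudo-header containing its private address, the NAT then rewrites the only IP header, and the encrypted UDP header cannot be fixed up in transit. The server can either skip a zero checksum or, with the original address carried in the NAT-OA payload (RFC 3948, section 3.1.2), recompute it. All addresses and the payload are constructed values.

```python
# Added example (not from the thread). Shows why NAT breaks the UDP checksum
# of L2TP carried over IPsec NAT-T in transport mode, and how NAT-OA lets
# the receiver re-verify it. Addresses/payload are constructed sample data.
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; odd-length input is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src: str, dst: str, sport: int, dport: int, payload: bytes) -> int:
    """UDP checksum over IPv4 pseudo-header + UDP header + payload."""
    length = 8 + len(payload)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, length)
    udp_hdr = struct.pack("!HHHH", sport, dport, length, 0)  # checksum field zeroed
    csum = ones_complement_sum(pseudo + udp_hdr + payload)
    return csum or 0xFFFF  # 0 on the wire means "no checksum", so send 0xFFFF instead


def verify(src: str, dst: str, sport: int, dport: int, payload: bytes, received: int) -> bool:
    """Receiver-side check: a zero checksum is legal for UDP and is not validated."""
    if received == 0:
        return True
    return udp_checksum(src, dst, sport, dport, payload) == received


CLIENT_PRIV = "192.168.1.10"  # constructed: client address behind the NAT
CLIENT_PUB = "198.51.100.7"   # constructed: source address after NAT rewriting
SERVER = "203.0.113.5"        # constructed: L2TP/IPsec server
L2TP_PORT = 1701
PAYLOAD = bytes.fromhex("c8020014000000000000000080080000000000010000")  # constructed L2TP-like bytes


def demo():
    # The client builds the datagram before ESP encapsulation, so the checksum
    # covers its private address. After decapsulation the server sees the
    # NATed outer source address instead.
    csum = udp_checksum(CLIENT_PRIV, SERVER, L2TP_PORT, L2TP_PORT, PAYLOAD)
    naive = verify(CLIENT_PUB, SERVER, L2TP_PORT, L2TP_PORT, PAYLOAD, csum)
    # With the original address from the NAT-OA payload the check succeeds.
    with_nat_oa = verify(CLIENT_PRIV, SERVER, L2TP_PORT, L2TP_PORT, PAYLOAD, csum)
    return naive, with_nat_oa


if __name__ == "__main__":
    print("checksum valid with NATed source: %s, with NAT-OA original: %s" % demo())
```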
I'm very interested in this problem -- I want to run an L2TP server myself. Is anyone actually working on this? I might be able to chip in a few bucks...

But I'm not seeing bad checksums. Here's my setup:

    L2tp server A <----------------> B Freebsd NAT box C <-----------internal network-----------> D my mac

Where should I be seeing the bad checksums? A, B, C, or D?

Looking only at B, I don't see any bad udp checksums, but I'm seeing a bunch of these (IP numbers changed to bracketed names):

    23:49:48.004107 IP (tos 0x0, ttl 64, id 52328, offset 0, flags [none], proto ICMP (1), length 56)
        [NAT Box] > [External Server] ICMP [NAT Box] udp port 58660 unreachable, length 36
        IP (tos 0x20, ttl 59, id 36320, offset 0, flags [none], proto UDP (17), length 143)
        [External Server].1701 > [NAT Box].58660: [|l2tp]
Hello.

Does FreeBSD 8.[0-4] support IPSec NAT-T in transport mode? Or is it still in a broken state?

I need to connect NATed VPN clients through L2TP/IPSec and I am seeing nothing in the mpd5 logs, but growing counters of bad checksums in udp packets. After some research I found an open kern/146190 with some sort of solution to the problem through disabling checksum validation, but it still does not work. Every incoming UDP-encapsulated ESP packet toggles two counters: udp no checksums (because of the 0 value in every incoming packet's udp checksum) and udp bad checksums (hmmm..., I thought that shouldn't happen with a magic patch).

So, can anyone tell me whether it is possible to connect my NATed VPN clients through L2TP/IPSec, or is it impossible nowadays?

Thanks a lot.

Zmiter
12.04.2012