[Openswan dev] [Commits] [OPENSWAN.git] Changes to ref refs/heads/skiphash
Michael Richardson
mcr at sandelman.ca
Thu Jan 13 15:54:30 EST 2011
Paul> mode for IPSec/L2TP connections and both sides are NATted, the
Paul> UDP checksum created by NAT-OA in KLIPS seems to be bad. The
Paul> packets on ipsec0 have bad checksums and, consequently, are
Paul> dropped by the kernel. If I deactivate the checksum rewriting,
So, either the ports passed in by the NAT-OA mechanism for the fixup are
wrong, and so the checksum fixup is wrong.
Paul> i.e. set the checksum to 0, everything works great. Thus, it
Paul> seems that the rewritten checksum is the problem and that the
Paul> packets themselves are ok. When only one side is NATted, the
Paul> problem does not occur - the checksums are correct. The
Paul> behaviour is the same for OpenSWAN 2.4.4.
Paul> Is this an error in KLIPS / NAT-OA? Is it safe to disable
Paul> the checksum?
For L2TP inside of ESP, the UDP checksum is basically useless.
The AUTH-hash in ESP is so much stronger for detecting corrupted packets.
The L2TP also has a layer of PPP with more checksums, so that's also
good.
In general it's a bad idea (gateway to gateway with transport
mode... due to NAPT...) --- but transport-mode UDP is mostly used for
L2TP... so not a big deal.
--
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
then sign the petition.
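An added example, not part of this thread or of Openswan/KLIPS, showing what the NAT-OA checksum fixup discussed above has to do: the sender computes the inner UDP checksum over its own view of the addresses, and the receiver must adjust it for every address that a NAT rewrote, so with both peers behind a NAT a fixup that accounts for only one side leaves a bad checksum, while a checksum of 0 is simply not verified. Addresses, ports and payload are constructed.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src_ip: bytes, dst_ip: bytes, udp: bytes) -> int:
    """RFC 768 checksum over IPv4 pseudo-header + datagram (checksum field as zero)."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp))
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]
    csum = ~ones_complement_sum(pseudo + zeroed) & 0xFFFF
    return csum or 0xFFFF  # a computed 0 is sent as 0xFFFF; 0 means "no checksum"

def udp_checksum_ok(src_ip: bytes, dst_ip: bytes, udp: bytes) -> bool:
    """True if the stored checksum verifies, or is 0 (checksum disabled)."""
    stored = struct.unpack("!H", udp[6:8])[0]
    return stored == 0 or udp_checksum(src_ip, dst_ip, udp) == stored

def incremental_fixup(csum: int, old_fields: bytes, new_fields: bytes) -> int:
    """RFC 1624 update HC' = ~(~HC + ~m + m') for the pseudo-header bytes that
    were rewritten; this is what a NAT-OA based fixup has to compute."""
    total = (~csum & 0xFFFF) + (~ones_complement_sum(old_fields) & 0xFFFF) \
        + ones_complement_sum(new_fields)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total & 0xFFFF) or 0xFFFF

def demo() -> dict:
    """Constructed scenario: initiator 10.0.0.2 behind a NAT (seen as
    198.51.100.1), responder 192.168.1.2 behind a NAT (seen as 203.0.113.1)."""
    init_priv, init_pub = bytes([10, 0, 0, 2]), bytes([198, 51, 100, 1])
    resp_priv, resp_pub = bytes([192, 168, 1, 2]), bytes([203, 0, 113, 1])
    payload = b"constructed L2TP payload"
    hdr = struct.pack("!HHHH", 1701, 1701, 8 + len(payload), 0)
    # The initiator checksums over its own view: private src, peer's public dst.
    csum = udp_checksum(init_priv, resp_pub, hdr + payload)
    dgram = hdr[:6] + struct.pack("!H", csum) + payload
    def ok_at_receiver(c):  # the receiver's IP header shows init_pub -> resp_priv
        return udp_checksum_ok(init_pub, resp_priv, dgram[:6] + struct.pack("!H", c) + dgram[8:])
    full = incremental_fixup(csum, init_priv + resp_pub, init_pub + resp_priv)
    src_only = incremental_fixup(csum, init_priv, init_pub)  # misses the dst change
    return {"as_received": ok_at_receiver(csum), "full_fixup": ok_at_receiver(full),
            "src_only_fixup": ok_at_receiver(src_only), "zeroed": ok_at_receiver(0),
            "fixup_matches_recompute": full == udp_checksum(init_pub, resp_priv, dgram)}
```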