[Openswan dev] [Commits] [OPENSWAN.git] Changes to ref refs/heads/skiphash

Michael Richardson mcr at sandelman.ca
Thu Jan 13 15:54:30 EST 2011


    Paul> mode for IPSec/L2TP connections and both sides are NATted, the
    Paul> UDP checksum created by NAT-OA in KLIPS seems to be bad. The
    Paul> packets on ipsec0 have bad checksums and, consequently, are
    Paul> dropped by the kernel. If I deactivate the checksum rewriting,

So, either the ports passed in by the NAT-OA mechanism for the fixup are
wrong, and so the checksum fixup is wrong.

    Paul> i.e. set the checksum to 0, everything works great. Thus, it
    Paul> seems that the rewritten checksum is the problem and that the
    Paul> packets themselves are ok. When only one side is NATted, the
    Paul> problem does not occur - the checksums are correct. The
    Paul> behaviour is the same for OpenSWAN 2.4.4.
    Paul>     Is this an error in KLIPS / NAT-OA? Is it safe to disable
    Paul> the checksum?

For L2TP inside of ESP, the UDP checksum is basically useless.
The AUTH-hash in ESP is so much stronger for detecting corrupted packets.
The L2TP also has a layer of PPP with more checksums, so that's also

In general it's a bad idea (gateway to gateway with transport
mode... due to NAPT...) --- but transport-mode UDP is mostly used for
L2TP... so not a big deal.
-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
	               then sign the petition. 
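To make the checksum discussion above concrete, here is an added example that is not part of this thread and not Openswan or KLIPS code. It computes the RFC 768 UDP checksum over the IPv4 pseudo-header, then applies the transport-mode NAT-OA fixup the way RFC 3948 describes it (replace the original addresses carried in NAT-OA with the addresses now in the IP header) using the RFC 1624 incremental update, and checks what a receiving stack would see in three situations: no fixup at all, a fixup that only knows one side's original address, and a zeroed (disabled) checksum. The addresses, ports, payload and all function names are constructed for this example.

```python
import struct
import ipaddress

UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum of data, folded to 16 bits (odd byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero, protocol, UDP length (RFC 768)."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, UDP_PROTO, udp_len))


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over pseudo-header + UDP header (checksum field zeroed) + payload."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = 0xFFFF - ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    return csum or 0xFFFF  # a computed 0 goes on the wire as 0xFFFF; 0 means "no checksum"


def build_udp(src_port: int, dst_port: int, payload: bytes, src_ip: str, dst_ip: str) -> bytes:
    seg = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    return seg[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, seg)) + seg[8:]


def verify_udp(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """True if the checksum verifies against these addresses, or is disabled (0), as an IPv4 stack treats it."""
    wire = struct.unpack("!H", segment[6:8])[0]
    if wire == 0:
        return True
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def ip_words(ip: str) -> list:
    return list(struct.unpack("!HH", ipaddress.IPv4Address(ip).packed))


def incremental_fixup(old_csum: int, old_words: list, new_words: list) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), replacing each old word m with m'."""
    total = (~old_csum) & 0xFFFF
    for m, m_new in zip(old_words, new_words):
        total += ((~m) & 0xFFFF) + m_new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ((~total) & 0xFFFF) or 0xFFFF


def nat_oa_fixup(segment: bytes, orig_src: str, orig_dst: str, seen_src: str, seen_dst: str) -> bytes:
    """Transport-mode NAT-OA fixup: swap the NAT-OA original addresses for the ones now in the IP header."""
    wire = struct.unpack("!H", segment[6:8])[0]
    if wire == 0:
        return segment  # checksum disabled, nothing to rewrite
    new = incremental_fixup(wire, ip_words(orig_src) + ip_words(orig_dst),
                            ip_words(seen_src) + ip_words(seen_dst))
    return segment[:6] + struct.pack("!H", new) + segment[8:]


def demo_double_nat() -> dict:
    # Constructed topology: initiator 10.0.0.5 behind NAT A (198.51.100.1),
    # responder 192.168.1.7 behind NAT B (203.0.113.9). L2TP uses UDP/1701.
    payload = b"\x00\x02L2TP-ctrl"  # constructed stand-in for an L2TP message
    sent = build_udp(1701, 1701, payload, "10.0.0.5", "203.0.113.9")
    seen_src, seen_dst = "198.51.100.1", "192.168.1.7"  # header after both NATs and ESP decapsulation
    results = {}
    results["raw_after_decap"] = verify_udp(seen_src, seen_dst, sent)
    both = nat_oa_fixup(sent, "10.0.0.5", "203.0.113.9", seen_src, seen_dst)
    results["fixup_both_oa"] = verify_udp(seen_src, seen_dst, both)
    # Fixup that only knows the remote side's original address (as if only one side were NATted)
    partial = nat_oa_fixup(sent, "10.0.0.5", seen_dst, seen_src, seen_dst)
    results["fixup_one_oa"] = verify_udp(seen_src, seen_dst, partial)
    # Single-NAT case: destination address really was unchanged, so the same one-sided fixup is right
    single = build_udp(1701, 1701, payload, "10.0.0.5", seen_dst)
    results["single_nat_fixup"] = verify_udp(seen_src, seen_dst,
                                             nat_oa_fixup(single, "10.0.0.5", seen_dst, seen_src, seen_dst))
    zeroed = sent[:6] + b"\x00\x00" + sent[8:]
    results["checksum_disabled"] = verify_udp(seen_src, seen_dst, zeroed)
    return results


if __name__ == "__main__":
    for name, ok in demo_double_nat().items():
        print(f"{name}: {'valid' if ok else 'BAD checksum'}")
```

The one-sided fixup verifies in the single-NAT case and fails in the double-NAT case, which is exactly the symptom pattern in the quoted report; a fixup built from the wrong original addresses produces a deterministic bad checksum rather than a random one. Zeroing the field makes the stack skip the check entirely, which is why that workaround "just works": the packet contents were never corrupted, and inside ESP the integrity check already covers them.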

