[Openswan dev] [Commits] [OPENSWAN.git] Changes to ref refs/heads/skiphash
mcr at sandelman.ca
Thu Jan 13 15:54:30 EST 2011
Paul> mode for IPSec/L2TP connections and both sides are NATted, the
Paul> UDP checksum created by NAT-OA in KLIPS seems to be bad. The
Paul> packets on ipsec0 have bad checksums and, consequently, are
Paul> dropped by the kernel. If I deactivate the checksum rewriting,
So, either the ports passed in by the NAT-OA mechanism for the fixup are
wrong, and so the checksum fixup is wrong.
Paul> i.e. set the checksum to 0, everything works great. Thus, it
Paul> seems that the rewritten checksum is the problem and that the
Paul> packets themselves are ok. When only one side is NATted, the
Paul> problem does not occur - the checksums are correct. The
Paul> behaviour is the same for OpenSWAN 2.4.4.
Paul> Is this an error in KLIPS / NAT-OA? Is it safe to disable
Paul> the checksum?
For L2TP inside of ESP, the UDP checksum is basically useless.
The AUTH-hash in ESP is so much stronger for detecting corrupted packets.
The L2TP also has a layer of PPP with more checksums, so that's also
In general it's a bad idea (gateway to gateway with transport
mode... due to NAPT...) --- but transport-mode UDP is mostly used for
L2TP... so not a big deal.
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
then sign the petition.
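The checksum fixup the thread is arguing about, as an added example (not Openswan/KLIPS code): the sender computes the UDP checksum over its own view of the addresses, the receiver's stack verifies it over the post-NAT addresses it sees, so the receiver replaces the original address words (the ones NAT-OA carries, per RFC 3948 section 3.1.2) with the ones now in the header using the RFC 1624 incremental update. Addresses, ports and payload are constructed; with both peers NATted, both the source and the destination words change, substituting only one of them leaves a bad checksum, and a zero checksum simply means "none".

```python
import struct

def ones_sum(data: bytes) -> int:
    """One's-complement sum of 16-bit words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src_ip: bytes, dst_ip: bytes, udp: bytes) -> int:
    """UDP/IPv4 checksum over pseudo-header + UDP header and payload (checksum field zeroed)."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp))
    csum = ~ones_sum(pseudo + udp[:6] + b"\x00\x00" + udp[8:]) & 0xFFFF
    return csum or 0xFFFF  # RFC 768: a computed zero is transmitted as 0xFFFF

def natoa_fixup(csum: int, old_addrs: bytes, new_addrs: bytes) -> int:
    """RFC 1624 incremental update HC' = ~(~HC + ~m + m'): swap the address words
    the sender used (known from NAT-OA) for the ones now in the header.
    A zero checksum means 'no checksum' for UDP/IPv4 and is left alone."""
    if csum == 0:
        return 0
    total = (~csum & 0xFFFF) + (~ones_sum(old_addrs) & 0xFFFF) + ones_sum(new_addrs)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total & 0xFFFF) or 0xFFFF

def ip(a: str) -> bytes:
    return bytes(int(o) for o in a.split("."))

# Constructed scenario: both peers behind NAT, L2TP on UDP 1701 inside transport-mode ESP.
INIT_PRIV, INIT_PUB = ip("10.0.0.5"), ip("198.51.100.1")    # initiator, initiator's NAT
RESP_PRIV, RESP_PUB = ip("192.168.1.10"), ip("203.0.113.9")  # responder, responder's NAT
UDP = struct.pack("!HHHH", 1701, 1701, 12, 0) + b"L2TP"      # header with zeroed checksum

def demo() -> dict:
    sent = udp_checksum(INIT_PRIV, RESP_PUB, UDP)   # sender's view: its own addr -> peer's public
    want = udp_checksum(INIT_PUB, RESP_PRIV, UDP)   # what the responder's stack will verify
    both = natoa_fixup(sent, INIT_PRIV + RESP_PUB, INIT_PUB + RESP_PRIV)  # fix src and dst
    src_only = natoa_fixup(sent, INIT_PRIV, INIT_PUB)  # fixing only the source word pair
    return {"sent": sent, "want": want, "both": both, "src_only": src_only}
```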