[Openswan dev] [Commits] [OPENSWAN.git] Changes to ref refs/heads/skiphash

Paul Wouters paul at xelerance.com
Thu Jan 13 16:40:00 EST 2011


On Thu, 13 Jan 2011, Michael Richardson wrote:

>     Paul> mode for IPSec/L2TP connections and both sides are NATted, the
>     Paul> UDP checksum created by NAT-OA in KLIPS seems to be bad. The
>     Paul> packets on ipsec0 have bad checksums and, consequently, are
>     Paul> dropped by the kernel. If I deactivate the checksum rewriting,
> 
> So, either the ports passed in by the NAT-OA mechanism for the fixup are
> wrong, and so the checksum fixup is wrong.

>     Paul>     Is this an error in KLIPS / NAT-OA? Is it safe to disable
>     Paul> the checksum?
> 
> For L2TP inside of ESP, the UDP checksum is basically useless.
> The AUTH-hash in ESP is so much stronger for detecting corrupted packets.
> The L2TP also has a layer of PPP with more checksums, so that's also
> good.

Thanks for the feedback!

Paul
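
The checksum fixup this thread is about, as an added example (not KLIPS code and not from either poster): a UDP checksum computed over the sender's addresses is incrementally corrected at the receiver using the original addresses carried in NAT-OA, and a wrong NAT-OA value or a skipped fixup leaves a checksum the stack rejects. All addresses, packet bytes and function names are constructed for illustration, and the fixup covers the pseudo-header addresses only.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Constructed sample addresses: both peers sit behind NAT. */
#define ORIG_SRC 0xC0A8010Au /* 192.168.1.10  initiator, private (NAT-OA value) */
#define ORIG_DST 0xCB007105u /* 203.0.113.5   responder's NAT, as the sender saw it */
#define SEEN_SRC 0xC6336407u /* 198.51.100.7  initiator's NAT, as received */
#define SEEN_DST 0x0A000014u /* 10.0.0.20     responder, private */

static uint32_t fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return s; }
/* One's-complement sum of the address words of the IPv4 pseudo-header. */
static uint32_t addr_sum(uint32_t src, uint32_t dst) {
    return fold((src >> 16) + (src & 0xffff) + (dst >> 16) + (dst & 0xffff));
}

/* Folded sum over pseudo-header (protocol 17 = UDP), UDP header and payload. */
static uint32_t udp_sum(uint32_t src, uint32_t dst, const uint8_t *udp, size_t len) {
    uint32_t s = addr_sum(src, dst) + 17 + (uint32_t)len;
    for (size_t i = 0; i + 1 < len; i += 2) s += ((uint32_t)udp[i] << 8) | udp[i + 1];
    if (len & 1) s += (uint32_t)udp[len - 1] << 8;
    return fold(s);
}

int udp_verify(uint32_t src, uint32_t dst, const uint8_t *udp, size_t len) {
    if (udp[6] == 0 && udp[7] == 0) return 1;  /* RFC 768: zero means no checksum sent */
    return udp_sum(src, dst, udp, len) == 0xffff;
}

/* RFC 1624 eqn. 3, HC' = ~(~HC + ~m + m'): m = original addresses, m' = seen ones. */
uint16_t natoa_fixup(uint16_t c, uint32_t osrc, uint32_t odst, uint32_t nsrc, uint32_t ndst) {
    if (c == 0) return 0;                       /* checksum disabled: nothing to fix */
    uint32_t s = fold((c ^ 0xffffu) + (addr_sum(osrc, odst) ^ 0xffffu) + addr_sum(nsrc, ndst));
    uint16_t r = (uint16_t)(s ^ 0xffffu);
    return r ? r : 0xffff;                      /* never emit 0, it would mean "none" */
}

/* Sender checksums with ORIG_*; receiver optionally fixes up with the NAT-OA source given. */
int receiver_accepts(uint32_t natoa_src, int do_fixup) {
    uint8_t udp[12] = { 0x06,0xA5, 0x06,0xA5, 0,12, 0,0, 0xC8,0x02,0x00,0x0C }; /* constructed */
    uint16_t c = (uint16_t)(udp_sum(ORIG_SRC, ORIG_DST, udp, 12) ^ 0xffffu);
    if (do_fixup) c = natoa_fixup(c, natoa_src, ORIG_DST, SEEN_SRC, SEEN_DST);
    udp[6] = (uint8_t)(c >> 8); udp[7] = (uint8_t)c;
    return udp_verify(SEEN_SRC, SEEN_DST, udp, 12);
}

int main(void) {
    printf("%d %d %d\n", receiver_accepts(ORIG_SRC, 1), receiver_accepts(ORIG_SRC, 0),
           receiver_accepts(ORIG_SRC + 1, 1));
    return 0;
}
```

The three printed values are: fixup with the correct NAT-OA source, no fixup at all, and fixup with a NAT-OA source that is off by one.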

