[Openswan dev] [Commits] [OPENSWAN.git] Changes to ref refs/heads/skiphash
Paul Wouters
paul at xelerance.com
Thu Jan 13 16:40:00 EST 2011
On Thu, 13 Jan 2011, Michael Richardson wrote:
> Paul> mode for IPSec/L2TP connections and both sides are NATted, the
> Paul> UDP checksum created by NAT-OA in KLIPS seems to be bad. The
> Paul> packets on ipsec0 have bad checksums and, consequently, are
> Paul> dropped by the kernel. If I deactivate the checksum rewriting,
>
> So, either the ports passed in by the NAT-OA mechanism for the fixup are
> wrong, and so the checksum fixup is wrong.
> Paul> Is this an error in KLIPS / NAT-OA? Is it safe to disable
> Paul> the checksum?
>
> For L2TP inside of ESP, the UDP checksum is basically useless.
> The AUTH-hash in ESP is so much stronger for detecting corrupted packets.
> The L2TP also has a layer of PPP with more checksums, so that's also
> good.
Thanks for the feedback!
Paul
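
The checksum fixup discussed in this thread, as an added example that is not part of the original messages and is not Openswan or KLIPS code: a receiver adjusts the UDP checksum from the addresses carried in NAT-OA to the addresses it actually sees (the incremental update of RFC 1624, as used for transport mode in RFC 3948), and the result only verifies when the NAT-OA values are right. All addresses, the payload and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* One's-complement accumulate n bytes as big-endian 16-bit words. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; p += 2, n -= 2) acc += ((uint32_t)p[0] << 8) | p[1];
    return n ? acc + ((uint32_t)p[0] << 8) : acc;
}
static uint16_t fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}
/* Sum over IPv4 pseudo-header (src, dst, proto 17, length) plus the datagram. */
static uint16_t udp_sum(const uint8_t *src, const uint8_t *dst,
                        const uint8_t *udp, size_t len) {
    uint32_t acc = sum16(dst, 4, sum16(src, 4, 0)) + 17 + (uint32_t)len;
    return fold(sum16(udp, len, acc));
}
/* RFC 1624 eqn. 3: HC' = ~(~HC + ~m + m') for one address old -> new. */
uint16_t csum_fixup(uint16_t csum, const uint8_t *old, const uint8_t *new_) {
    uint32_t acc = (uint16_t)~csum;
    for (int i = 0; i < 4; i += 2) {
        acc += (uint16_t)~((old[i] << 8) | old[i + 1]);
        acc += (uint16_t)((new_[i] << 8) | new_[i + 1]);
    }
    uint16_t c = (uint16_t)~fold(acc);
    return c ? c : 0xffff;            /* 0 means "no checksum" in UDP */
}
/* Returns 1 if the receiver's fixup, driven by the claimed NAT-OA values,
 * yields a datagram whose UDP checksum verifies; 0 otherwise. */
int natoa_fixup_verifies(const uint8_t *oa_i, const uint8_t *oa_r) {
    /* Constructed addresses: real endpoints behind NAT, and what the
     * receiver sees in the IP header after decapsulation. */
    const uint8_t real_src[4] = {10, 0, 0, 5},     real_dst[4] = {192, 0, 2, 10};
    const uint8_t seen_src[4] = {198, 51, 100, 7}, seen_dst[4] = {10, 9, 9, 2};
    uint8_t udp[12] = {0x06, 0xa5, 0x06, 0xa5, 0, 12, 0, 0, 'l', '2', 't', 'p'};
    /* Sender computes the checksum over its own view of the addresses. */
    uint16_t c = (uint16_t)~udp_sum(real_src, real_dst, udp, sizeof udp);
    if (!c) c = 0xffff;
    /* Receiver rewrites it from the NAT-OA payloads to the addresses it sees. */
    c = csum_fixup(c, oa_i, seen_src);
    c = csum_fixup(c, oa_r, seen_dst);
    udp[6] = c >> 8; udp[7] = c & 0xff;
    return udp_sum(seen_src, seen_dst, udp, sizeof udp) == 0xffff;
}
int main(void) {
    const uint8_t oa_i[4] = {10, 0, 0, 5}, oa_r[4] = {192, 0, 2, 10};
    return natoa_fixup_verifies(oa_i, oa_r) ? 0 : 1;
}
```

Passing a NAT-OA value that differs from the sender's real address makes the function return 0, which corresponds to the datagram being dropped for a bad checksum.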