[Openswan Users] UDP: Bad checksum
Lars Bakker
lars_bakker at gmx.de
Thu Sep 22 17:11:48 CEST 2005
>
>
>> No, I cannot confirm that those problems do not occur when the ipsec
>> server is directly connected to the Internet
>
>
> I.e. only client side NAT?
Yes, I haven't checked what happens when my virtual IPsec-server has a
direct connection to the Internet. The clients I've been trying to
connect from are all behind a NAT device (BSD-Firewall). I had been able
to establish a connection from those clients to my old openswan/l2tpd
server which wasn't NATed in the past.
>> but I used a similar configuration on the host system without NAT
>> device which worked trouble-free.
>
>
> I.e. no client side or server side NAT at all?
No, the client side was NATed but the server was not.
>> If it is a problem related to the mtu value, what do I have to change
>> to make it working?
>
>
> Check out the overridemtu= parameter.
I've tried several different overridemtu values without success
regarding my "UDP: Bad checksum" problem.
> Also be sure to check the settings of your NAT device(s) and try
> disabling the broken IPsec passthrough that is incompatible with NAT-T.
I'm using an AVM Fritz! WLAN Voip box which supports IPsec passthrough
and I've tried to find out how to disable this feature. I wrote an
e-mail to AVM and all I got in reply were three manuals which described
the procedure of how to enable IPsec passthrough and a note that I
should do exactly the opposite. The problem is that if you enable port
forwarding UDP 500, IPsec passthrough also gets enabled and there seems
to be no other way to get rid of it. :-(
I did write another e-mail where I asked if there might be another
option, but so far I haven't got an answer.
Does anyone know about the problems with that particular router?
___________
Lars Bakker
> Jacco