[Openswan Users] XL2TPD/Double NAT issue
vogt at spamcop.net
Mon Oct 15 07:52:56 EDT 2007
Frank Schmirler wrote:
> On Fri, 12 Oct 2007 20:56:54 +0900, Gerald Vogt wrote
>> 20:50:02.888409 IP (tos 0x0, ttl 62, id 3484, offset 0, flags
>> [none], proto: UDP (17), length: 88) 22.214.171.124.49166 >
>> 192.168.4.2.l2f: [bad udp cksum 563c!] l2tp:[TLS](0/0)Ns=0,Nr=0
>> *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(AS) *HOST_NAME()
>> *ASSND_TUN_ID(1) *RECV_WIN_SIZE(4)
>> The packet has a bad checksum. This only happens when the client is
>> behind the NAT router as well. When the client is not behind the NAT
>> router the checksums are O.K. Is this the problem why xl2tpd cannot
>> read the packet?
> That's exactly what happened here with openswan 2.4.7. We switched to 2.4.9
> which includes the DISABLE_UDP_CHECKSUM workaround. Now the checksum is set to
> 0 (i.e. no checksum) and it works. Check openswan/linux/net/ipsec/ipsec_rcv.c
> for the corresponding code bits. Maybe enable rcv debugging with klipsdebug to
> find out why it doesn't work for you.
Interesting. I thought I had the DISABLE_UDP_CHECKSUM set. It was set in
the main openswan Makefile.inc file. But with klipsdebug on I could see
that the debug message which would be written if DISABLE_UDP_CHECKSUM
was enabled is actually not there.
Digging into the Makefiles I have learned in the current 2.4.9 sources
that Makefile.inc is not used to compile the module. The Makefile comes
basically out of packaging/makefiles/module26.make. O.K. I have added
the -DDISABLE_UDP_CHECKSUM in module26.make. clean again and recompiled
the module only to run into a syntax error at line 929 which reads:
"NAT-T & TRANSPORT: "
"UDP checksum using NAT-OA disabled at compile time\n");
O.K. There is obviously a ; missing at the end of the first line. This
syntax error is still there in the latest source in CVS in revision
Now I start to wonder do you all really use this DISABLE_UDP_CHECKSUM
and fixed the syntax error or do you think it is in there but in fact?
Do you really see this message "UDP checksum using NAT-OA disabled at
compile time" in the klipsdebug output?
I suppose I should submit a bug report for this syntax error...
I am recompiling right now and will test if it makes any difference...
More information about the Users