[Openswan Users] XL2TPD/Double NAT issue
Gerald Vogt
vogt at spamcop.net
Mon Oct 15 07:52:56 EDT 2007
Frank Schmirler wrote:
> On Fri, 12 Oct 2007 20:56:54 +0900, Gerald Vogt wrote
>> 20:50:02.888409 IP (tos 0x0, ttl 62, id 3484, offset 0, flags
>> [none], proto: UDP (17), length: 88) 1.0.0.2.49166 >
>> 192.168.4.2.l2f: [bad udp cksum 563c!] l2tp:[TLS](0/0)Ns=0,Nr=0
>> *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(AS) *HOST_NAME()
>> *ASSND_TUN_ID(1) *RECV_WIN_SIZE(4)
>>
>> The packet has a bad checksum. This only happens when the client is
>> behind the NAT router as well. When the client is not behind the NAT
>> router the checksums are O.K. Is this the problem why xl2tpd cannot
>> read the packet?
>
> That's exactly what happened here with openswan 2.4.7. We switched to 2.4.9
> which includes the DISABLE_UDP_CHECKSUM workaround. Now the checksum is set to
> 0 (i.e. no checksum) and it works. Check openswan/linux/net/ipsec/ipsec_rcv.c
> for the corresponding code bits. Maybe enable rcv debugging with klipsdebug to
> find out why it doesn't work for you.
Interesting. I thought I had the DISABLE_UDP_CHECKSUM set. It was set in
the main openswan Makefile.inc file. But with klipsdebug on I could see
that the debug message which would be written if DISABLE_UDP_CHECKSUM
was enabled is actually not there.
Digging into the Makefiles I have learned in the current 2.4.9 sources
that Makefile.inc is not used to compile the module. The Makefile comes
basically out of packaging/makefiles/module26.make. O.K. I have added
the -DDISABLE_UDP_CHECKSUM in module26.make, did a clean again and recompiled
the module, only to run into a syntax error at line 929 which reads:
udp->check=0
KLIPS_PRINT(debug_rcv,
"klips_debug:ipsec_rcv: "
"NAT-T & TRANSPORT: "
"UDP checksum using NAT-OA disabled at compile time\n");
O.K. There is obviously a ; missing at the end of the first line. This
syntax error is still there in the latest source in CVS in revision
1.171.2.12.
http://anoncvs.openswan.org/cgi-bin/viewcvs.cgi/openswan-2/linux/net/ipsec/ipsec_rcv.c?rev=1.171.2.12&view=markup
Now I start to wonder: do you all really use this DISABLE_UDP_CHECKSUM
and have fixed the syntax error, or do you think it is in there but in fact it is not?
Do you really see this message "UDP checksum using NAT-OA disabled at
compile time" in the klipsdebug output?
I suppose I should submit a bug report for this syntax error...
I am recompiling right now and will test if it makes any difference...
Gerald
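The "bad udp cksum" in the tcpdump above comes from the UDP checksum covering an IP pseudo-header: the client computed it over its own (pre-NAT) source address, while the receiver after decapsulation sees the translated address, so the sum no longer matches. The DISABLE_UDP_CHECKSUM path sidesteps that by writing 0 into the field, which RFC 768 defines as "no checksum" for IPv4. The following Python is an added illustration of that mechanism, not code from the thread or from openswan; the private client address, ports and payload bytes are constructed, and the 1.0.0.2 / 192.168.4.2 pair is taken from the tcpdump line quoted above.

```python
"""Added example (not part of the openswan thread): RFC 768 UDP checksum
over the IPv4 pseudo-header, showing why NAT breaks it and how a zero
checksum is treated as 'none' rather than 'bad'."""
import ipaddress
import struct

# Constructed sample values; the public/server pair mirrors the thread's tcpdump.
CLIENT_PRIVATE = "192.168.1.10"   # assumed address of the client behind its NAT
CLIENT_PUBLIC = "1.0.0.2"         # what the server sees after translation
SERVER = "192.168.4.2"
SRC_PORT, L2TP_PORT = 49166, 1701
PAYLOAD = b"\xc8\x02\x00\x14" + b"\x00" * 16   # stand-in for an L2TP control message


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                       # odd length is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero, protocol 17, UDP length."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, 17, udp_len))


def udp_checksum(src_ip: str, dst_ip: str, segment_zeroed: bytes) -> int:
    """Checksum of pseudo-header + UDP header + payload; the checksum field
    in segment_zeroed must be 0. A computed 0 is sent as 0xFFFF because
    0 on the wire means 'no checksum'."""
    csum = 0xFFFF - ones_complement_sum(
        pseudo_header(src_ip, dst_ip, len(segment_zeroed)) + segment_zeroed)
    return csum or 0xFFFF


def build_udp(src_port: int, dst_port: int, payload: bytes,
              src_ip: str, dst_ip: str) -> bytes:
    """UDP header + payload with a checksum computed over the given addresses."""
    length = 8 + len(payload)
    zeroed = struct.pack("!HHHH", src_port, dst_port, length, 0) + payload
    csum = udp_checksum(src_ip, dst_ip, zeroed)
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload


def zero_checksum(segment: bytes) -> bytes:
    """What the DISABLE_UDP_CHECKSUM workaround does: clear the field."""
    return segment[:6] + b"\x00\x00" + segment[8:]


def verify_udp(src_ip: str, dst_ip: str, segment: bytes) -> str:
    """'ok' if the checksum validates, 'bad' if not, 'none' if it is zero."""
    if struct.unpack("!H", segment[6:8])[0] == 0:
        return "none"
    # With the sender's checksum in place, the full sum must fold to 0xFFFF.
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return "ok" if total == 0xFFFF else "bad"


def demo() -> dict:
    """Run the three cases from the thread against one constructed packet."""
    seg = build_udp(SRC_PORT, L2TP_PORT, PAYLOAD, CLIENT_PRIVATE, SERVER)
    return {
        # Receiver checks against the address the client actually used (NAT-OA).
        "with_original_address": verify_udp(CLIENT_PRIVATE, SERVER, seg),
        # Receiver checks against the translated address: the 'bad udp cksum' case.
        "after_nat": verify_udp(CLIENT_PUBLIC, SERVER, seg),
        # Field cleared: the receiver must skip verification instead of rejecting.
        "zeroed": verify_udp(CLIENT_PUBLIC, SERVER, zero_checksum(seg)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} {result}")
```

Note that zeroing only helps if the receiving stack honours the IPv4 "no checksum" convention; a verifier that treats 0 as a literal value would still report a mismatch, which is the difference between the `none` and `bad` branches above.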