NetBSD-Bugs archive


Re: bin/47894: racoon w/NAT-T - pfkey update: wrong ports



> I found a problem about checksum update of transport mode NAT-T IPsec.
> 
> A NAT box can rewrite an address in the IP header, but it cannot rewrite the
> checksum field in the TCP/UDP header. The header is protected by ESP.
> So the IPsec stack must update the checksum instead of the NAT box,
> but there is no implementation of it.
> 
> The IKE protocol has NAT-OA (Original Address) payloads to do this. We must
> handle the payload and update the checksum. There is some difficulty
> around it. There are two NAT-OA payloads, for the initiator side and the responder
> side. But our kernel doesn't know its side of the negotiation. racoon knows it,
> but there is no API to send the side information to the kernel.

Thank you for the patch, I will try it soon.

For your information: for testing only, all three hosts are now
running NetBSD (the server, the NAT box, and the client, too), but in
my real-life scenario, only the server runs NetBSD. (I don't know
anything about the client side; my users may use Windows, Linux, etc.
as clients, and SOHO wireless routers as NAT.)

I'm using Linux (with racoon installed from Debian GNU/Linux package)
as IPSec/L2TP server for years with great success, all of my Windows,
Linux, etc. users are satisfied.

Now, I want to move the IPsec/L2TP service from my Linux server to my
NetBSD server with the same racoon.conf and settings.

You say:
  "kernel doesn't know its side of negotiation. racoon knows it, but
  there is no API to send the side information to kernel."

Probably you should look into the Linuxized racoon code (and the Linux
IPSec code, if required) how it is handled there.

Thank you again!
-- 
Egerváry Gergely
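As an added illustration of the checksum fix-up the quoted report describes (example code, not the patch from this thread and not NetBSD's or racoon's own implementation): the receiving IPsec stack takes the peer's original address from NAT-OA and moves the UDP checksum to the post-NAT address with the RFC 1624 incremental update, rather than recomputing over the whole datagram. The addresses and the L2TP-like datagram are constructed sample values.

```c
#include <stdint.h>
#include <stddef.h>

/* One's-complement accumulate of big-endian 16-bit words; an odd trailing byte is zero-padded. */
static uint32_t oc_add(uint32_t acc, const uint8_t *p, size_t n)
{
    for (; n > 1; p += 2, n -= 2) acc += ((uint32_t)p[0] << 8) | p[1];
    if (n) acc += (uint32_t)p[0] << 8;
    return acc;
}
static uint16_t oc_fold(uint32_t acc)
{
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}
/* Full UDP checksum over the IPv4 pseudo-header (src, dst, proto 17, length) and the
 * datagram (its own checksum field zeroed). 0 is sent as 0xffff: a zero UDP checksum means "none". */
uint16_t udp_cksum(const uint8_t src[4], const uint8_t dst[4], const uint8_t *udp, size_t len)
{
    uint32_t acc = oc_add(oc_add(0, src, 4), dst, 4) + 17 + (uint32_t)len;
    uint16_t c = (uint16_t)~oc_fold(oc_add(acc, udp, len));
    return c ? c : 0xffff;
}
/* Incremental fixup (RFC 1624, HC' = ~(~HC + ~m + m')): the sender computed the checksum with
 * old_addr in the pseudo-header (the address carried in NAT-OA); the NAT rewrote the IP header
 * to new_addr, so the receiver moves the checksum along with it, one 16-bit word at a time. */
uint16_t udp_cksum_fixup_addr(uint16_t hc, const uint8_t old_addr[4], const uint8_t new_addr[4])
{
    if (hc == 0) return 0;                     /* UDP with no checksum: nothing to fix */
    uint32_t acc = (uint16_t)~hc;
    for (int i = 0; i < 4; i += 2) {
        acc += (uint16_t)~(uint16_t)((old_addr[i] << 8) | old_addr[i + 1]);
        acc += (uint16_t)((new_addr[i] << 8) | new_addr[i + 1]);
    }
    uint16_t c = (uint16_t)~oc_fold(acc);
    return c ? c : 0xffff;
}
/* Constructed sample: a 12-byte L2TP control message on UDP 1701, sent from a private address
 * and NATed to a public one. Returns 1 if the fixed-up checksum equals a full recomputation. */
int demo_nat_fixup(void)
{
    const uint8_t inner[4] = {192, 168, 1, 10}, outer[4] = {203, 0, 113, 5}, srv[4] = {198, 51, 100, 7};
    const uint8_t msg[12] = {0x06, 0xa5, 0x06, 0xa5, 0x00, 0x0c, 0, 0, 0xc8, 0x02, 0x00, 0x0c};
    uint16_t hc = udp_cksum(inner, srv, msg, sizeof msg);          /* what the client computed */
    return udp_cksum_fixup_addr(hc, inner, outer) == udp_cksum(outer, srv, msg, sizeof msg);
}
```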
