NetBSD-Users archive


Re: IKEv2/IPsec VPN



On Fri, Sep 22, 2017 at 02:21:53PM -0400, Chuck Zmudzinski wrote:
> 
> I didn't share my patches because I was not sure NetBSD wanted to 
> implement RFC 3948 because it had been said a long time ago in another 
> place that it might be encumbered by a patent. I will post my patch for 
> netbsd-7 kernels on a tech-net shortly and we can discuss further over 
> there. The patch uses the NAT original address information from the peer 
> that IKE nat-t extensions provide, as described in RFC 3948.
> 

I am a bit surprised that this didn't just work for you.  I did a
consult about 10 years ago where both the server and clients were behind
NAT and, at the time, everything worked.  I guess nobody noticed the
lossage before now.

One thing that did bite me when I was setting my project up was making
sure the UDP packets did not fragment.  Some commodity grade routers
don't handle UDP fragmentation well at all.  The symptoms I had were the
connection would come up and the client could ping the remote net fine
but trying to start a remote display or something more serious would
stall - the ping packets were small enough to get through but the larger
packets would get lost.  I ended up writing a small bit of vbscript that
tweaked the MTU down on the VPN interface on the client so it was low
enough that, after encapsulation, the final UDP packet payload did not
need to be fragmented.

-- 
Brett Lymn
Let go, or be dragged - Zen proverb.

