
Re: kernel/4071: Problem with IPsec with NAT (udpencap)



The following reply was made to PR kernel/4071; it has been noted by GNATS.

From: Markus Friedl <markus_(_at_)_openbsd_(_dot_)_org>
To: witek2c_(_at_)_poczta_(_dot_)_onet_(_dot_)_pl
Cc: gnats_(_at_)_openbsd_(_dot_)_org
Subject: Re: kernel/4071: Problem with IPsec with NAT (udpencap)
Date: Mon, 24 Jan 2005 11:09:29 +0100

 I think you need this fix. It seems that PMTU is not working.
 
 http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ipsec_output.c.diff?r1=1.31&r2=1.32
 
 
 On Sat, Jan 22, 2005 at 09:10:29PM +0100, root_(_at_)_dsl_(_dot_)_pl wrote:
 > >Number:         4071
 > >Category:       kernel
 > >Synopsis:       Problem with IPsec using udpencap
 > >Confidential:   yes
 > >Severity:       non-critical
 > >Priority:       medium
 > >Responsible:    bugs
 > >State:          open
 > >Quarter:        
 > >Keywords:       
 > >Date-Required:
 > >Class:          sw-bug
 > >Submitter-Id:   net
 > >Arrival-Date:   Sat Jan 22 21:00:02 GMT 2005
 > >Closed-Date:
 > >Last-Modified:
 > >Originator:     Charlie Root
 > >Release:        OpenBSD 3.6 with patches 001 to 010
 > >Organization:
 > net
 > >Environment:
 > 	
 > 	System      : OpenBSD 3.6
 > 	Architecture: OpenBSD.i386
 > 	Machine     : i386
 > >Description:
 > 	I have connected two machines with OpenBSD 3.6 with patches 001 to 010. One with a public IP address and the second with a private IP address behind NAT. Both are exchanging data using UDP 4500 <-> 4500. When I send a PING via VPN it works fine. But when I try to connect to an HTTPS server via VPN it doesn't work properly. I can see some data transfer using tcpdump on the external and internal interface. There is a UDP packet and a corresponding TCP packet. But I think some TCP packets are dropped. I can see some single TCP packets coming into the interface, but there is no corresponding IPsec UDP packet going out.
 > 	This is an example of a TCP packet without a corresponding UDP packet.
 > 	20:39:16.178304 172.20.0.201.443 > 192.168.127.36.1578: . 64:1524(1460) ack 79 win 17442 (DF)
 > >How-To-Repeat:
 > 	Establish connection via IPsec with NAT using udpencap.
 > >Fix:
 > 	I have no idea.
 > 
 > 
 > >Release-Note:
 > >Audit-Trail:
 > >Unformatted:
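The symptom in the PR (a full-size TCP segment with DF set arrives on the inner interface, but no UDP-encapsulated ESP packet leaves) is what a broken path-MTU path looks like: after ESP and the NAT-T UDP header are added, the 1500-byte inner packet no longer fits the link MTU, DF forbids fragmentation, and the kernel must either send an ICMP "fragmentation needed" back to the TCP sender or silently drop the packet. Small pings fit and keep working. The following script, added here as an example and not code from the PR, from Markus Friedl or from the referenced ipsec_output.c diff, parses the quoted tcpdump line, computes the encapsulated size for assumed ESP parameters (tunnel mode, 3DES-CBC or AES-CBC, HMAC-SHA1-96, no IP or TCP options, 1500-byte link MTU) and reports what a correctly working PMTU path should do with the packet, including the inner MTU the ICMP message should advertise. The parameter sets and header sizes are assumptions, not values taken from the page.

```python
import re
from dataclasses import dataclass

# Constructed sample: the tcpdump line quoted in the PR, reproduced verbatim.
TCPDUMP_LINE = ("20:39:16.178304 172.20.0.201.443 > 192.168.127.36.1578: "
                ". 64:1524(1460) ack 79 win 17442 (DF)")

IP_HDR = 20       # IPv4 header without options (assumed)
TCP_HDR = 20      # TCP header without options (assumed; the dump shows none)
UDP_HDR = 8       # UDP header added by NAT-T (udpencap) on port 4500
ESP_HDR = 8       # ESP SPI + sequence number
ESP_TRAILER = 2   # ESP pad-length + next-header bytes


@dataclass(frozen=True)
class EspParams:
    iv_len: int    # cipher IV length in bytes
    block: int     # cipher block size; ESP pads plaintext to a multiple of it
    icv_len: int   # integrity check value length


# Assumed transform sets, not values from the PR.
THREE_DES_SHA1 = EspParams(iv_len=8, block=8, icv_len=12)    # 3DES-CBC + HMAC-SHA1-96
AES_CBC_SHA1 = EspParams(iv_len=16, block=16, icv_len=12)    # AES-CBC + HMAC-SHA1-96


def parse_tcpdump(line):
    """Return (inner IPv4 packet length, DF flag) from a classic tcpdump TCP line."""
    m = re.search(r"\((\d+)\)", line)        # "(1460)" is the TCP payload length
    if not m:
        raise ValueError("no TCP payload length found in line")
    payload = int(m.group(1))
    return IP_HDR + TCP_HDR + payload, "(DF)" in line


def esp_udp_size(inner_len, p):
    """Outer packet length after ESP tunnel mode plus UDP encapsulation."""
    plain = inner_len + ESP_TRAILER
    padded = -(-plain // p.block) * p.block   # round up to the cipher block size
    return IP_HDR + UDP_HDR + ESP_HDR + p.iv_len + padded + p.icv_len


def max_inner_mtu(link_mtu, p):
    """Largest inner packet that still fits link_mtu after encapsulation.

    This is the value a correct PMTU implementation advertises in the ICMP
    'fragmentation needed' message so the TCP sender shrinks its MSS.
    """
    fixed = IP_HDR + UDP_HDR + ESP_HDR + p.iv_len + p.icv_len
    avail = (link_mtu - fixed) // p.block * p.block   # padded length is block-aligned
    return avail - ESP_TRAILER


def classify(line, link_mtu, p):
    """Decide what the IPsec output path must do with the packet in `line`.

    Returns (action, outer_len, advertised_mtu):
      'forward'       - encapsulated packet fits the link MTU
      'fragment'      - too big, but DF is clear, so the outer packet may be fragmented
      'icmp-needfrag' - too big and DF set: send ICMP need-frag with advertised_mtu;
                        dropping it silently is the failure the PR describes
    """
    inner, df = parse_tcpdump(line)
    outer = esp_udp_size(inner, p)
    if outer <= link_mtu:
        return "forward", outer, None
    if df:
        return "icmp-needfrag", outer, max_inner_mtu(link_mtu, p)
    return "fragment", outer, None


if __name__ == "__main__":
    for name, params in (("3DES-CBC/SHA1", THREE_DES_SHA1), ("AES-CBC/SHA1", AES_CBC_SHA1)):
        action, outer, mtu = classify(TCPDUMP_LINE, 1500, params)
        print(f"{name}: outer={outer} bytes action={action} advertise_mtu={mtu}")
    # A 64-byte ping (84-byte IP packet) fits comfortably, matching the PR's observation.
    print("ping outer size:", esp_udp_size(84, THREE_DES_SHA1))
```

When verifying a fix like the referenced diff, the practical check is to watch the inner interface with tcpdump for an ICMP "unreachable - need to frag" message carrying a next-hop MTU near the value `max_inner_mtu` computes, and to confirm the TCP sender's subsequent segments shrink accordingly; if full-size DF segments keep arriving with no ICMP and no outgoing UDP 4500 packet, PMTU is still not being signalled.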