From: VANHULLEBUS Y. <va...@fr...> - 2005-08-12 16:55:31
On Fri, Aug 12, 2005 at 08:17:55AM -0400, Uri wrote:
> Debugging IPsec over double NAT, I'm observing a strange situation.
>
> 1. ISAKMP and IPsec SA's get established (between two hosts, Transport
> mode, protocol ANY).
> 2. ICMP and UDP traffic flows OK, both directions.
> 3. TCP connection cannot proceed beyond the first SYN.

RFC 3947, sect 5.2:

5.2. Sending the Original Source and Destination Addresses

   To perform incremental TCP checksum updates, both peers may need to
   know the original IP addresses used by their peers when those peers
   constructed the packet (see [RFC3715], section 2.1, case b).

[......]

And AFAIK, there is still no complete NAT-OA support in ipsec-tools, and
I don't know if there is such support (i.e. TCP checksum updates) in the
Linux kernel (and AFAIK, there is no such support in NetBSD or FreeBSD).

But your tests seem to show that Windows doesn't care about TCP checksums
(or perhaps your Windows IPsec client has such support, but I think it
doesn't have a good NAT-OA payload to do such a fix)!!!

Yvan.
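The checksum problem Yvan points at, shown in code. This is an added example and not code from ipsec-tools, the Linux/BSD kernels or either poster: in transport mode the TCP checksum covers a pseudo-header built from the addresses the sender used, so after a NAT (twice, here) the receiver's stack rejects the segment unless it knows the original addresses from the peer's NAT-OA payloads (RFC 3947 section 4.2 layout) and applies the RFC 1624 incremental update that RFC 3947 section 5.2 refers to. The addresses, ports and the NAT-OA payload bytes are constructed for the example; it is IPv4 only and assumes the caller already knows which NAT-OA payload carries the peer's source and which its destination.

```python
"""Incremental TCP checksum fix-up for IPsec transport mode behind NAT.

Added example (not ipsec-tools code): RFC 3947 s4.2 NAT-OA parsing plus the
RFC 1624 update HC' = ~(~HC + ~m + m') over the pseudo-header address words.
"""
import ipaddress
import struct

ID_IPV4_ADDR = 1   # ISAKMP identification types carried in NAT-OA
ID_IPV6_ADDR = 5


def _fold(total: int) -> int:
    """Fold a wide sum down to a 16-bit one's-complement sum."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _words(data: bytes):
    """Big-endian 16-bit words of data, zero-padding an odd tail."""
    if len(data) % 2:
        data += b"\x00"
    return [(data[i] << 8) | data[i + 1] for i in range(0, len(data), 2)]


def inet_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071); 0 means a received segment verifies."""
    return (~_fold(sum(_words(data)))) & 0xFFFF


def ipv4_pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 TCP pseudo-header: src, dst, zero, protocol 6, TCP length."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BBH", 0, 6, tcp_len))


def build_tcp_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP SYN whose checksum is valid for (src, dst)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0x12345678, 0,
                      5 << 4, 0x02, 65535, 0, 0)   # data offset 5, SYN
    csum = inet_checksum(ipv4_pseudo_header(src, dst, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """What a receiving stack does: verify against the addresses it sees."""
    return inet_checksum(ipv4_pseudo_header(src, dst, len(segment)) + segment) == 0


def parse_nat_oa(payload: bytes) -> str:
    """Address from a full NAT-OA payload (generic header + ID type + address)."""
    _next, _rsv, length, id_type = struct.unpack("!BBHB", payload[:5])
    if length != len(payload):
        raise ValueError("NAT-OA length field does not match payload")
    addr = payload[8:length]   # 4 reserved/type bytes follow the 4-byte header
    if id_type == ID_IPV4_ADDR and len(addr) == 4:
        return str(ipaddress.IPv4Address(addr))
    if id_type == ID_IPV6_ADDR and len(addr) == 16:
        return str(ipaddress.IPv6Address(addr))
    raise ValueError("unsupported NAT-OA ID type %d" % id_type)


def fixup_tcp_checksum(segment: bytes, old_src: str, old_dst: str,
                       new_src: str, new_dst: str) -> bytes:
    """RFC 1624 eq. 3 applied to every pseudo-header address word that changed:
    old words come from the peer's NAT-OA, new ones from the packet as received."""
    old = _words(ipaddress.ip_address(old_src).packed + ipaddress.ip_address(old_dst).packed)
    new = _words(ipaddress.ip_address(new_src).packed + ipaddress.ip_address(new_dst).packed)
    hc = struct.unpack("!H", segment[16:18])[0]
    total = (~hc) & 0xFFFF
    for m, m_new in zip(old, new):
        total += ((~m) & 0xFFFF) + m_new
    hc_new = (~_fold(total)) & 0xFFFF
    return segment[:16] + struct.pack("!H", hc_new) + segment[18:]


def demo():
    """Constructed double-NAT scenario; returns (sender ok, after NAT ok, after fix-up ok)."""
    init_private, init_public = "192.168.1.10", "198.51.100.4"   # initiator behind NAT-A
    resp_private, resp_public = "10.0.0.5", "203.0.113.7"        # responder behind NAT-B
    syn = build_tcp_syn(init_private, resp_public, 40000, 22)    # initiator's view
    ok_at_sender = tcp_checksum_ok(init_private, resp_public, syn)
    ok_after_nat = tcp_checksum_ok(init_public, resp_private, syn)   # responder's view
    # NAT-OA payloads the initiator sent in Quick Mode (constructed bytes).
    nat_oa_src = struct.pack("!BBHBBH", 0, 0, 12, ID_IPV4_ADDR, 0, 0) + ipaddress.IPv4Address(init_private).packed
    nat_oa_dst = struct.pack("!BBHBBH", 0, 0, 12, ID_IPV4_ADDR, 0, 0) + ipaddress.IPv4Address(resp_public).packed
    fixed = fixup_tcp_checksum(syn, parse_nat_oa(nat_oa_src), parse_nat_oa(nat_oa_dst),
                               init_public, resp_private)
    return ok_at_sender, ok_after_nat, tcp_checksum_ok(init_public, resp_private, fixed)


if __name__ == "__main__":
    print(demo())
```

The middle value of `demo()` is the failure mode in Uri's report: the SYN arrives intact through the tunnel but its checksum is wrong for the post-NAT addresses, so a stack that does not apply the fix-up drops it silently. ICMP and UDP are unaffected here only because the ICMP checksum has no pseudo-header and UDP may carry a zero (disabled) checksum.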