Created attachment 180038: patch

This patch adds NATT_EXTRA_PATCHES=natt.diff and enables only UDP encapsulation defined in RFC3948. The natt.diff patch contains the following changes:

* added support for SADB_X_EXT_NAT_T_OAI and SADB_X_EXT_NAT_T_OAR PF_KEY messages;
* used NAT address instead of original for SAs created by racoon;
* NAT-T keep-alives are now sent only by the NATed host.

Several people reported that they are now able to use NAT-T in transport mode with IPsec from projects/ipsec. However, I have not tested how it affects the IPsec implementation from stable/9, 10 and 11. From a quick look it should not affect anything that worked earlier.
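To make the RFC 3948 framing and the keep-alive direction this patch changes concrete, here is an added Python example (not code from ipsec-tools, the natt.diff patch or this PR) that classifies UDP/4500 payloads as NAT keep-alive, IKE or UDP-encapsulated ESP and reports keep-alives sent by a host that is not behind the NAT; the addresses and packets are constructed for the example.

```python
"""Classify UDP/4500 payloads by RFC 3948 framing and audit keep-alive direction.
Added example for this PR; it is not code from ipsec-tools or the natt.diff patch."""
import struct

NAT_KEEPALIVE = b"\xff"                # RFC 3948 s2.3: one octet, 0xFF
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s2.2: zero SPI slot marks IKE
IKE_HDR_LEN = 28                       # fixed ISAKMP/IKE header size


def classify_natt_payload(payload: bytes) -> dict:
    """Return what one UDP payload carries: keepalive, ike, esp or invalid."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if len(payload) < 8:
        return {"kind": "invalid", "reason": "shorter than an ESP header"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HDR_LEN:
            return {"kind": "invalid", "reason": "truncated IKE header"}
        ispi, rspi, _np, _ver, exch, _flags, msgid, length = struct.unpack(
            "!QQBBBBII", ike[:IKE_HDR_LEN])
        return {"kind": "ike", "ispi": ispi, "rspi": rspi,
                "exchange_type": exch, "msgid": msgid, "length": length}
    spi, seq = struct.unpack("!II", payload[:8])
    if spi < 256:  # RFC 4303 s2.1: SPIs 1..255 are IANA-reserved; 0 is the marker
        return {"kind": "invalid", "reason": "reserved SPI %d" % spi}
    return {"kind": "esp", "spi": spi, "seq": seq}


def audit_keepalives(packets, nated_hosts):
    """packets: iterable of (src, dst, payload). With the patch applied, racoon
    sends NAT-T keep-alives only from the NATed side, so a keep-alive from any
    other source is worth a look. Returns the offending (src, dst) pairs."""
    return [(src, dst) for src, dst, payload in packets
            if classify_natt_payload(payload)["kind"] == "keepalive"
            and src not in nated_hosts]


# Constructed sample traffic: 10.0.0.5 sits behind the NAT, 198.51.100.1 does not.
SAMPLE_ESP = struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    "!QQBBBBII", 0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, IKE_HDR_LEN)
SAMPLE_PACKETS = [
    ("10.0.0.5", "198.51.100.1", SAMPLE_ESP),
    ("10.0.0.5", "198.51.100.1", NAT_KEEPALIVE),      # expected direction
    ("198.51.100.1", "10.0.0.5", SAMPLE_IKE),
    ("198.51.100.1", "10.0.0.5", NAT_KEEPALIVE),      # unexpected direction
]
```

Calling `audit_keepalives(SAMPLE_PACKETS, {"10.0.0.5"})` returns only the keep-alive emitted by the non-NATed peer.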
Created attachment 180110: patch

Fix bug in one chunk. OAi/OAr addresses should be reversed, because they present the peer's view of the addresses.
I've tested this patch with the new kernel IPSEC code committed to head by Andrey and it just works. Please commit the patch.
A commit references this bug:

Author: eugen
Date: Tue Apr 18 14:36:08 UTC 2017
New revision: 438782
URL: https://svnweb.freebsd.org/changeset/ports/438782

Log:
This patch adds NATT_EXTRA_PATCHES=natt.diff and enables only UDP encapsulation defined in RFC3948. The natt.diff patch contains the following changes:

* added support for SADB_X_EXT_NAT_T_OAI and SADB_X_EXT_NAT_T_OAR PF_KEY messages;
* used NAT address instead of original for SAs created by racoon;
* NAT-T keep-alives are now sent only by the NATed host.

Tested with 11.0-STABLE after the projects/ipsec merge.

PR: 217131
Submitted by: Andrey V. Elsukov
Approved by: VANHULLEBUS Yvan (maintainer timeout, 2 months), vsevolod (mentor)

Changes:
head/security/ipsec-tools/Makefile
head/security/ipsec-tools/files/natt.diff