A FreeBSD machine acts as VPN client (ESP-Transport, L2TP, NAT-T) to an OpenSWAN based VPN concentrator.
The L2TP (UDP) packets originating from the concentrator are rejected because of a wrong UDP checksum.
Detailed problem description:
[RFC 3948, 3.1.2] states:
When a transport mode has been used to transmit packets, contained
TCP or UDP headers will have incorrect checksums due to the change of
parts of the IP header during transit. This procedure defines how to
fix these checksums [...]
Depending on local policy, one of the following MUST be done:
3. If the protocol header after the ESP header is a UDP header, set
the checksum field to zero in the UDP header. [...]
Fix: Patch attached with submission follows:
Over to maintainer(s).
While this is the simplest solution, there is a patch for review that
is supposed to do proper cksum re-calculations by 3.1.2. 1., which I
think I would prefer.
This is especially the case as the default of RFC2661 (L2TP) says that
UDP checksums must be enabled. To my memory an application may disable
them for data messages but never for control messages; thus you
actually want proper checksum re-calculation when doing L2TP.
Bjoern A. Zeeb
It will not break if you know what you are doing.
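The two RFC 3948 section 3.1.2 options discussed above (1. recompute the inner UDP checksum, 3. zero it), worked through on a constructed IPv4/UDP/L2TP packet. This is an added illustration written for this thread, not the attached patch and not FreeBSD kernel code; the packet bytes, the helper names and the NAT rewrite step (changing the destination address after the concentrator computed the checksum, which is what leaves the checksum wrong after transport-mode ESP decapsulation) are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 3948 3.1.2 options from the PR: 1 = recompute the inner UDP checksum, 3 = zero it. */
enum udp_cksum_fix { UDP_CKSUM_RECALC = 1, UDP_CKSUM_ZERO = 3 };
#define PROTO_UDP 17

/* Add a buffer into a ones-complement accumulator as big-endian 16-bit words. */
static uint32_t cksum_add(uint32_t acc, const uint8_t *buf, size_t len)
{
    for (; len > 1; buf += 2, len -= 2)
        acc += ((uint32_t)buf[0] << 8) | buf[1];
    if (len)                      /* odd trailing byte is padded with a zero byte */
        acc += (uint32_t)buf[0] << 8;
    return acc;
}

/* Fold the carries and complement: the value that goes on the wire. */
static uint16_t cksum_fold(uint32_t acc)
{
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* Find the UDP header in an IPv4 packet; -1 if it is not well-formed IPv4/UDP. */
static int udp4_locate(const uint8_t *pkt, size_t len, size_t *ihl, size_t *udp_len)
{
    if (len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != PROTO_UDP)
        return -1;
    *ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (*ihl < 20 || len < *ihl + 8)
        return -1;
    *udp_len = ((size_t)pkt[*ihl + 4] << 8) | pkt[*ihl + 5];
    return (*udp_len < 8 || *ihl + *udp_len > len) ? -1 : 0;
}

/* Pseudo-header sum: source and destination address, protocol, UDP length. */
static uint32_t udp4_pseudo_sum(const uint8_t *pkt, size_t udp_len)
{
    return cksum_add(0, pkt + 12, 8) + PROTO_UDP + (uint32_t)udp_len;
}

/* Correct RFC 768 checksum for the datagram in pkt (field itself treated as zero), or -1. */
int udp4_checksum(const uint8_t *pkt, size_t len)
{
    size_t ihl, udp_len;
    if (udp4_locate(pkt, len, &ihl, &udp_len) < 0)
        return -1;
    uint32_t acc = cksum_add(udp4_pseudo_sum(pkt, udp_len), pkt + ihl, 6); /* ports, length */
    acc = cksum_add(acc, pkt + ihl + 8, udp_len - 8);                        /* payload */
    uint16_t c = cksum_fold(acc);
    return c == 0 ? 0xffff : c;   /* RFC 768: a computed zero is transmitted as all ones */
}

/* Receiver-side check: a zero field means "no checksum" over IPv4 and is accepted;
 * otherwise the sum over pseudo-header plus whole datagram must come out as all ones. */
int udp4_checksum_ok(const uint8_t *pkt, size_t len)
{
    size_t ihl, udp_len;
    if (udp4_locate(pkt, len, &ihl, &udp_len) < 0)
        return 0;
    if (pkt[ihl + 6] == 0 && pkt[ihl + 7] == 0)
        return 1;
    return cksum_fold(cksum_add(udp4_pseudo_sum(pkt, udp_len), pkt + ihl, udp_len)) == 0;
}

/* Apply one RFC 3948 3.1.2 fix-up after transport-mode ESP decapsulation.
 * Returns the value written to the checksum field, or -1 if the packet is malformed. */
int fix_udp_checksum(uint8_t *pkt, size_t len, enum udp_cksum_fix mode)
{
    int c = udp4_checksum(pkt, len);
    if (c < 0)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    uint16_t v = (mode == UDP_CKSUM_ZERO) ? 0 : (uint16_t)c;
    pkt[ihl + 6] = (uint8_t)(v >> 8);
    pkt[ihl + 7] = (uint8_t)(v & 0xff);
    return v;
}

/* Constructed sample: IPv4 10.0.0.1 -> 192.0.2.10, UDP 1701 -> 1701 carrying a 12-byte L2TPv2
 * control header. UDP checksum deliberately stale (0xabcd); IP header checksum left zero. */
static const uint8_t sample_pkt[] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    10, 0, 0, 1, 192, 0, 2, 10,
    0x06, 0xa5, 0x06, 0xa5, 0x00, 0x14, 0xab, 0xcd,
    0xc8, 0x02, 0x00, 0x0c, 0, 0, 0, 0, 0, 0, 0, 0,
};

/* Walk the packet through the states the PR describes, one result bit per state: bit 0 stale
 * field valid, bit 1 valid after recalculation, bit 2 still valid after the NAT in front of the
 * client rewrote the destination, bit 3 valid after zeroing. Expected value: 0b1010 == 10. */
int scenario(void)
{
    uint8_t buf[sizeof sample_pkt];
    size_t n = sizeof sample_pkt;
    memcpy(buf, sample_pkt, n);
    int bits = udp4_checksum_ok(buf, n);
    fix_udp_checksum(buf, n, UDP_CKSUM_RECALC);
    bits |= udp4_checksum_ok(buf, n) << 1;
    buf[19] = 11;                                 /* NAT: 192.0.2.10 -> 192.0.2.11 */
    bits |= udp4_checksum_ok(buf, n) << 2;
    fix_udp_checksum(buf, n, UDP_CKSUM_ZERO);
    bits |= udp4_checksum_ok(buf, n) << 3;
    return bits;
}

int main(void)
{
    printf("correct checksum for sample: 0x%04x\n", udp4_checksum(sample_pkt, sizeof sample_pkt));
    printf("scenario bits: %d (expect 10)\n", scenario());
    return 0;
}
```

Option 3 (zeroing) makes any receiver accept the datagram because a zero UDP checksum over IPv4 means "not computed", which is why it is the simplest fix; option 1 keeps end-to-end checksum coverage for the L2TP control channel, where RFC 2661 expects checksums to stay enabled, at the cost of one extra pass over the payload per packet.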
I shall not use bugzilla (at least until we will have a CLI).
For bugs matching the following criteria:
Status: In Progress Changed: (is less than) 2014-06-01
Reset to default assignee and clear in-progress tags.
Mail being skipped