On Fri, Sep 22, 2017 at 02:21:53PM -0400, Chuck Zmudzinski wrote:
>
> I didn't share my patches because I was not sure NetBSD wanted to
> implement RFC 3948 because it had been said a long time ago in another
> place that it might be encumbered by a patent. I will post my patch for
> netbsd-7 kernels on a tech-net shortly and we can discuss further over
> there. The patch uses the NAT original address information from the peer
> that IKE nat-t extensions provide, as described in RFC 3948.
>
I am a bit surprised that this didn't just work for you. I did a consult about 10 years ago where both the server and clients were behind NAT and, at the time, everything worked. I guess nobody noticed the lossage before now.

One thing that did bite me when I was setting my project up was making sure the UDP packets did not fragment. Some commodity grade routers don't handle UDP fragmentation well at all. The symptoms I had were that the connection would come up and the client could ping the remote net fine, but trying to start a remote display or something more serious would stall - the ping packets were small enough to get through but the larger packets would be lost. I ended up writing a small bit of VBScript that tweaked the MTU down on the VPN interface on the client so it was low enough that, after encapsulation, the final UDP packet payload did not need to be fragmented.

--
Brett Lymn
Let go, or be dragged - Zen proverb.
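The MTU reduction Brett describes can be worked out rather than guessed. The following is an added example (not code from this thread): it computes the largest inner IPv4 packet that still fits the path MTU once wrapped in ESP and the RFC 3948 UDP header, so the VPN interface MTU can be set to that value instead of relying on UDP fragmentation. The cipher parameters (AES-CBC with a 16-byte IV and HMAC-SHA1-96) are assumptions chosen for illustration.

```python
"""Inner-MTU calculation for ESP-in-UDP (RFC 3948) encapsulation.

Added example, not from the original thread. Cipher parameters below are
assumptions for illustration; adjust them to the SA actually negotiated.
"""

IPV4_HDR = 20      # outer IPv4 header, no options
UDP_HDR = 8        # RFC 3948 UDP encapsulation header (UDP/4500)
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)


def esp_udp_overhead(inner_len, block_size=16, iv_len=16, icv_len=12):
    """Bytes added when an inner packet of inner_len is ESP+UDP encapsulated.

    ESP pads so that (inner_len + trailer) is a multiple of the cipher block
    size, which is why the overhead depends on the inner length.
    """
    pad = (-(inner_len + ESP_TRAILER)) % block_size
    return IPV4_HDR + UDP_HDR + ESP_HDR + iv_len + pad + ESP_TRAILER + icv_len


def outer_len(inner_len, **cipher):
    """Size on the wire of the encapsulated packet for a given inner size."""
    return inner_len + esp_udp_overhead(inner_len, **cipher)


def max_inner_mtu(path_mtu, **cipher):
    """Largest inner packet whose encapsulated size still fits path_mtu.

    Scans downward because padding makes outer_len grow in block-size steps,
    so the first inner size that fits is the answer.
    """
    for inner in range(path_mtu, 0, -1):
        if outer_len(inner, **cipher) <= path_mtu:
            return inner
    raise ValueError("path MTU too small for any ESP payload")


if __name__ == "__main__":
    for pmtu in (1500, 1492, 1400):
        m = max_inner_mtu(pmtu)
        print(f"path MTU {pmtu}: set VPN interface MTU to {m} "
              f"(encapsulated size {outer_len(m)} bytes)")
```

Run it with the block size, IV and ICV lengths of the transform you actually use; for an AEAD transform such as AES-GCM the arguments would be roughly block_size=4, iv_len=8, icv_len=16.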