From: VANHULLEBUS Yvan
To: freebsd-net@freebsd.org
Date: Wed, 6 Sep 2006 09:01:35 +0200
Subject: Re: Where is IPSec NAT-T support?
Message-ID: <20060906070135.GA1003@jayce.zen.inc>

Hi.

On Mon, Sep 04, 2006 at 01:59:47PM -0400, Scott Ullrich wrote:
> On 9/4/06, Bjoern A. Zeeb wrote:
> >Are you sure this is a clean RELENG_6_1 with the correct patch?
> >MD5 (freebsd6-natt.diff) = 5e7bb5a3203c8959928bf910d5498140
>
> Yes it was a clean RELENG_6_1.
>
> >I compiled this on i386 and amd64 just a few days ago and everything
> >was fine.
> >
> >Perhaps contact me off-list and we'll post a summary once we found the
> >problem?
>
> Maybe it is because I am including FAST_IPSEC? I have attempted to
> build and use a NAT-T kernel on at least 7 attempts now. Last of which
> was a couple months ago.

Actually, I did NOT make the FAST_IPSEC part of the patch.

Here is probably the good location and the good time for a small
summary of the patch's state:

- The public patch (A) works for IPSEC, and should apply on both
  RELENG_6 and RELENG_6_1 (some minor patching issues may need to be
  solved by hand, but it's just some indentation changes in the source
  code between the two versions).

- This public patch does NOT provide support for multiple peers behind
  the same NAT device.

- I have a newer version of the patch (B), against RELENG_6_1, which
  provides such support for multiple peers behind the same NAT
  device. I was about to put it in a public place when someone raised a
  debatable implementation choice in the way ipsec-tools and the kernel
  exchange some data specific to that NAT-T support (I ported it
  from Manu's work on NetBSD).

- I guessed I would quickly have the time to look at it and to clean
  it up for both FreeBSD and NetBSD (and perhaps Linux), but I
  drastically lacked free time those last months.

- Some FreeBSD developers already had a look at the patch, and are
  in contact with me to include it in the kernel, but it has been
  reported several times for various reasons.

- FAST_IPSEC support will be quite easy to do when all the other
  problems are solved, and I guess Larry Baird will do it if I
  don't have free time for that quickly.

As I reported that work several times over the last months, I guess I'll
publish the actual version of the patch (B) those days, which will
already solve some problems for most people, then I'll start to do the
rest of the stuff (FAST_IPSEC and solve kernel/ipsec-tools
communication design).

> The Kernel configuration file that I am trying to build is
> http://pfsense.com/cgi-bin/cvsweb.cgi/tools/builder_scripts/conf/pfSense.6?rev=1.32
> with the added options IPSEC_NAT_T
> option.
>
> Maybe I am overlooking something simple?

FAST_IPSEC....


Yvan.

-- 
NETASQ
http://www.netasq.com