Date: Tue, 20 Jun 2006 17:30:06 +0200
From: VANHULLEBUS Yvan
To: Michael Vince
Cc: net@freebsd.org
Subject: Re: FAST_IPSEC and NAT-T
Message-ID: <20060620153006.GA30732@zen.inc>
In-Reply-To: <44981231.4060001@thebeastie.org>
List-Id: Networking and TCP/IP with FreeBSD

On Wed, Jun 21, 2006 at 01:20:17AM +1000, Michael Vince wrote:
[NAT-T patch]
> OK cool, the thing that really turns me off about that IPSec is when I
> reboot with it compiled in says "Expect reduced performance" because it's
> not mpsafe.
>
> Also I just tried to compile a kernel with that Nat-T patch on the other
> IPSEC kernel on 6.1-release and it failed.
> I can't think of anything I have done wrong on this machine, it's pretty
> fresh, I did cvsup with "RELENG_6_1" beforehand
> maybe there is a tiny enough amount of changes since the RELENG_6_1_0
> release for it to fail but I didn't notice anything serious changed, I
> also used the new pure C csup over cvsup client.
>
> The patch installed fine with no errors but the kernel failed to compile
> ending with this..
>
> /usr/src/sys/netinet/udp_usrreq.c:1046: warning: 'udp4_espinudp' defined but not used

You are compiling without NAT-T support, and this function is not
properly #ifdef'ed in the public version of the patch.

It has been fixed in the new (not yet available) version, which also
provides new features (mainly support for multiple peers behind the same
public IP).

As ipsec-tools 0.6.6 is out now, I'll update the patch on the ipsec-tools
website.

[....]
> options IPSEC
> options IPSEC_ESP
> options IPSEC_DEBUG

Add "options IPSEC_NAT_T" here and it will compile.

Yvan.

--
NETASQ
http://www.netasq.com