Date:      Mon, 18 Sep 2006 21:43:41 +0200 (CEST)
From:      Joerg Pulz <Joerg.Pulz@frm2.tum.de>
To:        Larry Baird <lab@gta.com>
Cc:        freebsd-net@freebsd.org, VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
Subject:   Re: FAST_IPSEC NAT-T support
Message-ID:  <20060918210519.J978@hades.admin.frm2>
In-Reply-To: <20060918180053.73854.qmail@gta.com>
References:  <20060918180053.73854.qmail@gta.com>

Hi,

First of all, a big thanks to Yvan and Larry, and all others, for their
work. IPSEC_NAT_T is working fine for me with either IPSEC or FAST_IPSEC 
with RELENG_6 as server and FAST_IPSEC with CURRENT (small modifications 
after patching where necessary) as client.


Regarding the /sbin/setkey against ${LOCALBASE}/sbin/setkey (ipsec-tools 
version) discussion, I found a minor difference in the output between
those two when using aes/rijndael encryption and executing "setkey -D".
The FreeBSD base version of setkey outputs something like this:
 	E: rijndael-cbc  XXXXXXXX ...
and the ipsec-tools version of setkey outputs this:
 	E: 12  XXXXXXXX ...

The difference comes out of libipsec/pfkey_dump.c.
In the FreeBSD base version of this file we have this:
#ifdef SADB_X_EALG_RIJNDAELCBC
         { SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", },
#endif

and in the ipsec-tools version this:
#ifdef SADB_X_EALG_AESCBC
         { SADB_X_EALG_AESCBC, "aes-cbc", },
#endif

Unfortunately, we have no definition for SADB_X_EALG_AESCBC in FreeBSD's 
pfkeyv2.h file. The definition for encryption algorithm number 12 in 
pfkeyv2.h is the following:
#define SADB_X_EALG_RIJNDAELCBC 12
#define SADB_X_EALG_AES         12

I'm not sure which one is right in this case, but as a quick fix I've
attached two small patches for the ipsec-tools port.
Simply copy both files to ${PORTSDIR}/security/ipsec-tools/files and 
rebuild/reinstall the port.

Any comments on this?

Kind regards
Joerg

-- 
The beginning is the most important part of the work.
 				-Plato
[Attachment: patch-src__libipsec__pfkey_dump.c]
[Attachment: patch-src__setkey__token.l]



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060918210519.J978>
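
The name lookup described in the message above, as an added example that is not part of the original e-mail, of either setkey source, or of the attached patches. The two #define lines are the ones quoted from FreeBSD's pfkeyv2.h; the type, table and function names are hypothetical, and the fall-back to the decimal number is assumed from the "E: 12" output shown in the message.

```c
#include <stdio.h>
#include <string.h>
/* As quoted from FreeBSD's pfkeyv2.h; SADB_X_EALG_AESCBC stays undefined. */
#define SADB_X_EALG_RIJNDAELCBC 12
#define SADB_X_EALG_AES         12

struct alg_name { int val; const char *str; };   /* hypothetical type name */
/* Guarded as in the base-system excerpt. */
static const struct alg_name base_table[] = {
#ifdef SADB_X_EALG_RIJNDAELCBC
    { SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", },
#endif
    { -1, NULL, },
};
/* Guarded as in the ipsec-tools excerpt: the entry is compiled out here. */
static const struct alg_name tools_table[] = {
#ifdef SADB_X_EALG_AESCBC
    { SADB_X_EALG_AESCBC, "aes-cbc", },
#endif
    { -1, NULL, },
};
/* One possible guard that accepts either macro (not the attached patches). */
static const struct alg_name portable_table[] = {
#if defined(SADB_X_EALG_AESCBC)
    { SADB_X_EALG_AESCBC, "aes-cbc", },
#elif defined(SADB_X_EALG_RIJNDAELCBC)
    { SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", },
#endif
    { -1, NULL, },
};

/* Return the name for alg, or its decimal number when no entry matches. */
static const char *alg_to_str(const struct alg_name *t, int alg, char *buf, size_t len)
{
    for (; t->str != NULL; t++)
        if (t->val == alg)
            return t->str;
    snprintf(buf, len, "%d", alg);
    return buf;
}

int main(void)
{
    const struct alg_name *t[] = { base_table, tools_table, portable_table };
    char buf[16];
    for (int i = 0; i < 3; i++)
        printf("E: %s\n", alg_to_str(t[i], 12, buf, sizeof buf));
    return 0;
}
```

An SA dump that shows a bare number instead of a cipher name is harder to audit, so a guard that tolerates both macro spellings keeps the encryption algorithm readable on either header set.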