From owner-freebsd-net@FreeBSD.ORG Mon Sep 18 19:44:08 2006
Date: Mon, 18 Sep 2006 21:43:41 +0200 (CEST)
From: Joerg Pulz
To: Larry Baird
Cc: freebsd-net@freebsd.org, VANHULLEBUS Yvan
Subject: Re: FAST_IPSEC NAT-T support
In-Reply-To: <20060918180053.73854.qmail@gta.com>
Message-ID: <20060918210519.J978@hades.admin.frm2>
References: <20060918180053.73854.qmail@gta.com>
List-Id: Networking and TCP/IP with FreeBSD
Hi,

first of all, a big thanks to Yvan and Larry, and all others, for their work.

IPSEC_NAT_T is working fine for me with either IPSEC or FAST_IPSEC with RELENG_6 as server and FAST_IPSEC with CURRENT (small modifications after patching were necessary) as client.

Regarding the /sbin/setkey against ${LOCALBASE}/sbin/setkey (ipsec-tools version) discussion, I found a minor difference in the output between those two when using aes/rijndael encryption and executing "setkey -D".

The FreeBSD base version of setkey outputs something like this:

	E: rijndael-cbc XXXXXXXX ...

and the ipsec-tools version of setkey outputs this:

	E: 12 XXXXXXXX ...

The difference comes out of libipsec/pfkey_dump.c. In the FreeBSD base version of this file we have this:

	#ifdef SADB_X_EALG_RIJNDAELCBC
		{ SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", },
	#endif

and in the ipsec-tools version this:

	#ifdef SADB_X_EALG_AESCBC
		{ SADB_X_EALG_AESCBC, "aes-cbc", },
	#endif

Unfortunately, we have no definition for SADB_X_EALG_AESCBC in FreeBSD's pfkeyv2.h file. The definition for encryption algorithm number 12 in pfkeyv2.h is the following:

	#define SADB_X_EALG_RIJNDAELCBC	12
	#define SADB_X_EALG_AES		12

I'm not sure which one is right in this case, but as a quick fix I've attached two small patches for the ipsec-tools port. Simply copy both files to ${PORTSDIR}/security/ipsec-tools/files and rebuild/reinstall the port.

Any comments on this?

Kind regards
Joerg

-- 
The beginning is the most important part of the work.
-Plato

Attachment: patch-src__libipsec__pfkey_dump.c

--- src/libipsec/pfkey_dump.c.orig	Mon Sep 18 20:56:02 2006
+++ src/libipsec/pfkey_dump.c	Mon Sep 18 20:58:13 2006
@@ -190,6 +190,9 @@
 #ifdef SADB_X_EALG_AESCBC
 	{ SADB_X_EALG_AESCBC, "aes-cbc", },
 #endif
+#ifdef SADB_X_EALG_RIJNDAELCBC
+	{ SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", },
+#endif
 #ifdef SADB_X_EALG_TWOFISHCBC
 	{ SADB_X_EALG_TWOFISHCBC, "twofish-cbc", },
 #endif

Attachment: patch-src__setkey__token.l

--- src/setkey/token.l.orig	Mon Sep 18 21:30:18 2006
+++ src/setkey/token.l	Mon Sep 18 21:31:05 2006
@@ -208,8 +208,8 @@
 #endif
 }
 <S_ENCALG>rijndael-cbc	{ 
-#ifdef SADB_X_EALG_AESCBC
-	yylval.num = SADB_X_EALG_AESCBC; BEGIN INITIAL; return(ALG_ENC); 
+#ifdef SADB_X_EALG_RIJNDAELCBC
+	yylval.num = SADB_X_EALG_RIJNDAELCBC; BEGIN INITIAL; return(ALG_ENC); 
 #endif
 }
 <S_ENCALG>aes-ctr	{ yylval.num = SADB_X_EALG_AESCTR; BEGIN INITIAL; return(ALG_ENC); }
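Review bot: in the pfkey_dump.c hunk the new `#ifdef SADB_X_EALG_RIJNDAELCBC` block is independent of the `#ifdef SADB_X_EALG_AESCBC` block directly above it, so on a pfkeyv2.h that defines both names for value 12 the table ends up with two rows for the same number, and if the dump takes the first matching row the added rijndael-cbc row is never reached and the printed name depends on table order. Guarding the two as alternatives, `#if defined(SADB_X_EALG_AESCBC)` for the aes-cbc row and `#elif defined(SADB_X_EALG_RIJNDAELCBC)` for the rijndael-cbc row, keeps exactly one row per algorithm number and makes the fallback explicit. The FreeBSD header quoted in the mail also defines SADB_X_EALG_AES as 12; if any code refers to that name, it should be covered by the same guard rather than a third row.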
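Review bot: in the token.l hunk, swapping `#ifdef SADB_X_EALG_AESCBC` for `#ifdef SADB_X_EALG_RIJNDAELCBC` removes the only mapping for the `rijndael-cbc` keyword on a header that defines SADB_X_EALG_AESCBC but not SADB_X_EALG_RIJNDAELCBC, which is the case the unpatched rule was written for: the action becomes an empty `{ }`, the scanner consumes the keyword without `BEGIN INITIAL` or `return(ALG_ENC)`, and the parser sees a silently dropped token instead of a clear syntax error. Keep both spellings of the header, e.g. `#if defined(SADB_X_EALG_RIJNDAELCBC)` / `yylval.num = SADB_X_EALG_RIJNDAELCBC; ...` / `#elif defined(SADB_X_EALG_AESCBC)` with the original assignment, so the keyword resolves on either header.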
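As an added illustration (editor's code, not part of the original mail, of ipsec-tools or of FreeBSD), the following C program models the name table in libipsec/pfkey_dump.c and the keyword rule in setkey/token.l, and shows why the port's setkey prints "E: 12" where the base setkey prints "E: rijndael-cbc": the table row for 12 is compiled out when the header does not define the macro the row is guarded with. The macros mirror the FreeBSD pfkeyv2.h lines quoted above (SADB_X_EALG_RIJNDAELCBC and SADB_X_EALG_AES both 12, SADB_X_EALG_AESCBC not defined); SADB_EALG_3DESCBC (3) and SADB_EALG_NULL (11) are the RFC 2367 values. The struct, table and function names are made up for this example, and the "portable" table shows the `#if defined / #elif defined` form that accepts either header spelling without duplicating the row for 12.

```c
/*
 * Added example, not ipsec-tools or FreeBSD code: a minimal model of the
 * encryption-algorithm name table in libipsec/pfkey_dump.c and of the
 * keyword-to-number rule in setkey/token.l.
 *
 * Macros below mirror the FreeBSD pfkeyv2.h lines quoted in the mail;
 * SADB_X_EALG_AESCBC is deliberately left undefined, as on FreeBSD.
 * 3DESCBC (3) and NULL (11) are the RFC 2367 values.
 */
#include <stdio.h>
#include <string.h>

#define SADB_EALG_3DESCBC        3
#define SADB_EALG_NULL           11
#define SADB_X_EALG_RIJNDAELCBC  12
#define SADB_X_EALG_AES          12
/* no SADB_X_EALG_AESCBC here */

struct alg_name { int num; const char *name; };   /* hypothetical name */

/* Table in the style of the FreeBSD base libipsec: knows 12 as rijndael-cbc. */
static const struct alg_name base_ealg[] = {
	{ SADB_EALG_3DESCBC, "3des-cbc" },
	{ SADB_EALG_NULL, "null" },
#ifdef SADB_X_EALG_RIJNDAELCBC
	{ SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc" },
#endif
};

/* Table in the style of the unpatched ipsec-tools port: the aes-cbc row is
 * compiled out because the macro does not exist in FreeBSD's header. */
static const struct alg_name port_ealg[] = {
	{ SADB_EALG_3DESCBC, "3des-cbc" },
	{ SADB_EALG_NULL, "null" },
#ifdef SADB_X_EALG_AESCBC
	{ SADB_X_EALG_AESCBC, "aes-cbc" },
#endif
};

/* Table that accepts either spelling of the header while keeping a single
 * row for 12 (the lookup below returns the first match, so duplicates would
 * make the printed name depend on table order). */
static const struct alg_name portable_ealg[] = {
	{ SADB_EALG_3DESCBC, "3des-cbc" },
	{ SADB_EALG_NULL, "null" },
#if defined(SADB_X_EALG_AESCBC)
	{ SADB_X_EALG_AESCBC, "aes-cbc" },
#elif defined(SADB_X_EALG_RIJNDAELCBC)
	{ SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc" },
#endif
};

#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

/* Dump-side behaviour: the name if the table knows the number, otherwise the
 * bare number, which is exactly the "E: 12" seen from the port's setkey. */
static const char *
ealg_to_str(const struct alg_name *tab, size_t n, int num)
{
	static char buf[32];          /* one result at a time, like the dump code */
	for (size_t i = 0; i < n; i++)
		if (tab[i].num == num) {
			snprintf(buf, sizeof buf, "%s", tab[i].name);
			return buf;
		}
	snprintf(buf, sizeof buf, "%d", num);
	return buf;
}

static const char *base_str(int num)     { return ealg_to_str(base_ealg, NELEM(base_ealg), num); }
static const char *port_str(int num)     { return ealg_to_str(port_ealg, NELEM(port_ealg), num); }
static const char *portable_str(int num) { return ealg_to_str(portable_ealg, NELEM(portable_ealg), num); }

/* Scanner-side behaviour: map a setkey keyword to its SADB number.  Both
 * spellings resolve through whichever macro the header provides; -1 means
 * the keyword is unknown on this header, which the posted token.l patch
 * would turn into a silently ignored keyword instead. */
static int
ealg_from_keyword(const char *kw)
{
	if (strcmp(kw, "3des-cbc") == 0)
		return SADB_EALG_3DESCBC;
	if (strcmp(kw, "null") == 0)
		return SADB_EALG_NULL;
	if (strcmp(kw, "rijndael-cbc") == 0 || strcmp(kw, "aes-cbc") == 0) {
#if defined(SADB_X_EALG_RIJNDAELCBC)
		return SADB_X_EALG_RIJNDAELCBC;
#elif defined(SADB_X_EALG_AESCBC)
		return SADB_X_EALG_AESCBC;
#endif
	}
	return -1;
}

int
main(void)
{
	int ealg = 12;   /* constructed: what the kernel reports for an AES SA */
	printf("base setkey:     E: %s\n", base_str(ealg));
	printf("port setkey:     E: %s\n", port_str(ealg));
	printf("portable table:  E: %s\n", portable_str(ealg));
	printf("rijndael-cbc -> %d, blowfish-cbc -> %d\n",
	    ealg_from_keyword("rijndael-cbc"), ealg_from_keyword("blowfish-cbc"));
	return 0;
}
```

Compile with `cc -Wall -o ealg ealg.c` and run; to see the other side of the picture, add `-DSADB_X_EALG_AESCBC=12 -USADB_X_EALG_RIJNDAELCBC` is not enough since the macros are defined in the file, so comment the RIJNDAELCBC/AES defines out and define AESCBC instead: the base-style table then prints the bare number and the portable table still prints a name.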